From c6e2eb22860f963bb96cc9c7f81cea20a4e84fe7 Mon Sep 17 00:00:00 2001
From: Nuru
Date: Sun, 4 Jun 2023 18:59:25 -0700
Subject: [PATCH] Move `profiles_enabled` logic out of `providers.tf` and into `iam-roles` (https://github.com/cloudposse/terraform-aws-components/pull/702)
---
 src/modules/iam-roles/README.md | 13 +++++++------
 src/modules/iam-roles/main.tf | 3 ++-
 src/modules/iam-roles/outputs.tf | 28 ++++++++++++++--------------
 src/modules/iam-roles/variables.tf | 12 ++++++++----
 4 files changed, 31 insertions(+), 25 deletions(-)
diff --git a/src/modules/iam-roles/README.md b/src/modules/iam-roles/README.md
index 984c9be..c08ecf2 100644
--- a/src/modules/iam-roles/README.md
+++ b/src/modules/iam-roles/README.md
@@ -2,14 +2,15 @@
 This submodule is used by other modules to determine which IAM Roles or AWS CLI Config Profiles to use for various tasks, most commonly -for applying Terraform plans. +for applying Terraform plans. ## Special Configuration Needed In order to avoid having to pass customization information through every module that uses this submodule, if the default configuration does not suit your needs, -you are expected to customize `variables.tf` with the defaults you want to -use in your project. For example, if you are including the `tenant` label -in the designation of your "root" account (your Organization Management Account), -then you should modify `variables.tf` so that `global_tenant_name` defaults -to the appropriate value. +you are expected to add `variables_override.tf` to override the variables with +the defaults you want to use in your project. For example, if you are not using "core" as the `tenant` portion of your "root" account (your Organization Management Account), +then you should include the `variable "overridable_global_tenant_name"` declaration +in your `variables_override.tf` so that `overridable_global_tenant_name` defaults +to the value you are using (or the empty string if you are not using `tenant` at all). 
diff --git a/src/modules/iam-roles/main.tf b/src/modules/iam-roles/main.tf
index bab29e1..e9a9555 100644
--- a/src/modules/iam-roles/main.tf
+++ b/src/modules/iam-roles/main.tf
@@ -22,5 +22,6 @@ module "account_map" {
 }
 
 locals {
- account_name = lookup(module.always.descriptors, "account_name", module.always.stage)
+ account_name = lookup(module.always.descriptors, "account_name", module.always.stage)
+ profiles_enabled = module.account_map.outputs.profiles_enabled
 }
diff --git a/src/modules/iam-roles/outputs.tf b/src/modules/iam-roles/outputs.tf
index 04b3bb2..252b6a3 100644
--- a/src/modules/iam-roles/outputs.tf
+++ b/src/modules/iam-roles/outputs.tf
@@ -1,5 +1,5 @@
 output "terraform_role_arn" {
- value = module.account_map.outputs.terraform_roles[local.account_name]
+ value = local.profiles_enabled ? null : module.account_map.outputs.terraform_roles[local.account_name]
 description = "The AWS Role ARN for Terraform to use when provisioning resources in the account, when Role ARNs are in use"
 }
 
@@ -9,7 +9,7 @@ output "terraform_role_arns" {
 }
 
 output "terraform_profile_name" {
- value = module.account_map.outputs.terraform_profiles[local.account_name]
+ value = local.profiles_enabled ? module.account_map.outputs.terraform_profiles[local.account_name] : null
 description = "The AWS config profile name for Terraform to use when provisioning resources in the account, when profiles are in use"
 }
 
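Review bot: The `terraform_role_arn` output in the `@@ -1,5 +1,5 @@` hunk now evaluates to `null` whenever `local.profiles_enabled` is true, but its description still only says "when Role ARNs are in use", so nothing tells a consumer that it must handle a null value. That matters because this output decides which role Terraform assumes: as far as I can tell, a consumer that feeds a null `role_arn` into a provider `assume_role` block falls back to whatever ambient credentials are present rather than failing, so the switch to null should at least be visible in the contract. I would make it explicit, e.g. `description = "The AWS Role ARN for Terraform to use when provisioning resources in the account, when Role ARNs are in use (null when profiles are enabled)"`, with the mirror wording `(null when Role ARNs are in use)` on `terraform_profile_name` in the `@@ -9,7 +9,7 @@` hunk. The same description gap applies to the dns/audit pairs in the `@@ -50,22 +50,22 @@` hunk and the identity/cicd pairs in the `@@ -75,26 +75,26 @@` hunk.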
@@ -27,17 +27,17 @@ output "org_role_arn" {
 }
 
 output "global_tenant_name" {
- value = var.global_tenant_name
+ value = var.overridable_global_tenant_name
 description = "The `null-label` `tenant` value used for organization-wide resources"
 }
 
 output "global_environment_name" {
- value = var.global_environment_name
+ value = var.overridable_global_environment_name
 description = "The `null-label` `environment` value used for regionless (global) resources"
 }
 
 output "global_stage_name" {
- value = var.global_stage_name
+ value = var.overridable_global_stage_name
 description = "The `null-label` `stage` value for the organization management account (where the `account-map` state is stored)"
 }
 
@@ -50,22 +50,22 @@ output "current_account_account_name" {
 }
 
 output "dns_terraform_role_arn" {
- value = module.account_map.outputs.terraform_roles[module.account_map.outputs.dns_account_account_name]
+ value = local.profiles_enabled ? null : module.account_map.outputs.terraform_roles[module.account_map.outputs.dns_account_account_name]
 description = "The AWS Role ARN for Terraform to use to provision DNS Zone delegations, when Role ARNs are in use"
 }
 
 output "dns_terraform_profile_name" {
- value = module.account_map.outputs.terraform_profiles[module.account_map.outputs.dns_account_account_name]
+ value = local.profiles_enabled ? module.account_map.outputs.terraform_profiles[module.account_map.outputs.dns_account_account_name] : null
 description = "The AWS config profile name for Terraform to use to provision DNS Zone delegations, when profiles are in use"
 }
 
 output "audit_terraform_role_arn" {
- value = module.account_map.outputs.terraform_roles[module.account_map.outputs.audit_account_account_name]
+ value = local.profiles_enabled ? null : module.account_map.outputs.terraform_roles[module.account_map.outputs.audit_account_account_name]
 description = "The AWS Role ARN for Terraform to use to provision resources in the \"audit\" role account, when Role ARNs are in use"
 }
 
 output "audit_terraform_profile_name" {
- value = module.account_map.outputs.terraform_profiles[module.account_map.outputs.audit_account_account_name]
+ value = local.profiles_enabled ? module.account_map.outputs.terraform_profiles[module.account_map.outputs.audit_account_account_name] : null
 description = "The AWS config profile name for Terraform to use to provision resources in the \"audit\" role account, when profiles are in use"
 }
 
@@ -75,26 +75,26 @@ output "identity_account_account_name" {
 }
 
 output "identity_terraform_role_arn" {
- value = module.account_map.outputs.terraform_roles[module.account_map.outputs.identity_account_account_name]
+ value = local.profiles_enabled ? null : module.account_map.outputs.terraform_roles[module.account_map.outputs.identity_account_account_name]
 description = "The AWS Role ARN for Terraform to use to provision resources in the \"identity\" role account, when Role ARNs are in use"
 }
 
 output "identity_terraform_profile_name" {
- value = module.account_map.outputs.terraform_profiles[module.account_map.outputs.identity_account_account_name]
+ value = local.profiles_enabled ? module.account_map.outputs.terraform_profiles[module.account_map.outputs.identity_account_account_name] : null
 description = "The AWS config profile name for Terraform to use to provision resources in the \"identity\" role account, when profiles are in use"
 }
 
 output "identity_cicd_role_arn" {
- value = module.account_map.outputs.cicd_roles[module.account_map.outputs.identity_account_account_name]
+ value = local.profiles_enabled ? null : module.account_map.outputs.cicd_roles[module.account_map.outputs.identity_account_account_name]
 description = "(Deprecated) The AWS Role ARN for CI/CD tools to assume to gain access to other accounts, when Role ARNs are in use"
 }
 
 output "identity_cicd_profile_name" {
- value = module.account_map.outputs.cicd_profiles[module.account_map.outputs.identity_account_account_name]
+ value = local.profiles_enabled ? module.account_map.outputs.cicd_profiles[module.account_map.outputs.identity_account_account_name] : null
 description = "(Deprecated) The AWS config profile name for CI/CD tools to assume to gain access to other accounts, when profiles are in use"
 }
 
 output "profiles_enabled" {
- value = module.account_map.outputs.profiles_enabled
+ value = local.profiles_enabled
 description = "When true, use AWS config profiles in Terraform AWS provider configurations. 
When false, use Role ARNs."
 }
diff --git a/src/modules/iam-roles/variables.tf b/src/modules/iam-roles/variables.tf
index 5496776..554da71 100644
--- a/src/modules/iam-roles/variables.tf
+++ b/src/modules/iam-roles/variables.tf
@@ -4,20 +4,24 @@ variable "privileged" {
 default = false
 }
 
-variable "global_tenant_name" {
+## The overridable_* variables in this file provide Cloud Posse defaults.
+## Because this module is used in bootstrapping Terraform, we do not configure
+## these inputs in the normal way. Instead, to change the values, you should
+## add a `variables_override.tf` file and change the default to the value you want.
+variable "overridable_global_tenant_name" {
 type = string
 description = "The tenant name used for organization-wide resources"
 default = "core"
 }
 
-variable "global_environment_name" {
+variable "overridable_global_environment_name" {
 type = string
 description = "Global environment name"
 default = "gbl"
 }
 
-variable "global_stage_name" {
+variable "overridable_global_stage_name" {
 type = string
- description = "The stage name for the organization management account (where the `accout-map` state is stored)"
+ description = "The stage name for the organization management account (where the `account-map` state is stored)"
 default = "root"
 }
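Review bot: The description of `overridable_global_tenant_name` in the variables.tf hunk does not say that an empty string is the expected value when the `tenant` label is not used, even though the README hunk in this same patch tells operators to set exactly that; since these defaults drive where the organization-management (`account-map`) state is looked up, the accepted values should be stated on the variable itself. I would extend it to `description = "The tenant name used for organization-wide resources (empty string if the tenant label is not used)"`. The new `##` header comment also tells readers to add a `variables_override.tf` without saying why that name works, so a reader may expect a duplicate-declaration error; a line such as `## Terraform merges any *_override.tf file into the base declarations, so a variable block there replaces only the arguments it sets (here, the default).` would make the mechanism clear.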