From e198524c82a6b512ea1b757f9af0ba2c87cc6a72 Mon Sep 17 00:00:00 2001
From: Nuru
Date: Sun, 4 Jun 2023 18:59:25 -0700
Subject: [PATCH] Move `profiles_enabled` logic out of `providers.tf` and into `iam-roles` (#702)
---
 .../account-map/modules/iam-roles/README.md | 13 +++++----
 modules/account-map/modules/iam-roles/main.tf | 3 +-
 .../account-map/modules/iam-roles/outputs.tf | 28 +++++++++----------
 .../modules/iam-roles/variables.tf | 12 +++++---
 modules/aws-waf-acl/README.md | 1 +
 modules/aws-waf-acl/providers.tf | 18 ++++++++++--
 modules/cognito/README.md | 3 +-
 modules/cognito/providers.tf | 17 +++++++++--
 modules/dns-delegated/providers.tf | 2 +-
 modules/dns-primary/providers.tf | 2 +-
 modules/documentdb/providers.tf | 1 +
 modules/eks-iam/README.md | 1 +
 modules/eks-iam/providers.tf | 22 ++++++++++-----
 modules/elasticache-redis/providers.tf | 1 +
 modules/mq-broker/README.md | 1 +
 modules/mq-broker/providers.tf | 16 +++++++++--
 modules/sqs-queue/providers.tf | 1 +
 modules/sso-saml-provider/providers.tf | 1 +
 modules/vpc-flow-logs-bucket/README.md | 3 +-
 modules/vpc-flow-logs-bucket/providers.tf | 17 +++++++++--
 modules/zscaler/README.md | 1 +
 modules/zscaler/providers.tf | 17 ++++++++---
 22 files changed, 132 insertions(+), 49 deletions(-)
 mode change 100755 => 100644 modules/eks-iam/providers.tf
 mode change 100755 => 100644 modules/mq-broker/providers.tf
diff --git a/modules/account-map/modules/iam-roles/README.md b/modules/account-map/modules/iam-roles/README.md
index 984c9beaa..c08ecf2a5 100644
--- a/modules/account-map/modules/iam-roles/README.md
+++ b/modules/account-map/modules/iam-roles/README.md
@@ -2,14 +2,15 @@ This submodule is used by other modules to determine which IAM Roles or AWS CLI Config Profiles to use for various tasks, most commonly -for applying Terraform plans. +for applying Terraform plans. ## Special Configuration Needed In order to avoid having to pass customization information through every module that uses this submodule, if the default configuration does not suit your needs, -you are expected to customize `variables.tf` with the defaults you want to -use in your project. For example, if you are including the `tenant` label -in the designation of your "root" account (your Organization Management Account), -then you should modify `variables.tf` so that `global_tenant_name` defaults -to the appropriate value. +you are expected to add `variables_override.tf` to override the variables with +the defaults you want to use in your project. For example, if you are not using +"core" as the `tenant` portion of your "root" account (your Organization Management Account), +then you should include the `variable "overridable_global_tenant_name"` declaration +in your `variables_override.tf` so that `overridable_global_tenant_name` defaults +to the value you are using (or the empty string if you are not using `tenant` at all).
diff --git a/modules/account-map/modules/iam-roles/main.tf b/modules/account-map/modules/iam-roles/main.tf
index bab29e15c..e9a95553f 100644
--- a/modules/account-map/modules/iam-roles/main.tf
+++ b/modules/account-map/modules/iam-roles/main.tf
@@ -22,5 +22,6 @@ module "account_map" {
 }
 locals {
- account_name = lookup(module.always.descriptors, "account_name", module.always.stage)
+ account_name = lookup(module.always.descriptors, "account_name", module.always.stage)
+ profiles_enabled = module.account_map.outputs.profiles_enabled
 }
diff --git a/modules/account-map/modules/iam-roles/outputs.tf b/modules/account-map/modules/iam-roles/outputs.tf
index 04b3bb220..252b6a3e2 100644
--- a/modules/account-map/modules/iam-roles/outputs.tf
+++ b/modules/account-map/modules/iam-roles/outputs.tf
@@ -1,5 +1,5 @@
 output "terraform_role_arn" {
- value = module.account_map.outputs.terraform_roles[local.account_name]
+ value = local.profiles_enabled ? null : module.account_map.outputs.terraform_roles[local.account_name]
 description = "The AWS Role ARN for Terraform to use when provisioning resources in the account, when Role ARNs are in use"
 }
@@ -9,7 +9,7 @@ output "terraform_role_arns" {
 }
 output "terraform_profile_name" {
- value = module.account_map.outputs.terraform_profiles[local.account_name]
+ value = local.profiles_enabled ? module.account_map.outputs.terraform_profiles[local.account_name] : null
 description = "The AWS config profile name for Terraform to use when provisioning resources in the account, when profiles are in use"
 }
@@ -27,17 +27,17 @@ output "org_role_arn" {
 }
 output "global_tenant_name" {
- value = var.global_tenant_name
+ value = var.overridable_global_tenant_name
 description = "The `null-label` `tenant` value used for organization-wide resources"
 }
 output "global_environment_name" {
- value = var.global_environment_name
+ value = var.overridable_global_environment_name
 description = "The `null-label` `environment` value used for regionless (global) resources"
 }
 output "global_stage_name" {
- value = var.global_stage_name
+ value = var.overridable_global_stage_name
 description = "The `null-label` `stage` value for the organization management account (where the `account-map` state is stored)"
 }
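Review bot: The descriptions of `terraform_role_arn` and `terraform_profile_name` in this hunk (and of the `dns_*`, `audit_*`, `identity_*` and `identity_cicd_*` pairs in the next two hunks of this file) are unchanged, yet each value is now `null` whenever `local.profiles_enabled` selects the other mechanism, which a consumer that indexes or `coalesce()`s the output needs to know. Suggest stating it in each description, e.g. `description = "The AWS Role ARN for Terraform to use when provisioning resources in the account; null when AWS config profiles are in use (see profiles_enabled)"`, with the mirror wording on the `*_profile_name` outputs. `terraform_role_arns`, named in the second hunk header, does not appear to be touched by this commit, so it presumably still returns the full map regardless of mode; a one-line comment saying so would stop readers from expecting the same gating there.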
@@ -50,22 +50,22 @@ output "current_account_account_name" {
 }
 output "dns_terraform_role_arn" {
- value = module.account_map.outputs.terraform_roles[module.account_map.outputs.dns_account_account_name]
+ value = local.profiles_enabled ? null : module.account_map.outputs.terraform_roles[module.account_map.outputs.dns_account_account_name]
 description = "The AWS Role ARN for Terraform to use to provision DNS Zone delegations, when Role ARNs are in use"
 }
 output "dns_terraform_profile_name" {
- value = module.account_map.outputs.terraform_profiles[module.account_map.outputs.dns_account_account_name]
+ value = local.profiles_enabled ? module.account_map.outputs.terraform_profiles[module.account_map.outputs.dns_account_account_name] : null
 description = "The AWS config profile name for Terraform to use to provision DNS Zone delegations, when profiles are in use"
 }
 output "audit_terraform_role_arn" {
- value = module.account_map.outputs.terraform_roles[module.account_map.outputs.audit_account_account_name]
+ value = local.profiles_enabled ? null : module.account_map.outputs.terraform_roles[module.account_map.outputs.audit_account_account_name]
 description = "The AWS Role ARN for Terraform to use to provision resources in the \"audit\" role account, when Role ARNs are in use"
 }
 output "audit_terraform_profile_name" {
- value = module.account_map.outputs.terraform_profiles[module.account_map.outputs.audit_account_account_name]
+ value = local.profiles_enabled ? module.account_map.outputs.terraform_profiles[module.account_map.outputs.audit_account_account_name] : null
 description = "The AWS config profile name for Terraform to use to provision resources in the \"audit\" role account, when profiles are in use"
 }
@@ -75,26 +75,26 @@ output "identity_account_account_name" {
 }
 output "identity_terraform_role_arn" {
- value = module.account_map.outputs.terraform_roles[module.account_map.outputs.identity_account_account_name]
+ value = local.profiles_enabled ? null : module.account_map.outputs.terraform_roles[module.account_map.outputs.identity_account_account_name]
 description = "The AWS Role ARN for Terraform to use to provision resources in the \"identity\" role account, when Role ARNs are in use"
 }
 output "identity_terraform_profile_name" {
- value = module.account_map.outputs.terraform_profiles[module.account_map.outputs.identity_account_account_name]
+ value = local.profiles_enabled ? module.account_map.outputs.terraform_profiles[module.account_map.outputs.identity_account_account_name] : null
 description = "The AWS config profile name for Terraform to use to provision resources in the \"identity\" role account, when profiles are in use"
 }
 output "identity_cicd_role_arn" {
- value = module.account_map.outputs.cicd_roles[module.account_map.outputs.identity_account_account_name]
+ value = local.profiles_enabled ? null : module.account_map.outputs.cicd_roles[module.account_map.outputs.identity_account_account_name]
 description = "(Deprecated) The AWS Role ARN for CI/CD tools to assume to gain access to other accounts, when Role ARNs are in use"
 }
 output "identity_cicd_profile_name" {
- value = module.account_map.outputs.cicd_profiles[module.account_map.outputs.identity_account_account_name]
+ value = local.profiles_enabled ? module.account_map.outputs.cicd_profiles[module.account_map.outputs.identity_account_account_name] : null
 description = "(Deprecated) The AWS config profile name for CI/CD tools to assume to gain access to other accounts, when profiles are in use"
 }
 output "profiles_enabled" {
- value = module.account_map.outputs.profiles_enabled
+ value = local.profiles_enabled
 description = "When true, use AWS config profiles in Terraform AWS provider configurations.
When false, use Role ARNs."
 }
diff --git a/modules/account-map/modules/iam-roles/variables.tf b/modules/account-map/modules/iam-roles/variables.tf
index 54967766a..554da715f 100644
--- a/modules/account-map/modules/iam-roles/variables.tf
+++ b/modules/account-map/modules/iam-roles/variables.tf
@@ -4,20 +4,24 @@ variable "privileged" {
 default = false
 }
-variable "global_tenant_name" {
+## The overridable_* variables in this file provide Cloud Posse defaults.
+## Because this module is used in bootstrapping Terraform, we do not configure
+## these inputs in the normal way. Instead, to change the values, you should
+## add a `variables_override.tf` file and change the default to the value you want.
+variable "overridable_global_tenant_name" {
 type = string
 description = "The tenant name used for organization-wide resources"
 default = "core"
 }
-variable "global_environment_name" {
+variable "overridable_global_environment_name" {
 type = string
 description = "Global environment name"
 default = "gbl"
 }
-variable "global_stage_name" {
+variable "overridable_global_stage_name" {
 type = string
- description = "The stage name for the organization management account (where the `accout-map` state is stored)"
+ description = "The stage name for the organization management account (where the `account-map` state is stored)"
 default = "root"
 }
diff --git a/modules/aws-waf-acl/README.md b/modules/aws-waf-acl/README.md
index 32cf4f1da..9b78eea97 100644
--- a/modules/aws-waf-acl/README.md
+++ b/modules/aws-waf-acl/README.md
@@ -84,6 +84,7 @@ components: | [geo\_match\_statement\_rules](#input\_geo\_match\_statement\_rules) | A rule statement used to identify web requests based on country of origin.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
country\_codes:
A list of two-character country codes.
forwarded\_ip\_config:
fallback\_behavior:
The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
Possible values: `MATCH`, `NO_MATCH`
header\_name:
The name of the HTTP header to use for the IP address.

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no | | [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | +| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | | [ip\_set\_reference\_statement\_rules](#input\_ip\_set\_reference\_statement\_rules) | A rule statement used to detect web requests coming from particular IP addresses or address ranges.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
arn:
The ARN of the IP Set that this statement references.
ip\_set\_forwarded\_ip\_config:
fallback\_behavior:
The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
Possible values: `MATCH`, `NO_MATCH`
header\_name:
The name of the HTTP header to use for the IP address.
position:
The position in the header to search for the IP address.
Possible values include: `FIRST`, `LAST`, or `ANY`.

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | | [label\_key\_case](#input\_label\_key\_case) | The letter case of label keys (`tag` names) (i.e. `name`, `namespace`, `environment`, `stage`, `attributes`) to use in `tags`.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | | [label\_order](#input\_label\_order) | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no |
diff --git a/modules/aws-waf-acl/providers.tf b/modules/aws-waf-acl/providers.tf
index c6e854450..08ee01b2a 100644
--- a/modules/aws-waf-acl/providers.tf
+++ b/modules/aws-waf-acl/providers.tf
@@ -1,6 +1,14 @@
 provider "aws" {
- region = var.region
- profile = coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name)
+ region = var.region
+
+ profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
+
+ dynamic "assume_role" {
+ for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
+ content {
+ role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
+ }
+ }
 }
 module "iam_roles" {
@@ -13,3 +21,9 @@ variable "import_profile_name" {
 default = null
 description = "AWS Profile name to use when importing a resource"
 }
+
+variable "import_role_arn" {
+ type = string
+ default = null
+ description = "IAM Role ARN to use when importing a resource"
+}
diff --git a/modules/cognito/README.md b/modules/cognito/README.md
index 1531e3d54..09920c701 100644
--- a/modules/cognito/README.md
+++ b/modules/cognito/README.md
@@ -119,7 +119,8 @@ components: | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
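Review bot: The new `provider "aws"` block here, and the matching ones in the cognito, eks-iam, mq-broker, vpc-flow-logs-bucket and zscaler providers.tf hunks, selects both `profile` and the `assume_role` `for_each` on `module.iam_roles.profiles_enabled`, which the iam-roles main.tf hunk reads from `module.account_map.outputs` (remote state), so the `import_profile_name`/`import_role_arn` overrides no longer decide the credential path on their own. The eks-iam, mq-broker, vpc-flow-logs-bucket and zscaler hunks delete the comment that explained why those overrides exist (`` # `terraform import` will not use data from a data source, so on import we have to explicitly specify the profile ``) without carrying it into the new block; if that limitation still applies to the Terraform version in use, an import with an override set would still need the remote state readable before the provider can be configured, which is worth verifying. Either way, restore the comment above `profile` so the next reader knows why the two `import_*` variables are there, and extend it to say that `profiles_enabled` itself comes from remote state. The second hunk's `import_role_arn` description could also note that it is only consulted when `profiles_enabled` is false.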
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | | [identity\_providers](#input\_identity\_providers) | Cognito Identity Providers configuration | `list(any)` | `[]` | no | -| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile to use when importing a resource | `string` | `null` | no | +| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | +| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | | [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | | [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | | [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no |
diff --git a/modules/cognito/providers.tf b/modules/cognito/providers.tf
index de2e8a327..08ee01b2a 100644
--- a/modules/cognito/providers.tf
+++ b/modules/cognito/providers.tf
@@ -1,7 +1,14 @@
 provider "aws" {
 region = var.region
- profile = coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name)
+ profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
+
+ dynamic "assume_role" {
+ for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
+ content {
+ role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
+ }
+ }
 }
 module "iam_roles" {
@@ -12,5 +19,11 @@ module "iam_roles" {
 variable "import_profile_name" {
 type = string
 default = null
- description = "AWS Profile to use when importing a resource"
+ description = "AWS Profile name to use when importing a resource"
+}
+
+variable "import_role_arn" {
+ type = string
+ default = null
+ description = "IAM Role ARN to use when importing a resource"
 }
diff --git a/modules/dns-delegated/providers.tf b/modules/dns-delegated/providers.tf
index dd2b4a1fb..944bbdbf0 100644
--- a/modules/dns-delegated/providers.tf
+++ b/modules/dns-delegated/providers.tf
@@ -20,7 +20,7 @@ provider "aws" {
 profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
 dynamic "assume_role" {
- for_each = var.import_role_arn == null ? (module.iam_roles.terraform_role_arn != null ? [true] : []) : ["import"]
+ for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
 content {
 role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
 }
diff --git a/modules/dns-primary/providers.tf b/modules/dns-primary/providers.tf
index 447c00328..08ee01b2a 100644
--- a/modules/dns-primary/providers.tf
+++ b/modules/dns-primary/providers.tf
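Review bot: The replaced `for_each` in this dns-delegated hunk, and the identical replacement in the dns-primary providers.tf hunk, drops the `module.iam_roles.terraform_role_arn != null` guard: with profiles disabled the `assume_role` block is now always emitted, so `coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)` becomes a plan-time error whenever the account's `terraform_roles` entry is null and no `import_role_arn` is given, where the old expression emitted no `assume_role` and let the provider fall through to its default credential chain. Failing closed is the better default for the provider that edits DNS delegations, but it is a behavior change not covered by the commit title, so it should be deliberate and visible; a comment on the `for_each` line such as `# Profiles disabled => a role ARN is required; coalesce() fails rather than falling back to the default credential chain` would do. The enclosing `provider "aws"` block starts before this hunk.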
@@ -4,7 +4,7 @@ provider "aws" {
 profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
 dynamic "assume_role" {
- for_each = var.import_role_arn == null ? (module.iam_roles.terraform_role_arn != null ? [true] : []) : ["import"]
+ for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
 content {
 role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
 }
diff --git a/modules/documentdb/providers.tf b/modules/documentdb/providers.tf
index efa9ede5d..08ee01b2a 100644
--- a/modules/documentdb/providers.tf
+++ b/modules/documentdb/providers.tf
@@ -2,6 +2,7 @@ provider "aws" {
 region = var.region
 profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
+
 dynamic "assume_role" {
 for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
 content {
diff --git a/modules/eks-iam/README.md b/modules/eks-iam/README.md
index a3d00ade4..b2f46f7f3 100644
--- a/modules/eks-iam/README.md
+++ b/modules/eks-iam/README.md
@@ -79,6 +79,7 @@ components: | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | | [environment](#input\_environment) | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters.
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | | [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | | [kms\_alias\_name](#input\_kms\_alias\_name) | AWS KMS alias used for encryption/decryption of SSM parameters default is alias used in SSM | `string` | `"alias/aws/ssm"` | no | | [label\_order](#input\_label\_order) | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no |
diff --git a/modules/eks-iam/providers.tf b/modules/eks-iam/providers.tf
old mode 100755
new mode 100644
index 506e16d2e..08ee01b2a
--- a/modules/eks-iam/providers.tf
+++ b/modules/eks-iam/providers.tf
@@ -1,17 +1,25 @@
 provider "aws" {
 region = var.region
- assume_role {
- # `terraform import` will not use data from a data source,
- # so on import we have to explicitly specify the role
- role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
+ profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
+
+ dynamic "assume_role" {
+ for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
+ content {
+ role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
+ }
 }
 }
 module "iam_roles" {
- source = "../account-map/modules/iam-roles"
- stage = var.stage
- region = var.region
+ source = "../account-map/modules/iam-roles"
+ context = module.this.context
+}
+
+variable "import_profile_name" {
+ type = string
+ default = null
+ description = "AWS Profile name to use when importing a resource"
 }
 variable "import_role_arn" {
diff --git a/modules/elasticache-redis/providers.tf b/modules/elasticache-redis/providers.tf
index efa9ede5d..08ee01b2a 100644
--- a/modules/elasticache-redis/providers.tf
+++ b/modules/elasticache-redis/providers.tf
@@ -2,6 +2,7 @@ provider "aws" {
 region = var.region
 profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
+
 dynamic "assume_role" {
 for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
 content {
diff --git a/modules/mq-broker/README.md b/modules/mq-broker/README.md
index 63c518902..7a67934bd 100644
--- a/modules/mq-broker/README.md
+++ b/modules/mq-broker/README.md
@@ -80,6 +80,7 @@ No resources. | [host\_instance\_type](#input\_host\_instance\_type) | The broker's instance type. e.g. mq.t2.micro or mq.m4.large | `string` | `"mq.t3.micro"` | no | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no | | [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | +| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | | [kms\_mq\_key\_arn](#input\_kms\_mq\_key\_arn) | ARN of the AWS KMS key used for Amazon MQ encryption | `string` | `null` | no | | [kms\_ssm\_key\_arn](#input\_kms\_ssm\_key\_arn) | ARN of the AWS KMS key used for SSM encryption | `string` | `"alias/aws/ssm"` | no | | [label\_key\_case](#input\_label\_key\_case) | The letter case of label keys (`tag` names) (i.e. `name`, `namespace`, `environment`, `stage`, `attributes`) to use in `tags`.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no |
diff --git a/modules/mq-broker/providers.tf b/modules/mq-broker/providers.tf
old mode 100755
new mode 100644
index eb5dcb247..08ee01b2a
--- a/modules/mq-broker/providers.tf
+++ b/modules/mq-broker/providers.tf
@@ -1,8 +1,14 @@
 provider "aws" {
 region = var.region
- # `terraform import` will not use data from a data source, so on import we have to explicitly specify the profile
- profile = coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name)
+ profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
+
+ dynamic "assume_role" {
+ for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
+ content {
+ role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
+ }
+ }
 }
 module "iam_roles" {
@@ -15,3 +21,9 @@ variable "import_profile_name" {
 default = null
 description = "AWS Profile name to use when importing a resource"
 }
+
+variable "import_role_arn" {
+ type = string
+ default = null
+ description = "IAM Role ARN to use when importing a resource"
+}
diff --git a/modules/sqs-queue/providers.tf b/modules/sqs-queue/providers.tf
index efa9ede5d..08ee01b2a 100644
--- a/modules/sqs-queue/providers.tf
+++ b/modules/sqs-queue/providers.tf
@@ -2,6 +2,7 @@ provider "aws" {
 region = var.region
 profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
+
 dynamic "assume_role" {
 for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
 content {
diff --git a/modules/sso-saml-provider/providers.tf b/modules/sso-saml-provider/providers.tf
index efa9ede5d..08ee01b2a 100644
--- a/modules/sso-saml-provider/providers.tf
+++ b/modules/sso-saml-provider/providers.tf
@@ -2,6 +2,7 @@ provider "aws" {
 region = var.region
 profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
+
 dynamic "assume_role" {
 for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
 content {
diff --git a/modules/vpc-flow-logs-bucket/README.md b/modules/vpc-flow-logs-bucket/README.md
index 136801ef0..c9170ee2b 100644
--- a/modules/vpc-flow-logs-bucket/README.md
+++ b/modules/vpc-flow-logs-bucket/README.md
@@ -62,7 +62,8 @@ No resources. | [force\_destroy](#input\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable | `bool` | `false` | no | | [glacier\_transition\_days](#input\_glacier\_transition\_days) | Number of days after which to move the data to the glacier storage tier | `number` | `60` | no | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile to use when importing a resource | `string` | `null` | no | +| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | +| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | | [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | | [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | | [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no |
diff --git a/modules/vpc-flow-logs-bucket/providers.tf b/modules/vpc-flow-logs-bucket/providers.tf
index 1aa5d23ec..08ee01b2a 100644
--- a/modules/vpc-flow-logs-bucket/providers.tf
+++ b/modules/vpc-flow-logs-bucket/providers.tf
@@ -1,8 +1,14 @@
 provider "aws" {
 region = var.region
- # `terraform import` will not use data from a data source, so on import we have to explicitly specify the profile
- profile = coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name)
+ profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
+
+ dynamic "assume_role" {
+ for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
+ content {
+ role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
+ }
+ }
 }
 module "iam_roles" {
@@ -13,6 +19,11 @@ module "iam_roles" {
 variable "import_profile_name" {
 type = string
 default = null
- description = "AWS Profile to use when importing a resource"
+ description = "AWS Profile name to use when importing a resource"
 }
+variable "import_role_arn" {
+ type = string
+ default = null
+ description = "IAM Role ARN to use when importing a resource"
+}
diff --git a/modules/zscaler/README.md b/modules/zscaler/README.md
index b117bda96..0adefc619 100644
--- a/modules/zscaler/README.md
+++ b/modules/zscaler/README.md
@@ -84,6 +84,7 @@ import: | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | | [environment](#input\_environment) | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | | [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | | [instance\_type](#input\_instance\_type) | The instance family to use for the ZScaler EC2 instances. | `string` | `"r5n.medium"` | no | | [label\_key\_case](#input\_label\_key\_case) | The letter case of label keys (`tag` names) (i.e. `name`, `namespace`, `environment`, `stage`, `attributes`) to use in `tags`.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no |
diff --git a/modules/zscaler/providers.tf b/modules/zscaler/providers.tf
index fd46aae55..08ee01b2a 100644
--- a/modules/zscaler/providers.tf
+++ b/modules/zscaler/providers.tf
@@ -1,10 +1,13 @@
 provider "aws" {
 region = var.region
- assume_role {
- # `terraform import` will not use data from a data source,
- # so on import we have to explicitly specify the role
- role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
+ profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
+
+ dynamic "assume_role" {
+ for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
+ content {
+ role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
+ }
 }
 }
@@ -13,6 +16,12 @@ module "iam_roles" {
 context = module.this.context
 }
+variable "import_profile_name" {
+ type = string
+ default = null
+ description = "AWS Profile name to use when importing a resource"
+}
+
 variable "import_role_arn" {
 type = string
 default = null