diff --git a/modules/account-map/modules/iam-roles/README.md b/modules/account-map/modules/iam-roles/README.md
index 984c9beaa..c08ecf2a5 100644
--- a/modules/account-map/modules/iam-roles/README.md
+++ b/modules/account-map/modules/iam-roles/README.md
@@ -2,14 +2,15 @@
This submodule is used by other modules to determine which IAM Roles
or AWS CLI Config Profiles to use for various tasks, most commonly
-for applying Terraform plans.
+for applying Terraform plans.
## Special Configuration Needed
In order to avoid having to pass customization information through every module
that uses this submodule, if the default configuration does not suit your needs,
-you are expected to customize `variables.tf` with the defaults you want to
-use in your project. For example, if you are including the `tenant` label
-in the designation of your "root" account (your Organization Management Account),
-then you should modify `variables.tf` so that `global_tenant_name` defaults
-to the appropriate value.
+you are expected to add `variables_override.tf` to override the variables with
+the defaults you want to use in your project. For example, if you are not using
+"core" as the `tenant` portion of your "root" account (your Organization Management Account),
+then you should include the `variable "overridable_global_tenant_name"` declaration
+in your `variables_override.tf` so that `overridable_global_tenant_name` defaults
+to the value you are using (or the empty string if you are not using `tenant` at all).
diff --git a/modules/account-map/modules/iam-roles/main.tf b/modules/account-map/modules/iam-roles/main.tf
index bab29e15c..e9a95553f 100644
--- a/modules/account-map/modules/iam-roles/main.tf
+++ b/modules/account-map/modules/iam-roles/main.tf
@@ -22,5 +22,6 @@ module "account_map" {
}
locals {
- account_name = lookup(module.always.descriptors, "account_name", module.always.stage)
+ account_name = lookup(module.always.descriptors, "account_name", module.always.stage)
+ profiles_enabled = module.account_map.outputs.profiles_enabled
}
diff --git a/modules/account-map/modules/iam-roles/outputs.tf b/modules/account-map/modules/iam-roles/outputs.tf
index 04b3bb220..252b6a3e2 100644
--- a/modules/account-map/modules/iam-roles/outputs.tf
+++ b/modules/account-map/modules/iam-roles/outputs.tf
@@ -1,5 +1,5 @@
output "terraform_role_arn" {
- value = module.account_map.outputs.terraform_roles[local.account_name]
+ value = local.profiles_enabled ? null : module.account_map.outputs.terraform_roles[local.account_name]
description = "The AWS Role ARN for Terraform to use when provisioning resources in the account, when Role ARNs are in use"
}
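Review bot: `terraform_role_arn` now evaluates to `null` whenever `profiles_enabled` is true, but its description still reads as if the ARN is always available; a consumer that feeds this output straight into an `assume_role` block without consulting `profiles_enabled` would, as far as I can tell, get `role_arn = null` and the provider would quietly run on the ambient credentials rather than the intended account role. Make that contract explicit in the description, e.g. `description = "The AWS Role ARN for Terraform to use when provisioning resources in the account. Null when profiles_enabled is true; use terraform_profile_name instead."`. The mirrored `*_profile_name` outputs in the following hunks deserve the same "null when profiles are disabled" wording.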
@@ -9,7 +9,7 @@ output "terraform_role_arns" {
}
output "terraform_profile_name" {
- value = module.account_map.outputs.terraform_profiles[local.account_name]
+ value = local.profiles_enabled ? module.account_map.outputs.terraform_profiles[local.account_name] : null
description = "The AWS config profile name for Terraform to use when provisioning resources in the account, when profiles are in use"
}
@@ -27,17 +27,17 @@ output "org_role_arn" {
}
output "global_tenant_name" {
- value = var.global_tenant_name
+ value = var.overridable_global_tenant_name
description = "The `null-label` `tenant` value used for organization-wide resources"
}
output "global_environment_name" {
- value = var.global_environment_name
+ value = var.overridable_global_environment_name
description = "The `null-label` `environment` value used for regionless (global) resources"
}
output "global_stage_name" {
- value = var.global_stage_name
+ value = var.overridable_global_stage_name
description = "The `null-label` `stage` value for the organization management account (where the `account-map` state is stored)"
}
@@ -50,22 +50,22 @@ output "current_account_account_name" {
}
output "dns_terraform_role_arn" {
- value = module.account_map.outputs.terraform_roles[module.account_map.outputs.dns_account_account_name]
+ value = local.profiles_enabled ? null : module.account_map.outputs.terraform_roles[module.account_map.outputs.dns_account_account_name]
description = "The AWS Role ARN for Terraform to use to provision DNS Zone delegations, when Role ARNs are in use"
}
output "dns_terraform_profile_name" {
- value = module.account_map.outputs.terraform_profiles[module.account_map.outputs.dns_account_account_name]
+ value = local.profiles_enabled ? module.account_map.outputs.terraform_profiles[module.account_map.outputs.dns_account_account_name] : null
description = "The AWS config profile name for Terraform to use to provision DNS Zone delegations, when profiles are in use"
}
output "audit_terraform_role_arn" {
- value = module.account_map.outputs.terraform_roles[module.account_map.outputs.audit_account_account_name]
+ value = local.profiles_enabled ? null : module.account_map.outputs.terraform_roles[module.account_map.outputs.audit_account_account_name]
description = "The AWS Role ARN for Terraform to use to provision resources in the \"audit\" role account, when Role ARNs are in use"
}
output "audit_terraform_profile_name" {
- value = module.account_map.outputs.terraform_profiles[module.account_map.outputs.audit_account_account_name]
+ value = local.profiles_enabled ? module.account_map.outputs.terraform_profiles[module.account_map.outputs.audit_account_account_name] : null
description = "The AWS config profile name for Terraform to use to provision resources in the \"audit\" role account, when profiles are in use"
}
@@ -75,26 +75,26 @@ output "identity_account_account_name" {
}
output "identity_terraform_role_arn" {
- value = module.account_map.outputs.terraform_roles[module.account_map.outputs.identity_account_account_name]
+ value = local.profiles_enabled ? null : module.account_map.outputs.terraform_roles[module.account_map.outputs.identity_account_account_name]
description = "The AWS Role ARN for Terraform to use to provision resources in the \"identity\" role account, when Role ARNs are in use"
}
output "identity_terraform_profile_name" {
- value = module.account_map.outputs.terraform_profiles[module.account_map.outputs.identity_account_account_name]
+ value = local.profiles_enabled ? module.account_map.outputs.terraform_profiles[module.account_map.outputs.identity_account_account_name] : null
description = "The AWS config profile name for Terraform to use to provision resources in the \"identity\" role account, when profiles are in use"
}
output "identity_cicd_role_arn" {
- value = module.account_map.outputs.cicd_roles[module.account_map.outputs.identity_account_account_name]
+ value = local.profiles_enabled ? null : module.account_map.outputs.cicd_roles[module.account_map.outputs.identity_account_account_name]
description = "(Deprecated) The AWS Role ARN for CI/CD tools to assume to gain access to other accounts, when Role ARNs are in use"
}
output "identity_cicd_profile_name" {
- value = module.account_map.outputs.cicd_profiles[module.account_map.outputs.identity_account_account_name]
+ value = local.profiles_enabled ? module.account_map.outputs.cicd_profiles[module.account_map.outputs.identity_account_account_name] : null
description = "(Deprecated) The AWS config profile name for CI/CD tools to assume to gain access to other accounts, when profiles are in use"
}
output "profiles_enabled" {
- value = module.account_map.outputs.profiles_enabled
+ value = local.profiles_enabled
description = "When true, use AWS config profiles in Terraform AWS provider configurations. When false, use Role ARNs."
}
diff --git a/modules/account-map/modules/iam-roles/variables.tf b/modules/account-map/modules/iam-roles/variables.tf
index 54967766a..554da715f 100644
--- a/modules/account-map/modules/iam-roles/variables.tf
+++ b/modules/account-map/modules/iam-roles/variables.tf
@@ -4,20 +4,24 @@ variable "privileged" {
default = false
}
-variable "global_tenant_name" {
+## The overridable_* variables in this file provide Cloud Posse defaults.
+## Because this module is used in bootstrapping Terraform, we do not configure
+## these inputs in the normal way. Instead, to change the values, you should
+## add a `variables_override.tf` file and change the default to the value you want.
+variable "overridable_global_tenant_name" {
type = string
description = "The tenant name used for organization-wide resources"
default = "core"
}
-variable "global_environment_name" {
+variable "overridable_global_environment_name" {
type = string
description = "Global environment name"
default = "gbl"
}
-variable "global_stage_name" {
+variable "overridable_global_stage_name" {
type = string
- description = "The stage name for the organization management account (where the `accout-map` state is stored)"
+ description = "The stage name for the organization management account (where the `account-map` state is stored)"
default = "root"
}
diff --git a/modules/aws-waf-acl/README.md b/modules/aws-waf-acl/README.md
index 32cf4f1da..9b78eea97 100644
--- a/modules/aws-waf-acl/README.md
+++ b/modules/aws-waf-acl/README.md
@@ -84,6 +84,7 @@ components:
| [geo\_match\_statement\_rules](#input\_geo\_match\_statement\_rules) | A rule statement used to identify web requests based on country of origin.
action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.
statement:
country\_codes:
A list of two-character country codes.
forwarded\_ip\_config:
fallback\_behavior:
The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
Possible values: `MATCH`, `NO_MATCH`
header\_name:
The name of the HTTP header to use for the IP address.
visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.
cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no |
| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no |
| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no |
+| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no |
| [ip\_set\_reference\_statement\_rules](#input\_ip\_set\_reference\_statement\_rules) | A rule statement used to detect web requests coming from particular IP addresses or address ranges.
action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.
statement:
arn:
The ARN of the IP Set that this statement references.
ip\_set\_forwarded\_ip\_config:
fallback\_behavior:
The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
Possible values: `MATCH`, `NO_MATCH`
header\_name:
The name of the HTTP header to use for the IP address.
position:
The position in the header to search for the IP address.
Possible values include: `FIRST`, `LAST`, or `ANY`.
visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.
cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no |
| [label\_key\_case](#input\_label\_key\_case) | The letter case of label keys (`tag` names) (i.e. `name`, `namespace`, `environment`, `stage`, `attributes`) to use in `tags`.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no |
| [label\_order](#input\_label\_order) | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no |
diff --git a/modules/aws-waf-acl/providers.tf b/modules/aws-waf-acl/providers.tf
index c6e854450..08ee01b2a 100644
--- a/modules/aws-waf-acl/providers.tf
+++ b/modules/aws-waf-acl/providers.tf
@@ -1,6 +1,14 @@
provider "aws" {
- region = var.region
- profile = coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name)
+ region = var.region
+
+ profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
+
+ dynamic "assume_role" {
+ for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
+ content {
+ role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
+ }
+ }
}
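Review bot: `var.import_role_arn` is silently ignored when `profiles_enabled` is true (the `dynamic "assume_role"` block is emitted with zero instances), and `var.import_profile_name` is silently ignored when it is false, so an operator who sets one of them to pin the identity for `terraform import` may instead run under whatever the other path resolves to. Since both variables are declared in this file, the constraint should at least appear in their descriptions, e.g. `description = "IAM Role ARN to use when importing a resource (only honored when iam_roles.profiles_enabled is false)"` and the matching note on `import_profile_name`. A variable `validation` cannot express this because it may only reference the variable itself, so documentation (or, if the Terraform version in use allows it, a `precondition`) is the realistic option.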
module "iam_roles" {
@@ -13,3 +21,9 @@ variable "import_profile_name" {
default = null
description = "AWS Profile name to use when importing a resource"
}
+
+variable "import_role_arn" {
+ type = string
+ default = null
+ description = "IAM Role ARN to use when importing a resource"
+}
diff --git a/modules/cognito/README.md b/modules/cognito/README.md
index 1531e3d54..09920c701 100644
--- a/modules/cognito/README.md
+++ b/modules/cognito/README.md
@@ -119,7 +119,8 @@ components:
| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no |
| [identity\_providers](#input\_identity\_providers) | Cognito Identity Providers configuration | `list(any)` | `[]` | no |
-| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile to use when importing a resource | `string` | `null` | no |
+| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no |
+| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no |
| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no |
| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no |
diff --git a/modules/cognito/providers.tf b/modules/cognito/providers.tf
index de2e8a327..08ee01b2a 100644
--- a/modules/cognito/providers.tf
+++ b/modules/cognito/providers.tf
@@ -1,7 +1,14 @@
provider "aws" {
region = var.region
- profile = coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name)
+ profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
+
+ dynamic "assume_role" {
+ for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
+ content {
+ role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
+ }
+ }
}
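Review bot: The `assume_role` content block sets only `role_arn`, so CloudTrail records for the assumed role will carry the provider's generated session name rather than anything attributable to this component. Consider adding `session_name = "terraform-cognito"` (or a value derived from `module.this.id`) alongside `role_arn` so the session is identifiable in the audit trail, provided the AWS provider version pinned for this component supports that argument. Applying the same name across the other providers.tf files touched in this commit would keep attribution consistent.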
module "iam_roles" {
@@ -12,5 +19,11 @@ module "iam_roles" {
variable "import_profile_name" {
type = string
default = null
- description = "AWS Profile to use when importing a resource"
+ description = "AWS Profile name to use when importing a resource"
+}
+
+variable "import_role_arn" {
+ type = string
+ default = null
+ description = "IAM Role ARN to use when importing a resource"
}
diff --git a/modules/dns-delegated/providers.tf b/modules/dns-delegated/providers.tf
index dd2b4a1fb..944bbdbf0 100644
--- a/modules/dns-delegated/providers.tf
+++ b/modules/dns-delegated/providers.tf
@@ -20,7 +20,7 @@ provider "aws" {
profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
dynamic "assume_role" {
- for_each = var.import_role_arn == null ? (module.iam_roles.terraform_role_arn != null ? [true] : []) : ["import"]
+ for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
content {
role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
}
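Review bot: The new `for_each` drops a case the removed expression handled: previously a non-null `var.import_role_arn` always produced an `assume_role` block, whereas now it is ignored whenever `profiles_enabled` is true, so an import that relied on an explicit role will proceed under the profile instead without any error. If that narrowing is intended (it aligns this file with the other components in the commit), the `import_role_arn` description should say so, e.g. `(only honored when profiles_enabled is false)`; if not, keep the explicit-override case with `for_each = var.import_role_arn != null || !module.iam_roles.profiles_enabled ? ["role"] : []`. The enclosing `provider "aws"` block starts before this hunk and its closing brace is outside it.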
diff --git a/modules/dns-primary/providers.tf b/modules/dns-primary/providers.tf
index 447c00328..08ee01b2a 100644
--- a/modules/dns-primary/providers.tf
+++ b/modules/dns-primary/providers.tf
@@ -4,7 +4,7 @@ provider "aws" {
profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
dynamic "assume_role" {
- for_each = var.import_role_arn == null ? (module.iam_roles.terraform_role_arn != null ? [true] : []) : ["import"]
+ for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
content {
role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
}
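Review bot: As in dns-delegated, the replaced `for_each` used to honor a non-null `var.import_role_arn` regardless of profile mode, and the new `module.iam_roles.profiles_enabled ? [] : ["role"]` ignores it whenever profiles are enabled, so an explicit import role is silently dropped in that mode. Either document the restriction on the `import_role_arn` variable (`only honored when profiles_enabled is false`) or retain the override case: `for_each = var.import_role_arn != null || !module.iam_roles.profiles_enabled ? ["role"] : []`. The `provider "aws"` block this sits in begins before the hunk and ends after it.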
diff --git a/modules/documentdb/providers.tf b/modules/documentdb/providers.tf
index efa9ede5d..08ee01b2a 100644
--- a/modules/documentdb/providers.tf
+++ b/modules/documentdb/providers.tf
@@ -2,6 +2,7 @@ provider "aws" {
region = var.region
profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
+
dynamic "assume_role" {
for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
content {
diff --git a/modules/eks-iam/README.md b/modules/eks-iam/README.md
index a3d00ade4..b2f46f7f3 100644
--- a/modules/eks-iam/README.md
+++ b/modules/eks-iam/README.md
@@ -79,6 +79,7 @@ components:
| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
| [environment](#input\_environment) | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters.
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no |
+| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no |
| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no |
| [kms\_alias\_name](#input\_kms\_alias\_name) | AWS KMS alias used for encryption/decryption of SSM parameters default is alias used in SSM | `string` | `"alias/aws/ssm"` | no |
| [label\_order](#input\_label\_order) | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no |
diff --git a/modules/eks-iam/providers.tf b/modules/eks-iam/providers.tf
old mode 100755
new mode 100644
index 506e16d2e..08ee01b2a
--- a/modules/eks-iam/providers.tf
+++ b/modules/eks-iam/providers.tf
@@ -1,17 +1,25 @@
provider "aws" {
region = var.region
- assume_role {
- # `terraform import` will not use data from a data source,
- # so on import we have to explicitly specify the role
- role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
+ profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
+
+ dynamic "assume_role" {
+ for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
+ content {
+ role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
+ }
}
}
module "iam_roles" {
- source = "../account-map/modules/iam-roles"
- stage = var.stage
- region = var.region
+ source = "../account-map/modules/iam-roles"
+ context = module.this.context
+}
+
+variable "import_profile_name" {
+ type = string
+ default = null
+ description = "AWS Profile name to use when importing a resource"
}
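Review bot: The removed comment (``terraform import` will not use data from a data source, so on import we have to explicitly specify the role`) was the only explanation of why the `import_*` variables exist, and the rewrite keeps the mechanism but loses the rationale. Restore it above the `profile =` line, widened to both paths: `# \`terraform import\` will not use data from a data source, so on import we have to explicitly specify the profile or role via import_profile_name / import_role_arn`. The `module "iam_roles"` call also switches from explicit `stage`/`region` inputs to `context = module.this.context`; that presumably resolves the same account, but it is worth confirming that `module.this.context` carries the stage this component previously passed. The `variable "import_role_arn"` declaration that begins at the end of this hunk continues outside it.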
variable "import_role_arn" {
diff --git a/modules/elasticache-redis/providers.tf b/modules/elasticache-redis/providers.tf
index efa9ede5d..08ee01b2a 100644
--- a/modules/elasticache-redis/providers.tf
+++ b/modules/elasticache-redis/providers.tf
@@ -2,6 +2,7 @@ provider "aws" {
region = var.region
profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
+
dynamic "assume_role" {
for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
content {
diff --git a/modules/mq-broker/README.md b/modules/mq-broker/README.md
index 63c518902..7a67934bd 100644
--- a/modules/mq-broker/README.md
+++ b/modules/mq-broker/README.md
@@ -80,6 +80,7 @@ No resources.
| [host\_instance\_type](#input\_host\_instance\_type) | The broker's instance type. e.g. mq.t2.micro or mq.m4.large | `string` | `"mq.t3.micro"` | no |
| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no |
| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no |
+| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no |
| [kms\_mq\_key\_arn](#input\_kms\_mq\_key\_arn) | ARN of the AWS KMS key used for Amazon MQ encryption | `string` | `null` | no |
| [kms\_ssm\_key\_arn](#input\_kms\_ssm\_key\_arn) | ARN of the AWS KMS key used for SSM encryption | `string` | `"alias/aws/ssm"` | no |
| [label\_key\_case](#input\_label\_key\_case) | The letter case of label keys (`tag` names) (i.e. `name`, `namespace`, `environment`, `stage`, `attributes`) to use in `tags`.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no |
diff --git a/modules/mq-broker/providers.tf b/modules/mq-broker/providers.tf
old mode 100755
new mode 100644
index eb5dcb247..08ee01b2a
--- a/modules/mq-broker/providers.tf
+++ b/modules/mq-broker/providers.tf
@@ -1,8 +1,14 @@
provider "aws" {
region = var.region
- # `terraform import` will not use data from a data source, so on import we have to explicitly specify the profile
- profile = coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name)
+ profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
+
+ dynamic "assume_role" {
+ for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
+ content {
+ role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
+ }
+ }
}
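Review bot: The comment explaining why `import_profile_name` exists (``terraform import` will not use data from a data source, so on import we have to explicitly specify the profile`) is deleted while the behavior it justified is kept and extended to `import_role_arn`, so the next reader sees two seemingly redundant inputs with no reason for them. Put it back above `profile =`, covering both: `# \`terraform import\` will not use data from a data source, so on import we have to explicitly specify the profile or role`. The `import_role_arn` variable this block relies on is declared in the following hunk.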
module "iam_roles" {
@@ -15,3 +21,9 @@ variable "import_profile_name" {
default = null
description = "AWS Profile name to use when importing a resource"
}
+
+variable "import_role_arn" {
+ type = string
+ default = null
+ description = "IAM Role ARN to use when importing a resource"
+}
diff --git a/modules/sqs-queue/providers.tf b/modules/sqs-queue/providers.tf
index efa9ede5d..08ee01b2a 100644
--- a/modules/sqs-queue/providers.tf
+++ b/modules/sqs-queue/providers.tf
@@ -2,6 +2,7 @@ provider "aws" {
region = var.region
profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
+
dynamic "assume_role" {
for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
content {
diff --git a/modules/sso-saml-provider/providers.tf b/modules/sso-saml-provider/providers.tf
index efa9ede5d..08ee01b2a 100644
--- a/modules/sso-saml-provider/providers.tf
+++ b/modules/sso-saml-provider/providers.tf
@@ -2,6 +2,7 @@ provider "aws" {
region = var.region
profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
+
dynamic "assume_role" {
for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
content {
diff --git a/modules/vpc-flow-logs-bucket/README.md b/modules/vpc-flow-logs-bucket/README.md
index 136801ef0..c9170ee2b 100644
--- a/modules/vpc-flow-logs-bucket/README.md
+++ b/modules/vpc-flow-logs-bucket/README.md
@@ -62,7 +62,8 @@ No resources.
| [force\_destroy](#input\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable | `bool` | `false` | no |
| [glacier\_transition\_days](#input\_glacier\_transition\_days) | Number of days after which to move the data to the glacier storage tier | `number` | `60` | no |
| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no |
-| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile to use when importing a resource | `string` | `null` | no |
+| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no |
+| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no |
| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no |
| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no |
diff --git a/modules/vpc-flow-logs-bucket/providers.tf b/modules/vpc-flow-logs-bucket/providers.tf
index 1aa5d23ec..08ee01b2a 100644
--- a/modules/vpc-flow-logs-bucket/providers.tf
+++ b/modules/vpc-flow-logs-bucket/providers.tf
@@ -1,8 +1,14 @@
provider "aws" {
region = var.region
- # `terraform import` will not use data from a data source, so on import we have to explicitly specify the profile
- profile = coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name)
+ profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
+
+ dynamic "assume_role" {
+ for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
+ content {
+ role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
+ }
+ }
}
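Review bot: The same rationale comment that the other providers.tf files lose is dropped here too (``terraform import` will not use data from a data source, so on import we have to explicitly specify the profile`), leaving `import_profile_name` and the new `import_role_arn` unexplained in the file that defines them. Reinstate it above the `profile =` line, e.g. `# \`terraform import\` will not use data from a data source, so on import we have to explicitly specify the profile or role`. Note also that, because of the `profiles_enabled` gate on `for_each`, `var.import_role_arn` has no effect when profiles are enabled; the variable description in the next hunk should say so.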
module "iam_roles" {
@@ -13,6 +19,11 @@ module "iam_roles" {
variable "import_profile_name" {
type = string
default = null
- description = "AWS Profile to use when importing a resource"
+ description = "AWS Profile name to use when importing a resource"
}
+variable "import_role_arn" {
+ type = string
+ default = null
+ description = "IAM Role ARN to use when importing a resource"
+}
diff --git a/modules/zscaler/README.md b/modules/zscaler/README.md
index b117bda96..0adefc619 100644
--- a/modules/zscaler/README.md
+++ b/modules/zscaler/README.md
@@ -84,6 +84,7 @@ import:
| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
| [environment](#input\_environment) | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no |
+| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no |
| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no |
| [instance\_type](#input\_instance\_type) | The instance family to use for the ZScaler EC2 instances. | `string` | `"r5n.medium"` | no |
| [label\_key\_case](#input\_label\_key\_case) | The letter case of label keys (`tag` names) (i.e. `name`, `namespace`, `environment`, `stage`, `attributes`) to use in `tags`.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no |
diff --git a/modules/zscaler/providers.tf b/modules/zscaler/providers.tf
index fd46aae55..08ee01b2a 100644
--- a/modules/zscaler/providers.tf
+++ b/modules/zscaler/providers.tf
@@ -1,10 +1,13 @@
provider "aws" {
region = var.region
- assume_role {
- # `terraform import` will not use data from a data source,
- # so on import we have to explicitly specify the role
- role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
+ profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
+
+ dynamic "assume_role" {
+ for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
+ content {
+ role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
+ }
}
}
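Review bot: The multi-line comment that documented why `import_role_arn` is needed (`terraform import` does not evaluate data-source-derived values) is removed along with the static `assume_role` block, and nothing in the new `dynamic "assume_role"` block replaces it. Keep a one-line version above `profile =`: `# \`terraform import\` will not use data from a data source, so on import we have to explicitly specify the profile or role`. Since the assume-role path is now skipped entirely when `profiles_enabled` is true, the `import_role_arn` description (declared in the following, truncated hunk) should also state that it is only honored when profiles are disabled.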
@@ -13,6 +16,12 @@ module "iam_roles" {
context = module.this.context
}
+variable "import_profile_name" {
+ type = string
+ default = null
+ description = "AWS Profile name to use when importing a resource"
+}
+
variable "import_role_arn" {
type = string
default = null