cloudposse · Nuru · Jun 22, 2023 · Jun 21, 2023 · Jun 22, 2023
@@ -28,7 +28,7 @@ module "account_map" {
 }
 
 locals {
-  profiles_enabled = local.account_map.profiles_enabled
+  profiles_enabled = coalesce(var.profiles_enabled, local.account_map.profiles_enabled)
 
   account_map  = module.account_map.outputs
   account_name = lookup(module.always.descriptors, "account_name", module.always.stage)

@@ -1,9 +1,16 @@
 variable "privileged" {
   type        = bool
-  description = "True if the default provider already has access to the backend"
+  description = "True if the Terraform user already has access to the backend"
   default     = false
 }
 
+variable "profiles_enabled" {
+  type        = bool
+  description = "Whether or not to use profiles instead of roles for Terraform. Default (null) means to use global settings."
+  default     = null
+}
+
+
 ## The overridable_* variables in this file provide Cloud Posse defaults.
 ## Because this module is used in bootstrapping Terraform, we do not configure
 ## these inputs in the normal way. Instead, to change the values, you should

@@ -15,6 +15,9 @@ provider "aws" {
 }
 
 module "iam_roles" {
-  source  = "../../account-map/modules/iam-roles"
+  source = "../../account-map/modules/iam-roles"
+
+  profiles_enabled = false
+
   context = module.this.context
 }
@@ -199,8 +199,6 @@ atmos terraform apply guardduty/org-settings/uw1 -s core-uw1-security
 | <a name="input_findings_notification_arn"></a> [findings\_notification\_arn](#input\_findings\_notification\_arn) | The ARN for an SNS topic to send findings notifications to. This is only used if create\_sns\_topic is false.<br>If you want to send findings to an existing SNS topic, set this to the ARN of the existing topic and set<br>create\_sns\_topic to false. | `string` | `null` | no |
 | <a name="input_global_environment"></a> [global\_environment](#input\_global\_environment) | Global environment name | `string` | `"gbl"` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
-| <a name="input_import_profile_name"></a> [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no |
-| <a name="input_import_role_arn"></a> [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no |
 | <a name="input_kubernetes_audit_logs_enabled"></a> [kubernetes\_audit\_logs\_enabled](#input\_kubernetes\_audit\_logs\_enabled) | If `true`, enables Kubernetes audit logs as a data source for Kubernetes protection.<br><br>For more information, see:<br>https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_detector#audit_logs | `bool` | `false` | no |
 | <a name="input_label_key_case"></a> [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.<br>Does not affect keys of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper`.<br>Default value: `title`. | `string` | `null` | no |
 | <a name="input_label_order"></a> [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |

@@ -1,23 +1,23 @@
 provider "aws" {
   region = var.region
 
-  profile = !var.privileged && module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
+  profile = !var.privileged && module.iam_roles.profiles_enabled ? module.iam_roles.terraform_profile_name : null
   dynamic "assume_role" {
-    for_each = var.privileged || module.iam_roles.profiles_enabled ? [] : ["role"]
+    for_each = var.privileged || module.iam_roles.profiles_enabled || (module.iam_roles.terraform_role_arn == null) ? [] : ["role"]
     content {
-      role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
+      role_arn = module.iam_roles.terraform_role_arn
     }
   }
 }
 
 provider "awsutils" {
   region = var.region
 
-  profile = !var.privileged && module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
+  profile = !var.privileged && module.iam_roles.profiles_enabled ? module.iam_roles.terraform_profile_name : null
   dynamic "assume_role" {
-    for_each = var.privileged || module.iam_roles.profiles_enabled ? [] : ["role"]
+    for_each = var.privileged || module.iam_roles.profiles_enabled || (module.iam_roles.terraform_role_arn == null) ? [] : ["role"]
     content {
-      role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
+      role_arn = module.iam_roles.terraform_role_arn
     }
   }
 }
@@ -28,15 +28,3 @@ module "iam_roles" {
 
   context = module.this.context
 }
-
-variable "import_profile_name" {
-  type        = string
-  default     = null
-  description = "AWS Profile name to use when importing a resource"
-}
-
-variable "import_role_arn" {
-  type        = string
-  default     = null
-  description = "IAM Role ARN to use when importing a resource"
-}