Add var.create_elasticsearch_user_role (#161)
* Add var.create_elasticsearch_user_role

* Update README.md

* Modify count condition for assume_role resource

* Use splat expression for default policy document

* Run make github/init
mohamed-essam authored May 11, 2023
1 parent dda8ef4 commit 5b260ae
Showing 7 changed files with 37 additions and 7 deletions.
17 changes: 14 additions & 3 deletions .github/mergify.yml
Expand Up @@ -4,13 +4,17 @@ pull_request_rules:
- name: "approve automated PRs that have passed checks"
conditions:
- "author~=^(cloudpossebot|renovate\\[bot\\])$"
- "base=master"
- "-closed"
- "head~=^(auto-update|renovate)/.*"
- "check-success=test/bats"
- "check-success=test/readme"
- "check-success=test/terratest"
- "check-success=validate-codeowners"
- or:
- "base=master"
- "base=main"
- "base~=^release/v\\d{1,2}$"

actions:
review:
type: "APPROVE"
Expand All @@ -20,7 +24,6 @@ pull_request_rules:
- name: "merge automated PRs when approved and tests pass"
conditions:
- "author~=^(cloudpossebot|renovate\\[bot\\])$"
- "base=master"
- "-closed"
- "head~=^(auto-update|renovate)/.*"
- "check-success=test/bats"
Expand All @@ -30,6 +33,11 @@ pull_request_rules:
- "#approved-reviews-by>=1"
- "#changes-requested-reviews-by=0"
- "#commented-reviews-by=0"
- or:
- "base=master"
- "base=main"
- "base~=^release/v\\d{1,2}$"

actions:
merge:
method: "squash"
Expand All @@ -50,7 +58,10 @@ pull_request_rules:

- name: "remove outdated reviews"
conditions:
- "base=master"
- or:
- "base=master"
- "base=main"
- "base~=^release/v\\d{1,2}$"
actions:
dismiss_reviews:
changes_requested: true
1 change: 1 addition & 0 deletions .github/renovate.json
Expand Up @@ -3,6 +3,7 @@
"config:base",
":preserveSemverRanges"
],
"baseBranches": ["main", "master", "/^release\\/v\\d{1,2}$/"],
"labels": ["auto-update"],
"dependencyDashboardAutoclose": true,
"enabledManagers": ["terraform"],
12 changes: 11 additions & 1 deletion .github/workflows/auto-context.yml
Expand Up @@ -11,6 +11,16 @@ jobs:
steps:
- uses: actions/checkout@v2

- name: Find default branch name
id: defaultBranch
shell: bash
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
run: |
default_branch=$(gh repo view --json defaultBranchRef --jq .defaultBranchRef.name)
echo "defaultBranch=${default_branch}" >> "$GITHUB_OUTPUT"
printf "defaultBranchRef.name=%s\n" "${default_branch}"
- name: Update context.tf
shell: bash
id: update
Expand Down Expand Up @@ -50,7 +60,7 @@ jobs:
To support all the features of the `context` interface.
branch: auto-update/context.tf
base: master
base: ${{ steps.defaultBranch.outputs.defaultBranch }}
delete-branch: true
labels: |
auto-update
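Review bot: The new `Find default branch name` step writes whatever `gh repo view` prints into `$GITHUB_OUTPUT` without checking that it is non-empty, so an empty `--jq` result flows into `base:` in the second hunk as an empty string (`shell: bash` runs with `-e`, so a failing `gh` aborts the step, but an empty result does not). Add a guard after the assignment: `[ -n "${default_branch}" ] || { echo "could not resolve default branch" >&2; exit 1; }`. The same value is exposed on most event payloads as `${{ github.event.repository.default_branch }}`, which would avoid handing `GITHUB_TOKEN` to this step at all. If this workflow is produced by `make github/init`, as the commit message suggests, the fix belongs in that template rather than in this copy.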
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -224,6 +224,7 @@ Available targets:
| <a name="input_cognito_user_pool_id"></a> [cognito\_user\_pool\_id](#input\_cognito\_user\_pool\_id) | The ID of the Cognito User Pool to use | `string` | `""` | no |
| <a name="input_cold_storage_enabled"></a> [cold\_storage\_enabled](#input\_cold\_storage\_enabled) | Enables cold storage support. | `bool` | `false` | no |
| <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br> "additional_tag_map": {},<br> "attributes": [],<br> "delimiter": null,<br> "descriptor_formats": {},<br> "enabled": true,<br> "environment": null,<br> "id_length_limit": null,<br> "label_key_case": null,<br> "label_order": [],<br> "label_value_case": null,<br> "labels_as_tags": [<br> "unset"<br> ],<br> "name": null,<br> "namespace": null,<br> "regex_replace_chars": null,<br> "stage": null,<br> "tags": {},<br> "tenant": null<br>}</pre> | no |
| <a name="input_create_elasticsearch_user_role"></a> [create\_elasticsearch\_user\_role](#input\_create\_elasticsearch\_user\_role) | Whether to create an IAM role for Users/EC2 to assume to access the Elasticsearch domain. Set it to `false` if you already manage access through other means. | `bool` | `true` | no |
| <a name="input_create_iam_service_linked_role"></a> [create\_iam\_service\_linked\_role](#input\_create\_iam\_service\_linked\_role) | Whether to create `AWSServiceRoleForAmazonElasticsearchService` service-linked role. Set it to `false` if you already have an ElasticSearch cluster created in the AWS account and AWSServiceRoleForAmazonElasticsearchService already exists. See https://github.com/terraform-providers/terraform-provider-aws/issues/5218 for more info | `bool` | `true` | no |
| <a name="input_create_security_group"></a> [create\_security\_group](#input\_create\_security\_group) | Whether to create a dedicated security group for the Elasticsearch domain. Set it to `false` if you already have security groups that you want to attach to the domain and specify them in the `security_groups` variable. | `bool` | `true` | no |
| <a name="input_custom_endpoint"></a> [custom\_endpoint](#input\_custom\_endpoint) | Fully qualified domain for custom endpoint. | `string` | `""` | no |
1 change: 1 addition & 0 deletions docs/terraform.md
Expand Up @@ -61,6 +61,7 @@
| <a name="input_cognito_user_pool_id"></a> [cognito\_user\_pool\_id](#input\_cognito\_user\_pool\_id) | The ID of the Cognito User Pool to use | `string` | `""` | no |
| <a name="input_cold_storage_enabled"></a> [cold\_storage\_enabled](#input\_cold\_storage\_enabled) | Enables cold storage support. | `bool` | `false` | no |
| <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br> "additional_tag_map": {},<br> "attributes": [],<br> "delimiter": null,<br> "descriptor_formats": {},<br> "enabled": true,<br> "environment": null,<br> "id_length_limit": null,<br> "label_key_case": null,<br> "label_order": [],<br> "label_value_case": null,<br> "labels_as_tags": [<br> "unset"<br> ],<br> "name": null,<br> "namespace": null,<br> "regex_replace_chars": null,<br> "stage": null,<br> "tags": {},<br> "tenant": null<br>}</pre> | no |
| <a name="input_create_elasticsearch_user_role"></a> [create\_elasticsearch\_user\_role](#input\_create\_elasticsearch\_user\_role) | Whether to create an IAM role for Users/EC2 to assume to access the Elasticsearch domain. Set it to `false` if you already manage access through other means. | `bool` | `true` | no |
| <a name="input_create_iam_service_linked_role"></a> [create\_iam\_service\_linked\_role](#input\_create\_iam\_service\_linked\_role) | Whether to create `AWSServiceRoleForAmazonElasticsearchService` service-linked role. Set it to `false` if you already have an ElasticSearch cluster created in the AWS account and AWSServiceRoleForAmazonElasticsearchService already exists. See https://github.com/terraform-providers/terraform-provider-aws/issues/5218 for more info | `bool` | `true` | no |
| <a name="input_create_security_group"></a> [create\_security\_group](#input\_create\_security\_group) | Whether to create a dedicated security group for the Elasticsearch domain. Set it to `false` if you already have security groups that you want to attach to the domain and specify them in the `security_groups` variable. | `bool` | `true` | no |
| <a name="input_custom_endpoint"></a> [custom\_endpoint](#input\_custom\_endpoint) | Fully qualified domain for custom endpoint. | `string` | `""` | no |
6 changes: 3 additions & 3 deletions main.tf
Expand Up @@ -70,7 +70,7 @@ resource "aws_iam_service_linked_role" "default" {

# Role that pods can assume for access to elasticsearch and kibana
resource "aws_iam_role" "elasticsearch_user" {
count = module.this.enabled && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0) ? 1 : 0
count = module.this.enabled && var.create_elasticsearch_user_role && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0) ? 1 : 0
name = module.user_label.id
assume_role_policy = join("", data.aws_iam_policy_document.assume_role.*.json)
description = "IAM Role to assume to access the Elasticsearch ${module.this.id} cluster"
Expand All @@ -82,7 +82,7 @@ resource "aws_iam_role" "elasticsearch_user" {
}

data "aws_iam_policy_document" "assume_role" {
count = module.this.enabled && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0) ? 1 : 0
count = module.this.enabled && var.create_elasticsearch_user_role && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0) ? 1 : 0

statement {
actions = [
Expand Down Expand Up @@ -255,7 +255,7 @@ data "aws_iam_policy_document" "default" {

principals {
type = "AWS"
identifiers = distinct(compact(concat(var.iam_role_arns, aws_iam_role.elasticsearch_user.*.arn)))
identifiers = distinct(compact(concat(var.iam_role_arns, aws_iam_role.elasticsearch_user[*].arn)))
}
}

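Review bot: With `create_elasticsearch_user_role = false` and `var.iam_role_arns` empty, the `principals` block in the last hunk evaluates `distinct(compact(concat(...)))` to an empty `identifiers` list while the statement containing it still exists; unless the enclosing statement of `data.aws_iam_policy_document.default` (its start is outside the hunk) is already gated on those inputs, this yields an access-policy statement with no principal, which either fails provider validation or is rejected by AWS as malformed. Guard that statement on `length(var.iam_role_arns) > 0 || var.create_elasticsearch_user_role`, or state in the variable description that `iam_role_arns` must be set when the flag is off. Separately, the line after the changed `count` in the first hunk still uses the legacy `assume_role.*.json` splat while the last hunk migrates to `[*]`; `assume_role_policy = join("", data.aws_iam_policy_document.assume_role[*].json)` keeps the file consistent.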
6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -10,6 +10,12 @@ variable "create_security_group" {
description = "Whether to create a dedicated security group for the Elasticsearch domain. Set it to `false` if you already have security groups that you want to attach to the domain and specify them in the `security_groups` variable."
}

variable "create_elasticsearch_user_role" {
type = bool
default = true
description = "Whether to create an IAM role for Users/EC2 to assume to access the Elasticsearch domain. Set it to `false` if you already manage access through other means."
}

variable "ingress_port_range_start" {
type = number
default = 0
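Review bot: The description of `create_elasticsearch_user_role` does not say what happens to the inputs that feed the role when it is `false`; the `assume_role` policy document is gated by the same condition in main.tf, so `iam_authorizing_role_arns`, which presumably only feeds that document, silently has no effect. Extend the description with: `When false, iam_authorizing_role_arns is ignored and the principals granted access by the domain access policy must be supplied via iam_role_arns.` The same sentence should be carried into the README and docs/terraform.md tables, which are generated from this description.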
