Aws Flow module #10
Aws Flow module #10
Conversation
- fixed issue in aws_account example - changed aws_account external id generator to random_password to not show it in the plan/apply/destroy making it sensitive - example for aws flow usage. version bump 1.2.0
|
|
||
| resource "aws_iam_role_policy" "IllumioCloudBucketListPolicy" { | ||
| count = length(local.flow_logs_bucket_list) > 0 ? 1 : 0 | ||
| name = "IllumioCloudBucketListPolicy" |
There was a problem hiding this comment.
Don't hardcode names. Follow the same pattern as for aws_account.
modules/aws_flows/main.tf
Outdated
| data "aws_iam_role" "illumio_cloud_integration_role" { | ||
| name = var.role_arn | ||
| } |
There was a problem hiding this comment.
Just modify aws_acocunt to output the role ID instead of the ARN.
|
|
||
| resource "aws_iam_role_policy" "IllumioCloudBucketReadPolicy" { | ||
| count = length(local.flow_logs_bucket_read) > 0 ? 1 : 0 | ||
| name = "IllumioCloudBucketReadPolicy" |
There was a problem hiding this comment.
Don't hardcode names. Follow the same pattern as for aws_account.
| random = { | ||
| source = "hashicorp/random" | ||
| version = "~> 3.0" | ||
| } |
There was a problem hiding this comment.
Remove. Not needed.
| random = { | |
| source = "hashicorp/random" | |
| version = "~> 3.0" | |
| } |
There was a problem hiding this comment.
Keep the names consistent with the Terraform provider's resources.
Rename this module into aws_flow_logs_s3_buckets.
| terraform { | ||
| required_providers { | ||
| illumio-cloudsecure = { | ||
| source = "illumio/illumio-cloudsecure" | ||
| version = "~> 1.0.11" | ||
| } | ||
| aws = { | ||
| source = "hashicorp/aws" | ||
| version = "~> 3.0" | ||
| } | ||
| random = { | ||
| source = "hashicorp/random" | ||
| version = "~> 3.0" | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
Move this into a separate versions.tf file to follow the standard conventions.
|
|
||
| # Use the full ARN with path for GetObject actions | ||
| flow_logs_bucket_read = [ | ||
| for bucket_arn in var.flow_logs_bucket_arns : "${bucket_arn}/*" |
There was a problem hiding this comment.
Also replace //* with /* as in the original CloudFormation Template.
| role = data.aws_iam_role.illumio_cloud_integration_role.id | ||
| policy = jsonencode({ | ||
| Version = "2012-10-17" | ||
| Statement = [{ | ||
| Effect = "Allow" | ||
| Sid = "IllumioBucketListAccess" | ||
| Action = [ | ||
| "s3:ListBucket", | ||
| "s3:ListBucketVersion", | ||
| "s3:GetBucketLocation" | ||
| ] | ||
| Resource = local.flow_logs_bucket_list | ||
| }] | ||
| }) | ||
| } | ||
|
|
||
| resource "aws_iam_role_policy" "IllumioCloudBucketReadPolicy" { | ||
| count = length(local.flow_logs_bucket_read) > 0 ? 1 : 0 | ||
| name = "IllumioCloudBucketReadPolicy" | ||
| role = data.aws_iam_role.illumio_cloud_integration_role.id | ||
| policy = jsonencode({ | ||
| Version = "2012-10-17" | ||
| Statement = [{ | ||
| Effect = "Allow" | ||
| Sid = "IllumioBucketReadAccess" | ||
| Action = ["s3:GetObject"] | ||
| Resource = local.flow_logs_bucket_read | ||
| }] | ||
| }) | ||
| } |
There was a problem hiding this comment.
Just define one policy with two statements.
| @@ -0,0 +1,17 @@ | |||
| variable "flow_logs_bucket_arns" { | |||
There was a problem hiding this comment.
Keep the naming of variables with the naming of attributes of the provider resource:
https://github.com/illumio/terraform-provider-illumio-cloudsecure/blob/010d3d1dc7ac76005ab893aa6d4064968f4ae533/api/schema/aws_flow_logs_s3_bucket.go#L32
| variable "flow_logs_bucket_arns" { | |
| variable "s3_bucket_arns" { |
| } | ||
|
|
||
| resource "aws_iam_role_policy" "IllumioCloudBucketReadPolicy" { | ||
| count = length(local.flow_logs_bucket_read) > 0 ? 1 : 0 |
There was a problem hiding this comment.
Remove. The flow_logs_bucket_arns variable is validated to never be empty.
| count = length(local.flow_logs_bucket_read) > 0 ? 1 : 0 |
| } | ||
|
|
||
| resource "aws_iam_role_policy" "IllumioCloudBucketListPolicy" { | ||
| count = length(local.flow_logs_bucket_list) > 0 ? 1 : 0 |
There was a problem hiding this comment.
Remove. The flow_logs_bucket_arns variable is validated to never be empty.
| count = length(local.flow_logs_bucket_list) > 0 ? 1 : 0 |
|
|
||
| module "aws_flows_dev" { | ||
| source = "github.com/illumio/terraform-illumio-cloudsecure//modules/aws_flows?ref=v1.2.0" | ||
| role_arn = var.illumio_cloudsecure_role_arn |
There was a problem hiding this comment.
Modify this example to add an aws_account to show how those should be used together, instead of taking the role ARN as a variable.
| variable "flow_logs_bucket_arns" { | ||
| type = list(string) | ||
| description = "List of S3 buckets having flow logs" | ||
| validation { | ||
| condition = length(var.flow_logs_bucket_arns) > 0 | ||
| error_message = "The flow_logs_bucket_arns value must not be empty." | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
Remove this. Give a concrete list of literal ARNs in the example to illustrate how to use the module.
| variable "flow_logs_bucket_arns" { | |
| type = list(string) | |
| description = "List of S3 buckets having flow logs" | |
| validation { | |
| condition = length(var.flow_logs_bucket_arns) > 0 | |
| error_message = "The flow_logs_bucket_arns value must not be empty." | |
| } | |
| } |
You can see how we removed all variables other than client_id and client_secret from the other examples.
| variable "illumio_cloudsecure_role_arn" { | ||
| type = string | ||
| description = "The ARN of the IAM role granted to the CloudSecure account." | ||
| validation { | ||
| condition = length(var.illumio_cloudsecure_role_arn) > 1 | ||
| error_message = "The illumio_cloudsecure_role_arn value must not be empty." | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
Remove this. Add an aws_account into the example to illustrate how those two modules should be used together.
| variable "illumio_cloudsecure_role_arn" { | |
| type = string | |
| description = "The ARN of the IAM role granted to the CloudSecure account." | |
| validation { | |
| condition = length(var.illumio_cloudsecure_role_arn) > 1 | |
| error_message = "The illumio_cloudsecure_role_arn value must not be empty." | |
| } | |
| } |
You can see how we removed all variables other than client_id and client_secret from the other examples.
|
closing as covered in #11 |
version bump 1.2.0