illumio · rlenglet · Oct 2, 2024 · Sep 30, 2024 · Sep 30, 2024 · Sep 30, 2024
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
@@ -9,12 +9,22 @@ jobs:
       with:
         ref: ${{ github.event.pull_request.head.ref }}
 
-    - name: Render terraform docs inside the README.md and push changes back to PR branch
+    - name: Generate README.md for each Terraform nested module and push changes back to PR branch
       uses: terraform-docs/[email protected]
       with:
         working-dir: .
         recursive: true
         recursive-path: modules
         output-file: README.md
         output-method: inject
+        git-push: "true"
+
+    - name: Generate README.md for each example and push changes back to PR branch
+      uses: terraform-docs/[email protected]
+      with:
+        working-dir: .
+        recursive: true
+        recursive-path: examples
+        output-file: README.md
+        output-method: inject
         git-push: "true"
diff --git a/.gitignore b/.gitignore
@@ -6,4 +6,6 @@
 
 # .tfstate files
 *.tfstate
-*.tfstate.*
+*.tfstate.*
+
+.idea
diff --git a/README.md b/README.md
@@ -1,38 +1,16 @@
-# Illumio Terraform Submodules
-Terraform submodules that add functionality to Illumios terraform provider. See the modules directory for the various sub modules usage.
-
-
-## Availible Features
-1. Onboarding and deploying a cloud-opeartor and credentials to a k8s cluster
-
-## Usage
-
-```
-provider "helm" {
-  kubernetes {
-    config_path = "~/.kube/config"  # Adjust this path as needed
-  }
-}
-
-provider "illumio-cloudsecure" {
-  client_id     = var.illumio_cloudsecure_client_id
-  client_secret = var.illumio_cloudsecure_client_secret
-}
-
-module "k8s_cluster" {
-  source            = "github.com/illumio/terraform-illumio-cloudsecure//modules/k8s_cluster?ref=v0.0.3"
-  illumio_region    = var.illumio_region
-  name              = var.name
-  description       = var.description
-}
-```
+# Illumio CloudSecure Terraform Modules
+Terraform submodules that add functionality to Illumio's CloudSecure Terraform provider. See the modules directory for the various submodules' usage.
+
+## Available Nested Modules
+* `aws_account`: onboarding of an AWS account with CloudSecure.
+* `k8s_cluster`: deployment and onboarding of CloudSecure's `cloud-operator` into a k8s cluster.
 
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_illumio-cloudsecure"></a> [illumio-cloudsecure](#requirement\_illumio-cloudsecure) | ~> 1.0.9 |
+| <a name="requirement_illumio-cloudsecure"></a> [illumio-cloudsecure](#requirement\_illumio-cloudsecure) | ~> 1.0.11 |
 
 ## Providers
 

diff --git a/examples/aws_account/README.md b/examples/aws_account/README.md
@@ -0,0 +1,33 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~>3.0 |
+| <a name="requirement_illumio-cloudsecure"></a> [illumio-cloudsecure](#requirement\_illumio-cloudsecure) | ~> 1.0.11 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_aws_account_dev"></a> [aws\_account\_dev](#module\_aws\_account\_dev) | github.com/illumio/terraform-illumio-cloudsecure//modules/aws_account | v1.1.0 |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_illumio_cloudsecure_client_id"></a> [illumio\_cloudsecure\_client\_id](#input\_illumio\_cloudsecure\_client\_id) | The OAuth 2 client identifier used to authenticate against the CloudSecure Config API. | `string` | n/a | yes |
+| <a name="input_illumio_cloudsecure_client_secret"></a> [illumio\_cloudsecure\_client\_secret](#input\_illumio\_cloudsecure\_client\_secret) | The OAuth 2 client secret used to authenticate against the CloudSecure Config API. | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->
diff --git a/examples/aws_account/main.tf b/examples/aws_account/main.tf
@@ -0,0 +1,17 @@
+provider "aws" {
+  region = "us-west-1"
+}
+
+provider "illumio-cloudsecure" {
+  client_id     = var.illumio_cloudsecure_client_id
+  client_secret = var.illumio_cloudsecure_client_secret
+}
+
+module "aws_account_dev" {
+  source        = "github.com/illumio/terraform-illumio-cloudsecure//modules/aws_account?ref=v1.1.0"
+  name          = "Test Account"
+  tags = {
+      Name  = "CloudSecure Account Policy"
+      Owner = "Engineering"
+  }
+}
diff --git a/examples/aws_account/outputs.tf b/examples/aws_account/outputs.tf
diff --git a/examples/aws_account/variables.tf b/examples/aws_account/variables.tf
@@ -0,0 +1,18 @@
+variable "illumio_cloudsecure_client_id" {
+  type        = string
+  description = "The OAuth 2 client identifier used to authenticate against the CloudSecure Config API."
+  validation {
+    condition     = length(var.name) > 1
+    error_message = "The illumio_cloudsecure_client_id value must not be empty."
+  }
+}
+
+variable "illumio_cloudsecure_client_secret" {
+  type        = string
+  sensitive   = true
+  description = "The OAuth 2 client secret used to authenticate against the CloudSecure Config API."
+  validation {
+    condition     = length(var.name) > 1
+    error_message = "The illumio_cloudsecure_client_secret value must not be empty."
+  }
+}
diff --git a/examples/aws_account/versions.tf b/examples/aws_account/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    illumio-cloudsecure = {
+      source  = "illumio/illumio-cloudsecure"
+      version = "~> 1.0.11"
+    }
+    aws = {
+      source = "hashicorp/aws"
+      version = "~>3.0"
+    }
+  }
+}
diff --git a/examples/k8s_cluster/README.md b/examples/k8s_cluster/README.md
@@ -4,7 +4,7 @@
 | Name | Version |
 |------|---------|
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | ~>2.15.0 |
-| <a name="requirement_illumio-cloudsecure"></a> [illumio-cloudsecure](#requirement\_illumio-cloudsecure) | ~> 1.0.9 |
+| <a name="requirement_illumio-cloudsecure"></a> [illumio-cloudsecure](#requirement\_illumio-cloudsecure) | ~> 1.0.11 |
 
 ## Providers
 
@@ -14,7 +14,7 @@ No providers.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_k8s_cluster"></a> [k8s\_cluster](#module\_k8s\_cluster) | ../../modules/k8s_cluster | n/a |
+| <a name="module_k8s_cluster_dev"></a> [k8s\_cluster\_dev](#module\_k8s\_cluster\_dev) | github.com/illumio/terraform-illumio-cloudsecure//modules/k8s_cluster | v1.1.0 |
 
 ## Resources
 
@@ -24,16 +24,10 @@ No resources.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_description"></a> [description](#input\_description) | The description of the onboarding credential. | `string` | `"Credential to onboard dev clusters in aws-us-west-2 illumio region"` | no |
 | <a name="input_illumio_cloudsecure_client_id"></a> [illumio\_cloudsecure\_client\_id](#input\_illumio\_cloudsecure\_client\_id) | The OAuth 2 client identifier used to authenticate against the CloudSecure Config API. | `string` | n/a | yes |
 | <a name="input_illumio_cloudsecure_client_secret"></a> [illumio\_cloudsecure\_client\_secret](#input\_illumio\_cloudsecure\_client\_secret) | The OAuth 2 client secret used to authenticate against the CloudSecure Config API. | `string` | n/a | yes |
-| <a name="input_illumio_region"></a> [illumio\_region](#input\_illumio\_region) | The Illumio region where the Kubernetes cluster is located. | `string` | `"aws-us-west-2"` | no |
-| <a name="input_name"></a> [name](#input\_name) | The name of the onboarding credential and Helm release. | `string` | `"example-release"` | no |
 
 ## Outputs
 
-| Name | Description |
-|------|-------------|
-| <a name="output_client_id"></a> [client\_id](#output\_client\_id) | The client\_id to use to onboard k8s clusters. |
-| <a name="output_client_secret"></a> [client\_secret](#output\_client\_secret) | The client\_secret to use to onboard k8s clusters. |
+No outputs.
 <!-- END_TF_DOCS -->
diff --git a/examples/k8s_cluster/main.tf b/examples/k8s_cluster/main.tf
@@ -9,9 +9,9 @@ provider "illumio-cloudsecure" {
   client_secret = var.illumio_cloudsecure_client_secret
 }
 
-module "k8s_cluster" {
-  source            = "github.com/illumio/terraform-illumio-cloudsecure//modules/k8s_cluster?ref=v1.0.0"
-  illumio_region    = var.illumio_region
-  name              = var.name
-  description       = var.description
+module "k8s_cluster_dev" {
+  source            = "github.com/illumio/terraform-illumio-cloudsecure//modules/k8s_cluster?ref=v1.1.0"
+  illumio_region    = "aws-us-west-2"
+  name              = "example-release"
+  description       = "Dev cluster in aws-us-west-2"
 }
diff --git a/examples/k8s_cluster/output.tf b/examples/k8s_cluster/output.tf
diff --git a/examples/k8s_cluster/outputs.tf b/examples/k8s_cluster/outputs.tf
diff --git a/examples/k8s_cluster/variables.tf b/examples/k8s_cluster/variables.tf
@@ -1,21 +1,3 @@
-variable "illumio_region" {
-  description = "The Illumio region where the Kubernetes cluster is located."
-  type        = string
-  default     = "aws-us-west-2"
-}
-
-variable "name" {
-  description = "The name of the onboarding credential and Helm release."
-  type        = string
-  default     = "example-release"
-}
-
-variable "description" {
-  description = "The description of the onboarding credential."
-  type        = string
-  default     = "Credential to onboard dev clusters in aws-us-west-2 illumio region"
-}
-
 variable "illumio_cloudsecure_client_id" {
   type        = string
   description = "The OAuth 2 client identifier used to authenticate against the CloudSecure Config API."

diff --git a/examples/k8s_cluster/versions.tf b/examples/k8s_cluster/versions.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     illumio-cloudsecure = {
       source  = "illumio/illumio-cloudsecure"
-      version = "~> 1.0.9"
+      version = "~> 1.0.11"
     }
     helm = {
       source = "hashicorp/helm"

diff --git a/main.tf b/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     illumio-cloudsecure = {
       source  = "illumio/illumio-cloudsecure"
-      version = "~> 1.0.9"
+      version = "~> 1.0.11"
     }
   }
 }
diff --git a/modules/aws_account/README.md b/modules/aws_account/README.md
@@ -0,0 +1,50 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 3.0 |
+| <a name="requirement_illumio-cloudsecure"></a> [illumio-cloudsecure](#requirement\_illumio-cloudsecure) | ~> 1.0.11 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 3.0 |
+| <a name="provider_illumio-cloudsecure"></a> [illumio-cloudsecure](#provider\_illumio-cloudsecure) | ~> 1.0.11 |
+| <a name="provider_random"></a> [random](#provider\_random) | ~> 3.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_role.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.protection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [illumio-cloudsecure_aws_account.account](https://registry.terraform.io/providers/illumio/illumio-cloudsecure/latest/docs/resources/aws_account) | resource |
+| [random_uuid.role_secret](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_organizations_organization.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_iam_name_prefix"></a> [iam\_name\_prefix](#input\_iam\_name\_prefix) | The prefix given to all AWS IAM resource names. | `string` | `"IllumioCloudIntegration"` | no |
+| <a name="input_illumio_cloudsecure_account_id"></a> [illumio\_cloudsecure\_account\_id](#input\_illumio\_cloudsecure\_account\_id) | The CloudSecure AWS account ID that is given the IAM role. | `string` | `"712001342241"` | no |
+| <a name="input_mode"></a> [mode](#input\_mode) | The account's access mode, must be "ReadWrite" (default) or "Read". | `string` | `"ReadWrite"` | no |
+| <a name="input_name"></a> [name](#input\_name) | The name of this account in CloudSecure. | `string` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | The optional tags added to every configured AWS resource. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | The ARN of the IAM role granted to the CloudSecure account. |
+<!-- END_TF_DOCS -->