merge changes for create flag

CHANGELOG.md

@@ -50,6 +50,10 @@
 * 1.3.5 -- 20220110
   - add output instance_profile_name
 
+* 1.4.0 -- 20220113
+  - add flag create to trigger creating or not creating the module resources
+  - ignore boc:tf_module_version tag in lifecycle change
+
 ## version 2.x
 
 branch: compat-tf-0.13
@@ -72,3 +76,7 @@ tag: 2.0.1
 
 * 2.1.1 -- 20220110
   - add output instance_profile_name
+
+* 2.2.0 -- 20220113
+  - add flag create to trigger creating or not creating the module resources
+  - ignore boc:tf_module_version tag in lifecycle change

README.md

@@ -146,6 +146,7 @@ No modules.
 | <a name="input_assume_policy_document"></a> [assume\_policy\_document](#input\_assume\_policy\_document) | JSON policy document for role to assume (i.e., the SAML assume document) | `string` | `""` | no |
 | <a name="input_attached_policies"></a> [attached\_policies](#input\_attached\_policies) | List of IAM Policy ARNs to attach to this role | `list(string)` | `[]` | no |
 | <a name="input_component_tags"></a> [component\_tags](#input\_component\_tags) | Additional tags for Components (role, policy) | `map(map(string))` | <pre>{<br>  "policy": {},<br>  "role": {}<br>}</pre> | no |
+| <a name="input_create"></a> [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
 | <a name="input_enable_instance_profile"></a> [enable\_instance\_profile](#input\_enable\_instance\_profile) | Flag to enable/disable instance profile on role | `bool` | `false` | no |
 | <a name="input_enable_ldap_creation"></a> [enable\_ldap\_creation](#input\_enable\_ldap\_creation) | Flag to enable/disable LDAP object creation for role group (for SAML only). Also requires LDAP credentials. | `bool` | `false` | no |
 | <a name="input_inline_policies"></a> [inline\_policies](#input\_inline\_policies) | List of IAM Policy Document objects to include in this role. Format is {name=name,policy=policy-json} | `list(object({ name = string, policy = string }))` | `[]` | no |

main.tf

@@ -118,14 +118,14 @@ locals {
   #  ec2_role_name    = format("%v-ec2-%v", lookup(local._prefixes, "role", ""), local._ec2_role_name)
   #  ec2_policy_name  = format("%v-ec2-%v", lookup(local._prefixes, "policy", ""), local._ec2_role_name)
 
-  ldap_exists         = fileexists("${path.root}/setup/${aws_iam_role.role.name}.ldif")
+  ldap_exists         = fileexists("${path.root}/setup/${local.role_name}.ldif")
   bocappdata_auth     = local.account_environment == "gov" ? "Cloud_AWSGovCloud_Auth" : "Cloud_AWS_Auth"
-  bocappdata_fullauth = format("gov.census.tco:%v=%v,%v", local.bocappdata_auth, aws_iam_role.role.arn, var.saml_provider_arn)
+  bocappdata_fullauth = format("gov.census.tco:%v=%v,%v", local.bocappdata_auth, var.create ? aws_iam_role.role[0].arn : "", var.saml_provider_arn)
   bocappdata_approval = format("gov.census.tco:%v=%v", "CPASS_ApprovalGroup", "cn=CloudServices_Approvers,ou=CloudServices,ou=Administration,ou=eCustomers,o=U.S. Census Bureau,c=US")
 
   ldap_provider_exists = data.external.ldap_provider_bin.result.status == "0" ? true : false
   enable_ldap          = var.enable_ldap_creation && var.ldap_user != "" && var.ldap_password != "" && var.saml_provider_arn != "" && local.ldap_provider_exists
-  ldap_dn              = format("cn=%s,ou=%s,ou=AWS,ou=Cloud,ou=Application,o=U.S. Census Bureau,c=US", aws_iam_role.role.name, local.account_id)
+  ldap_dn              = format("cn=%s,ou=%s,ou=AWS,ou=Cloud,ou=Application,o=U.S. Census Bureau,c=US", var.create ? aws_iam_role.role[0].name : "", local.account_id)
 
   base_tags = {
     "boc:tf_module_version" = local._module_version
@@ -134,6 +134,7 @@ locals {
 }
 
 resource "aws_iam_role" "role" {
+  count                 = var.create ? 1 : 0
   name                  = local.role_name
   description           = local.role_description
   force_detach_policies = local._defaults["force_detach_policies"]
@@ -150,6 +151,10 @@ resource "aws_iam_role" "role" {
     }
   }
 
+  lifecycle {
+    ignore_changes = [tags["boc:tf_module_version"]]
+  }
+
   tags = merge(
     var.tags,
     local.base_tags,
@@ -159,45 +164,58 @@ resource "aws_iam_role" "role" {
 }
 
 resource "aws_iam_role_policy_attachment" "role" {
-  for_each   = toset(var.attached_policies)
-  role       = aws_iam_role.role.name
+  for_each   = var.create ? toset(var.attached_policies) : toset([])
+  role       = var.create ? aws_iam_role.role[0].name : ""
   policy_arn = each.value
 }
 
 resource "aws_iam_instance_profile" "role" {
-  count = var.enable_instance_profile ? 1 : 0
-  name  = aws_iam_role.role.name
-  role  = aws_iam_role.role.name
-  path  = var.instance_profile_path
+  count = var.enable_instance_profile && var.create ? 1 : 0
+  #  name  = aws_iam_role.role.name
+  name = var.create ? aws_iam_role.role[0].name : ""
+  #  role  = aws_iam_role.role.name
+  role = var.create ? aws_iam_role.role[0].name : ""
+  path = var.instance_profile_path
 }
 
 data "template_file" "role" {
-  count    = local.enable_ldap ? 1 : 0
+  count    = local.enable_ldap && var.create ? 1 : 0
   template = file("${path.module}/templates/iam-role-ldif.${local.account_environment}.tpl")
   vars = {
-    role_name         = aws_iam_role.role.name
-    role_arn          = aws_iam_role.role.arn
+    #    role_name         = aws_iam_role.role.name
+    role_name = var.create ? aws_iam_role.role[0].name : ""
+    #    role_arn          = aws_iam_role.role.arn
+    role_arn          = var.create ? aws_iam_role.role[0].arn : ""
     account_id        = local.account_id
     saml_provider_arn = var.saml_provider_arn
     aws_environment   = local.account_environment
   }
 }
 
 resource "null_resource" "role_ldif" {
-  count = local.enable_ldap ? 1 : 0
+  count = var.create && local.enable_ldap ? 1 : 0
+  triggers = {
+    name = local.role_name
+  }
+
   provisioner "local-exec" {
     command = "test -d ${path.root}/setup || mkdir ${path.root}/setup"
   }
   provisioner "local-exec" {
-    command = "echo '${data.template_file.role[0].rendered}' > ${path.root}/setup/${aws_iam_role.role.name}.ldif"
+    command = "echo '${data.template_file.role[0].rendered}' > ${path.root}/setup/${local.role_name}.ldif"
   }
+  # does not work in 0.12
+  #  provisioner "local-exec" {
+  #    when    = destroy
+  #    command = format("rm -f %v/setup/%v.ldif", path.root, self.triggers.name)
+  #  }
   provisioner "local-exec" {
     command = "echo 'Once complete, execute tf-apply again to create LDAP group'"
   }
 }
 
 resource "ldap_object" "role" {
-  count = local.ldap_exists && local.enable_ldap ? 1 : 0
+  count = var.create && local.ldap_exists && local.enable_ldap ? 1 : 0
   #  count    = local.enable_ldap ? 1 : 0
   provider = ldap
   dn       = local.ldap_dn
@@ -207,8 +225,8 @@ resource "ldap_object" "role" {
     "groupOfNames",
   ]
   attributes = [
-    { description = format("%s account=%s type=%s", aws_iam_role.role.name, local.account_id, local.account_environment) },
-    { cn = aws_iam_role.role.name },
+    { description = format("%s account=%s type=%s", var.create ? aws_iam_role.role[0].name : "", local.account_id, local.account_environment) },
+    { cn = var.create ? aws_iam_role.role[0].name : "" },
     { bocApplicationData = format("gov.census.tco:CPASS_FullPath=Cloud/%s/%s", local.account_environment, local.account_id) },
     { bocApplicationData = "gov.census.tco:CPASS_APP=CloudServices" },
     { bocApplicationData = local.bocappdata_fullauth },

outputs.tf

@@ -1,17 +1,27 @@
 
 output "role_arn" {
   description = "Created role ARN"
-  value       = aws_iam_role.role.arn
+  value       = var.create ? aws_iam_role.role[0].arn : ""
 }
 
 output "role_name" {
   description = "Created role name"
-  value       = aws_iam_role.role.name
+  value       = var.create ? aws_iam_role.role[0].name : ""
 }
 
 output "ldap_dn" {
   description = "Created LDAP DN for role (empty if ldap is not enabled)"
-  value       = local.enable_ldap ? local.ldap_dn : ""
+  value       = local.enable_ldap && var.create ? local.ldap_dn : ""
+}
+
+output "instance_profile_arn" {
+  description = "Created instance profile ARN, if enabled"
+  value       = var.create && var.enable_instance_profile ? aws_iam_instance_profile.role[0].arn : ""
+}
+
+output "instance_profile_name" {
+  description = "Created instance profile name, if enabled"
+  value       = var.create && var.enable_instance_profile ? aws_iam_instance_profile.role[0].name : ""
 }
 
 output "instance_profile_arn" {

variables.create.tf

@@ -0,0 +1,6 @@
+variable "create" {
+  description = "Flag to indicate whether to create the resources or not (default: true)"
+  type        = bool
+  default     = true
+}
+

version.tf

@@ -1,4 +1,4 @@
 locals {
-  _module_version = "1.3.5"
-  #  _module_version = "2.1.1"
+  _module_version = "1.4.0"
+  #  _module_version = "2.2.0"
 }

versions.tf

@@ -16,8 +16,3 @@ terraform {
   }
   required_version = ">= 0.13"
 }
-
-# tf 0.12
-# provider "external" {
-#   version = "~> 1.2"
-# }