From e40d47b396f0ad07d22e7caccacde0a06c8e0d22 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 16 Dec 2021 10:07:49 -0500 Subject: [PATCH 01/20] v1.3.1: add max_session_duration variable --- CHANGELOG.md | 29 ++++++++++++++++++++++++ README.md | 2 ++ defaults.tf | 6 +++++ main.tf | 10 ++++---- variables.ldap.tf | 27 ++++++++++++++++++++++ variables.tf | 58 ++++------------------------------------------- version.tf | 2 +- 7 files changed, 75 insertions(+), 59 deletions(-) create mode 100644 defaults.tf create mode 100644 variables.ldap.tf diff --git a/CHANGELOG.md b/CHANGELOG.md index 9af80b1..52c10ca 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ # Versions +## version 1.x + * v1.0.0 -- 20210301 - initial creation @@ -22,3 +24,30 @@ * v1.3.0 -- 20211018 - add new bocApplicationData CPASS_ApprovalGroup attribute + +* 2.0.1 -- 20211216 + - add max_session_duration variable + - split ldap variables into variables.ldap.tf + - add defaults.tf + +* v1.3.0 -- 20211018 + - add new bocApplicationData CPASS_ApprovalGroup attribute + +* 1.3.1 -- 20211216 + - add max_session_duration variable + - split ldap variables into variables.ldap.tf + - add defaults.tf + +## version 2.x + +branch: compat-tf-0.13 +tag: 2.0.1 + +* v1.3.0-compat-tf-0.13 -- 20211122 + - tag compat-tf-0.13 + - add provider support for tf 0.13+ + +* 2.0.1 -- 20211216 + - add max_session_duration variable + - split ldap variables into variables.ldap.tf + - add defaults.tf diff --git a/README.md b/README.md index f92f23d..05ca258 100644 --- a/README.md +++ b/README.md @@ -56,6 +56,7 @@ module "myrole1" { ldap_password = "password1234$$" # optional + max_session_duration = 14400 # 4h ldap_host = "ldap.e.tco.census.gov" ldap_port = 389 } 
@@ -148,6 +149,7 @@ No modules. | [ldap\_password](#input\_ldap\_password) | LDAP password for ldap\_user for writing data into eDirectory or Active Directory | `string` | `""` | no | | [ldap\_port](#input\_ldap\_port) | LDAP port (default is 389 but also using STARTTLS) | `number` | `389` | no | | [ldap\_user](#input\_ldap\_user) | LDAP user for writing data into eDirectory or Active Directory | `string` | `""` | no | +| [max\_session\_duration](#input\_max\_session\_duration) | n/a | `number` | `3600` | no | | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (role, policy). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | | [role\_description](#input\_role\_description) | Role/application description | `string` | `""` | no | | [role\_name](#input\_role\_name) | Role/application name without prefix | `string` | n/a | yes | diff --git a/defaults.tf b/defaults.tf new file mode 100644 index 0000000..71d8828 --- /dev/null +++ b/defaults.tf @@ -0,0 +1,6 @@ +locals { + _defaults = { + "force_detach_policies" = false + "max_session_duration" = 3600 + } +} diff --git a/main.tf b/main.tf index eaa4ffe..4097ccc 100644 --- a/main.tf +++ b/main.tf @@ -57,6 +57,7 @@ * ldap_password = "password1234$$" * * # optional +* max_session_duration = 14400 # 4h * ldap_host = "ldap.e.tco.census.gov" * ldap_port = 389 * } @@ -135,8 +136,8 @@ locals { resource "aws_iam_role" "role" { name = local.role_name description = local.role_description - force_detach_policies = false - max_session_duration = 3600 + force_detach_policies = lookup(local._defaults["force_detatch_policies"], false) + max_session_duration = var.max_session_duration # assume_role_policy = data.terraform_remote_state.common.outputs.inf_saml_assume_policy_document assume_role_policy = var.assume_policy_document 
@@ -153,7 +154,7 @@ resource "aws_iam_role" "role" {
 var.tags,
 local.base_tags,
 lookup(var.component_tags, "role", {}),
- map("Name", local.role_name)
+ tomap({ Name = local.role_name })
 )
 }
@@ -196,7 +197,8 @@ resource "null_resource" "role_ldif" {
 }
 resource "ldap_object" "role" {
- count = local.ldap_exists && local.enable_ldap ? 1 : 0
+ count = local.ldap_exists && local.enable_ldap ? 1 : 0
+ # count = local.enable_ldap ? 1 : 0
 provider = ldap
 dn = local.ldap_dn
 object_classes = [
diff --git a/variables.ldap.tf b/variables.ldap.tf
new file mode 100644
index 0000000..5b7f231
--- /dev/null
+++ b/variables.ldap.tf
@@ -0,0 +1,27 @@
+#---
+# ldap
+#---
+variable "ldap_user" {
+ description = "LDAP user for writing data into eDirectory or Active Directory"
+ type = string
+ default = ""
+}
+
+variable "ldap_password" {
+ description = "LDAP password for ldap_user for writing data into eDirectory or Active Directory"
+ type = string
+ default = ""
+}
+
+variable "ldap_host" {
+ description = "LDAP Hostname (default is for eBOCAS)"
+ type = string
+ default = "ldap.e.tco.census.gov"
+}
+
+variable "ldap_port" {
+ description = "LDAP port (default is 389 but also using STARTTLS)"
+ type = number
+ default = 389
+}
+
diff --git a/variables.tf b/variables.tf
index 8cfe127..fcc3376 100644
--- a/variables.tf
+++ b/variables.tf
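Review bot: `ldap_password` moves into variables.ldap.tf unchanged, so it is still a plain `string` input whose value lands in the state file and in plan output; nothing on this 0.12-compatible branch can mark it (`sensitive = true` needs Terraform 0.14), but the description should say where the value ends up so callers pass it through `TF_VAR_ldap_password` rather than a committed tfvars file. Suggest `description = "LDAP bind password for ldap_user (stored in state and shown in plan output; pass via TF_VAR_ldap_password, not a committed tfvars file)"`, and `sensitive = true` on the 0.13+ branch once it moves to 0.14 or later. The `ldap_port` description says 389 is "also using STARTTLS", but whether the provider actually negotiates STARTTLS is not visible in this hunk; if it does not, a bind on 389 sends the password in clear, so the description should state which it is.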
@@ -51,31 +51,10 @@ variable "instance_profile_path" { default = "/" } -#--- -# ldap -#--- -variable "ldap_user" { - description = "LDAP user for writing data into eDirectory or Active Directory" - type = string - default = "" -} - -variable "ldap_password" { - description = "LDAP password for ldap_user for writing data into eDirectory or Active Directory" - type = string - default = "" -} - -variable "ldap_host" { - description = "LDAP Hostname (default is for eBOCAS)" - type = string - default = "ldap.e.tco.census.gov" -} - -variable "ldap_port" { - description = "LDAP port (default is 389 but also using STARTTLS)" - type = number - default = 389 +variable "max_session_duration" { + descriptio = "Override the maximum session duration from the default (3600)" + type = number + default = 3600 } variable "component_tags" { @@ -83,32 +62,3 @@ variable "component_tags" { type = map(map(string)) default = { "role" = {}, "policy" = {} } } - - -## #--- -## # instance role -## #--- -## variable "ec2_role_name" { -## description = "EC2 instace Role/application name without prefix" -## type = string -## default = "" -## } -## -## variable "enable_instance_role" { -## description = "Flag to enable the creation of a partner EC2 instance role with specific policies and optionally a different name" -## type = bool -## default = false -## } -## -## variable "ec2_assume_policy_document" { -## description = "JSON policy document for EC2 instance role (default is sts:AssumeRole for ec2 service)" -## type = string -## default = "" -## } -## -## variable "ec2_attached_policies" { -## description = "List of IAM Policy ARNs to attach to this EC2 instance role" -## type = list(string) -## default = [] -## } -## diff --git a/version.tf b/version.tf index 08f3f68..e4a1130 100644 --- a/version.tf +++ b/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "1.3.0" + _module_version = "1.3.1" } From 91c2de94eb10c09b78cf6411d2a9bd156cd9b5b9 Mon Sep 17 00:00:00 2001 
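Review bot: The new `max_session_duration` variable states neither its unit nor the range AWS accepts, so an out-of-range value (e.g. `60`, read as seconds) is rejected only at apply time by the IAM API; IAM accepts 3600 to 43200 seconds. Suggest `description = "Maximum session duration in seconds for the role (AWS accepts 3600-43200; default 3600 = 1h)"`, which also makes clear that raising it extends how long credentials issued against the role stay valid. A `validation` block could enforce the bound up front, but that needs Terraform 0.13+, so it belongs on the 2.x branch rather than here. The README example in this patch's first hunk uses `14400 # 4h`, which matches the seconds reading.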
From: badra001 Date: Thu, 16 Dec 2021 13:44:55 -0500 Subject: [PATCH 02/20] fix --- README.md | 2 +- variables.tf | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 05ca258..0aa7636 100644 --- a/README.md +++ b/README.md @@ -149,7 +149,7 @@ No modules. | [ldap\_password](#input\_ldap\_password) | LDAP password for ldap\_user for writing data into eDirectory or Active Directory | `string` | `""` | no | | [ldap\_port](#input\_ldap\_port) | LDAP port (default is 389 but also using STARTTLS) | `number` | `389` | no | | [ldap\_user](#input\_ldap\_user) | LDAP user for writing data into eDirectory or Active Directory | `string` | `""` | no | -| [max\_session\_duration](#input\_max\_session\_duration) | n/a | `number` | `3600` | no | +| [max\_session\_duration](#input\_max\_session\_duration) | Override the maximum session duration from the default (3600) | `number` | `3600` | no | | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (role, policy). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | | [role\_description](#input\_role\_description) | Role/application description | `string` | `""` | no | | [role\_name](#input\_role\_name) | Role/application name without prefix | `string` | n/a | yes | diff --git a/variables.tf b/variables.tf index fcc3376..8baae5f 100644 --- a/variables.tf +++ b/variables.tf @@ -52,9 +52,9 @@ variable "instance_profile_path" { } variable "max_session_duration" { - descriptio = "Override the maximum session duration from the default (3600)" - type = number - default = 3600 + description = "Override the maximum session duration from the default (3600)" + type = number + default = 3600 } variable "component_tags" { From 6d93495ec96373d537d02b3378997af54505f9ae Mon Sep 17 00:00:00 2001 
From: badra001 Date: Thu, 16 Dec 2021 13:55:37 -0500 Subject: [PATCH 03/20] fix --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 4097ccc..b5e7ccc 100644 --- a/main.tf +++ b/main.tf @@ -136,7 +136,7 @@ locals { resource "aws_iam_role" "role" { name = local.role_name description = local.role_description - force_detach_policies = lookup(local._defaults["force_detatch_policies"], false) + force_detach_policies = local._defaults["force_detatch_policies"] max_session_duration = var.max_session_duration # assume_role_policy = data.terraform_remote_state.common.outputs.inf_saml_assume_policy_document assume_role_policy = var.assume_policy_document From a22445ea0d984e8c2454d832f63c365a33c4ea08 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 16 Dec 2021 13:58:27 -0500 Subject: [PATCH 04/20] fix --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index b5e7ccc..6f782d2 100644 --- a/main.tf +++ b/main.tf @@ -136,7 +136,7 @@ locals { resource "aws_iam_role" "role" { name = local.role_name description = local.role_description - force_detach_policies = local._defaults["force_detatch_policies"] + force_detach_policies = lookup(local._defaults, "force_detach_policies", false) max_session_duration = var.max_session_duration # assume_role_policy = data.terraform_remote_state.common.outputs.inf_saml_assume_policy_document assume_role_policy = var.assume_policy_document From b30211746c1303d058eb4ff81908952143ab8d70 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 16 Dec 2021 13:58:52 -0500 Subject: [PATCH 05/20] fix --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 6f782d2..b64db98 100644 --- a/main.tf +++ b/main.tf 
@@ -136,7 +136,7 @@ locals { resource "aws_iam_role" "role" { name = local.role_name description = local.role_description - force_detach_policies = lookup(local._defaults, "force_detach_policies", false) + force_detach_policies = local._defaults["force_detach_policies"] max_session_duration = var.max_session_duration # assume_role_policy = data.terraform_remote_state.common.outputs.inf_saml_assume_policy_document assume_role_policy = var.assume_policy_document From 30cb2490d86a51993174c09ee1f71434ece5683e Mon Sep 17 00:00:00 2001 From: badra001 Date: Wed, 22 Dec 2021 15:26:14 -0500 Subject: [PATCH 06/20] v1.3.2: add output instance_profile_arn --- CHANGELOG.md | 6 ++++++ README.md | 1 + outputs.tf | 5 +++++ version.tf | 2 +- 4 files changed, 13 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 52c10ca..8a6741a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -38,6 +38,9 @@ - split ldap variables into variables.ldap.tf - add defaults.tf +* 1.3.2 -- 20211222 + - output instance_profile_arn + ## version 2.x branch: compat-tf-0.13 @@ -51,3 +54,6 @@ tag: 2.0.1 - add max_session_duration variable - split ldap variables into variables.ldap.tf - add defaults.tf + +* 2.0.2 -- 20211222 + - output instance_profile_arn diff --git a/README.md b/README.md index 0aa7636..085cdf6 100644 --- a/README.md +++ b/README.md @@ -160,6 +160,7 @@ No modules. | Name | Description | |------|-------------| +| [instance\_profile\_arn](#output\_instance\_profile\_arn) | Created instance profile ARN, if enabled | | [ldap\_dn](#output\_ldap\_dn) | Created LDAP DN for role (empty if ldap is not enabled) | | [role\_arn](#output\_role\_arn) | Created role ARN | | [role\_name](#output\_role\_name) | Created role name | diff --git a/outputs.tf b/outputs.tf index 84a527a..312ad09 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -13,3 +13,8 @@ output "ldap_dn" { description = "Created LDAP DN for role (empty if ldap is not enabled)" value = local.enable_ldap ? local.ldap_dn : "" } + +output "instance_profile_arn" { + description = "Created instance profile ARN, if enabled" + value = var.enable_instance_profile ? aws_iam_instance_profile.role.arn : "" +} diff --git a/version.tf b/version.tf index e4a1130..5ec2ece 100644 --- a/version.tf +++ b/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "1.3.1" + _module_version = "1.3.2" } From d195ebe3a71263e335f5c3e604c313e76b6d6fc1 Mon Sep 17 00:00:00 2001 From: badra001 Date: Wed, 22 Dec 2021 15:37:31 -0500 Subject: [PATCH 07/20] fix --- outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/outputs.tf b/outputs.tf index 312ad09..9a56266 100644 --- a/outputs.tf +++ b/outputs.tf @@ -16,5 +16,5 @@ output "ldap_dn" { output "instance_profile_arn" { description = "Created instance profile ARN, if enabled" - value = var.enable_instance_profile ? aws_iam_instance_profile.role.arn : "" + value = var.enable_instance_profile ? aws_iam_instance_profile.role[0].arn : "" } From 35405741535da34365fff4082f053d216012cf8a Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 6 Jan 2022 12:24:07 -0500 Subject: [PATCH 08/20] update changelog, version --- CHANGELOG.md | 6 ++++++ version.tf | 3 ++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8a6741a..391c2ca 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -41,6 +41,9 @@ * 1.3.2 -- 20211222 - output instance_profile_arn +* 1.3.3 -- 20220106 + - add version number max for external provier to 1.2 (2.x not compatible with tf 0.12) + ## version 2.x branch: compat-tf-0.13 @@ -57,3 +60,6 @@ tag: 2.0.1 * 2.0.2 -- 20211222 - output instance_profile_arn + +* 2.1.0 -- 20220106 + - prep for tf 0.13+ diff --git a/version.tf b/version.tf index 5ec2ece..4df8d41 100644 --- a/version.tf +++ b/version.tf 
@@ -1,3 +1,4 @@ locals { - _module_version = "1.3.2" + _module_version = "1.3.3" + # _module_version = "2.1.0" } From 6c310157fe33c23cc0b48a142aa20248c45f9060 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 6 Jan 2022 12:32:35 -0500 Subject: [PATCH 09/20] pin version to 1.2 --- README.md | 15 ++++++++++----- versions.tf | 23 +++++++++++++++++++++++ 2 files changed, 33 insertions(+), 5 deletions(-) create mode 100644 versions.tf diff --git a/README.md b/README.md index 085cdf6..a8091bb 100644 --- a/README.md +++ b/README.md @@ -100,15 +100,20 @@ module "myrole3" { ## Requirements -No requirements. +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.13 | +| [aws](#requirement\_aws) | >= 3.66.0 | +| [external](#requirement\_external) | >= 2.2.0 | +| [ldap](#requirement\_ldap) | >= 0.5.4 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | n/a | -| [external](#provider\_external) | n/a | -| [ldap](#provider\_ldap) | n/a | +| [aws](#provider\_aws) | >= 3.66.0 | +| [external](#provider\_external) | >= 2.2.0 | +| [ldap](#provider\_ldap) | >= 0.5.4 | | [null](#provider\_null) | n/a | | [template](#provider\_template) | n/a | 
@@ -123,7 +128,7 @@ No modules.
 | [aws_iam_instance_profile.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
 | [aws_iam_role.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [ldap_object.role](https://registry.terraform.io/providers/hashicorp/ldap/latest/docs/resources/object) | resource |
+| [ldap_object.role](https://registry.terraform.io/providers/trevex/ldap/latest/docs/resources/object) | resource |
 | [null_resource.role_ldif](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
diff --git a/versions.tf b/versions.tf
new file mode 100644
index 0000000..f6feb00
--- /dev/null
+++ b/versions.tf
@@ -0,0 +1,23 @@
+# tf 0.13+
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.66.0"
+ }
+ ldap = {
+ source = "trevex/ldap"
+ version = ">= 0.5.4"
+ }
+ external = {
+ source = "hashicorp/external"
+ version = ">= 2.2.0"
+ }
+ }
+ required_version = ">= 0.13"
+}
+
+# tf 0.12
+# provider "external" {
+# version = "~> 1.2"
+# }
From 3b0fa4c26fd68e5c03bc8b7ec6b01c6c49891817 Mon Sep 17 00:00:00 2001
From: badra001
Date: Thu, 6 Jan 2022 12:56:28 -0500
Subject: [PATCH 10/20] fix
---
 README.md | 5 ++---
 versions.tf | 15 ++++++---------
 2 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index a8091bb..839c923 100644
--- a/README.md
+++ b/README.md
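Review bot: The three `version = ">= …"` constraints in the new versions.tf have no upper bound, so a fresh `terraform init` selects whatever major release of aws, ldap or external is current, and a major bump is exactly where breaking changes land — the series hits that with external 2.x in the very next patch. Pessimistic constraints bound to the tested major, `version = "~> 3.66"` for aws and `version = "~> 0.5"` for ldap, still take new minors and patches but stop a major from being pulled in unreviewed; the commented-out 0.12 block at the end already uses that form (`~> 1.2`) for external. Committing `.terraform.lock.hcl` would pin exact provider versions and checksums as well, but that file only exists from Terraform 0.14, so it is a 2.x-branch item.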
@@ -102,9 +102,8 @@ module "myrole3" { | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | | [aws](#requirement\_aws) | >= 3.66.0 | -| [external](#requirement\_external) | >= 2.2.0 | +| [external](#requirement\_external) | ~> 1.1 | | [ldap](#requirement\_ldap) | >= 0.5.4 | ## Providers @@ -112,7 +111,7 @@ module "myrole3" { | Name | Version | |------|---------| | [aws](#provider\_aws) | >= 3.66.0 | -| [external](#provider\_external) | >= 2.2.0 | +| [external](#provider\_external) | ~> 1.1 | | [ldap](#provider\_ldap) | >= 0.5.4 | | [null](#provider\_null) | n/a | | [template](#provider\_template) | n/a | diff --git a/versions.tf b/versions.tf index f6feb00..512d138 100644 --- a/versions.tf +++ b/versions.tf @@ -1,4 +1,3 @@ -# tf 0.13+ terraform { required_providers { aws = { @@ -10,14 +9,12 @@ terraform { version = ">= 0.5.4" } external = { - source = "hashicorp/external" - version = ">= 2.2.0" + source = "hashicorp/external" + # tf 0.13 + # version = ">= 2.2.0" + # tf 0.12 + version = "~> 1.1" } } - required_version = ">= 0.13" + # required_version = ">= 0.13" } - -# tf 0.12 -# provider "external" { -# version = "~> 1.2" -# } From be33406a5a21cd79e1a46f082465dc7fe029c4e4 Mon Sep 17 00:00:00 2001 From: badra001 Date: Fri, 7 Jan 2022 12:50:13 -0500 Subject: [PATCH 11/20] 1.3.4: fix to removeve ldap provider in requirements for tf-0.12 --- CHANGELOG.md | 3 +++ README.md | 5 ++--- version.tf | 2 +- versions.tf | 8 ++++---- 4 files changed, 10 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 391c2ca..459df6b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -44,6 +44,9 @@ * 1.3.3 -- 20220106 - add version number max for external provier to 1.2 (2.x not compatible with tf 0.12) +* 1.3.4 -- 20220107 + - fix to remove ldap provider for tf-0.12 + ## version 2.x branch: compat-tf-0.13 diff --git a/README.md b/README.md index 839c923..a07bc31 100644 --- a/README.md +++ b/README.md 
@@ -104,7 +104,6 @@ module "myrole3" { |------|---------| | [aws](#requirement\_aws) | >= 3.66.0 | | [external](#requirement\_external) | ~> 1.1 | -| [ldap](#requirement\_ldap) | >= 0.5.4 | ## Providers @@ -112,7 +111,7 @@ module "myrole3" { |------|---------| | [aws](#provider\_aws) | >= 3.66.0 | | [external](#provider\_external) | ~> 1.1 | -| [ldap](#provider\_ldap) | >= 0.5.4 | +| [ldap](#provider\_ldap) | n/a | | [null](#provider\_null) | n/a | | [template](#provider\_template) | n/a | @@ -127,7 +126,7 @@ No modules. | [aws_iam_instance_profile.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource | | [aws_iam_role.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [ldap_object.role](https://registry.terraform.io/providers/trevex/ldap/latest/docs/resources/object) | resource | +| [ldap_object.role](https://registry.terraform.io/providers/hashicorp/ldap/latest/docs/resources/object) | resource | | [null_resource.role_ldif](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | diff --git a/version.tf b/version.tf index 4df8d41..a057cc0 100644 --- a/version.tf +++ b/version.tf @@ -1,4 +1,4 @@ locals { - _module_version = "1.3.3" + _module_version = "1.3.4" # _module_version = "2.1.0" } diff --git a/versions.tf b/versions.tf index 512d138..8a51c93 100644 --- a/versions.tf +++ b/versions.tf 
@@ -4,10 +4,10 @@ terraform { source = "hashicorp/aws" version = ">= 3.66.0" } - ldap = { - source = "trevex/ldap" - version = ">= 0.5.4" - } + # ldap = { + # source = "trevex/ldap" + # version = ">= 0.5.4" + # } external = { source = "hashicorp/external" # tf 0.13 From ac8a160bfd9682887c06aa33bf17263a79a18284 Mon Sep 17 00:00:00 2001 From: badra001 Date: Mon, 10 Jan 2022 12:10:00 -0500 Subject: [PATCH 12/20] 1.3.5: add output instance_profile_name --- CHANGELOG.md | 6 ++++++ README.md | 1 + outputs.tf | 5 +++++ version.tf | 4 ++-- 4 files changed, 14 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 459df6b..5f62325 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -47,6 +47,9 @@ * 1.3.4 -- 20220107 - fix to remove ldap provider for tf-0.12 +* 1.3.5 -- 20220110 + - add output instance_profile_name + ## version 2.x branch: compat-tf-0.13 @@ -66,3 +69,6 @@ tag: 2.0.1 * 2.1.0 -- 20220106 - prep for tf 0.13+ + +* 2.1.1 -- 20220110 + - add output instance_profile_name diff --git a/README.md b/README.md index a07bc31..dbb209a 100644 --- a/README.md +++ b/README.md @@ -164,6 +164,7 @@ No modules. | Name | Description | |------|-------------| | [instance\_profile\_arn](#output\_instance\_profile\_arn) | Created instance profile ARN, if enabled | +| [instance\_profile\_name](#output\_instance\_profile\_name) | Created instance profile name, if enabled | | [ldap\_dn](#output\_ldap\_dn) | Created LDAP DN for role (empty if ldap is not enabled) | | [role\_arn](#output\_role\_arn) | Created role ARN | | [role\_name](#output\_role\_name) | Created role name | diff --git a/outputs.tf b/outputs.tf index 9a56266..1deda7d 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -18,3 +18,8 @@ output "instance_profile_arn" { description = "Created instance profile ARN, if enabled" value = var.enable_instance_profile ? aws_iam_instance_profile.role[0].arn : "" } + +output "instance_profile_name" { + description = "Created instance profile name, if enabled" + value = var.enable_instance_profile ? aws_iam_instance_profile.role[0].name : "" +} diff --git a/version.tf b/version.tf index a057cc0..aa8147b 100644 --- a/version.tf +++ b/version.tf @@ -1,4 +1,4 @@ locals { - _module_version = "1.3.4" - # _module_version = "2.1.0" + _module_version = "1.3.5" + # _module_version = "2.1.1" } From 9b27fae61b2ce6366001e4a68228299b71b490a0 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 13 Jan 2022 16:23:34 -0500 Subject: [PATCH 13/20] add variable create to permit conditional create of the module resources --- CHANGELOG.md | 6 ++++++ README.md | 1 + main.tf | 37 +++++++++++++++++++++++++------------ outputs.tf | 6 +++--- variables.create.tf | 6 ++++++ version.tf | 4 ++-- 6 files changed, 43 insertions(+), 17 deletions(-) create mode 100644 variables.create.tf diff --git a/CHANGELOG.md b/CHANGELOG.md index 5f62325..dcfc6fe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -50,6 +50,9 @@ * 1.3.5 -- 20220110 - add output instance_profile_name +* 1.4.0 -- 20220113 + - add flag create to trigger creating or not creating the module resources + ## version 2.x branch: compat-tf-0.13 @@ -72,3 +75,6 @@ tag: 2.0.1 * 2.1.1 -- 20220110 - add output instance_profile_name + +* 2.2.0 -- 20220113 + - add flag create to trigger creating or not creating the module resources diff --git a/README.md b/README.md index dbb209a..cbe21b2 100644 --- a/README.md +++ b/README.md 
@@ -144,6 +144,7 @@ No modules. | [assume\_policy\_document](#input\_assume\_policy\_document) | JSON policy document for role to assume (i.e., the SAML assume document) | `string` | `""` | no | | [attached\_policies](#input\_attached\_policies) | List of IAM Policy ARNs to attach to this role | `list(string)` | `[]` | no | | [component\_tags](#input\_component\_tags) | Additional tags for Components (role, policy) | `map(map(string))` |
{
"policy": {},
"role": {}
}
| no | +| [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no | | [enable\_instance\_profile](#input\_enable\_instance\_profile) | Flag to enable/disable instance profile on role | `bool` | `false` | no | | [enable\_ldap\_creation](#input\_enable\_ldap\_creation) | Flag to enable/disable LDAP object creation for role group (for SAML only). Also requires LDAP credentials. | `bool` | `false` | no | | [inline\_policies](#input\_inline\_policies) | List of IAM Policy Document objects to include in this role. Format is {name=name,policy=policy-json} | `list(object({ name = string, policy = string }))` | `[]` | no | diff --git a/main.tf b/main.tf index b64db98..adbf98f 100644 --- a/main.tf +++ b/main.tf @@ -134,6 +134,7 @@ locals { } resource "aws_iam_role" "role" { + count = var.create ? 1 : 0 name = local.role_name description = local.role_description force_detach_policies = local._defaults["force_detach_policies"] 
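Review bot: Adding `count = var.create ? 1 : 0` to the existing `aws_iam_role.role` changes its state address from `aws_iam_role.role` to `aws_iam_role.role[0]`, so on every deployment already using this module the next plan is a destroy-and-create of the role rather than a no-op; a recreated IAM role gets a new unique principal ID, and resource-based or trust policies that referenced the old role by ARN no longer match it until they are re-saved. The upgrade therefore needs a one-time `terraform state mv 'module.<instance>.aws_iam_role.role' 'module.<instance>.aws_iam_role.role[0]'` per module instance (the other resources in this patch already had `count` or use `for_each`, so only the role is affected), and that step should be spelled out in the CHANGELOG entry for 1.4.0/2.2.0. The `aws_iam_role.role` block continues past this hunk.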
@@ -159,24 +160,28 @@ resource "aws_iam_role" "role" {
 }
 resource "aws_iam_role_policy_attachment" "role" {
- for_each = toset(var.attached_policies)
- role = aws_iam_role.role.name
+ for_each = var.create ? toset(var.attached_policies) : toset({})
+ role = var.create ? aws_iam_role.role[0].name : ""
 policy_arn = each.value
 }
 resource "aws_iam_instance_profile" "role" {
- count = var.enable_instance_profile ? 1 : 0
- name = aws_iam_role.role.name
- role = aws_iam_role.role.name
- path = var.instance_profile_path
+ count = var.enable_instance_profile && var.create ? 1 : 0
+ # name = aws_iam_role.role.name
+ name = var.create ? aws_iam_role.role[0].name : ""
+ # role = aws_iam_role.role.name
+ role = var.create ? aws_iam_role.role[0].name : ""
+ path = var.instance_profile_path
 }
 data "template_file" "role" {
- count = local.enable_ldap ? 1 : 0
+ count = local.enable_ldap && var.create ? 1 : 0
 template = file("${path.module}/templates/iam-role-ldif.${local.account_environment}.tpl")
 vars = {
- role_name = aws_iam_role.role.name
- role_arn = aws_iam_role.role.arn
+ # role_name = aws_iam_role.role.name
+ role_name = var.create ? aws_iam_role.role[0].name : ""
+ # role_arn = aws_iam_role.role.arn
+ role_arn = var.create ? aws_iam_role.role[0].arn : ""
 account_id = local.account_id
 saml_provider_arn = var.saml_provider_arn
 aws_environment = local.account_environment
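Review bot: Inside `aws_iam_instance_profile.role` and `data.template_file.role`, both now guarded by `count = … && var.create ? 1 : 0`, the `var.create ? aws_iam_role.role[0].name : ""` conditionals can never take the `""` branch, so they only obscure the intent; `name = aws_iam_role.role[0].name`, `role = aws_iam_role.role[0].name` and `role_name = aws_iam_role.role[0].name` are sufficient and keep the implicit dependency on the role. Where the same conditional sits outside a `var.create` guard — the `ldap_dn` and `bocappdata_fullauth` locals in patch 14 — the `""` fallback produces a string like `cn=,ou=…` rather than signalling absence; the 0.12 idiom `join("", aws_iam_role.role.*.name)` is empty when count is 0 and needs no conditional. The commented-out `# name = …`, `# role = …`, `# role_name = …` and `# role_arn = …` lines are git history and should be dropped; patch 15's `ldap_object.role` hunk repeats the same redundant conditional inside a `var.create`-guarded resource.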
@@ -184,12 +189,20 @@ data "template_file" "role" {
 }
 resource "null_resource" "role_ldif" {
- count = local.enable_ldap ? 1 : 0
+ count = var.create && local.enable_ldap ? 1 : 0
+ triggers = {
+ name = local.role_name
+ }
+
 provisioner "local-exec" {
 command = "test -d ${path.root}/setup || mkdir ${path.root}/setup"
 }
 provisioner "local-exec" {
- command = "echo '${data.template_file.role[0].rendered}' > ${path.root}/setup/${aws_iam_role.role.name}.ldif"
+ command = "echo '${data.template_file.role[0].rendered}' > ${path.root}/setup/${local.role_name}.ldif"
+ }
+ provisioner "local-exec" {
+ when = destroy
+ command = format("rm -f %v/setup/%v.ldif", path.root, local.role_name)
 }
 provisioner "local-exec" {
 command = "echo 'Once complete, execute tf-apply again to create LDAP group'"
@@ -197,7 +210,7 @@ resource "null_resource" "role_ldif" {
 }
 resource "ldap_object" "role" {
- count = local.ldap_exists && local.enable_ldap ? 1 : 0
+ count = var.create && local.ldap_exists && local.enable_ldap ? 1 : 0
 # count = local.enable_ldap ? 1 : 0
 provider = ldap
 dn = local.ldap_dn
diff --git a/outputs.tf b/outputs.tf
index 1deda7d..7e4c4b2 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,17 +1,17 @@
 output "role_arn" {
 description = "Created role ARN"
- value = aws_iam_role.role.arn
+ value = var.create ? aws_iam_role.role[0].arn : ""
 }
 output "role_name" {
 description = "Created role name"
- value = aws_iam_role.role.name
+ value = var.create ? aws_iam_role.role[0].name : ""
 }
 output "ldap_dn" {
 description = "Created LDAP DN for role (empty if ldap is not enabled)"
- value = local.enable_ldap ? local.ldap_dn : ""
+ value = local.enable_ldap && var.create ? local.ldap_dn : ""
 }
 output "instance_profile_arn" {
diff --git a/variables.create.tf b/variables.create.tf
new file mode 100644
index 0000000..b881a74
--- /dev/null
+++ b/variables.create.tf
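Review bot: The rewritten `command = "echo '${data.template_file.role[0].rendered}' > …"` line in `null_resource.role_ldif` splices the rendered LDIF into a single-quoted shell word, so any `'` in a value the template carries (role name, description text, the SAML provider ARN) terminates the quoting and the rest of the content is interpreted by the shell; `echo` may also mangle backslashes or a leading `-`, and `path.root` and `local.role_name` are unquoted in the redirect target. Passing the content through the provisioner's `environment` map and writing it with `printf` keeps it out of the command text entirely, as below. The surrounding resource and its other provisioners are otherwise unchanged.
```hcl
  provisioner "local-exec" {
    environment = {
      LDIF = data.template_file.role[0].rendered
    }
    # the LDIF reaches the shell as a variable, never as part of the command string
    command = "printf '%s\\n' \"$LDIF\" > \"${path.root}/setup/${local.role_name}.ldif\""
  }
  # … unchanged: destroy-time and "Once complete" provisioners …
```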
@@ -0,0 +1,6 @@ +variable "create" { + description = "Flag to indicate whether to create the resources or not (default: true)" + type = bool + default = true +} + diff --git a/version.tf b/version.tf index aa8147b..d36f45e 100644 --- a/version.tf +++ b/version.tf @@ -1,4 +1,4 @@ locals { - _module_version = "1.3.5" - # _module_version = "2.1.1" + _module_version = "1.4.0" + # _module_version = "2.2.0" } From e733ca6b025eb579bf4e712b67e241c31f673de1 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 13 Jan 2022 16:32:30 -0500 Subject: [PATCH 14/20] fix --- main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index adbf98f..8a1b47a 100644 --- a/main.tf +++ b/main.tf 
@@ -118,14 +118,14 @@ locals {
 # ec2_role_name = format("%v-ec2-%v", lookup(local._prefixes, "role", ""), local._ec2_role_name)
 # ec2_policy_name = format("%v-ec2-%v", lookup(local._prefixes, "policy", ""), local._ec2_role_name)
- ldap_exists = fileexists("${path.root}/setup/${aws_iam_role.role.name}.ldif")
+ ldap_exists = fileexists("${path.root}/setup/${local.role_name}.ldif")
 bocappdata_auth = local.account_environment == "gov" ? "Cloud_AWSGovCloud_Auth" : "Cloud_AWS_Auth"
- bocappdata_fullauth = format("gov.census.tco:%v=%v,%v", local.bocappdata_auth, aws_iam_role.role.arn, var.saml_provider_arn)
+ bocappdata_fullauth = format("gov.census.tco:%v=%v,%v", local.bocappdata_auth, var.create ? aws_iam_role.role[0].arn : "", var.saml_provider_arn)
 bocappdata_approval = format("gov.census.tco:%v=%v", "CPASS_ApprovalGroup", "cn=CloudServices_Approvers,ou=CloudServices,ou=Administration,ou=eCustomers,o=U.S. Census Bureau,c=US")
 ldap_provider_exists = data.external.ldap_provider_bin.result.status == "0" ? true : false
 enable_ldap = var.enable_ldap_creation && var.ldap_user != "" && var.ldap_password != "" && var.saml_provider_arn != "" && local.ldap_provider_exists
- ldap_dn = format("cn=%s,ou=%s,ou=AWS,ou=Cloud,ou=Application,o=U.S. Census Bureau,c=US", aws_iam_role.role.name, local.account_id)
+ ldap_dn = format("cn=%s,ou=%s,ou=AWS,ou=Cloud,ou=Application,o=U.S. Census Bureau,c=US", var.create ? aws_iam_role.role[0].name : "", local.account_id)
 base_tags = {
 "boc:tf_module_version" = local._module_version
From 56c5dc7ec4a2fc77a7d34e891b182c64424c3771 Mon Sep 17 00:00:00 2001
From: badra001
Date: Thu, 13 Jan 2022 16:34:46 -0500
Subject: [PATCH 15/20] fix
---
 main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/main.tf b/main.tf
index 8a1b47a..9fd4320 100644
--- a/main.tf
+++ b/main.tf
@@ -220,8 +220,8 @@ resource "ldap_object" "role" {
     "groupOfNames",
   ]
   attributes = [
-    { description = format("%s account=%s type=%s", aws_iam_role.role.name, local.account_id, local.account_environment) },
-    { cn = aws_iam_role.role.name },
+    { description = format("%s account=%s type=%s", var.create ? aws_iam_role.role[0].name : "", local.account_id, local.account_environment) },
+    { cn = var.create ? aws_iam_role.role[0].name : "" },
     { bocApplicationData = format("gov.census.tco:CPASS_FullPath=Cloud/%s/%s", local.account_environment, local.account_id) },
     { bocApplicationData = "gov.census.tco:CPASS_APP=CloudServices" },
     { bocApplicationData = local.bocappdata_fullauth },
From dcb561b1d2186a3c5bf8431bfafd038c7ec383c9 Mon Sep 17 00:00:00 2001
From: badra001
Date: Thu, 13 Jan 2022 16:36:52 -0500
Subject: [PATCH 16/20] fix
---
 outputs.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/outputs.tf b/outputs.tf
index 7e4c4b2..938e908 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -16,10 +16,10 @@ output "ldap_dn" {
 output "instance_profile_arn" {
   description = "Created instance profile ARN, if enabled"
-  value = var.enable_instance_profile ? aws_iam_instance_profile.role[0].arn : ""
+  value = var.create && var.enable_instance_profile ? aws_iam_instance_profile.role[0].arn : ""
 }
 output "instance_profile_name" {
   description = "Created instance profile name, if enabled"
-  value = var.enable_instance_profile ? aws_iam_instance_profile.role[0].name : ""
+  value = var.create && var.enable_instance_profile ? aws_iam_instance_profile.role[0].name : ""
 }
From 63fcc463a73868c87e11d1bac37baf9c1d6c513d Mon Sep 17 00:00:00 2001
From: badra001
Date: Thu, 13 Jan 2022 16:41:59 -0500
Subject: [PATCH 17/20] fix
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 9fd4320..4f3dcff 100644
--- a/main.tf
+++ b/main.tf
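Review bot: Both rewritten attributes fall back to an empty string when `create` is false, which would yield a directory entry with an empty `cn` and a description starting with ` account=…` if this resource is ever evaluated in that state. The role's name is the module's `local.role_name`, so `{ cn = local.role_name }` and `format("%s account=%s type=%s", local.role_name, local.account_id, local.account_environment)` produce the same values on the create path with no empty-string branch and no reference to the indexed resource. If the intent is that this entry is never written when `create` is false, that gate belongs on the resource's `count`, which is outside this hunk along with the rest of the `attributes` list.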
@@ -160,7 +160,7 @@ resource "aws_iam_role" "role" {
 }
 resource "aws_iam_role_policy_attachment" "role" {
-  for_each = var.create ? toset(var.attached_policies) : toset({})
+  for_each = var.create ? toset(var.attached_policies) : toset([])
   role = var.create ? aws_iam_role.role[0].name : ""
   policy_arn = each.value
 }
From 8a62944639e68659961c97975085dcbcd3fe270b Mon Sep 17 00:00:00 2001
From: badra001
Date: Thu, 13 Jan 2022 16:45:17 -0500
Subject: [PATCH 18/20] fix
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 4f3dcff..abe2b91 100644
--- a/main.tf
+++ b/main.tf
@@ -202,7 +202,7 @@ resource "null_resource" "role_ldif" {
   }
   provisioner "local-exec" {
     when = destroy
-    command = format("rm -f %v/setup/%v.ldif", path.root, local.role_name)
+    command = format("rm -f %v/setup/%v.ldif", path.root, self.triggers.name)
   }
   provisioner "local-exec" {
     command = "echo 'Once complete, execute tf-apply again to create LDAP group'"
From 4f5c520a1d4ec2e35e1cf2f736979585f0a1de61 Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 14 Jan 2022 06:58:34 -0500
Subject: [PATCH 19/20] ignore version tag
---
 main.tf | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/main.tf b/main.tf
index abe2b91..6f1cd8c 100644
--- a/main.tf
+++ b/main.tf
@@ -151,6 +151,10 @@ resource "aws_iam_role" "role" {
     }
   }
+  lifecycle {
+    ignore_changes = [tags["boc:tf_module_version"]]
+  }
+
   tags = merge(
     var.tags,
     local.base_tags,
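Review bot: `self.triggers.name` in the rewritten destroy command only resolves if the resource's `triggers` map, which is outside this hunk, carries a key literally named `name` holding the role name; if it is absent or named differently, every plan fails with an unsupported-attribute error, not just the destroy step. A one-line comment above the provisioner would keep someone from later trimming that trigger, e.g. `# destroy-time provisioners may only reference self; the role name must stay in triggers`. The role name is interpolated into a shell `rm -f`, which is tolerable here only because it is an operator-supplied module input rather than external data; worth saying so in the same comment.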
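Review bot: Ignoring changes to `tags["boc:tf_module_version"]` means a role that already exists keeps the version value it was first created with, so the tag stops telling an auditor which module version currently manages the role; that is a drift-visibility trade-off the hunk does not record. Add a comment stating the intent, e.g. `# informational only: ignored so a module bump does not touch every role; the value will lag on pre-existing roles`. If an accurate version tag matters for inventory, keep it out of `ignore_changes` and accept the tag-only update on upgrade instead. The `aws_iam_role` resource starts and ends outside the hunk.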
@@ -200,10 +204,11 @@ resource "null_resource" "role_ldif" {
   provisioner "local-exec" {
     command = "echo '${data.template_file.role[0].rendered}' > ${path.root}/setup/${local.role_name}.ldif"
   }
-  provisioner "local-exec" {
-    when = destroy
-    command = format("rm -f %v/setup/%v.ldif", path.root, self.triggers.name)
-  }
+  # does not work in 0.12
+  # provisioner "local-exec" {
+  #   when = destroy
+  #   command = format("rm -f %v/setup/%v.ldif", path.root, self.triggers.name)
+  # }
   provisioner "local-exec" {
     command = "echo 'Once complete, execute tf-apply again to create LDAP group'"
   }
From e7761c324fb335c2161a63be65ba0953f3c77caa Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 14 Jan 2022 07:01:02 -0500
Subject: [PATCH 20/20] ignore lifecycle change on version tag
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index dcfc6fe..8adfa15 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -52,6 +52,7 @@
 * 1.4.0 -- 20220113
   - add flag create to trigger creating or not creating the module resources
+  - ignore boc:tf_module_version tag in lifecycle change
 ## version 2.x
@@ -78,3 +79,4 @@ tag: 2.0.1
 * 2.2.0 -- 20220113
   - add flag create to trigger creating or not creating the module resources
+  - ignore boc:tf_module_version tag in lifecycle change
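Review bot: With the destroy-time cleanup commented out, `setup/<role>.ldif` is left on disk after `terraform destroy`, and since `ldap_exists` is derived from `fileexists()` on that same path (per the earlier locals change), re-creating a role of the same name in the same root would see the stale file and treat the LDAP setup as already done. The surviving `echo '${data.template_file.role[0].rendered}' > …` line has a second problem: the rendered LDIF is interpolated inside single quotes, so any `'` in it breaks the command, and text after it runs as shell; the inputs are operator-controlled, but that is still a fragile place to build a command. Both concerns disappear if the file is produced by a `local_file` resource with `content` set to the rendered template and `filename` set to the same path, since the provider deletes the file on destroy and no shell is involved, assuming the `local` provider is acceptable for this module. If the provisioner must stay, a destroy provisioner that references only `self.triggers` is supported on 0.12, so the "does not work" note may be masking a missing `name` trigger rather than a version limitation; the resource's `triggers` block is outside this hunk.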