update docs

terraform-modules · Mar 1, 2021 · 6815d7a · 6815d7a
1 parent b9e5504
commit 6815d7a
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 19 deletions.
diff --git a/README.md b/README.md
@@ -2,38 +2,48 @@
 
 This module will create an IAM role.  Its primary purpose is for a SAML-enbled role, and to create the  
 necessary LDAP object in eBOCAS, provided credentials and the provider exists (it checks for this).  
-The [ldap-provider](https://github.e.it.census.gov/terraform/support/tree/master/providers/terraform-provider-ldap) binary is  
-expected to be in your `$PATH`.
+The [ldap-provider](https://github.e.it.census.gov/terraform/support/tree/master/providers/terraform-provider-ldap) binary is expected to be in your `$PATH`.
 
 There are some quirks to the `ldap-provider` (we use [this](https://github.com/Pryz/terraform-provider-ldap) one), where if any  
 details change in the DN or the DN cannot be constructed due to missing data, a *tcp connection closed* message occurs.
 
 Because of this quirk, this is a two-step apply.  The first step creates the IAM role and creates an LDIF file in
 `setup/{role-name}.ldif`.  It uses the presence of this file to create the LDAP object in the second step.  Example:
 
-```shell
-terraform apply -target=module.myrole
-terraform apply -target=module.myrole
+```console
+# step 1, creates role and null resource
+% terraform apply -target=module.myrole
+# step 2, creates ldap object
+% terraform apply -target=module.myrole
 ```
 
 # Usage
 
+Creating a SAML role with two attached policies
 ```hcl
-module "myrole" {
+module "myrole1" {
   source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
 
-  role_name                  = "my-role"
-  saml_provider_arn          = "aws:aws-us-gov:iam:1234567890:saml/X"
+  role_name                  = "my-role1"
+  saml_provider_arn          = "arn:aws:iam::079788916859:saml-provider/Census_TCO_IDMS"
   enable_ldap_creation       = true
   assume_policy_document     = data.terraform_remote_state.common.outputs.saml_assume_json
-  attached_policies          = ["arn1", "arn2"]
+  attached_policies          = [ data.aws_iam_policy.aws-managed-administratoraccess.arn, aws_iam_policy.role_assume.arn ]
   ldap_user                  = "cn=myuser,ou=Application,o=U.S. Census Bureau,c=US"
   ldap_password              = "password1234$$"
 
   # optional
   ldap_host                  = "ldap.e.tco.census.gov"
   ldap_port                  = 389
 }
+```  
+Creating a non-SAML role
+```hcl
+module "myrole2" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+
+  role_name                  = "my-role2"
+  attached_policies          = [ data.aws_iam_policy.aws-managed-readonlyaccess.arn ]
 ```
 
 ## Requirements

diff --git a/main.tf b/main.tf
@@ -3,31 +3,33 @@
 *
 * This module will create an IAM role.  Its primary purpose is for a SAML-enbled role, and to create the
 * necessary LDAP object in eBOCAS, provided credentials and the provider exists (it checks for this).
-* The [ldap-provider](https://github.e.it.census.gov/terraform/support/tree/master/providers/terraform-provider-ldap) binary is
-* expected to be in your `$PATH`.
+* The [ldap-provider](https://github.e.it.census.gov/terraform/support/tree/master/providers/terraform-provider-ldap) binary is expected to be in your `$PATH`.
 * 
 * There are some quirks to the `ldap-provider` (we use [this](https://github.com/Pryz/terraform-provider-ldap) one), where if any
 * details change in the DN or the DN cannot be constructed due to missing data, a *tcp connection closed* message occurs.
 *
 * Because of this quirk, this is a two-step apply.  The first step creates the IAM role and creates an LDIF file in 
 * `setup/{role-name}.ldif`.  It uses the presence of this file to create the LDAP object in the second step.  Example:
 *
-* ```shell
-* terraform apply -target=module.myrole
-* terraform apply -target=module.myrole
+* ```console
+* # step 1, creates role and null resource
+* % terraform apply -target=module.myrole
+* # step 2, creates ldap object
+* % terraform apply -target=module.myrole
 * ```
 *
 * # Usage
-* 
+*
+* Creating a SAML role with two attached policies
 * ```hcl
-* module "myrole" {
+* module "myrole1" {
 *   source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
 * 
-*   role_name                  = "my-role"
-*   saml_provider_arn          = "aws:aws-us-gov:iam:1234567890:saml/X"
+*   role_name                  = "my-role1"
+*   saml_provider_arn          = "arn:aws:iam::079788916859:saml-provider/Census_TCO_IDMS"
 *   enable_ldap_creation       = true
 *   assume_policy_document     = data.terraform_remote_state.common.outputs.saml_assume_json
-*   attached_policies          = ["arn1", "arn2"]
+*   attached_policies          = [ data.aws_iam_policy.aws-managed-administratoraccess.arn, aws_iam_policy.role_assume.arn ]
 *   ldap_user                  = "cn=myuser,ou=Application,o=U.S. Census Bureau,c=US"
 *   ldap_password              = "password1234$$"
 * 
@@ -36,6 +38,14 @@
 *   ldap_port                  = 389
 * }
 * ```
+* Creating a non-SAML role
+* ```hcl
+* module "myrole2" {
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+* 
+*   role_name                  = "my-role2"
+*   attached_policies          = [ data.aws_iam_policy.aws-managed-readonlyaccess.arn ]
+* ```
 */
 
 #*   ec2_role_name              = "my-role-other"