* 2.4.2 -- 2025-08-05

- rolesanywhere: add file_prefix and file_prefix_separator
terraform-modules · Aug 5, 2025 · 86d6e65 · 86d6e65
1 parent 3b8b928
commit 86d6e65
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -105,3 +105,6 @@ tag: 2.0.1
 
 * 2.4.1 -- 2025-08-01
   - rolesanywhere: fix account_alias
+
+* 2.4.2 -- 2025-08-05
+  - rolesanywhere: add file_prefix and file_prefix_separator
diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.4.1"
+  _module_version = "2.4.2"
 }
diff --git a/rolesanywhere/README.md b/rolesanywhere/README.md
@@ -17,6 +17,8 @@ tf-apply -target=aws_iam_policy.mypolicy
 
 Creating a role with one attached policy.
 ```hcl
+data "aws_iam_account_alias" "current" {}
+
 module "myrole2" {
   providers = {
     aws.east = aws.east
@@ -26,6 +28,9 @@ module "myrole2" {
   role_name           = "my-role2"
   attached_policies   = [ data.aws_iam_policy.aws-managed-readonlyaccess.arn ]
   contact_group_email = "group-email-address@census.gov"
+
+## optional
+##  file_prefix = data.aws_iam_account_alias.current.account_alias
 }
 ```
 
@@ -56,6 +61,11 @@ module "myrole3" {
   ]
 }
 ```
+# Usage: file\_prefix and file\_prefix\_separator
+Use this if you want to clearly separate the output files for common role names across multiple accounts.  A recommended value
+here is the AWS Account Alias, which you can get from the `data` resource `aws_iam_account_alias.account_alias` (see example above).
+If you pass a value, it will use this value along with the value of `file_prefix_separator` (by default, a dot).  By default, the
+prefix is not used.
 
 ## Requirements
 
@@ -108,6 +118,8 @@ module "myrole3" {
 | <a name="input_component_tags"></a> [component\_tags](#input\_component\_tags) | Additional tags for Components (role, policy) | `map(map(string))` | <pre>{<br/>  "policy": {},<br/>  "role": {}<br/>}</pre> | no |
 | <a name="input_contact_group_email"></a> [contact\_group\_email](#input\_contact\_group\_email) | Email of contact group | `string` | n/a | yes |
 | <a name="input_contact_users"></a> [contact\_users](#input\_contact\_users) | Username of contact(s) | `list(string)` | `[]` | no |
+| <a name="input_filename_prefix"></a> [filename\_prefix](#input\_filename\_prefix) | Prefix to include in the filename leading to {prefix}{separator}{rolename}.{ext} | `string` | `null` | no |
+| <a name="input_filename_prefix_separator"></a> [filename\_prefix\_separator](#input\_filename\_prefix\_separator) | Prefix separator (default: .) | `string` | `"."` | no |
 | <a name="input_import_to_acm"></a> [import\_to\_acm](#input\_import\_to\_acm) | Flag to import certificate to ACM, used primarily for tracking expiration and establishing contact details | `bool` | `false` | no |
 | <a name="input_inline_policies"></a> [inline\_policies](#input\_inline\_policies) | List of IAM Policy Document objects to include in this role. Format is {name=name,policy=policy-json} | `list(object({ name = string, policy = string }))` | `[]` | no |
 | <a name="input_managed_policy_arns"></a> [managed\_policy\_arns](#input\_managed\_policy\_arns) | List of IAM Managed Policy ARNs to attach to this role | `list(string)` | `[]` | no |

diff --git a/rolesanywhere/main.tf b/rolesanywhere/main.tf
@@ -17,6 +17,8 @@
 *
 * Creating a role with one attached policy.
 * ```hcl
+* data "aws_iam_account_alias" "current" {}
+*
 * module "myrole2" {
 *   providers = {
 *     aws.east = aws.east
@@ -26,6 +28,9 @@
 *   role_name           = "my-role2"
 *   attached_policies   = [ data.aws_iam_policy.aws-managed-readonlyaccess.arn ]
 *   contact_group_email = "group-email-address@census.gov"
+*
+* ## optional
+* ##  file_prefix = data.aws_iam_account_alias.current.account_alias
 * }
 * ```
 *
@@ -56,6 +61,11 @@
 *   ]
 * }
 * ```
+* # Usage: file_prefix and file_prefix_separator
+* Use this if you want to clearly separate the output files for common role names across multiple accounts.  A recommended value
+* here is the AWS Account Alias, which you can get from the `data` resource `aws_iam_account_alias.account_alias` (see example above).
+* If you pass a value, it will use this value along with the value of `file_prefix_separator` (by default, a dot).  By default, the
+* prefix is not used.
 */
 
 locals {

diff --git a/rolesanywhere/variables.tf b/rolesanywhere/variables.tf
@@ -50,3 +50,15 @@ variable "import_to_acm" {
   type        = bool
   default     = false
 }
+
+variable "filename_prefix" {
+  description = "Prefix to include in the filename leading to {prefix}{separator}{rolename}.{ext}"
+  type        = string
+  default     = null
+}
+
+variable "filename_prefix_separator" {
+  description = "Prefix separator (default: .)"
+  type        = string
+  default     = "."
+}