update

terraform-modules · Jul 29, 2025 · 991f0c4 · 991f0c4
1 parent 1fc08fb
commit 991f0c4
Show file tree

Hide file tree

Showing 2 changed files with 68 additions and 18 deletions.
diff --git a/rolesanywhere/README.md b/rolesanywhere/README.md
@@ -1,4 +1,55 @@
 <!-- BEGIN_TF_DOCS -->
+# About aws-iam-role/rolesanywhere
+
+This module will create an IAM RolesAnywhere role, profile, and certificate from ACM-PCA.
+
+## Policies
+
+When using `attached_policies`, it is important those policy ARNs exist before attempting to use the module
+with `plan` or `apply`.  The module is called with an unknown value and it fails if not.  You'll need to target your
+first apply with that of the policy like:
+
+```shell
+tf-apply -target=aws_iam_policy.mypolicy
+```
+
+# Usage
+
+Creating a role.
+```hcl
+module "myrole2" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+  role_name            = "my-role2"
+  attached_policies    = [ data.aws_iam_policy.aws-managed-readonlyaccess.arn ]
+  contact_group_email  = "group-email-address@census.gov"
+}
+```
+
+Creating a with inline policies and a different OU for the certificate
+```hcl
+data "aws_iam_document_policy" "my-policy-1" {
+  statement {
+    sid = "NameOfPermissiosn"
+    # rest of stuff
+  }
+}
+
+module "myrole3" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+
+  role_name              = "my-role3"
+  attached_policies      = [ data.aws_iam_policy.aws-managed-readonlyaccess.arn ]
+  contact_group_email    = "group-email-address@census.gov"
+  certificate_conditions = { "x509Subject/OU" = "MyRolesAnywhere" }
+  inline_policies        = [
+    {
+      name = "my-policy-1"
+      policy = data.aws_iam_policy_document.my-policy-1.json
+    }
+  ]
+}
+```
+
 ## Requirements
 
 | Name | Version |

diff --git a/rolesanywhere/main.tf b/rolesanywhere/main.tf
@@ -1,21 +1,3 @@
-locals {
-  base_tags = {
-    "boc:tf_module_version" = local._module_version
-    "boc:created_by"        = "terraform"
-  }
-}
-
-locals {
-  account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
-  region              = data.aws_region.current.name
-  account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
-  account_alias       = var.account_alias != "" && var.account_alias != null ? var.account_alias : "none"
-
-  role_name        = format("%v%v", lookup(local._prefixes, "role", ""), var.role_name)
-  role_description = var.role_description == "" ? format("%vRole for %v", local.saml_string, var.role_name) : var.role_description
-}
-
-
 /*
 * # About aws-iam-role/rolesanywhere
 *
@@ -68,3 +50,20 @@ locals {
 * }
 * ```
 */
+
+locals {
+  base_tags = {
+    "boc:tf_module_version" = local._module_version
+    "boc:created_by"        = "terraform"
+  }
+}
+
+locals {
+  account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+  region              = data.aws_region.current.name
+  account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+  account_alias       = var.account_alias != "" && var.account_alias != null ? var.account_alias : "none"
+
+  role_name        = format("%v%v", lookup(local._prefixes, "role", ""), var.role_name)
+  role_description = var.role_description == "" ? format("%vRole for %v", local.saml_string, var.role_name) : var.role_description
+}