From 991f0c44bee45962cecedc5dc8ed353ca90ef0fb Mon Sep 17 00:00:00 2001
From: badra001
Date: Tue, 29 Jul 2025 12:13:25 -0400
Subject: [PATCH] update
---
 rolesanywhere/README.md | 51 +++++++++++++++++++++++++++++++++++++++++
 rolesanywhere/main.tf | 35 ++++++++++++++--------------
 2 files changed, 68 insertions(+), 18 deletions(-)
diff --git a/rolesanywhere/README.md b/rolesanywhere/README.md
index b12cdf6..5e03946 100644
--- a/rolesanywhere/README.md
+++ b/rolesanywhere/README.md
@@ -1,4 +1,55 @@
+# About aws-iam-role/rolesanywhere
+
+This module will create an IAM RolesAnywhere role, profile, and certificate from ACM-PCA.
+
+## Policies
+
+When using `attached_policies`, it is important those policy ARNs exist before attempting to use the module
+with `plan` or `apply`. The module is called with an unknown value and it fails if not. You'll need to target your
+first apply with that of the policy like:
+
+```shell
+tf-apply -target=aws_iam_policy.mypolicy
+```
+
+# Usage
+
+Creating a role.
+```hcl
+module "myrole2" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+ role_name = "my-role2"
+ attached_policies = [ data.aws_iam_policy.aws-managed-readonlyaccess.arn ]
+ contact_group_email = "group-email-address@census.gov"
+}
+```
+
+Creating a with inline policies and a different OU for the certificate
+```hcl
+data "aws_iam_document_policy" "my-policy-1" {
+ statement {
+ sid = "NameOfPermissiosn"
+ # rest of stuff
+ }
+}
+
+module "myrole3" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+
+ role_name = "my-role3"
+ attached_policies = [ data.aws_iam_policy.aws-managed-readonlyaccess.arn ]
+ contact_group_email = "group-email-address@census.gov"
+ certificate_conditions = { "x509Subject/OU" = "MyRolesAnywhere" }
+ inline_policies = [
+ {
+ name = "my-policy-1"
+ policy = data.aws_iam_policy_document.my-policy-1.json
+ }
+ ]
+}
+```
+
 ## Requirements
 | Name | Version |
diff --git a/rolesanywhere/main.tf b/rolesanywhere/main.tf
index e9f4df5..fb8369b 100644
--- a/rolesanywhere/main.tf
+++ b/rolesanywhere/main.tf
@@ -1,21 +1,3 @@
-locals {
- base_tags = {
- "boc:tf_module_version" = local._module_version
- "boc:created_by" = "terraform"
- }
-}
-
-locals {
- account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
- region = data.aws_region.current.name
- account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
- account_alias = var.account_alias != "" && var.account_alias != null ? var.account_alias : "none"
-
- role_name = format("%v%v", lookup(local._prefixes, "role", ""), var.role_name)
- role_description = var.role_description == "" ? format("%vRole for %v", local.saml_string, var.role_name) : var.role_description
-}
-
-
 /*
 * # About aws-iam-role/rolesanywhere
 *
@@ -68,3 +50,20 @@ locals {
 * }
 * ```
 */
+
+locals {
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ }
+}
+
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ region = data.aws_region.current.name
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+ account_alias = var.account_alias != "" && var.account_alias != null ? var.account_alias : "none"
+
+ role_name = format("%v%v", lookup(local._prefixes, "role", ""), var.role_name)
+ role_description = var.role_description == "" ? format("%vRole for %v", local.saml_string, var.role_name) : var.role_description
+}
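Review bot: In the re-added second `locals` block, `account_id` guards only the empty-string sentinel (`var.account_id != ""`) while `account_alias` a few lines below guards both `""` and `null`; if `var.account_id` is allowed to be null (its declaration is not in this diff), the fallback to `data.aws_caller_identity.current.account_id` is skipped and `local.account_id` ends up null, which presumably then flows into whatever ARNs or trust-policy principals consume it outside this hunk. Since the block is being moved anyway, aligning it is cheap: `account_id = coalesce(var.account_id, data.aws_caller_identity.current.account_id)` treats both null and `""` as "use the current account", or mirror the `account_alias` form with an explicit `!= null` test. `role_description` has the same one-sided `== ""` check and could be brought in line at the same time. The consumers of these locals are outside the hunk, so the downstream effect is inferred rather than visible here.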