v1.0.1: add docs, add check for binary

CHANGELOG.md

@@ -2,3 +2,8 @@
 
 * v1.0.0 -- 20210301
   - initial creation
+
+* v1.0.1 -- 20210301
+  - add docs
+  - comment out ec2* role stuff
+  - add check for ldap provider

README.md

@@ -1,5 +1,21 @@
 # About aws-iam-role
 
+This module will create an IAM role.  Its primary purpose is for a SAML-enbled role, and to create the  
+necessary LDAP object in eBOCAS, provided credentials and the provider exists (it checks for this).  
+The [ldap-provider](https://github.e.it.census.gov/terraform/support/tree/master/providers/terraform-provider-ldap) binary is  
+expected to be in your `$PATH`.
+
+There are some quirks to the `ldap-provider` (we use [this](https://github.com/Pryz/terraform-provider-ldap) one), where if any  
+details change in the DN or the DN cannot be constructed due to missing data, a *tcp connection closed* message occurs.
+
+Because of this quirk, this is a two-step apply.  The first step creates the IAM role and creates an LDIF file in
+`setup/{role-name}.ldif`.  It uses the presence of this file to create the LDAP object in the second step.  Example:
+
+```shell
+terraform apply -target=module.myrole
+terraform apply -target=module.myrole
+```
+
 # Usage
 
 ```hcl
@@ -15,10 +31,6 @@ module "myrole" {
   ldap_password              = "password1234$$"
 
   # optional
-  ec2_role_name              = "my-role-other"
-  enable_instance_role       = false
-  ec2_assume_policy_document = "X"
-  ec2_attached_policies      = []
   ldap_host                  = "ldap.e.tco.census.gov"
   ldap_port                  = 389
 }
@@ -33,6 +45,7 @@ No requirements.
 | Name | Version |
 |------|---------|
 | aws | n/a |
+| external | n/a |
 | ldap | n/a |
 | null | n/a |
 | template | n/a |
@@ -51,6 +64,7 @@ No Modules.
 | [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) |
 | [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) |
 | [aws_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) |
+| [external_external](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) |
 | [ldap_object](https://registry.terraform.io/providers/hashicorp/ldap/latest/docs/resources/object) |
 | [null_resource](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) |
 | [template_file](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) |
@@ -64,10 +78,6 @@ No Modules.
 | assume\_policy\_document | JSON policy document for role to assume (i.e., the SAML assume document) | `string` | `""` | no |
 | attached\_policies | List of IAM Policy ARNs to attach to this role | `list(string)` | `[]` | no |
 | component\_tags | Additional tags for Components (role, policy) | `map(map(string))` | <pre>{<br>  "policy": {},<br>  "role": {}<br>}</pre> | no |
-| ec2\_assume\_policy\_document | JSON policy document for EC2 instance role (default is sts:AssumeRole for ec2 service) | `string` | `""` | no |
-| ec2\_attached\_policies | List of IAM Policy ARNs to attach to this EC2 instance role | `list(string)` | `[]` | no |
-| ec2\_role\_name | EC2 instace Role/application name without prefix | `string` | `""` | no |
-| enable\_instance\_role | Flag to enable the creation of a partner EC2 instance role with specific policies and optionally a different name | `bool` | `false` | no |
 | enable\_ldap\_creation | Flag to enable/disable LDAP object creation for role group (for SAML only). Also requires LDAP credentials. | `bool` | `false` | no |
 | ldap\_host | LDAP Hostname (default is for eBOCAS) | `string` | `"ldap.e.tco.census.gov"` | no |
 | ldap\_password | LDAP password for ldap\_user for writing data into eDirectory or Active Directory | `string` | `""` | no |
@@ -80,3 +90,6 @@ No Modules.
 
 ## Outputs
 
+| Name | Description |
+|------|-------------|
+| role\_arn | Created role ARN |

main.tf

@@ -1,6 +1,22 @@
 /*
 * # About aws-iam-role
+*
+* This module will create an IAM role.  Its primary purpose is for a SAML-enbled role, and to create the
+* necessary LDAP object in eBOCAS, provided credentials and the provider exists (it checks for this).
+* The [ldap-provider](https://github.e.it.census.gov/terraform/support/tree/master/providers/terraform-provider-ldap) binary is
+* expected to be in your `$PATH`.
 * 
+* There are some quirks to the `ldap-provider` (we use [this](https://github.com/Pryz/terraform-provider-ldap) one), where if any
+* details change in the DN or the DN cannot be constructed due to missing data, a *tcp connection closed* message occurs.
+*
+* Because of this quirk, this is a two-step apply.  The first step creates the IAM role and creates an LDIF file in 
+* `setup/{role-name}.ldif`.  It uses the presence of this file to create the LDAP object in the second step.  Example:
+*
+* ```shell
+* terraform apply -target=module.myrole
+* terraform apply -target=module.myrole
+* ```
+*
 * # Usage
 * 
 * ```hcl
@@ -16,34 +32,36 @@
 *   ldap_password              = "password1234$$"
 * 
 *   # optional
-*   ec2_role_name              = "my-role-other"
-*   enable_instance_role       = false
-*   ec2_assume_policy_document = "X"
-*   ec2_attached_policies      = []
 *   ldap_host                  = "ldap.e.tco.census.gov"
 *   ldap_port                  = 389
 * }
 * ```
 */
 
+#*   ec2_role_name              = "my-role-other"
+#*   enable_instance_role       = false
+#*   ec2_assume_policy_document = "X"
+#*   ec2_attached_policies      = []
+
 locals {
   account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
   region              = data.aws_region.current.name
   account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
 
-  _ec2_role_name   = var.ec2_role_name != "" ? var.ec2_role_name : var.role_name
+  #  _ec2_role_name   = var.ec2_role_name != "" ? var.ec2_role_name : var.role_name
   role_name        = format("%v%v", lookup(local._prefixes, "role", ""), var.role_name)
   saml_string      = var.saml_provider_arn != "" ? "SAML " : ""
   role_description = format("%vRole for %v", local.saml_string, var.role_name)
   policy_name      = format("%v%v", lookup(local._prefixes, "policy", ""), var.role_name)
-  ec2_role_name    = format("%v-ec2-%v", lookup(local._prefixes, "role", ""), local._ec2_role_name)
-  ec2_policy_name  = format("%v-ec2-%v", lookup(local._prefixes, "policy", ""), local._ec2_role_name)
+  #  ec2_role_name    = format("%v-ec2-%v", lookup(local._prefixes, "role", ""), local._ec2_role_name)
+  #  ec2_policy_name  = format("%v-ec2-%v", lookup(local._prefixes, "policy", ""), local._ec2_role_name)
 
   ldap_exists         = fileexists("${path.root}/setup/${aws_iam_role.role.name}.ldif")
   bocappdata_auth     = local.account_environment == "gov" ? "Cloud_AWSGovCloud_Auth" : "Cloud_AWS_Auth"
   bocappdata_fullauth = format("gov.census.tco:%v=%v,%v", local.bocappdata_auth, aws_iam_role.role.arn, var.saml_provider_arn)
 
-  enable_ldap = var.enable_ldap_creation && var.ldap_user != "" && var.ldap_password != "" && var.saml_provider_arn != ""
+  ldap_provider_exists = data.external.ldap_provider_bin.result.status == 0 ? true : false
+  enable_ldap          = var.enable_ldap_creation && var.ldap_user != "" && var.ldap_password != "" && var.saml_provider_arn != "" && local.ldap_provider_exists
 
   base_tags = {
     "boc:tf_module_version" = local._module_version
@@ -117,3 +135,12 @@ resource "ldap_object" "role" {
     ignore_changes = [object_classes, attributes]
   }
 }
+
+# data.external.ldap_provider_bin.result.path
+# data.external.ldap_provider_bin.result.status
+data "external" "ldap_provider_bin" {
+  program = ["bash", "${path.root}/bin/find_binary.sh"]
+  query = {
+    "program" = "terraform-provider-ldap"
+  }
+}

variables.tf

@@ -1,25 +1,8 @@
-#---
-# application stuff
-#---
-#locals {
-#  app_name        = "ced-edde"
-#  role_name       = format("r-%v", local.app_name)
-#  policy_name     = format("p-%v", local.app_name)
-#  ec2_role_name   = format("r-ec2-%v", local.app_name)
-#  ec2_policy_name = format("p-ec2-%v-%v", local.app_name, "transcribe")
-#}
-
 variable "role_name" {
   description = "Role/application name without prefix"
   type        = string
 }
 
-variable "ec2_role_name" {
-  description = "EC2 instace Role/application name without prefix"
-  type        = string
-  default     = ""
-}
-
 variable "saml_provider_arn" {
   description = "ARN of SAML Provider"
   type        = string
@@ -32,36 +15,18 @@ variable "enable_ldap_creation" {
   default     = false
 }
 
-variable "enable_instance_role" {
-  description = "Flag to enable the creation of a partner EC2 instance role with specific policies and optionally a different name"
-  type        = bool
-  default     = false
-}
-
 variable "assume_policy_document" {
   description = "JSON policy document for role to assume (i.e., the SAML assume document)"
   type        = string
   default     = ""
 }
 
-variable "ec2_assume_policy_document" {
-  description = "JSON policy document for EC2 instance role (default is sts:AssumeRole for ec2 service)"
-  type        = string
-  default     = ""
-}
-
 variable "attached_policies" {
   description = "List of IAM Policy ARNs to attach to this role"
   type        = list(string)
   default     = []
 }
 
-variable "ec2_attached_policies" {
-  description = "List of IAM Policy ARNs to attach to this EC2 instance role"
-  type        = list(string)
-  default     = []
-}
-
 #---
 # ldap 
 #---
@@ -95,3 +60,31 @@ variable "component_tags" {
   default     = { "role" = {}, "policy" = {} }
 }
 
+
+## #---
+## # instance role
+## #---
+## variable "ec2_role_name" {
+##   description = "EC2 instace Role/application name without prefix"
+##   type        = string
+##   default     = ""
+## }
+## 
+## variable "enable_instance_role" {
+##   description = "Flag to enable the creation of a partner EC2 instance role with specific policies and optionally a different name"
+##   type        = bool
+##   default     = false
+## }
+## 
+## variable "ec2_assume_policy_document" {
+##   description = "JSON policy document for EC2 instance role (default is sts:AssumeRole for ec2 service)"
+##   type        = string
+##   default     = ""
+## }
+## 
+## variable "ec2_attached_policies" {
+##   description = "List of IAM Policy ARNs to attach to this EC2 instance role"
+##   type        = list(string)
+##   default     = []
+## }
+## 

version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.0.0"
+  _module_version = "1.0.1"
 }