
add create flag to trigger resource create #8

Merged
merged 8 commits into from
Jan 14, 2022
8 changes: 8 additions & 0 deletions CHANGELOG.md
Expand Up @@ -50,6 +50,10 @@
* 1.3.5 -- 20220110
- add output instance_profile_name

* 1.4.0 -- 20220113
- add flag create to trigger creating or not creating the module resources
- ignore boc:tf_module_version tag in lifecycle change

## version 2.x

branch: compat-tf-0.13
Expand All @@ -72,3 +76,7 @@ tag: 2.0.1

* 2.1.1 -- 20220110
- add output instance_profile_name

* 2.2.0 -- 20220113
- add flag create to trigger creating or not creating the module resources
- ignore boc:tf_module_version tag in lifecycle change
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -144,6 +144,7 @@ No modules.
| <a name="input_assume_policy_document"></a> [assume\_policy\_document](#input\_assume\_policy\_document) | JSON policy document for role to assume (i.e., the SAML assume document) | `string` | `""` | no |
| <a name="input_attached_policies"></a> [attached\_policies](#input\_attached\_policies) | List of IAM Policy ARNs to attach to this role | `list(string)` | `[]` | no |
| <a name="input_component_tags"></a> [component\_tags](#input\_component\_tags) | Additional tags for Components (role, policy) | `map(map(string))` | <pre>{<br> "policy": {},<br> "role": {}<br>}</pre> | no |
| <a name="input_create"></a> [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
| <a name="input_enable_instance_profile"></a> [enable\_instance\_profile](#input\_enable\_instance\_profile) | Flag to enable/disable instance profile on role | `bool` | `false` | no |
| <a name="input_enable_ldap_creation"></a> [enable\_ldap\_creation](#input\_enable\_ldap\_creation) | Flag to enable/disable LDAP object creation for role group (for SAML only). Also requires LDAP credentials. | `bool` | `false` | no |
| <a name="input_inline_policies"></a> [inline\_policies](#input\_inline\_policies) | List of IAM Policy Document objects to include in this role. Format is {name=name,policy=policy-json} | `list(object({ name = string, policy = string }))` | `[]` | no |
52 changes: 35 additions & 17 deletions main.tf
Expand Up @@ -118,14 +118,14 @@ locals {
# ec2_role_name = format("%v-ec2-%v", lookup(local._prefixes, "role", ""), local._ec2_role_name)
# ec2_policy_name = format("%v-ec2-%v", lookup(local._prefixes, "policy", ""), local._ec2_role_name)

ldap_exists = fileexists("${path.root}/setup/${aws_iam_role.role.name}.ldif")
ldap_exists = fileexists("${path.root}/setup/${local.role_name}.ldif")
bocappdata_auth = local.account_environment == "gov" ? "Cloud_AWSGovCloud_Auth" : "Cloud_AWS_Auth"
bocappdata_fullauth = format("gov.census.tco:%v=%v,%v", local.bocappdata_auth, aws_iam_role.role.arn, var.saml_provider_arn)
bocappdata_fullauth = format("gov.census.tco:%v=%v,%v", local.bocappdata_auth, var.create ? aws_iam_role.role[0].arn : "", var.saml_provider_arn)
bocappdata_approval = format("gov.census.tco:%v=%v", "CPASS_ApprovalGroup", "cn=CloudServices_Approvers,ou=CloudServices,ou=Administration,ou=eCustomers,o=U.S. Census Bureau,c=US")

ldap_provider_exists = data.external.ldap_provider_bin.result.status == "0" ? true : false
enable_ldap = var.enable_ldap_creation && var.ldap_user != "" && var.ldap_password != "" && var.saml_provider_arn != "" && local.ldap_provider_exists
ldap_dn = format("cn=%s,ou=%s,ou=AWS,ou=Cloud,ou=Application,o=U.S. Census Bureau,c=US", aws_iam_role.role.name, local.account_id)
ldap_dn = format("cn=%s,ou=%s,ou=AWS,ou=Cloud,ou=Application,o=U.S. Census Bureau,c=US", var.create ? aws_iam_role.role[0].name : "", local.account_id)

base_tags = {
"boc:tf_module_version" = local._module_version
Expand All @@ -134,6 +134,7 @@ locals {
}

resource "aws_iam_role" "role" {
count = var.create ? 1 : 0
name = local.role_name
description = local.role_description
force_detach_policies = local._defaults["force_detach_policies"]
Expand All @@ -150,6 +151,10 @@ resource "aws_iam_role" "role" {
}
}

lifecycle {
ignore_changes = [tags["boc:tf_module_version"]]
}

tags = merge(
var.tags,
local.base_tags,
Expand All @@ -159,45 +164,58 @@ resource "aws_iam_role" "role" {
}

resource "aws_iam_role_policy_attachment" "role" {
for_each = toset(var.attached_policies)
role = aws_iam_role.role.name
for_each = var.create ? toset(var.attached_policies) : toset([])
role = var.create ? aws_iam_role.role[0].name : ""
policy_arn = each.value
}

resource "aws_iam_instance_profile" "role" {
count = var.enable_instance_profile ? 1 : 0
name = aws_iam_role.role.name
role = aws_iam_role.role.name
path = var.instance_profile_path
count = var.enable_instance_profile && var.create ? 1 : 0
# name = aws_iam_role.role.name
name = var.create ? aws_iam_role.role[0].name : ""
# role = aws_iam_role.role.name
role = var.create ? aws_iam_role.role[0].name : ""
path = var.instance_profile_path
}

data "template_file" "role" {
count = local.enable_ldap ? 1 : 0
count = local.enable_ldap && var.create ? 1 : 0
template = file("${path.module}/templates/iam-role-ldif.${local.account_environment}.tpl")
vars = {
role_name = aws_iam_role.role.name
role_arn = aws_iam_role.role.arn
# role_name = aws_iam_role.role.name
role_name = var.create ? aws_iam_role.role[0].name : ""
# role_arn = aws_iam_role.role.arn
role_arn = var.create ? aws_iam_role.role[0].arn : ""
account_id = local.account_id
saml_provider_arn = var.saml_provider_arn
aws_environment = local.account_environment
}
}

resource "null_resource" "role_ldif" {
count = local.enable_ldap ? 1 : 0
count = var.create && local.enable_ldap ? 1 : 0
triggers = {
name = local.role_name
}

provisioner "local-exec" {
command = "test -d ${path.root}/setup || mkdir ${path.root}/setup"
}
provisioner "local-exec" {
command = "echo '${data.template_file.role[0].rendered}' > ${path.root}/setup/${aws_iam_role.role.name}.ldif"
command = "echo '${data.template_file.role[0].rendered}' > ${path.root}/setup/${local.role_name}.ldif"
}
# does not work in 0.12
# provisioner "local-exec" {
# when = destroy
# command = format("rm -f %v/setup/%v.ldif", path.root, self.triggers.name)
# }
provisioner "local-exec" {
command = "echo 'Once complete, execute tf-apply again to create LDAP group'"
}
}

resource "ldap_object" "role" {
count = local.ldap_exists && local.enable_ldap ? 1 : 0
count = var.create && local.ldap_exists && local.enable_ldap ? 1 : 0
# count = local.enable_ldap ? 1 : 0
provider = ldap
dn = local.ldap_dn
Expand All @@ -207,8 +225,8 @@ resource "ldap_object" "role" {
"groupOfNames",
]
attributes = [
{ description = format("%s account=%s type=%s", aws_iam_role.role.name, local.account_id, local.account_environment) },
{ cn = aws_iam_role.role.name },
{ description = format("%s account=%s type=%s", var.create ? aws_iam_role.role[0].name : "", local.account_id, local.account_environment) },
{ cn = var.create ? aws_iam_role.role[0].name : "" },
{ bocApplicationData = format("gov.census.tco:CPASS_FullPath=Cloud/%s/%s", local.account_environment, local.account_id) },
{ bocApplicationData = "gov.census.tco:CPASS_APP=CloudServices" },
{ bocApplicationData = local.bocappdata_fullauth },
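Review bot: The `var.create ? aws_iam_role.role[0].name : ""` ternaries inside aws_iam_instance_profile.role, data.template_file.role, ldap_object.role and aws_iam_role_policy_attachment.role are redundant, because each of those bodies is only evaluated when its `count`/`for_each` on var.create is non-empty; `role = aws_iam_role.role[0].name` (and likewise for `name`, `role_name`, `role_arn`, `cn` and the description `format`) keeps the implicit dependency on the role and reads as intended. The ternary is only needed where the expression is evaluated unconditionally, i.e. the locals bocappdata_fullauth and ldap_dn and the outputs. The commented-out previous lines left on the new side (`# name = aws_iam_role.role.name`, `# role = aws_iam_role.role.name`, `# role_name = …`, `# role_arn = …`, `# count = local.enable_ldap ? 1 : 0`) should be dropped rather than kept as history in the file. Separately, the local-exec in null_resource.role_ldif still writes the LDIF by interpolating path.root, local.role_name and the rendered template into an `echo '…' >` shell command, so a single quote or shell metacharacter in any of them alters the command; writing the rendered content through a `local_file` resource would keep the shell out of that path.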
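--- a/outputs.tf
+++ b/outputs.tf
@@ -1,25 +1,25 @@
 
 output "role_arn" {
 description = "Created role ARN"
-value = aws_iam_role.role.arn
+value = var.create ? aws_iam_role.role[0].arn : ""
 }
 
 output "role_name" {
 description = "Created role name"
-value = aws_iam_role.role.name
+value = var.create ? aws_iam_role.role[0].name : ""
 }
 
 output "ldap_dn" {
 description = "Created LDAP DN for role (empty if ldap is not enabled)"
-value = local.enable_ldap ? local.ldap_dn : ""
+value = local.enable_ldap && var.create ? local.ldap_dn : ""
 }
 
 output "instance_profile_arn" {
 description = "Created instance profile ARN, if enabled"
-value = var.enable_instance_profile ? aws_iam_instance_profile.role[0].arn : ""
+value = var.create && var.enable_instance_profile ? aws_iam_instance_profile.role[0].arn : ""
 }
 
 output "instance_profile_name" {
 description = "Created instance profile name, if enabled"
-value = var.enable_instance_profile ? aws_iam_instance_profile.role[0].name : ""
+value = var.create && var.enable_instance_profile ? aws_iam_instance_profile.role[0].name : ""
 }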
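Review bot: The descriptions of role_arn and role_name (`"Created role ARN"`, `"Created role name"`) are not updated to say that the value is now the empty string when var.create is false, although ldap_dn's description already documents its own empty case; a consumer reading `terraform output` cannot distinguish a deliberately skipped role from a broken one. Suggest `description = "Created role ARN (empty if create is false)"` and the equivalent wording for role_name, instance_profile_arn and instance_profile_name.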
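--- a/variables.create.tf
+++ b/variables.create.tf
@@ -0,0 +1,6 @@
+variable "create" {
+description = "Flag to indicate whether to create the resources or not (default: true)"
+type = bool
+default = true
+}
+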
4 changes: 2 additions & 2 deletions version.tf
@@ -1,4 +1,4 @@
locals {
_module_version = "1.3.5"
# _module_version = "2.1.1"
_module_version = "1.4.0"
# _module_version = "2.2.0"
}