support for terraform 0.12

terraform-modules · Jul 7, 2019 · 0ca6229 · 0ca6229
1 parent 5321b2a
commit 0ca6229
Show file tree

Hide file tree

Showing 5 changed files with 44 additions and 32 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,2 +1,4 @@
 * v1.0.0	tag initial release
 
+* v2.0.0	terraform 0.12 support
+
diff --git a/main.tf b/main.tf
@@ -1,58 +1,63 @@
 /**
  * Usage:
 * 
+* for terraform 0.11, use v1.0.0 (tf-0.11)
+* for terraform 0.12, use v2.0.0 (or later), or branch tf-upgrade-0.12 (tf-0.12)
+*
 * module "scanner" {
 *   source = "../module/aws-security-audit"
+*   source = "git::https://vc1.csvd.census.gov/terraform-modules/aws-security-audit.git?ref=tf-upgrade-0.12
 * 
 *   group = "g-audit-group"
 *   users = [ "s-ois-scan" ]
 *   email_addresses = [ "ois.compliance.scanning.group@census.gov" ]
 *   create_access_keys = true
-*   pgp_key = "${file(filename.b64)}"
+*   pgp_key = file(filename.b64)
 * }
 */
 
 locals {
-  #  security-audit-policies = ["${data.aws_iam_policy.aws-managed-security-audit.arn}", "$(aws_iam_policy.audit.arn}"]
-  enable_access_keys = "${var.create_access_keys ? length(var.users) : 0 }"
+  #  security-audit-policies = [ data.aws_iam_policy.aws-managed-security-audit.arn, aws_iam_policy.audit.arn ]
+  enable_access_keys = var.create_access_keys ? length(var.users) : 0
 }
 
 #---
 # used to get the partition from arn
 #---
-data "aws_caller_identity" "current" {}
+data "aws_caller_identity" "current" {
+}
 
 data "aws_arn" "current" {
-  arn = "${data.aws_caller_identity.current.arn}"
+  arn = data.aws_caller_identity.current.arn
 }
 
 #---
 # user setup
 #---
 resource "aws_iam_user" "audit" {
-  count = "${length(var.users)}"
-  name  = "${var.users[count.index]}"
+  count = length(var.users)
+  name  = var.users[count.index]
   tags = {
-    "EmailAddress" = "${var.email_addresses[count.index]}"
+    "EmailAddress" = var.email_addresses[count.index]
   }
 }
 
 #---
 # group setup
 #---
 resource "aws_iam_group" "audit" {
-  name = "${var.group}"
+  name = var.group
 }
 
 #---
 # group membership
 #---
 resource "aws_iam_group_membership" "audit" {
-  count      = "${length(var.users)}"
-  name       = "${var.group}"
-  group      = "${aws_iam_group.audit.name}"
-  users      = ["${var.users}"]
-  depends_on = ["aws_iam_user.audit"]
+  count      = length(var.users)
+  name       = var.group
+  group      = aws_iam_group.audit.name
+  users      = var.users
+  depends_on = [aws_iam_user.audit]
 }
 
 #---
@@ -69,10 +74,10 @@ data "aws_iam_policy_document" "audit" {
 }
 
 resource "aws_iam_policy" "audit" {
-  name        = "${var.policy}"
+  name        = var.policy
   path        = "/"
   description = "Policy for Security Auditing"
-  policy      = "${data.aws_iam_policy_document.audit.json}"
+  policy      = data.aws_iam_policy_document.audit.json
 }
 
 data "aws_iam_policy" "aws-managed-security-audit" {
@@ -86,21 +91,21 @@ data "aws_iam_policy" "aws-managed-security-audit" {
 #}
 
 resource "aws_iam_group_policy_attachment" "audit-0" {
-  group      = "${aws_iam_group.audit.name}"
-  policy_arn = "${aws_iam_policy.audit.arn}"
+  group      = aws_iam_group.audit.name
+  policy_arn = aws_iam_policy.audit.arn
 }
 
 resource "aws_iam_group_policy_attachment" "audit-1" {
-  group      = "${aws_iam_group.audit.name}"
-  policy_arn = "${data.aws_iam_policy.aws-managed-security-audit.arn}"
+  group      = aws_iam_group.audit.name
+  policy_arn = data.aws_iam_policy.aws-managed-security-audit.arn
 }
 
 #---
 # access key (not for rotation)
 #---
 resource "aws_iam_access_key" "audit" {
-  #  count = "${length(var.users)}"
-  count   = "${local.enable_access_keys}"
-  user    = "${aws_iam_user.audit.*.name[count.index]}"
-  pgp_key = "${var.pgp_key}"
+  count   = local.enable_access_keys
+  user    = aws_iam_user.audit[count.index].name
+  pgp_key = var.pgp_key
 }
+
diff --git a/outputs.tf b/outputs.tf
@@ -1,23 +1,24 @@
 output "user" {
   description = "Users created"
-  value       = ["${aws_iam_user.audit.*.name}"]
+  value       = [aws_iam_user.audit.*.name]
 }
 
 output "aws_access_key_id" {
   description = "Access Key IDs for Users"
-  value       = "${aws_iam_access_key.audit.*.id}"
+  value       = aws_iam_access_key.audit.*.id
 }
 
 locals {
-  encrypted_secret = "${join(",",aws_iam_access_key.audit.*.encrypted_secret)}"
+  encrypted_secret = join(",", aws_iam_access_key.audit.*.encrypted_secret)
 
   #  encrypted_secret = "${join(",",aws_iam_access_key.audit.*.secret)}"
   #  notencrypted_secret = "${join(",",aws_iam_access_key.audit.*.secret)}"
   #  secret              = "${var.pgp_key == "" ? local.notencrypted_secret : local.encrypted_secret}"
-  secret = "${local.encrypted_secret}"
+  secret = local.encrypted_secret
 }
 
 output "aws_secret_access_key" {
   description = "Access Secret Key IDs for Users"
-  value       = ["${split(",",local.secret)}"]
+  value       = [split(",", local.secret)]
 }
+
diff --git a/variables.tf b/variables.tf
@@ -6,14 +6,14 @@ variable "group" {
 variable "users" {
   description = "Security Audit IAM user name(s)"
 
-  type    = "list"
+  type    = list(string)
   default = ["s-inf-security-audit"]
 }
 
 variable "email_addresses" {
   description = "Security Audit IAM Email Contact List(s)"
 
-  type    = "list"
+  type    = list(string)
   default = ["ois.compliance.scanning.group@census.gov"]
 }
 
@@ -31,6 +31,6 @@ variable "create_access_keys" {
 // Typical use to use "${file("filename.b64")}"
 variable "pgp_key" {
   description = "PGP key used to encrypt access key"
-
   #  default     = ""
 }
+
diff --git a/versions.tf b/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+  required_version = ">= 0.12"
+}