pull out role calling due to count

CHANGELOG.md

@@ -125,3 +125,4 @@
     - change versions.tf to add trevx/ldap
   - flowlogs-role
     - source aws-iam-role?ref=tf-upgrade
+     -remove module call, incorporate necessary role code

flowlogs-role/README.md

@@ -32,16 +32,16 @@ module "role_flowlogs" {
 
 ## Modules
 
-| Name | Source | Version |
-|------|--------|---------|
-| <a name="module_flowlogs"></a> [flowlogs](#module\_flowlogs) | git@github.e.it.census.gov:terraform-modules/aws-iam-role.git | tf-upgrade |
+No modules.
 
 ## Resources
 
 | Name | Type |
 |------|------|
 | [aws_iam_policy.flowlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.flowlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.flowlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -57,6 +57,8 @@ module "role_flowlogs" {
 | <a name="input_attached_policies"></a> [attached\_policies](#input\_attached\_policies) | List of IAM Policy ARNs to attach to this role | `list(string)` | `[]` | no |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | <a name="input_regions"></a> [regions](#input\_regions) | List of AWS Regions for which to grant Kinesis stream access | `list(string)` | `[]` | no |
+| <a name="input_role_description"></a> [role\_description](#input\_role\_description) | Role/application description | `string` | `""` | no |
+| <a name="input_role_name"></a> [role\_name](#input\_role\_name) | Role/application name without prefix | `string` | `"inf-flowlogs"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
 
 ## Outputs

flowlogs-role/main.tf

@@ -31,20 +31,52 @@ locals {
   format("arn:%v:kinesis:%v:%v:stream/%vvpc*", data.aws_arn.current.partition, r, data.aws_caller_identity.current.account_id, local._prefixes["log-stream"])]
 }
 
-module "flowlogs" {
-  source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=tf-upgrade"
+## remove this, use just a small role call as we don't need the full set of capabilties
+## module "flowlogs" {
+##   source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=tf-upgrade"
+## 
+##   role_name              = "inf-flowlogs"
+##   enable_ldap_creation   = false
+##   assume_policy_document = data.aws_iam_policy_document.flowlogs_assume.json
+##   attached_policies      = var.attached_policies
+## 
+##   tags = merge(
+##     local.base_tags,
+##     var.tags
+##   )
+## }
 
-  role_name              = "inf-flowlogs"
-  enable_ldap_creation   = false
-  assume_policy_document = data.aws_iam_policy_document.flowlogs_assume.json
-  attached_policies      = var.attached_policies
+locals {
+  role_name        = format("%v%v", lookup(local._prefixes, "role", ""), var.role_name)
+  role_description = var.role_description == "" ? format("%vRole for %v", local.saml_string, var.role_name) : var.role_description
+  policy_name      = format("%v%v", lookup(local._prefixes, "policy", ""), var.role_name)
+}
+
+resource "aws_iam_role" "role" {
+  name                  = local.role_name
+  description           = local.role_description
+  force_detach_policies = local._defaults["force_detach_policies"]
+  max_session_duration  = var.max_session_duration
+  assume_role_policy    = data.aws_iam_policy_document.flowlogs_assume.json
+
+  lifecycle {
+    ignore_changes = [tags["boc:tf_module_version"]]
+  }
 
   tags = merge(
+    var.tags,
     local.base_tags,
-    var.tags
+    lookup(var.component_tags, "role", {}),
+    tomap({ Name = local.role_name })
   )
 }
 
+resource "aws_iam_role_policy_attachment" "role" {
+  for_each   = toset(var.attached_policies)
+  role       = aws_iam_role.role.name
+  policy_arn = each.value
+}
+
 #---
 # setup policy for flowlogs
 #  attach after creation of the role. This is because the policy references the role ARN
@@ -58,7 +90,7 @@ resource "aws_iam_policy" "flowlogs" {
 }
 
 resource "aws_iam_role_policy_attachment" "flowlogs" {
-  role       = module.flowlogs.role_name
+  role       = aws_iam_role.role.role_name
   policy_arn = aws_iam_policy.flowlogs.arn
 }
 
@@ -81,7 +113,7 @@ data "aws_iam_policy_document" "flowlogs" {
     sid       = "VPCFlowLogsKinesisPassRole"
     effect    = "Allow"
     actions   = ["iam:PassRole"]
-    resources = [module.flowlogs.role_arn]
+    resources = [aws_iam_role.role.arn]
   }
   statement {
     sid       = "VPCFlowLogsKinesis"

flowlogs-role/outputs.tf

@@ -1,4 +1,4 @@
 output "role_arn" {
   description = "Created flowlogs role ARN"
-  value       = module.flowlogs.role_arn
+  value       = aws_iarm_role.role.arn
 }

flowlogs-role/variables.tf

@@ -9,3 +9,15 @@ variable "regions" {
   type        = list(string)
   default     = []
 }
+
+variable "role_name" {
+  description = "Role/application name without prefix"
+  type        = string
+  default     = "inf-flowlogs"
+}
+
+variable "role_description" {
+  description = "Role/application description"
+  type        = string
+  default     = ""
+}