diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1c49de1..b3be069 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -125,3 +125,4 @@
- change versions.tf to add trevx/ldap
- flowlogs-role
- source aws-iam-role?ref=tf-upgrade
+ -remove module call, incorporate necessary role code
diff --git a/flowlogs-role/README.md b/flowlogs-role/README.md
index 39bb54b..57e7a59 100644
--- a/flowlogs-role/README.md
+++ b/flowlogs-role/README.md
@@ -32,16 +32,16 @@ module "role_flowlogs" {
## Modules
-| Name | Source | Version |
-|------|--------|---------|
-| [flowlogs](#module\_flowlogs) | git@github.e.it.census.gov:terraform-modules/aws-iam-role.git | tf-upgrade |
+No modules.
## Resources
| Name | Type |
|------|------|
| [aws_iam_policy.flowlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.flowlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.flowlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -57,6 +57,8 @@ module "role_flowlogs" {
| [attached\_policies](#input\_attached\_policies) | List of IAM Policy ARNs to attach to this role | `list(string)` | `[]` | no |
| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
| [regions](#input\_regions) | List of AWS Regions for which to grant Kinesis stream access | `list(string)` | `[]` | no |
+| [role\_description](#input\_role\_description) | Role/application description | `string` | `""` | no |
+| [role\_name](#input\_role\_name) | Role/application name without prefix | `string` | `"inf-flowlogs"` | no |
| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
## Outputs
diff --git a/flowlogs-role/main.tf b/flowlogs-role/main.tf
index 7f0b54c..1d8ac05 100644
--- a/flowlogs-role/main.tf
+++ b/flowlogs-role/main.tf
@@ -31,20 +31,52 @@ locals {
format("arn:%v:kinesis:%v:%v:stream/%vvpc*", data.aws_arn.current.partition, r, data.aws_caller_identity.current.account_id, local._prefixes["log-stream"])]
}
-module "flowlogs" {
- source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=tf-upgrade"
+## remove this, use just a small role call as we don't need the full set of capabilties
+## module "flowlogs" {
+## source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=tf-upgrade"
+##
+## role_name = "inf-flowlogs"
+## enable_ldap_creation = false
+## assume_policy_document = data.aws_iam_policy_document.flowlogs_assume.json
+## attached_policies = var.attached_policies
+##
+## tags = merge(
+## local.base_tags,
+## var.tags
+## )
+## }
- role_name = "inf-flowlogs"
- enable_ldap_creation = false
- assume_policy_document = data.aws_iam_policy_document.flowlogs_assume.json
- attached_policies = var.attached_policies
+locals {
+ role_name = format("%v%v", lookup(local._prefixes, "role", ""), var.role_name)
+ role_description = var.role_description == "" ? format("%vRole for %v", local.saml_string, var.role_name) : var.role_description
+ policy_name = format("%v%v", lookup(local._prefixes, "policy", ""), var.role_name)
+}
+
+resource "aws_iam_role" "role" {
+ name = local.role_name
+ description = local.role_description
+ force_detach_policies = local._defaults["force_detach_policies"]
+ max_session_duration = var.max_session_duration
+ assume_role_policy = data.aws_iam_policy_document.flowlogs_assume.json
+
+ lifecycle {
+ ignore_changes = [tags["boc:tf_module_version"]]
+ }
tags = merge(
+ var.tags,
local.base_tags,
- var.tags
+ lookup(var.component_tags, "role", {}),
+ tomap({ Name = local.role_name })
)
}
+resource "aws_iam_role_policy_attachment" "role" {
+ for_each = toset(var.attached_policies)
+ role = aws_iam_role.role.name
+ policy_arn = each.value
+}
+
#---
# setup policy for flowlogs
# attach after creation of the role. This is because the policy references the role ARN
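Review bot: The new `aws_iam_role.role` resource references `var.max_session_duration` (`max_session_duration = var.max_session_duration`) and `var.component_tags` (in the `tags` merge), but neither appears in the module's inputs — the README input table in this commit lists only attached_policies, override_prefixes, regions, role_description, role_name and tags, and variables.tf adds only role_name and role_description — so `terraform validate` will fail on undeclared variables; `local._defaults` and `local.saml_string` are presumably defined in the locals block that starts above this hunk, but that should be confirmed too. Either declare those two variables or drop the lines and hard-code the role's `max_session_duration` (the AWS default is 3600 seconds if omitted). Separately, the tag merge order is reversed from the removed module call: `merge(var.tags, local.base_tags, ...)` now lets `local.base_tags` override caller-supplied tags, where `merge(local.base_tags, var.tags)` previously let callers win — if that is intended as a guard so callers cannot overwrite governance tags, say so with a comment such as `# base/component tags win over var.tags so callers cannot override governance tagging`. The `##`-commented copy of the old module block should be deleted rather than kept; the CHANGELOG and git history already record it.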
@@ -58,7 +90,7 @@ resource "aws_iam_policy" "flowlogs" {
}
resource "aws_iam_role_policy_attachment" "flowlogs" {
- role = module.flowlogs.role_name
+ role = aws_iam_role.role.role_name
policy_arn = aws_iam_policy.flowlogs.arn
}
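Review bot: `aws_iam_role.role.role_name` is not a valid attribute of the `aws_iam_role` resource; the attribute is `name`, so this attachment will fail at plan time. The line should read `role = aws_iam_role.role.name`, matching the `aws_iam_role_policy_attachment.role` resource added earlier in this file.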
@@ -81,7 +113,7 @@ data "aws_iam_policy_document" "flowlogs" {
sid = "VPCFlowLogsKinesisPassRole"
effect = "Allow"
actions = ["iam:PassRole"]
- resources = [module.flowlogs.role_arn]
+ resources = [aws_iam_role.role.arn]
}
statement {
sid = "VPCFlowLogsKinesis"
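Review bot: The `VPCFlowLogsKinesisPassRole` statement now grants `iam:PassRole` on the role's own ARN with no service restriction, which lets any principal holding this role pass it to any AWS service that accepts it, not only VPC Flow Logs. Consider adding a condition block such as `condition { test = "StringEquals"; variable = "iam:PassedToService"; values = ["vpc-flow-logs.amazonaws.com"] }` — the exact service principal should be confirmed against the `flowlogs_assume` document, which is outside this hunk. The statement block continues past the end of the hunk.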
diff --git a/flowlogs-role/outputs.tf b/flowlogs-role/outputs.tf
index 515aafe..fa1e8c1 100644
--- a/flowlogs-role/outputs.tf
+++ b/flowlogs-role/outputs.tf
@@ -1,4 +1,4 @@
output "role_arn" {
description = "Created flowlogs role ARN"
- value = module.flowlogs.role_arn
+ value = aws_iarm_role.role.arn
}
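Review bot: `aws_iarm_role.role.arn` is a typo for `aws_iam_role.role.arn` and will fail with an unknown resource type; the output line should be `value = aws_iam_role.role.arn`. Since `role_arn` is the module's only consumer-facing output, the error would surface on every caller, so this is worth fixing before merge.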
diff --git a/flowlogs-role/variables.tf b/flowlogs-role/variables.tf
index c419c06..803036d 100644
--- a/flowlogs-role/variables.tf
+++ b/flowlogs-role/variables.tf
@@ -9,3 +9,15 @@ variable "regions" {
type = list(string)
default = []
}
+
+variable "role_name" {
+ description = "Role/application name without prefix"
+ type = string
+ default = "inf-flowlogs"
+}
+
+variable "role_description" {
+ description = "Role/application description"
+ type = string
+ default = ""
+}
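Review bot: main.tf in this commit reads `var.max_session_duration` and `var.component_tags`, but this file declares only `regions`, `role_name` and `role_description`, so the module cannot validate until those inputs exist. Declaring them here with safe defaults keeps the behaviour of the role resource explicit; the description strings below are suggestions and should be aligned with whatever the removed `aws-iam-role` module documented.

```terraform
# … unchanged: regions, role_name, role_description …

variable "max_session_duration" {
  description = "Maximum session duration (seconds) for the role; 3600 is the AWS default"
  type        = number
  default     = 3600
}

variable "component_tags" {
  description = "Per-component tag overrides keyed by component name (e.g. \"role\"), merged after base tags"
  type        = map(map(string))
  default     = {}
}
```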