update

terraform-modules · Mar 21, 2023 · 3dd2ef9 · 3dd2ef9
1 parent 84bff5c
commit 3dd2ef9
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 2 deletions.
diff --git a/tag-shared-vpc-resources/README.md b/tag-shared-vpc-resources/README.md
@@ -200,6 +200,8 @@ No modules.
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
 | <a name="input_create"></a> [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_profile"></a> [profile](#input\_profile) | AWS profile of the account in which this is running | `string` | n/a | yes |
+| <a name="input_role_arn"></a> [role\_arn](#input\_role\_arn) | AWS Role ARN of the target account, the network account where the shared VPC resources are configured, from which to pull tag data | `string` | n/a | yes |
 | <a name="input_tag_enabled_dhcp_options"></a> [tag\_enabled\_dhcp\_options](#input\_tag\_enabled\_dhcp\_options) | Flag to tag or not tag shared VPC DHCP option sets | `bool` | `true` | no |
 | <a name="input_tag_enabled_network_acls"></a> [tag\_enabled\_network\_acls](#input\_tag\_enabled\_network\_acls) | Flag to tag or not tag shared Network ACLs | `bool` | `true` | no |
 | <a name="input_tag_enabled_route_tables"></a> [tag\_enabled\_route\_tables](#input\_tag\_enabled\_route\_tables) | Flag to tag or not tag shared VPC route tables | `bool` | `true` | no |

diff --git a/tag-shared-vpc-resources/bin/assume_role_wrapper.sh b/tag-shared-vpc-resources/bin/assume_role_wrapper.sh
@@ -0,0 +1 @@
+../../bin/assume_role_wrapper.sh
diff --git a/tag-shared-vpc-resources/tag-network-acls.tf b/tag-shared-vpc-resources/tag-network-acls.tf
@@ -18,6 +18,8 @@ data "aws_network_acls" "network_acls" {
 
 # there is no aws_network_acl data resource. Fake this out with null_resource
 #  aws --profile "057445207498-ent-gov-network-sa" --region $(get-region) ec2 describe-network-acls --network-acl-id "acl-0c19a5f3ea6a86d51"  > X.json
+# there is still no aws_network_acl, but there is an issue for it
+#   https://github.com/hashicorp/terraform-provider-aws/issues/19754
 
 resource "null_resource" "network_acl" {
   for_each = toset(flatten(concat([for k, v in data.aws_network_acls.network_acls : v.ids])))
@@ -34,10 +36,11 @@ resource "null_resource" "network_acl" {
 
   provisioner "local-exec" {
     working_dir = "${path.root}/${self.triggers.directory}"
-    command     = "aws ec2 describe-network-acls --network-acl-id ${each.key} --output json > ${self.triggers.filename}"
+    command     = "${path.module}/bin/assume_role_wrapper.sh aws ec2 describe-network-acls --network-acl-id ${each.key} --output json > ${self.triggers.filename}"
     environment = {
-      AWS_PROFILE = var.network_account_profile
+      AWS_PROFILE = var.profile
       AWS_REGION  = local.region
+      ROLE_ARN    = var.network_role_arn
     }
   }
 }

diff --git a/tag-shared-vpc-resources/variables.tf b/tag-shared-vpc-resources/variables.tf
@@ -38,3 +38,13 @@ variable "tag_enabled_transit_gateway" {
   type        = bool
   default     = true
 }
+
+variable "profile" {
+  description = "AWS profile of the account in which this is running"
+  type        = string
+}
+
+variable "role_arn" {
+  description = "AWS Role ARN of the target account, the network account where the shared VPC resources are configured, from which to pull tag data"
+  type        = string
+}