diff --git a/tag-shared-vpc-resources/README.md b/tag-shared-vpc-resources/README.md
index 39019de..c5785a4 100644
--- a/tag-shared-vpc-resources/README.md
+++ b/tag-shared-vpc-resources/README.md
@@ -200,6 +200,8 @@ No modules.
| [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
| [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [profile](#input\_profile) | AWS profile of the account in which this is running | `string` | n/a | yes |
+| [role\_arn](#input\_role\_arn) | AWS Role ARN of the target account, the network account where the shared VPC resources are configured, from which to pull tag data | `string` | n/a | yes |
| [tag\_enabled\_dhcp\_options](#input\_tag\_enabled\_dhcp\_options) | Flag to tag or not tag shared VPC DHCP option sets | `bool` | `true` | no |
| [tag\_enabled\_network\_acls](#input\_tag\_enabled\_network\_acls) | Flag to tag or not tag shared Network ACLs | `bool` | `true` | no |
| [tag\_enabled\_route\_tables](#input\_tag\_enabled\_route\_tables) | Flag to tag or not tag shared VPC route tables | `bool` | `true` | no |
diff --git a/tag-shared-vpc-resources/bin/assume_role_wrapper.sh b/tag-shared-vpc-resources/bin/assume_role_wrapper.sh
new file mode 120000
index 0000000..e8a1994
--- /dev/null
+++ b/tag-shared-vpc-resources/bin/assume_role_wrapper.sh
@@ -0,0 +1 @@
+../../bin/assume_role_wrapper.sh
\ No newline at end of file
diff --git a/tag-shared-vpc-resources/tag-network-acls.tf b/tag-shared-vpc-resources/tag-network-acls.tf
index 6ca4045..acbd9c7 100644
--- a/tag-shared-vpc-resources/tag-network-acls.tf
+++ b/tag-shared-vpc-resources/tag-network-acls.tf
@@ -18,6 +18,8 @@ data "aws_network_acls" "network_acls" {
# there is no aws_network_acl data resource. Fake this out with null_resource
# aws --profile "057445207498-ent-gov-network-sa" --region $(get-region) ec2 describe-network-acls --network-acl-id "acl-0c19a5f3ea6a86d51" > X.json
+# there is still no aws_network_acl, but there is an issue for it
+# https://github.com/hashicorp/terraform-provider-aws/issues/19754
resource "null_resource" "network_acl" {
for_each = toset(flatten(concat([for k, v in data.aws_network_acls.network_acls : v.ids])))
@@ -34,10 +36,11 @@ resource "null_resource" "network_acl" {
provisioner "local-exec" {
working_dir = "${path.root}/${self.triggers.directory}"
- command = "aws ec2 describe-network-acls --network-acl-id ${each.key} --output json > ${self.triggers.filename}"
+ command = "${path.module}/bin/assume_role_wrapper.sh aws ec2 describe-network-acls --network-acl-id ${each.key} --output json > ${self.triggers.filename}"
environment = {
- AWS_PROFILE = var.network_account_profile
+ AWS_PROFILE = var.profile
AWS_REGION = local.region
+ ROLE_ARN = var.network_role_arn
}
}
}
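Review bot: The environment block sets `ROLE_ARN = var.network_role_arn`, but the input this commit declares in variables.tf and documents in the README is `role_arn`; unless `network_role_arn` is already declared elsewhere in the module, the configuration fails validation on an undeclared variable, and the line intended here appears to be `ROLE_ARN = var.role_arn`. Whichever name is kept, the variables.tf hunk should agree with it. Separately, the command now reaches the wrapper through `${path.module}/bin/assume_role_wrapper.sh`, which the commit adds as a symlink to `../../bin/`, outside the module directory, so the provisioner presumably only works when the module is used in-tree and would fail if the module is fetched on its own; a short comment on the command line such as `# assume_role_wrapper.sh is a symlink into ../../bin — module must stay in-tree` would save the next reader a puzzled apply failure. The `null_resource "network_acl"` block begins before this hunk.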
diff --git a/tag-shared-vpc-resources/variables.tf b/tag-shared-vpc-resources/variables.tf
index b6bfe90..7b15850 100644
--- a/tag-shared-vpc-resources/variables.tf
+++ b/tag-shared-vpc-resources/variables.tf
@@ -38,3 +38,13 @@ variable "tag_enabled_transit_gateway" {
type = bool
default = true
}
+
+variable "profile" {
+ description = "AWS profile of the account in which this is running"
+ type = string
+}
+
+variable "role_arn" {
+ description = "AWS Role ARN of the target account, the network account where the shared VPC resources are configured, from which to pull tag data"
+ type = string
+}
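Review bot: `role_arn` has no `validation` block, so a malformed or empty ARN is only discovered when the `local-exec` provisioner runs during apply, inside the wrapper script, rather than at plan time. Since the only consumer visible in this commit is the `ROLE_ARN` environment variable of the network-ACL provisioner, a plan-time check that the value is an IAM role ARN gives a clearer failure and keeps a bad value from ever being handed to the assume-role call. A constructed pattern is shown below; adjust the partition list if GovCloud or China partitions are in scope.
```hcl
variable "role_arn" {
  # … unchanged: description, type …

  validation {
    condition     = can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:role/", var.role_arn))
    error_message = "role_arn must be an IAM role ARN of the form arn:<partition>:iam::<account-id>:role/<name>."
  }
}
```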