update docs

terraform-modules · Mar 21, 2023 · 4601543 · 4601543
1 parent c2cc2db
commit 4601543
Show file tree

Hide file tree

Showing 6 changed files with 86 additions and 21 deletions.
diff --git a/tag-shared-vpc-resources/README.md b/tag-shared-vpc-resources/README.md
@@ -38,9 +38,28 @@ to apply tags on the local network ACLs.  There are enhancements issues for this
 # Usage
 
 ```hcl
+# use of `tf-control` wrappers sets this value to your Linux username $USER
+variable "os_username" {
+  type    = string
+  default = null
+}
+
+provider "aws" {
+  alias   = "network_account"
+  region  = var.region
+  profile = var.profile
+  assume_role {
+    role_arn     = "arn:aws-us-gov:iam::057405694017:role/r-inf-tf-remote-shared-vpc"
+    session_name = var.os_username
+  }
+}
+
 module "tag_shared" {
   source                  = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//tag-shared-vpc-resources?ref=tf-upgrade"
-  network_account_profile = "057445207498-ent-gov-network-sa"
+  providers {
+    aws = aws
+    aws.network_account = aws.network_account
+  }
 
   ## optional, with defaults
   ###  tag_enabled_vpcs = true
@@ -62,18 +81,17 @@ indicating the AWS CLI has been run to obtain the data, and the second to tag th
 You need to have these AWS CLI IAM profiles and accounts available:
 
 * AWS Profile for account where VPC resources are shared (primarily the ability to tag resoruces)
-* AWS Profile for account from which VPC resoruces are shared (read access to specific VPC resouces, `ec2:Describe*`)
+* The ability from your current profile to assume the role `r-inf-tf-remote-shared-vpc` in the Network account (this would be a different
+account for SA, Lab, or EW; that will be updated once such stuff is available).   A provider alias will be defined as shown
+in the example (though the role ARN may differ in partition or account).
 
 ## Application Requirements
 
 This requires the `aws` CLI v2.
 
 ## Input Variables
 
-* network\_account\_profile
-
-Use the appropriate source account where the VPC resource were shared as the `network_account_profile` input variable.
-The Account ID is obtained from that remote account.
+* tag\_enbled\_*
 
 ## Output Variables
 
@@ -124,7 +142,7 @@ COMMAND tf-directory-setup.py -l s3
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.66.0 |
 | <a name="requirement_ldap"></a> [ldap](#requirement\_ldap) | >= 0.5.4 |
 | <a name="requirement_local"></a> [local](#requirement\_local) | >= 1.0.0 |
@@ -181,7 +199,6 @@ No modules.
 | <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no |
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
 | <a name="input_create"></a> [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
-| <a name="input_network_account_profile"></a> [network\_account\_profile](#input\_network\_account\_profile) | AWS profile of the source account sharing the VPC resources | `string` | n/a | yes |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | <a name="input_tag_enabled_dhcp_options"></a> [tag\_enabled\_dhcp\_options](#input\_tag\_enabled\_dhcp\_options) | Flag to tag or not tag shared VPC DHCP option sets | `bool` | `true` | no |
 | <a name="input_tag_enabled_network_acls"></a> [tag\_enabled\_network\_acls](#input\_tag\_enabled\_network\_acls) | Flag to tag or not tag shared Network ACLs | `bool` | `true` | no |

diff --git a/tag-shared-vpc-resources/main.tf b/tag-shared-vpc-resources/main.tf
@@ -39,9 +39,28 @@
 * # Usage
 * 
 * ```hcl
+* # use of `tf-control` wrappers sets this value to your Linux username $USER
+* variable "os_username" {
+*   type    = string
+*   default = null
+* }
+*
+* provider "aws" {
+*   alias   = "network_account"
+*   region  = var.region
+*   profile = var.profile
+*   assume_role {
+*     role_arn     = "arn:aws-us-gov:iam::057405694017:role/r-inf-tf-remote-shared-vpc"
+*     session_name = var.os_username
+*   }
+* }
+* 
 * module "tag_shared" {
 *   source                  = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//tag-shared-vpc-resources?ref=tf-upgrade"
-*   network_account_profile = "057445207498-ent-gov-network-sa"
+*   providers {
+*     aws = aws
+*     aws.network_account = aws.network_account
+*   }
 * 
 *   ## optional, with defaults
 *   ###  tag_enabled_vpcs = true
@@ -63,18 +82,17 @@
 * You need to have these AWS CLI IAM profiles and accounts available:
 * 
 * * AWS Profile for account where VPC resources are shared (primarily the ability to tag resoruces)
-* * AWS Profile for account from which VPC resoruces are shared (read access to specific VPC resouces, `ec2:Describe*`)
+* * The ability from your current profile to assume the role `r-inf-tf-remote-shared-vpc` in the Network account (this would be a different
+* account for SA, Lab, or EW; that will be updated once such stuff is available).   A provider alias will be defined as shown
+* in the example (though the role ARN may differ in partition or account).
 * 
 * ## Application Requirements
 * 
 * This requires the `aws` CLI v2.
 * 
 * ## Input Variables
 * 
-* * network_account_profile
-* 
-* Use the appropriate source account where the VPC resource were shared as the `network_account_profile` input variable.
-* The Account ID is obtained from that remote account.
+* * tag_enbled_*
 * 
 * ## Output Variables
 * 

diff --git a/...-resources/network_account.credentials.tf → ...ources/network_account.credentials.tf.off b/...-resources/network_account.credentials.tf → ...ources/network_account.credentials.tf.off
diff --git a/tag-shared-vpc-resources/variables.auto.tfvars.example b/tag-shared-vpc-resources/variables.auto.tfvars.example
@@ -1,2 +1,2 @@
-#  network_account_profile = "057405694017-ent-gov-network-prod"
-network_account_profile = "057445207498-ent-gov-network-sa"
+# network_account_profile = "057405694017-ent-gov-network-prod"
+# network_account_profile = "057445207498-ent-gov-network-sa"
diff --git a/tag-shared-vpc-resources/variables.tf b/tag-shared-vpc-resources/variables.tf
@@ -1,7 +1,7 @@
-variable "network_account_profile" {
-  description = "AWS profile of the source account sharing the VPC resources"
-  type        = string
-}
+## variable "network_account_profile" {
+##   description = "AWS profile of the source account sharing the VPC resources"
+##   type        = string
+## }
 
 variable "tag_enabled_vpcs" {
   description = "Flag to tag or not tag shared VPCs"

diff --git a/tag-shared-vpc-resources/versions.tf b/tag-shared-vpc-resources/versions.tf
diff --git a/tag-shared-vpc-resources/versions.tf b/tag-shared-vpc-resources/versions.tf
@@ -0,0 +1,31 @@
+terraform {
+  #  experiments = [module_variable_optional_attrs]
+  required_version = ">= 1.0.0"
+  required_providers {
+    aws = {
+      source                = "hashicorp/aws"
+      version               = ">= 3.66.0"
+      configuration_aliases = [aws.network_account]
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = ">= 3.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.0"
+    }
+    template = {
+      source  = "hashicorp/template"
+      version = ">= 2.0"
+    }
+    ldap = {
+      source  = "trevex/ldap"
+      version = ">= 0.5.4"
+    }
+    local = {
+      source  = "hashicorp/local"
+      version = ">= 1.0.0"
+    }
+  }
+}