feat: passing the tags to the iam policies

appvia · Apr 23, 2024 · 7a012cb · 7a012cb
1 parent 37fcf02
commit 7a012cb
Show file tree

Hide file tree

Showing 7 changed files with 64 additions and 98 deletions.
diff --git a/examples/provider/.terraform.lock.hcl b/examples/provider/.terraform.lock.hcl
diff --git a/examples/remote_state/.terraform.lock.hcl b/examples/remote_state/.terraform.lock.hcl
diff --git a/examples/role/.terraform.lock.hcl b/examples/role/.terraform.lock.hcl
diff --git a/modules/role/data.tf b/modules/role/data.tf
@@ -1,5 +1,11 @@
 
 ## Retrieve the current AWS account identity 
 data "aws_caller_identity" "current" {}
+
 ## Retrieve the current AWS region
 data "aws_region" "current" {}
+
+## Retrieve the OpenID Connect provider ARN 
+data "aws_iam_openid_connect_provider" "this" {
+  url = local.selected_provider.url
+}
diff --git a/modules/role/locals.tf b/modules/role/locals.tf
@@ -1,3 +1,4 @@
+
 locals {
   common_providers = {
     github = {

diff --git a/modules/role/main.tf b/modules/role/main.tf
@@ -8,10 +8,7 @@ locals {
   state_reader_role_name = format("%s-sr", var.name)
 }
 
-data "aws_iam_openid_connect_provider" "this" {
-  url = local.selected_provider.url
-}
-
+## Craft a assume role policy document
 data "aws_iam_policy_document" "ro" {
   statement {
     actions = [
@@ -75,6 +72,7 @@ resource "aws_iam_role_policy_attachment" "ro" {
   role       = aws_iam_role.ro.name
 }
 
+## Craft the read write policy document
 data "aws_iam_policy_document" "rw" {
   statement {
     actions = [
@@ -119,6 +117,7 @@ data "aws_iam_policy_document" "rw" {
   }
 }
 
+## Provision the read write role 
 resource "aws_iam_role" "rw" {
   assume_role_policy    = data.aws_iam_policy_document.rw.json
   description           = var.description
@@ -139,13 +138,15 @@ resource "aws_iam_role" "rw" {
   }
 }
 
+## Attach the read write policies to the read write role
 resource "aws_iam_role_policy_attachment" "rw" {
   for_each = toset(var.read_write_policy_arns)
 
   policy_arn = each.key
   role       = aws_iam_role.rw.name
 }
 
+## Craft the state reader policy
 data "aws_iam_policy_document" "sr" {
   statement {
     actions = [
@@ -181,6 +182,7 @@ data "aws_iam_policy_document" "sr" {
   }
 }
 
+## Provision the state reader role
 resource "aws_iam_role" "sr" {
   assume_role_policy = data.aws_iam_policy_document.sr.json
   description        = format("Terraform state reader role for '%s' repo", local.repo_name)

diff --git a/modules/role/policies.tf b/modules/role/policies.tf
@@ -52,6 +52,7 @@ resource "aws_iam_policy" "tfstate_plan" {
   name        = format("%s-tfstate-plan", var.name)
   description = "Policy allowing read access to the Terraform state bucket and DynamoDB table for the ${var.name} role"
   policy      = data.aws_iam_policy_document.tfstate_plan.json
+  tags        = var.tags
 }
 
 resource "aws_iam_role_policy_attachment" "tfstate_plan" {
@@ -83,6 +84,7 @@ resource "aws_iam_policy" "tfstate_apply" {
   name        = format("%s-tfstate-apply", var.name)
   description = "Policy allowing write access to the Terraform state bucket and DynamoDB table for the ${var.name} role"
   policy      = data.aws_iam_policy_document.tfstate_apply.json
+  tags        = var.tags
 }
 
 resource "aws_iam_role_policy_attachment" "tfstate_apply" {
@@ -101,6 +103,7 @@ resource "aws_iam_policy" "tfstate_remote" {
   name        = format("%s-tfstate-remote", var.name)
   description = "Policy allowing read access to the Terraform state bucket for the ${var.name} role"
   policy      = data.aws_iam_policy_document.tfstate_remote.json
+  tags        = var.tags
 }
 
 resource "aws_iam_role_policy_attachment" "tfstate_remote" {