fix: change the name of the read write role and dropping the -rw suffix,

only the read and terraform state roles will have the suffix

.terraform-docs.yaml

@@ -0,0 +1,21 @@
+formatter: markdown
+#header-from: .header.md
+settings:
+  anchor: true
+  color: true
+  default: true
+  escape: true
+  html: true
+  indent: 2
+  required: true
+  sensitive: true
+  type: true
+  lockfile: false
+
+sort:
+  enabled: true
+  by: required
+
+output:
+  file: README.md
+  mode: inject

.tflint.hcl

@@ -0,0 +1,63 @@
+plugin "aws" {
+  enabled = true
+  version = "0.30.0"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}
+
+config {
+  module = true
+  force  = false
+}
+
+rule "terraform_required_providers" {
+  enabled = true
+}
+
+rule "terraform_required_version" {
+  enabled = true
+}
+
+rule "terraform_naming_convention" {
+  enabled = true
+  format  = "snake_case"
+}
+
+rule "terraform_typed_variables" {
+  enabled = true
+}
+
+rule "terraform_unused_declarations" {
+  enabled = true
+}
+
+rule "terraform_comment_syntax" {
+  enabled = true
+}
+
+rule "terraform_deprecated_index" {
+  enabled = true
+}
+
+rule "terraform_deprecated_interpolation" {
+  enabled = true
+}
+
+rule "terraform_documented_outputs" {
+  enabled = true
+}
+
+rule "terraform_documented_variables" {
+  enabled = true
+}
+
+rule "terraform_module_pinned_source" {
+  enabled = true
+}
+
+rule "terraform_standard_module_structure" {
+  enabled = false
+}
+
+rule "terraform_workspace_remote" {
+  enabled = true
+}

Makefile

@@ -0,0 +1,59 @@
+#
+# Copyright (C) 2024  Appvia Ltd <info@appvia.io>
+#  
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+AUTHOR_EMAIL=info@appvia.io
+
+.PHONY: all security lint format documentation documentation-examples
+
+default: all
+
+all: 
+	$(MAKE) init
+	$(MAKE) validate
+	$(MAKE) security
+	$(MAKE) lint
+	$(MAKE) format
+	$(MAKE) documentation
+	$(MAKE) documentation-examples
+
+security: 
+	@echo "--> Running Security checks"
+	@tfsec .
+
+documentation: 
+	@echo "--> Generating documentation"
+	@terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .
+
+documentation-examples:
+	@echo "--> Generating documentation examples"
+	@find examples -type d -mindepth 1 -maxdepth 1 -exec terraform-docs markdown table --output-file README.md --output-mode inject {} \;
+
+init: 
+	@echo "--> Running terraform init"
+	@terraform init -backend=false
+
+validate:
+	@echo "--> Running terraform validate"
+	@terraform validate
+
+lint:
+	@echo "--> Running tflint"
+	@tflint --init 
+	@tflint -f compact
+
+format: 
+	@echo "--> Running terraform fmt"
+	@terraform fmt -recursive -write=true

README.md

@@ -144,3 +144,31 @@ module "basic" {
   web_identity_token_file = "/tmp/web_identity_token_file"
 }
 ```
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+No modules.
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

examples/provider/README.md

@@ -0,0 +1,28 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_common_provider_example"></a> [common\_provider\_example](#module\_common\_provider\_example) | appvia/oidc/aws//modules/provider | 0.0.16 |
+| <a name="module_custom_provider_example"></a> [custom\_provider\_example](#module\_custom\_provider\_example) | appvia/oidc/aws//modules/provider | 0.0.16 |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

examples/remote_state/README.md

@@ -0,0 +1,27 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_basic"></a> [basic](#module\_basic) | appvia/oidc/aws//modules/role | 0.0.16 |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

examples/role/README.md

@@ -0,0 +1,30 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0.0 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_common_provider_example"></a> [common\_provider\_example](#module\_common\_provider\_example) | appvia/oidc/aws//modules/role | 0.0.16 |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

examples/role/providers.tf

@@ -0,0 +1,2 @@
+
+provider "aws" {}

examples/role/terraform.tf

@@ -0,0 +1,11 @@
+
+terraform {
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0.0"
+    }
+  }
+}

modules/role/README.md

@@ -139,6 +139,7 @@ No modules.
 | <a name="input_common_provider"></a> [common\_provider](#input\_common\_provider) | The name of a common OIDC provider to be used as the trust for the role | `string` | `""` | no |
 | <a name="input_custom_provider"></a> [custom\_provider](#input\_custom\_provider) | An object representing an `aws_iam_openid_connect_provider` resource | <pre>object({<br>    url                    = string<br>    audiences              = list(string)<br>    subject_reader_mapping = string<br>    subject_branch_mapping = string<br>    subject_tag_mapping    = string<br>  })</pre> | `null` | no |
 | <a name="input_description"></a> [description](#input\_description) | Description of the role being created | `string` | n/a | yes |
+| <a name="input_disable_readwrite_suffix"></a> [disable\_readwrite\_suffix](#input\_disable\_readwrite\_suffix) | Indicates we should add a readwrite suffix to the role name | `bool` | `false` | no |
 | <a name="input_force_detach_policies"></a> [force\_detach\_policies](#input\_force\_detach\_policies) | Flag to force detachment of policies attached to the IAM role. | `bool` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name of the role to create | `string` | n/a | yes |
 | <a name="input_permission_boundary"></a> [permission\_boundary](#input\_permission\_boundary) | The name of the policy that is used to set the permissions boundary for the IAM role | `string` | n/a | yes |

modules/role/main.tf

@@ -1,3 +1,13 @@
+
+locals {
+  ## The name of the iam role to create for the readonly 
+  readonly_role_name = format("%s-ro", var.name)
+  ## The name of the iam role to create for the readwrite
+  readwrite_role_name = var.name
+  ## The name of the iam role to create for the state reader 
+  state_reader_role_name = format("%s-sr", var.name)
+}
+
 data "aws_iam_openid_connect_provider" "this" {
   url = local.selected_provider.url
 }
@@ -36,15 +46,16 @@ data "aws_iam_policy_document" "ro" {
   }
 }
 
+## Provision the read only role
 resource "aws_iam_role" "ro" {
-  name               = format("%s-ro", var.name)
-  path               = var.role_path
-  description        = var.description
-  assume_role_policy = data.aws_iam_policy_document.ro.json
-
+  assume_role_policy    = data.aws_iam_policy_document.ro.json
+  description           = var.description
   force_detach_policies = var.force_detach_policies
   max_session_duration  = var.read_only_max_session_duration
+  name                  = local.readonly_role_name
+  path                  = var.role_path
   permissions_boundary  = local.permission_boundary_arn
+  tags                  = merge(var.tags, { Name = local.readonly_role_name })
 
   dynamic "inline_policy" {
     for_each = var.read_only_inline_policies
@@ -54,12 +65,9 @@ resource "aws_iam_role" "ro" {
       policy = inline_policy.value
     }
   }
-
-  tags = merge(var.tags, {
-    Name = format("%s-ro", var.name)
-  })
 }
 
+## Attach the read only policies to the read only role
 resource "aws_iam_role_policy_attachment" "ro" {
   for_each = toset(var.read_only_policy_arns)
 
@@ -112,14 +120,14 @@ data "aws_iam_policy_document" "rw" {
 }
 
 resource "aws_iam_role" "rw" {
-  name               = format("%s-rw", var.name)
-  path               = var.role_path
-  description        = var.description
-  assume_role_policy = data.aws_iam_policy_document.rw.json
-
+  assume_role_policy    = data.aws_iam_policy_document.rw.json
+  description           = var.description
   force_detach_policies = var.force_detach_policies
   max_session_duration  = var.read_write_max_session_duration
+  name                  = local.readwrite_role_name
+  path                  = var.role_path
   permissions_boundary  = local.permission_boundary_arn
+  tags                  = merge(var.tags, { Name = local.readwrite_role_name })
 
   dynamic "inline_policy" {
     for_each = var.read_write_inline_policies
@@ -129,10 +137,6 @@ resource "aws_iam_role" "rw" {
       policy = inline_policy.value
     }
   }
-
-  tags = merge(var.tags, {
-    Name = format("%s-rw", var.name)
-  })
 }
 
 resource "aws_iam_role_policy_attachment" "rw" {
@@ -178,12 +182,9 @@ data "aws_iam_policy_document" "sr" {
 }
 
 resource "aws_iam_role" "sr" {
-  name               = format("%s-sr", var.name)
-  path               = var.role_path
-  description        = format("Terraform state reader role for '%s' repo", local.repo_name)
   assume_role_policy = data.aws_iam_policy_document.sr.json
-
-  tags = merge(var.tags, {
-    Name = format("%s-sr", var.name)
-  })
+  description        = format("Terraform state reader role for '%s' repo", local.repo_name)
+  name               = local.state_reader_role_name
+  path               = var.role_path
+  tags               = merge(var.tags, { Name = local.state_reader_role_name })
 }