From 97e843562d32302bc90c21853b778a9dfa9e6c25 Mon Sep 17 00:00:00 2001 From: Rohith Jayawardene Date: Fri, 29 Mar 2024 12:40:33 +0000 Subject: [PATCH 1/5] feat: changing the boundary parameter to a name rather than full arn --- examples/role/main.tf | 2 +- modules/role/data.tf | 3 +++ modules/role/locals.tf | 2 ++ modules/role/main.tf | 4 ++-- modules/role/variables.tf | 6 ++---- 5 files changed, 10 insertions(+), 7 deletions(-) diff --git a/examples/role/main.tf b/examples/role/main.tf index 5725304..4372204 100644 --- a/examples/role/main.tf +++ b/examples/role/main.tf @@ -13,7 +13,7 @@ module "common_provider_example" { repository = "appvia/something" // Set the permission boundary for both the read-only and read-write role - permission_boundary_arn = "arn:aws:iam::aws:policy/AdministratorAccess" + permission_boundary = "AdministratorAccess" // List of policy ARNs to attach to the read-only role read_only_policy_arns = [ diff --git a/modules/role/data.tf b/modules/role/data.tf index 038d1e2..50fb39e 100644 --- a/modules/role/data.tf +++ b/modules/role/data.tf @@ -1,2 +1,5 @@ + +## Retrieve the current AWS account identity data "aws_caller_identity" "current" {} +## Retrieve the current AWS region data "aws_region" "current" {} diff --git a/modules/role/locals.tf b/modules/role/locals.tf index e43d798..583f47e 100644 --- a/modules/role/locals.tf +++ b/modules/role/locals.tf @@ -24,6 +24,8 @@ locals { subject_tag_mapping = "project_path:{repo}:ref_type:{type}:ref:{ref}" } } + # The full ARN of the permission boundary to attach to the role + permission_boundary_arn = format("arn:aws:iam::%s:policy/%s", data.aws_caller_identity.current.account_id, var.permission_boundary) } locals { diff --git a/modules/role/main.tf b/modules/role/main.tf index 8b04759..2a63062 100644 --- a/modules/role/main.tf +++ b/modules/role/main.tf 
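Review bot: The example's new value `permission_boundary = "AdministratorAccess"` will not resolve once it passes through the module's new `local.permission_boundary_arn`, which formats the name into `arn:aws:iam::<account_id>:policy/<name>` under the caller's account; `AdministratorAccess` is an AWS-managed policy under the `aws` pseudo-account (the removed line had `arn:aws:iam::aws:policy/AdministratorAccess`), so AWS will most likely reject the role unless a customer-managed policy of that name happens to exist. The example should point at a customer-managed boundary policy, e.g. `permission_boundary = "example-permission-boundary"` (constructed name). It should also be one that actually restricts the role, since a boundary equal to AdministratorAccess does not constrain the role's effective permissions at all, which contradicts the purpose the README gives for the boundary. A one-line comment above the value saying that only customer-managed policies in the current account can be named here would stop the next reader from copying the old AWS-managed value back in.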
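Review bot: `local.permission_boundary_arn` hardcodes the `aws` partition in `format("arn:aws:iam::%s:policy/%s", ...)`, so the constructed ARN is wrong in the aws-us-gov and aws-cn partitions even though the account id is looked up dynamically. Adding `data "aws_partition" "current" {}` alongside the other lookups in data.tf and using `format("arn:%s:iam::%s:policy/%s", data.aws_partition.current.partition, data.aws_caller_identity.current.account_id, var.permission_boundary)` keeps the whole ARN derived from the caller's environment. The comment on the new local should also state the constraint this shape introduces, e.g. `# Only a customer-managed policy in the current account can be used as the boundary; AWS-managed policies cannot be referenced by name`. The enclosing `locals {` block starts outside the hunk.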
@@ -44,7 +44,7 @@ resource "aws_iam_role" "ro" { force_detach_policies = var.force_detach_policies max_session_duration = var.read_only_max_session_duration - permissions_boundary = var.permission_boundary_arn + permissions_boundary = local.permission_boundary_arn dynamic "inline_policy" { for_each = var.read_only_inline_policies @@ -119,7 +119,7 @@ resource "aws_iam_role" "rw" { force_detach_policies = var.force_detach_policies max_session_duration = var.read_write_max_session_duration - permissions_boundary = var.permission_boundary_arn + permissions_boundary = local.permission_boundary_arn dynamic "inline_policy" { for_each = var.read_write_inline_policies diff --git a/modules/role/variables.tf b/modules/role/variables.tf index 606ead9..a234bb0 100644 --- a/modules/role/variables.tf +++ b/modules/role/variables.tf @@ -104,14 +104,12 @@ variable "force_detach_policies" { description = "Flag to force detachment of policies attached to the IAM role." } -variable "permission_boundary_arn" { +variable "permission_boundary" { type = string - default = null - description = "The ARN of the policy that is used to set the permissions boundary for the IAM role" + description = "The name of the policy that is used to set the permissions boundary for the IAM role" } variable "tags" { type = map(string) - default = {} description = "Tags to apply resoures created by this module" } From b338fee9e9c0b89489a06d24bcd06fa4e803adf7 Mon Sep 17 00:00:00 2001 From: Rohith Jayawardene Date: Fri, 29 Mar 2024 12:45:51 +0000 Subject: [PATCH 2/5] docs: updating the docs --- modules/role/README.md | 93 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 91 insertions(+), 2 deletions(-) diff --git a/modules/role/README.md b/modules/role/README.md index d14c74a..f70b557 100644 --- a/modules/role/README.md +++ b/modules/role/README.md 
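Review bot: Dropping `default = {}` from `tags` makes it a required input, which breaks every caller that does not pass tags and is not mentioned in the commit message (only the boundary rename is); if the intent is to enforce tagging it should be called out, otherwise the default should be restored. Separately, `permission_boundary` now accepts any string and is only interpolated into an ARN in locals.tf, so a full ARN or a path-qualified value passed out of habit from the old `permission_boundary_arn` interface would silently produce a malformed boundary ARN that only fails at apply time; a validation block rejecting anything that is not a bare IAM policy name surfaces the mistake at plan time and documents the contract. The description should also say the policy must be customer-managed and in the current account, since that is what the ARN construction assumes.

```hcl
variable "permission_boundary" {
  type        = string
  description = "The name of the customer-managed policy (in the current account) used as the permissions boundary for the IAM role"

  validation {
    # IAM policy names are limited to [\w+=,.@-]; this also rejects full ARNs and paths
    condition     = can(regex("^[\\w+=,.@-]+$", var.permission_boundary))
    error_message = "permission_boundary must be a policy name, not an ARN or a path."
  }
}

# … unchanged: variable "tags" …
```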
@@ -1,5 +1,93 @@ # AWS IAM OIDC Trust Role +## Description + +This module creates an two IAM roles with trust relationships to an OIDC provider. One role is read-only and the other is read-write. The read-only role is intended to be used by CI/CD pipelines to validate pull requests and changes, where as the read-write role applies the changes on the merge to main. In all cases the consumer must pass a IAM boundary policy to ensure that the roles are not able to escalate their permissions, or make changes to critical resources. + +## Update Documentation + +The `terraform-docs` utility is used to generate this README. Follow the below steps to update: + +1. Make changes to the `.terraform-docs.yml` file +2. Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/) +3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .` + +## Requirements + +| Name | Version | +| ------------------------------------------------------------------------ | ------- | +| [terraform](#requirement_terraform) | >= 1.0 | + +## Providers + +| Name | Version | +| ------------------------------------------------ | ------- | +| [aws](#provider_aws) | n/a | + +## Modules + +No modules. 
+ +## Resources + +| Name | Type | +| ------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| [aws_iam_policy.tfstate_apply](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.tfstate_plan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.tfstate_remote](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.sr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.tfstate_apply](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.tfstate_plan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.tfstate_remote](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| 
[aws_iam_openid_connect_provider.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source | +| [aws_iam_policy_document.base](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.dynamo](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.sr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.tfstate_apply](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.tfstate_plan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.tfstate_remote](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +| ------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | :------: 
| +| [additional_audiences](#input_additional_audiences) | Additional audiences to be allowed in the OIDC federation mapping | `list(string)` | `[]` | no | +| [common_provider](#input_common_provider) | The name of a common OIDC provider to be used as the trust for the role | `string` | `""` | no | +| [custom_provider](#input_custom_provider) | An object representing an `aws_iam_openid_connect_provider` resource |
object({
url = string
audiences = list(string)
subject_reader_mapping = string
subject_branch_mapping = string
subject_tag_mapping = string
})
| `null` | no | +| [description](#input_description) | Description of the role being created | `string` | n/a | yes | +| [force_detach_policies](#input_force_detach_policies) | Flag to force detachment of policies attached to the IAM role. | `bool` | `null` | no | +| [name](#input_name) | Name of the role to create | `string` | n/a | yes | +| [permission_boundary_arn](#input_permission_boundary_arn) | The ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no | +| [protected_branch](#input_protected_branch) | The name of the protected branch under which the read-write role can be assumed | `string` | `"main"` | no | +| [protected_tag](#input_protected_tag) | The name of the protected tag under which the read-write role can be assume | `string` | `"*"` | no | +| [read_only_inline_policies](#input_read_only_inline_policies) | Inline policies map with policy name as key and json as value. | `map(string)` | `{}` | no | +| [read_only_max_session_duration](#input_read_only_max_session_duration) | The maximum session duration (in seconds) that you want to set for the specified role | `number` | `null` | no | +| [read_only_policy_arns](#input_read_only_policy_arns) | List of IAM policy ARNs to attach to the read-only role | `list(string)` | `[]` | no | +| [read_write_inline_policies](#input_read_write_inline_policies) | Inline policies map with policy name as key and json as value. 
| `map(string)` | `{}` | no | +| [read_write_max_session_duration](#input_read_write_max_session_duration) | The maximum session duration (in seconds) that you want to set for the specified role | `number` | `null` | no | +| [read_write_policy_arns](#input_read_write_policy_arns) | List of IAM policy ARNs to attach to the read-write role | `list(string)` | `[]` | no | +| [repository](#input_repository) | List of repositories to be allowed i nthe OIDC federation mapping | `string` | n/a | yes | +| [role_path](#input_role_path) | Path under which to create IAM role. | `string` | `null` | no | +| [shared_repositories](#input_shared_repositories) | List of repositories to provide read access to the remote state | `list(string)` | `[]` | no | +| [tags](#input_tags) | Tags to apply resoures created by this module | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +| ----------------------------------------------------------------------- | ----------- | +| [read_only](#output_read_only) | n/a | +| [read_write](#output_read_write) | n/a | +| [state_reader](#output_state_reader) | n/a | + + ## Requirements | Name | Version | 
@@ -53,7 +141,7 @@ No modules. | [description](#input\_description) | Description of the role being created | `string` | n/a | yes | | [force\_detach\_policies](#input\_force\_detach\_policies) | Flag to force detachment of policies attached to the IAM role. | `bool` | `null` | no | | [name](#input\_name) | Name of the role to create | `string` | n/a | yes | -| [permission\_boundary\_arn](#input\_permission\_boundary\_arn) | The ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no | +| [permission\_boundary](#input\_permission\_boundary) | The name of the policy that is used to set the permissions boundary for the IAM role | `string` | n/a | yes | | [protected\_branch](#input\_protected\_branch) | The name of the protected branch under which the read-write role can be assumed | `string` | `"main"` | no | | [protected\_tag](#input\_protected\_tag) | The name of the protected tag under which the read-write role can be assume | `string` | `"*"` | no | | [read\_only\_inline\_policies](#input\_read\_only\_inline\_policies) | Inline policies map with policy name as key and json as value. | `map(string)` | `{}` | no | @@ -65,7 +153,7 @@ No modules. | [repository](#input\_repository) | List of repositories to be allowed i nthe OIDC federation mapping | `string` | n/a | yes | | [role\_path](#input\_role\_path) | Path under which to create IAM role. | `string` | `null` | no | | [shared\_repositories](#input\_shared\_repositories) | List of repositories to provide read access to the remote state | `list(string)` | `[]` | no | -| [tags](#input\_tags) | Tags to apply resoures created by this module | `map(string)` | `{}` | no | +| [tags](#input\_tags) | Tags to apply resoures created by this module | `map(string)` | n/a | yes | ## Outputs 
@@ -74,3 +162,4 @@ No modules. | [read\_only](#output\_read\_only) | n/a | | [read\_write](#output\_read\_write) | n/a | | [state\_reader](#output\_state\_reader) | n/a | + \ No newline at end of file From c6b295d52e1e8425d25233cfdb64a34aa7262c93 Mon Sep 17 00:00:00 2001 From: Rohith Jayawardene Date: Fri, 29 Mar 2024 12:54:56 +0000 Subject: [PATCH 3/5] chore: updating a few things in the module --- .github/workflows/terraform.yml | 20 +++++++--- .gitignore | 34 ++++++++++++++++- .terraform.lock.hcl | 43 ++++++++++++++++++++++ modules/provider/.terraform.lock.hcl | 43 ++++++++++++++++++++++ modules/provider/README.md | 45 ++++++++++++++++++++++- modules/remote_state/.terraform.lock.hcl | 24 ++++++++++++ modules/remote_state/README.md | 47 +++++++++++++++++++++++- modules/remote_state/main.tf | 4 +- modules/role/.terraform.lock.hcl | 24 ++++++++++++ 9 files changed, 273 insertions(+), 11 deletions(-) create mode 100644 .terraform.lock.hcl create mode 100644 modules/provider/.terraform.lock.hcl create mode 100644 modules/remote_state/.terraform.lock.hcl create mode 100644 modules/role/.terraform.lock.hcl diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml index a6a9019..d3e7a97 100644 --- a/.github/workflows/terraform.yml +++ b/.github/workflows/terraform.yml 
@@ -9,10 +9,20 @@ on: - main jobs: - module-validation: + role-validation: uses: appvia/appvia-cicd-workflows/.github/workflows/terraform-module-validation.yml@main - name: Module Validation - secrets: - infracost-api-key: ${{ secrets.ORG_INFRACOST_API_KEY }} + name: OIDC Role Module with: - working-directory: . + working-directory: modules/role + + remote-state-validation: + uses: appvia/appvia-cicd-workflows/.github/workflows/terraform-module-validation.yml@main + name: Remote State Module + with: + working-directory: modules/remote-state + + provider-validation: + uses: appvia/appvia-cicd-workflows/.github/workflows/terraform-module-validation.yml@main + name: Provider Module + with: + working-directory: modules/provider diff --git a/.gitignore b/.gitignore index cc5778c..5f401a8 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,32 @@ -.terraform/ -.terraform.lock.hcl +# Local .terraform directories +**/.terraform/* + +# .tfstate files +*.tfstate +*.tfstate.* + +# Crash log files +crash.log +crash.*.log + +# Ignore override files as they are usually used to override resources locally and so +# are not checked in +override.tf +override.tf.json +*_override.tf +*_override.tf.json + +# Include override files you do wish to add to version control using negated pattern +# !example_override.tf + +# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan +# example: *tfplan* + +# Ignore CLI configuration files +.terraformrc +terraform.rc + +# Other +.DS_Store +todo.md + diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl new file mode 100644 index 0000000..cb2ae11 --- /dev/null +++ b/.terraform.lock.hcl 
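Review bot: All three jobs call `appvia/appvia-cicd-workflows/.github/workflows/terraform-module-validation.yml@main`, a mutable ref, so whatever lands on that branch runs with this repository's workflow permissions; the previous single job also used `@main`, so this is pre-existing rather than introduced here, but the hunk triples the number of references. Pinning the reusable workflow to a release tag or commit SHA (`...terraform-module-validation.yml@<tag-or-sha>`) is what keeps the validation step reproducible and reviewable, and a short comment next to the `uses:` line noting that the ref should be bumped deliberately would help. The three jobs differ only in `name` and `working-directory`; GitHub allows `strategy.matrix` on a job that calls a reusable workflow, so a single job iterating over the module directories with `working-directory: ${{ matrix.module }}` would avoid keeping three copies in sync, and the mistyped `modules/remote-state` path in this hunk (corrected later in the series) is the kind of drift that invites.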
@@ -0,0 +1,43 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.43.0" + hashes = [ + "h1:3w6NCYy+mbc9odXmM7K5Xag2ggtapraacZqJR3WpJKc=", + "zh:07fb2abb9cf4d2042b41b2b2c642d4c4bd2feccbd856cd7040a7d15158fed478", + "zh:1373339e796d8d8473c267c0ecddb701559fce454c2cdd192cf8b0eadf759b48", + "zh:1644b4e0fd2e0b28d465bb5cf08b1f594a623324d176e879e5052f78cd2ea8cb", + "zh:385943b8d4170c5269b8e13e876636b7edc0ad2576edc7eb5d81cd4286a461d8", + "zh:48cf103f4fa866b67b686e8c085ac15264d6f020b6ad4a90f496b7283d31faa6", + "zh:4a4c4b4236542089d1bdb688c248e0b7c941ce42887da87e487bfb15038dcaf9", + "zh:5d84f3e12100bdd62a8c295b56358b82afc130642dca80d104bd868fdc28ed7c", + "zh:68294a601ce588a8838bcf4e136bb5ed8d2b1ee410f8871d88e35ce4861cf33f", + "zh:7ae1af6e9b95bd6c33dd0922216ac2b59f2f5b22fedbeab1db7a80b2f4358919", + "zh:89c718d41b2eeeaefd1acdbd839f1326a8c866bd49752648b0b32d3dd4a38163", + "zh:96e54ccb0f5ddf60465edf5c9f46e64f7d2f392507b851f102723797b4a15d09", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:b102ce204ebbbf32d68ff47b5224eeb60873bef5b58a7fd7790f6b4020801578", + "zh:cae4cb16d15ac4b15c8de5bc9dddc2032583e12c4f31e23b3a7ef22da60657dc", + "zh:fecbcbd63111c9518de261bcb37482cb06ee149e7298f567d45b2a55674faa75", + ] +} + +provider "registry.terraform.io/hashicorp/tls" { + version = "4.0.5" + hashes = [ + "h1:zeG5RmggBZW/8JWIVrdaeSJa0OG62uFX5HY1eE8SjzY=", + "zh:01cfb11cb74654c003f6d4e32bbef8f5969ee2856394a96d127da4949c65153e", + "zh:0472ea1574026aa1e8ca82bb6df2c40cd0478e9336b7a8a64e652119a2fa4f32", + "zh:1a8ddba2b1550c5d02003ea5d6cdda2eef6870ece86c5619f33edd699c9dc14b", + "zh:1e3bb505c000adb12cdf60af5b08f0ed68bc3955b0d4d4a126db5ca4d429eb4a", + "zh:6636401b2463c25e03e68a6b786acf91a311c78444b1dc4f97c539f9f78de22a", + "zh:76858f9d8b460e7b2a338c477671d07286b0d287fd2d2e3214030ae8f61dd56e", + 
"zh:a13b69fb43cb8746793b3069c4d897bb18f454290b496f19d03c3387d1c9a2dc", + "zh:a90ca81bb9bb509063b736842250ecff0f886a91baae8de65c8430168001dad9", + "zh:c4de401395936e41234f1956ebadbd2ed9f414e6908f27d578614aaa529870d4", + "zh:c657e121af8fde19964482997f0de2d5173217274f6997e16389e7707ed8ece8", + "zh:d68b07a67fbd604c38ec9733069fbf23441436fecf554de6c75c032f82e1ef19", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/modules/provider/.terraform.lock.hcl b/modules/provider/.terraform.lock.hcl new file mode 100644 index 0000000..cb2ae11 --- /dev/null +++ b/modules/provider/.terraform.lock.hcl 
@@ -0,0 +1,43 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.43.0" + hashes = [ + "h1:3w6NCYy+mbc9odXmM7K5Xag2ggtapraacZqJR3WpJKc=", + "zh:07fb2abb9cf4d2042b41b2b2c642d4c4bd2feccbd856cd7040a7d15158fed478", + "zh:1373339e796d8d8473c267c0ecddb701559fce454c2cdd192cf8b0eadf759b48", + "zh:1644b4e0fd2e0b28d465bb5cf08b1f594a623324d176e879e5052f78cd2ea8cb", + "zh:385943b8d4170c5269b8e13e876636b7edc0ad2576edc7eb5d81cd4286a461d8", + "zh:48cf103f4fa866b67b686e8c085ac15264d6f020b6ad4a90f496b7283d31faa6", + "zh:4a4c4b4236542089d1bdb688c248e0b7c941ce42887da87e487bfb15038dcaf9", + "zh:5d84f3e12100bdd62a8c295b56358b82afc130642dca80d104bd868fdc28ed7c", + "zh:68294a601ce588a8838bcf4e136bb5ed8d2b1ee410f8871d88e35ce4861cf33f", + "zh:7ae1af6e9b95bd6c33dd0922216ac2b59f2f5b22fedbeab1db7a80b2f4358919", + "zh:89c718d41b2eeeaefd1acdbd839f1326a8c866bd49752648b0b32d3dd4a38163", + "zh:96e54ccb0f5ddf60465edf5c9f46e64f7d2f392507b851f102723797b4a15d09", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:b102ce204ebbbf32d68ff47b5224eeb60873bef5b58a7fd7790f6b4020801578", + "zh:cae4cb16d15ac4b15c8de5bc9dddc2032583e12c4f31e23b3a7ef22da60657dc", + "zh:fecbcbd63111c9518de261bcb37482cb06ee149e7298f567d45b2a55674faa75", + ] +} + +provider "registry.terraform.io/hashicorp/tls" { + version = "4.0.5" + hashes = [ + "h1:zeG5RmggBZW/8JWIVrdaeSJa0OG62uFX5HY1eE8SjzY=", + "zh:01cfb11cb74654c003f6d4e32bbef8f5969ee2856394a96d127da4949c65153e", + "zh:0472ea1574026aa1e8ca82bb6df2c40cd0478e9336b7a8a64e652119a2fa4f32", + "zh:1a8ddba2b1550c5d02003ea5d6cdda2eef6870ece86c5619f33edd699c9dc14b", + "zh:1e3bb505c000adb12cdf60af5b08f0ed68bc3955b0d4d4a126db5ca4d429eb4a", + "zh:6636401b2463c25e03e68a6b786acf91a311c78444b1dc4f97c539f9f78de22a", + "zh:76858f9d8b460e7b2a338c477671d07286b0d287fd2d2e3214030ae8f61dd56e", + 
"zh:a13b69fb43cb8746793b3069c4d897bb18f454290b496f19d03c3387d1c9a2dc", + "zh:a90ca81bb9bb509063b736842250ecff0f886a91baae8de65c8430168001dad9", + "zh:c4de401395936e41234f1956ebadbd2ed9f414e6908f27d578614aaa529870d4", + "zh:c657e121af8fde19964482997f0de2d5173217274f6997e16389e7707ed8ece8", + "zh:d68b07a67fbd604c38ec9733069fbf23441436fecf554de6c75c032f82e1ef19", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/modules/provider/README.md b/modules/provider/README.md index d3df400..9459236 100644 --- a/modules/provider/README.md +++ b/modules/provider/README.md 
@@ -2,6 +2,46 @@ ## Requirements +| Name | Version | +| ------------------------------------------------------------------------ | ------- | +| [terraform](#requirement_terraform) | >= 1.0 | + +## Providers + +| Name | Version | +| ------------------------------------------------ | ------- | +| [aws](#provider_aws) | n/a | +| [tls](#provider_tls) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +| ----------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| [aws_iam_openid_connect_provider.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource | +| [tls_certificate.thumbprint](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +| --------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------- | :------: | +| [common_providers](#input_common_providers) | List of common well-known providers to enable, such as github, gitlab | `list(string)` | `[]` | no | +| [custom_providers](#input_custom_providers) | Map of custom provider configurations |
map(object({
name = optional(string, null)
url = string
client_id_list = list(string)
thumbprint_list = optional(list(string), [])
lookup_thumbprint = optional(bool, true)
}))
| `{}` | no | +| [provider_tags](#input_provider_tags) | Nested map of tags to apply to specific providers. Top level keys should match provider names | `map(map(string))` | `{}` | no | +| [tags](#input_tags) | Map of tags to apply to all resources | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +| -------------------------------------------------------------- | ----------- | +| [providers](#output_providers) | n/a | + + +## Requirements + | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | @@ -10,8 +50,8 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | n/a | -| [tls](#provider\_tls) | n/a | +| [aws](#provider\_aws) | 5.43.0 | +| [tls](#provider\_tls) | 4.0.5 | ## Modules @@ -38,3 +78,4 @@ No modules. | Name | Description | |------|-------------| | [providers](#output\_providers) | n/a | + \ No newline at end of file diff --git a/modules/remote_state/.terraform.lock.hcl b/modules/remote_state/.terraform.lock.hcl new file mode 100644 index 0000000..8d6b4ea --- /dev/null +++ b/modules/remote_state/.terraform.lock.hcl 
@@ -0,0 +1,24 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.43.0" + hashes = [ + "h1:3w6NCYy+mbc9odXmM7K5Xag2ggtapraacZqJR3WpJKc=", + "zh:07fb2abb9cf4d2042b41b2b2c642d4c4bd2feccbd856cd7040a7d15158fed478", + "zh:1373339e796d8d8473c267c0ecddb701559fce454c2cdd192cf8b0eadf759b48", + "zh:1644b4e0fd2e0b28d465bb5cf08b1f594a623324d176e879e5052f78cd2ea8cb", + "zh:385943b8d4170c5269b8e13e876636b7edc0ad2576edc7eb5d81cd4286a461d8", + "zh:48cf103f4fa866b67b686e8c085ac15264d6f020b6ad4a90f496b7283d31faa6", + "zh:4a4c4b4236542089d1bdb688c248e0b7c941ce42887da87e487bfb15038dcaf9", + "zh:5d84f3e12100bdd62a8c295b56358b82afc130642dca80d104bd868fdc28ed7c", + "zh:68294a601ce588a8838bcf4e136bb5ed8d2b1ee410f8871d88e35ce4861cf33f", + "zh:7ae1af6e9b95bd6c33dd0922216ac2b59f2f5b22fedbeab1db7a80b2f4358919", + "zh:89c718d41b2eeeaefd1acdbd839f1326a8c866bd49752648b0b32d3dd4a38163", + "zh:96e54ccb0f5ddf60465edf5c9f46e64f7d2f392507b851f102723797b4a15d09", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:b102ce204ebbbf32d68ff47b5224eeb60873bef5b58a7fd7790f6b4020801578", + "zh:cae4cb16d15ac4b15c8de5bc9dddc2032583e12c4f31e23b3a7ef22da60657dc", + "zh:fecbcbd63111c9518de261bcb37482cb06ee149e7298f567d45b2a55674faa75", + ] +} diff --git a/modules/remote_state/README.md b/modules/remote_state/README.md index 02066b7..db431ba 100644 --- a/modules/remote_state/README.md +++ b/modules/remote_state/README.md 
@@ -1,4 +1,47 @@ # AWS OIDC Remote State Reader + +## Requirements + +| Name | Version | +| ------------------------------------------------------------------------ | ------- | +| [terraform](#requirement_terraform) | >= 1.0 | + +## Providers + +| Name | Version | +| ------------------------------------------------------------------ | ------- | +| [aws](#provider_aws) | 5.41.0 | +| [terraform](#provider_terraform) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +| -------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [terraform_remote_state.this](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +| ------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------- | -------- | ------- | :------: | +| [account_id](#input_account_id) | Account ID where the remote state bucket is located | `string` | `null` | no | +| [reader_role_arn](#input_reader_role_arn) | The ARN of the reader role to assume in order to read the remote state | `string` | n/a | yes | +| [region](#input_region) | The region name where the destination resources have been created | `string` | `null` | no | +| [repository](#input_repository) | The name of the repository to lookup remote state for | `string` | n/a | yes | +| [web_identity_token_file](#input_web_identity_token_file) | Path to the web identity token file | `string` | n/a | yes | + +## Outputs + +| Name | Description | 
+| -------------------------------------------------------- | ----------- | +| [outputs](#output_outputs) | n/a | + + ## Requirements | Name | Version | @@ -9,7 +52,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.41.0 | +| [aws](#provider\_aws) | 5.43.0 | | [terraform](#provider\_terraform) | n/a | ## Modules @@ -39,3 +82,5 @@ No modules. | Name | Description | |------|-------------| | [outputs](#output\_outputs) | n/a | + + diff --git a/modules/remote_state/main.tf b/modules/remote_state/main.tf index d20010e..66e7f26 100644 --- a/modules/remote_state/main.tf +++ b/modules/remote_state/main.tf @@ -4,9 +4,11 @@ locals { // Use provided region or default to the current region region = coalesce(var.region, data.aws_region.current.name) +} +locals { // Terraform state bucket name - tf_state_bucket = format("%s-%s", var.account_id, local.region) + tf_state_bucket = format("%s-%s", local.account, local.region) } data "terraform_remote_state" "this" { diff --git a/modules/role/.terraform.lock.hcl b/modules/role/.terraform.lock.hcl new file mode 100644 index 0000000..8d6b4ea --- /dev/null +++ b/modules/role/.terraform.lock.hcl 
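Review bot: The new `tf_state_bucket` line references `local.account`, which is neither defined in this hunk nor visible anywhere else in the patch; unless it is declared in a part of main.tf outside the hunk (presumably a fallback from `var.account_id` to `data.aws_caller_identity.current.account_id`, given the README lists `account_id` as optional and `aws_caller_identity.current` as a data source), `terraform validate` will fail on an undeclared local. Splitting the `locals` block in two does not change evaluation, since Terraform resolves all locals of a module as one dependency graph, so the added `}` / `locals {` is cosmetic; if the split is meant to group related values, a comment on the new block explaining why `local.account` replaced `var.account_id` would make that intent readable, e.g. `// Account owning the state bucket (see local.account for how it is resolved)`. The change is functional, so the `chore:` label under-describes it. The enclosing `locals {` block starts outside the hunk.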
@@ -0,0 +1,24 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.43.0" + hashes = [ + "h1:3w6NCYy+mbc9odXmM7K5Xag2ggtapraacZqJR3WpJKc=", + "zh:07fb2abb9cf4d2042b41b2b2c642d4c4bd2feccbd856cd7040a7d15158fed478", + "zh:1373339e796d8d8473c267c0ecddb701559fce454c2cdd192cf8b0eadf759b48", + "zh:1644b4e0fd2e0b28d465bb5cf08b1f594a623324d176e879e5052f78cd2ea8cb", + "zh:385943b8d4170c5269b8e13e876636b7edc0ad2576edc7eb5d81cd4286a461d8", + "zh:48cf103f4fa866b67b686e8c085ac15264d6f020b6ad4a90f496b7283d31faa6", + "zh:4a4c4b4236542089d1bdb688c248e0b7c941ce42887da87e487bfb15038dcaf9", + "zh:5d84f3e12100bdd62a8c295b56358b82afc130642dca80d104bd868fdc28ed7c", + "zh:68294a601ce588a8838bcf4e136bb5ed8d2b1ee410f8871d88e35ce4861cf33f", + "zh:7ae1af6e9b95bd6c33dd0922216ac2b59f2f5b22fedbeab1db7a80b2f4358919", + "zh:89c718d41b2eeeaefd1acdbd839f1326a8c866bd49752648b0b32d3dd4a38163", + "zh:96e54ccb0f5ddf60465edf5c9f46e64f7d2f392507b851f102723797b4a15d09", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:b102ce204ebbbf32d68ff47b5224eeb60873bef5b58a7fd7790f6b4020801578", + "zh:cae4cb16d15ac4b15c8de5bc9dddc2032583e12c4f31e23b3a7ef22da60657dc", + "zh:fecbcbd63111c9518de261bcb37482cb06ee149e7298f567d45b2a55674faa75", + ] +} From 0f801c10d0b153deaa3b2e9a2b8122a23dd6ec7e Mon Sep 17 00:00:00 2001 From: Rohith Jayawardene Date: Fri, 29 Mar 2024 12:57:07 +0000 Subject: [PATCH 4/5] fix: the path to the module was incorrect --- .github/workflows/terraform.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml index d3e7a97..bb7040c 100644 --- a/.github/workflows/terraform.yml +++ b/.github/workflows/terraform.yml 
@@ -19,7 +19,7 @@ jobs: uses: appvia/appvia-cicd-workflows/.github/workflows/terraform-module-validation.yml@main name: Remote State Module with: - working-directory: modules/remote-state + working-directory: modules/remote_state provider-validation: uses: appvia/appvia-cicd-workflows/.github/workflows/terraform-module-validation.yml@main From e4173a653526837653f179dfceb48140c624b014 Mon Sep 17 00:00:00 2001 From: Rohith Jayawardene Date: Fri, 29 Mar 2024 12:57:40 +0000 Subject: [PATCH 5/5] docs: fixing the docs in the module --- modules/role/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/role/README.md b/modules/role/README.md index f70b557..ef0d6ff 100644 --- a/modules/role/README.md +++ b/modules/role/README.md @@ -98,7 +98,7 @@ No modules. | Name | Version | |------|---------| -| [aws](#provider\_aws) | n/a | +| [aws](#provider\_aws) | 5.43.0 | ## Modules