diff --git a/README.md b/README.md index 8c26bca..dfa5b9b 100644 --- a/README.md +++ b/README.md @@ -189,25 +189,30 @@ module "helm_release" { service_account_namespace = "echo" # IAM policy statements to add to the IAM role - iam_policy_statements = { - ListMyBucket = { + iam_policy = [{ + statements = [{ + sid = "ListMyBucket" effect = "Allow" actions = ["s3:ListBucket"] resources = ["arn:aws:s3:::test"] conditions = [] }, - WriteMyBucket = { + { + sid = "WriteMyBucket" effect = "Allow" actions = ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"] resources = ["arn:aws:s3:::test/*"] conditions = [] - }, - } + }] + }] } ``` -If `var.service_account_name` is set, then `var.name` can be set to "" in order to achieve a shorter name for the IAM -Role created for the ServiceAccount: +Typically, the prefix for the full name of the created IAM role for the service account ends with the `name` value, +supplied either via the `name` or the `context` input. If `service_account_name` is set to something other than `*`, +the service account name is then appended to this prefix. In the case where `name` and `service_account_name` +are the same, this leads to a repetition, for a name like `eg-echo-echo`. For this reason, we recommend setting +`name` to "" when it would otherwise be the same as `service_account_name`: ```hcl module "helm_release" { @@ -261,7 +266,7 @@ Available targets: | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | +| [terraform](#requirement\_terraform) | >= 1.3.0 | | [helm](#requirement\_helm) | >= 2.2 | | [kubernetes](#requirement\_kubernetes) | >= 2.7.1 | 
@@ -276,7 +281,7 @@ Available targets: | Name | Source | Version | |------|--------|---------| -| [eks\_iam\_policy](#module\_eks\_iam\_policy) | cloudposse/iam-policy/aws | 1.0.1 | +| [eks\_iam\_policy](#module\_eks\_iam\_policy) | cloudposse/iam-policy/aws | 2.0.0 | | [eks\_iam\_role](#module\_eks\_iam\_role) | cloudposse/eks-iam-role/aws | 2.1.1 | | [this](#module\_this) | cloudposse/label/null | 0.25.0 | @@ -313,11 +318,13 @@ Available targets: | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | | [force\_update](#input\_force\_update) | Force resource update through delete/recreate if needed. Defaults to `false`. | `bool` | `null` | no | +| [iam\_override\_policy\_documents](#input\_iam\_override\_policy\_documents) | List of IAM policy documents (as JSON strings) that are merged together into the exported document with higher precedence.
In merging, statements with non-blank SIDs will override statements with the same SID
from earlier documents in the list and from other "source" documents. | `list(string)` | `null` | no | +| [iam\_policy](#input\_iam\_policy) | IAM policy as list of Terraform objects, compatible with Terraform `aws_iam_policy_document` data source
except that `source_policy_documents` and `override_policy_documents` are not included.
Use inputs `iam_source_policy_documents` and `iam_override_policy_documents` for that. |
list(object({
policy_id = optional(string, null)
version = optional(string, null)
statements = list(object({
sid = optional(string, null)
effect = optional(string, null)
actions = optional(list(string), null)
not_actions = optional(list(string), null)
resources = optional(list(string), null)
not_resources = optional(list(string), null)
conditions = optional(list(object({
test = string
variable = string
values = list(string)
})), [])
principals = optional(list(object({
type = string
identifiers = list(string)
})), [])
not_principals = optional(list(object({
type = string
identifiers = list(string)
})), [])
}))
}))
| `null` | no | | [iam\_policy\_enabled](#input\_iam\_policy\_enabled) | Whether to create and attach an IAM policy to the created IAM role | `bool` | `true` | no | -| [iam\_policy\_statements](#input\_iam\_policy\_statements) | DEPRECATED, use `iam_source_policy_documents` instead: IAM policy (as `map(string)`)for the service account. | `any` | `{}` | no | +| [iam\_policy\_statements](#input\_iam\_policy\_statements) | Deprecated: Use `iam_policy` instead.
List or Map of IAM policy statements to use in the policy.
This can be used with `iam_source_policy_documents` and `iam_override_policy_documents`
and with or instead of `iam_source_json_url`. | `any` | `{}` | no | | [iam\_role\_enabled](#input\_iam\_role\_enabled) | Whether to create an IAM role. Setting this to `true` will also replace any occurrences of `{service_account_role_arn}` in `var.values_template_path` with the ARN of the IAM role created by this module. | `bool` | `false` | no | -| [iam\_source\_json\_url](#input\_iam\_source\_json\_url) | IAM source json policy to download. The downloaded policy will be combined with `iam_source_policy_statements`. | `string` | `null` | no | -| [iam\_source\_policy\_documents](#input\_iam\_source\_policy\_documents) | List of JSON IAM policy documents that are merged together into role's policy. Statements defined in `source_policy_documents` or `source_json` must have unique sids. | `list(string)` | `null` | no | +| [iam\_source\_json\_url](#input\_iam\_source\_json\_url) | URL of the IAM policy (in JSON format) to download and use as `source_json` argument.
This is useful when using a 3rd party service that provides their own policy.
Statements in this policy will be overridden by statements with the same SID in `iam_override_policy_documents`. | `string` | `null` | no | +| [iam\_source\_policy\_documents](#input\_iam\_source\_policy\_documents) | List of IAM policy documents (as JSON strings) that are merged together into the exported document.
Statements defined in `iam_source_policy_documents` must have unique SIDs and be distinct from SIDs
in `iam_policy` and deprecated `iam_policy_statements`.
Statements in these documents will be overridden by statements with the same SID in `iam_override_policy_documents`. | `list(string)` | `null` | no | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | | [keyring](#input\_keyring) | Location of public keys used for verification. Used only if `verify` is true. Defaults to `/.gnupg/pubring.gpg` in the location set by `home`. | `string` | `null` | no | | [kubernetes\_namespace](#input\_kubernetes\_namespace) | The namespace to install the release into. Defaults to `default`. | `string` | `null` | no | @@ -391,6 +398,7 @@ Are you using this project or any of our other projects? Consider [leaving a tes Check out these related projects. +- [terraform-aws-iam-policy](https://github.com/cloudposse/terraform-aws-iam-policy/) - Terraform module to create an IAM Policy document from Terraform inputs. - [terraform-aws-eks-iam-role](https://github.com/cloudposse/terraform-aws-eks-iam-role/) - Terraform module to provision an EKS IAM Role for Service Account. - [terraform-null-label](https://github.com/cloudposse/terraform-null-label) - Terraform module designed to generate consistent names and tags for resources. Use terraform-null-label to implement a strict naming convention. diff --git a/README.yaml b/README.yaml index 1e5b041..837f572 100644 --- a/README.yaml +++ b/README.yaml @@ -36,6 +36,9 @@ badges: # List any related terraform modules that this module may be used with or that this module depends on. related: + - name: "terraform-aws-iam-policy" + description: "Terraform module to create an IAM Policy document from Terraform inputs." + url: "https://github.com/cloudposse/terraform-aws-iam-policy/" - name: "terraform-aws-eks-iam-role" description: "Terraform module to provision an EKS IAM Role for Service Account." url: "https://github.com/cloudposse/terraform-aws-eks-iam-role/" 
@@ -161,25 +164,30 @@ usage: |- service_account_namespace = "echo" # IAM policy statements to add to the IAM role - iam_policy_statements = { - ListMyBucket = { + iam_policy = [{ + statements = [{ + sid = "ListMyBucket" effect = "Allow" actions = ["s3:ListBucket"] resources = ["arn:aws:s3:::test"] conditions = [] }, - WriteMyBucket = { + { + sid = "WriteMyBucket" effect = "Allow" actions = ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"] resources = ["arn:aws:s3:::test/*"] conditions = [] - }, - } + }] + }] } ``` - If `var.service_account_name` is set, then `var.name` can be set to "" in order to achieve a shorter name for the IAM - Role created for the ServiceAccount: + Typically, the prefix for the full name of the created IAM role for the service account ends with the `name` value, + supplied either via the `name` or the `context` input. If `service_account_name` is set to something other than `*`, + the service account name is then appended to this prefix. In the case where `name` and `service_account_name` + are the same, this leads to a repetition, for a name like `eg-echo-echo`. For this reason, we recommend setting + `name` to "" when it would otherwise be the same as `service_account_name`: ```hcl module "helm_release" { diff --git a/docs/terraform.md b/docs/terraform.md index 09debe7..4c5de9c 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | +| [terraform](#requirement\_terraform) | >= 1.3.0 | | [helm](#requirement\_helm) | >= 2.2 | | [kubernetes](#requirement\_kubernetes) | >= 2.7.1 | 
@@ -18,7 +18,7 @@ | Name | Source | Version | |------|--------|---------| -| [eks\_iam\_policy](#module\_eks\_iam\_policy) | cloudposse/iam-policy/aws | 1.0.1 | +| [eks\_iam\_policy](#module\_eks\_iam\_policy) | cloudposse/iam-policy/aws | 2.0.0 | | [eks\_iam\_role](#module\_eks\_iam\_role) | cloudposse/eks-iam-role/aws | 2.1.1 | | [this](#module\_this) | cloudposse/label/null | 0.25.0 | @@ -55,11 +55,13 @@ | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | | [force\_update](#input\_force\_update) | Force resource update through delete/recreate if needed. Defaults to `false`. | `bool` | `null` | no | +| [iam\_override\_policy\_documents](#input\_iam\_override\_policy\_documents) | List of IAM policy documents (as JSON strings) that are merged together into the exported document with higher precedence.
In merging, statements with non-blank SIDs will override statements with the same SID
from earlier documents in the list and from other "source" documents. | `list(string)` | `null` | no | +| [iam\_policy](#input\_iam\_policy) | IAM policy as list of Terraform objects, compatible with Terraform `aws_iam_policy_document` data source
except that `source_policy_documents` and `override_policy_documents` are not included.
Use inputs `iam_source_policy_documents` and `iam_override_policy_documents` for that. |
list(object({
policy_id = optional(string, null)
version = optional(string, null)
statements = list(object({
sid = optional(string, null)
effect = optional(string, null)
actions = optional(list(string), null)
not_actions = optional(list(string), null)
resources = optional(list(string), null)
not_resources = optional(list(string), null)
conditions = optional(list(object({
test = string
variable = string
values = list(string)
})), [])
principals = optional(list(object({
type = string
identifiers = list(string)
})), [])
not_principals = optional(list(object({
type = string
identifiers = list(string)
})), [])
}))
}))
| `null` | no | | [iam\_policy\_enabled](#input\_iam\_policy\_enabled) | Whether to create and attach an IAM policy to the created IAM role | `bool` | `true` | no | -| [iam\_policy\_statements](#input\_iam\_policy\_statements) | DEPRECATED, use `iam_source_policy_documents` instead: IAM policy (as `map(string)`)for the service account. | `any` | `{}` | no | +| [iam\_policy\_statements](#input\_iam\_policy\_statements) | Deprecated: Use `iam_policy` instead.
List or Map of IAM policy statements to use in the policy.
This can be used with `iam_source_policy_documents` and `iam_override_policy_documents`
and with or instead of `iam_source_json_url`. | `any` | `{}` | no | | [iam\_role\_enabled](#input\_iam\_role\_enabled) | Whether to create an IAM role. Setting this to `true` will also replace any occurrences of `{service_account_role_arn}` in `var.values_template_path` with the ARN of the IAM role created by this module. | `bool` | `false` | no | -| [iam\_source\_json\_url](#input\_iam\_source\_json\_url) | IAM source json policy to download. The downloaded policy will be combined with `iam_source_policy_statements`. | `string` | `null` | no | -| [iam\_source\_policy\_documents](#input\_iam\_source\_policy\_documents) | List of JSON IAM policy documents that are merged together into role's policy. Statements defined in `source_policy_documents` or `source_json` must have unique sids. | `list(string)` | `null` | no | +| [iam\_source\_json\_url](#input\_iam\_source\_json\_url) | URL of the IAM policy (in JSON format) to download and use as `source_json` argument.
This is useful when using a 3rd party service that provides their own policy.
Statements in this policy will be overridden by statements with the same SID in `iam_override_policy_documents`. | `string` | `null` | no | +| [iam\_source\_policy\_documents](#input\_iam\_source\_policy\_documents) | List of IAM policy documents (as JSON strings) that are merged together into the exported document.
Statements defined in `iam_source_policy_documents` must have unique SIDs and be distinct from SIDs
in `iam_policy` and deprecated `iam_policy_statements`.
Statements in these documents will be overridden by statements with the same SID in `iam_override_policy_documents`. | `list(string)` | `null` | no | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no |
 | [keyring](#input\_keyring) | Location of public keys used for verification. Used only if `verify` is true. Defaults to `/.gnupg/pubring.gpg` in the location set by `home`. | `string` | `null` | no |
 | [kubernetes\_namespace](#input\_kubernetes\_namespace) | The namespace to install the release into. Defaults to `default`. | `string` | `null` | no |
diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf
index 5f84a2b..f08864e 100644
--- a/examples/complete/versions.tf
+++ b/examples/complete/versions.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 1.0"
+ required_version = ">= 1.3.0"
 
 required_providers {
 aws = {
diff --git a/main.tf b/main.tf
index ec889e1..5a3dd77 100644
--- a/main.tf
+++ b/main.tf
@@ -13,13 +13,17 @@ locals {
 
 module "eks_iam_policy" {
 source = "cloudposse/iam-policy/aws"
- version = "1.0.1"
+ version = "2.0.0"
 
 enabled = local.iam_policy_enabled
 
- iam_source_policy_documents = var.iam_source_policy_documents
- iam_source_json_url = var.iam_source_json_url
- iam_policy_statements = var.iam_policy_statements
+ iam_policy = var.iam_policy
+ iam_source_policy_documents = var.iam_source_policy_documents
+ iam_override_policy_documents = var.iam_override_policy_documents
+ iam_source_json_url = var.iam_source_json_url
+
+ # iam_policy_statements is deprecated, can be list or map
+ iam_policy_statements = var.iam_policy_statements
 
 context = module.this.context
 }
diff --git a/test/src/go.mod b/test/src/go.mod
index 849a4a6..24dd598 100644
--- a/test/src/go.mod
+++ b/test/src/go.mod
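Review bot: The new comment above `iam_policy_statements = var.iam_policy_statements` records only that the input is deprecated, but the variable descriptions added in this same commit imply all of `iam_policy`, `iam_policy_statements`, `iam_source_policy_documents` and `iam_source_json_url` end up in one merged document, and nothing here says what happens when a SID in `iam_policy` collides with one in `iam_policy_statements`. Since `iam_override_policy_documents` is documented as winning by SID, a reader of main.tf has no way to tell which of the two non-override inputs takes precedence. Suggest extending the comment to `# iam_policy_statements is deprecated, can be list or map. It is merged into the same document as iam_policy; keep SIDs distinct across the two (collision behaviour is defined by cloudposse/iam-policy/aws 2.0.0, not here).`, or replace the parenthetical with the actual rule if it is known. The major-version bump of the policy module on the `version` line is what makes the new inputs available, so the comment is also the natural place to point at that module's changelog for migration.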
@@ -2,20 +2,11 @@ module github.com/cloudposse/terraform-aws-helm-release go 1.20 - require ( - github.com/gruntwork-io/terratest v0.41.25 + github.com/gruntwork-io/terratest v0.42.0 github.com/stretchr/testify v1.8.3 // Nominally, the version of apimachinery should match the kubernetes_version of the EKS cluster - k8s.io/apimachinery v0.26.5 -) - -// As of v1.25, `k8s/apimachinery` no longer has a `clock` package -// See https://github.com/kubernetes/kubernetes/pull/109752 -// But current Terratest (v0.41.25) uses v0.20.6, so we need replace it. -replace ( - k8s.io/api v0.20.6 => k8s.io/api v0.26.5 - k8s.io/client-go v0.20.6 => k8s.io/client-go v0.26.5 + k8s.io/apimachinery v0.26.6 ) require ( @@ -31,12 +22,12 @@ require ( github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect github.com/davecgh/go-spew v1.1.1 // indirect - github.com/emicklei/go-restful/v3 v3.9.0 // indirect + github.com/emicklei/go-restful/v3 v3.10.0 // indirect github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0 // indirect github.com/go-logr/logr v1.2.3 // indirect - github.com/go-openapi/jsonpointer v0.19.5 // indirect - github.com/go-openapi/jsonreference v0.20.0 // indirect - github.com/go-openapi/swag v0.19.14 // indirect + github.com/go-openapi/jsonpointer v0.19.6 // indirect + github.com/go-openapi/jsonreference v0.20.1 // indirect + github.com/go-openapi/swag v0.22.3 // indirect github.com/go-sql-driver/mysql v1.4.1 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect 
@@ -62,7 +53,7 @@ require ( github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/klauspost/compress v1.15.11 // indirect - github.com/mailru/easyjson v0.7.6 // indirect + github.com/mailru/easyjson v0.7.7 // indirect github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect github.com/mitchellh/go-testing-interface v1.14.1 // indirect @@ -92,16 +83,16 @@ require ( google.golang.org/appengine v1.6.7 // indirect google.golang.org/genproto v0.0.0-20230320184635-7606e756e683 // indirect google.golang.org/grpc v1.53.0 // indirect - google.golang.org/protobuf v1.29.1 // indirect + google.golang.org/protobuf v1.31.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/api v0.26.5 // indirect - k8s.io/client-go v0.20.6 // indirect + k8s.io/api v0.26.6 // indirect + k8s.io/client-go v0.26.6 // indirect k8s.io/klog/v2 v2.90.1 // indirect - k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect - k8s.io/utils v0.0.0-20221107191617-1a15be271d1d // indirect - sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect + k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect + k8s.io/utils v0.0.0-20230209194617-a36077c30491 // indirect + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect sigs.k8s.io/yaml v1.3.0 // indirect ) diff --git a/test/src/go.sum b/test/src/go.sum index 36801c1..2856402 100644 --- a/test/src/go.sum +++ b/test/src/go.sum 
@@ -233,6 +233,8 @@ github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3 github.com/elazarl/goproxy v0.0.0-20190911111923-ecfe977594f1 h1:yY9rWGoXv1U5pl4gxqlULARMQD7x0QG85lqEXTWysik= github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.10.0 h1:X4gma4HM7hFm6WMeAsTfqA0GOfdNoCzBIkHGoRLGXuM= +github.com/emicklei/go-restful/v3 v3.10.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= 
@@ -255,14 +257,12 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2 github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0= github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY= -github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonreference v0.20.0 h1:MYlu0sBgChmCfJxxUKZ8g1cPWFOB37YSZqewK7OKeyA= -github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo= -github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng= -github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= +github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= +github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= +github.com/go-openapi/jsonreference v0.20.1 h1:FBLnyygC4/IZZr893oiomc9XaghoveYTrLC1F86HID8= +github.com/go-openapi/jsonreference v0.20.1/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= +github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA= github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= 
@@ -374,8 +374,8 @@ github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/ad github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/gruntwork-io/go-commons v0.8.0 h1:k/yypwrPqSeYHevLlEDmvmgQzcyTwrlZGRaxEM6G0ro= github.com/gruntwork-io/go-commons v0.8.0/go.mod h1:gtp0yTtIBExIZp7vyIV9I0XQkVwiQZze678hvDXof78= -github.com/gruntwork-io/terratest v0.41.25 h1:VueNLhppdvkn+JvOowgVfvhBCjLvwTyqroOdz9cnmmA= -github.com/gruntwork-io/terratest v0.41.25/go.mod h1:O6gajNBjO1wvc7Wl9WtbO+ORcdnhAV2GQiBE71ycwIk= +github.com/gruntwork-io/terratest v0.42.0 h1:j3HKRzZ7p4f1iweP2stDSYz+am4+JIbraTehiEWc77s= +github.com/gruntwork-io/terratest v0.42.0/go.mod h1:O6gajNBjO1wvc7Wl9WtbO+ORcdnhAV2GQiBE71ycwIk= github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= 
@@ -427,10 +427,8 @@ github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= -github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA= -github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= +github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= 
@@ -458,8 +456,6 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= -github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/onsi/ginkgo/v2 v2.4.0 h1:+Ig9nvqgS5OBSACXNk15PLdp0U9XPYROt9CFzVdFGIs= github.com/onsi/gomega v1.23.0 h1:/oxKu9c2HVap+F3PfKort2Hw5DEU+HGlW8n+tguWsys= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 
@@ -1033,13 +1029,13 @@ google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= -google.golang.org/protobuf v1.29.1 h1:7QBf+IK2gx70Ap/hDsOmam3GE0v9HicjfEdAxE62UoM= -google.golang.org/protobuf v1.29.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= +google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU= -gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/cheggaaa/pb.v1 v1.0.27/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= 
@@ -1061,23 +1057,23 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.26.5 h1:Npao/+sMSng6nkEcNydgH3BNo4s5YoBg7iw35HM7Hcw= -k8s.io/api v0.26.5/go.mod h1:O7ICW7lj6+ZQQQ3cxekgCoW+fnGo5kWT0nTHkLZ5grc= -k8s.io/apimachinery v0.26.5 h1:hTQVhJao2piX7vSgCn4Lwd6E0o/+TJIH4NqRf+q4EmE= -k8s.io/apimachinery v0.26.5/go.mod h1:HUvk6wrOP4v22AIYqeCGSQ6xWCHo41J9d6psb3temAg= -k8s.io/client-go v0.26.5 h1:e8Z44pafL/c6ayF/6qYEypbJoDSakaFxhJ9lqULEJEo= -k8s.io/client-go v0.26.5/go.mod h1:/CYyNt+ZLMvWqMF8h1SvkUXz2ujFWQLwdDrdiQlZ5X0= +k8s.io/api v0.26.6 h1:RZsJGP5p/qdWuFVqj/JFyt+6ttfgL+8/K8gtyi7riuo= +k8s.io/api v0.26.6/go.mod h1:Z+i6M3de4+LJiXtIiWSz/yLpnG+YjxAkeW6cgZqoxn4= +k8s.io/apimachinery v0.26.6 h1:OT04J9US8G+AqfqvcJZZ8s3WUQkWbc3t6ePPWieDN6I= +k8s.io/apimachinery v0.26.6/go.mod h1:qYzLkrQ9lhrZRh0jNKo2cfvf/R1/kQONnSiyB7NUJU0= +k8s.io/client-go v0.26.6 h1:CtC0wOxkAwjYyG2URGzdEKo0nLILopSDYn5AmzOkdi4= +k8s.io/client-go v0.26.6/go.mod h1:HDjbQGY7XzFYFUWOPAfAsIYhvFXyc9l6Ne0pO0bOQ7o= k8s.io/klog/v2 v2.90.1 h1:m4bYOKall2MmOiRaR1J+We67Do7vm9KiQVlT96lnHUw= k8s.io/klog/v2 v2.90.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+OGxg8HsuBr/5f6tVAjDu6E= -k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= -k8s.io/utils v0.0.0-20221107191617-1a15be271d1d h1:0Smp/HP1OH4Rvhe+4B8nWGERtlqAGSftbSbbmm45oFs= -k8s.io/utils v0.0.0-20221107191617-1a15be271d1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg= +k8s.io/kube-openapi 
v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg= +k8s.io/utils v0.0.0-20230209194617-a36077c30491 h1:r0BAOLElQnnFhE/ApUsg3iHdVYYPBjNSSOMowRZxxsY= +k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k= -sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= diff --git a/variables.tf b/variables.tf index 0b1a2bc..2a152f9 100644 --- a/variables.tf +++ b/variables.tf 
@@ -16,22 +16,80 @@ variable "iam_policy_enabled" {
 
 variable "iam_source_policy_documents" {
 type = list(string)
- description = "List of JSON IAM policy documents that are merged together into role's policy. Statements defined in `source_policy_documents` or `source_json` must have unique sids."
+ description = <<-EOT
+ List of IAM policy documents (as JSON strings) that are merged together into the exported document.
+ Statements defined in `iam_source_policy_documents` must have unique SIDs and be distinct from SIDs
+ in `iam_policy` and deprecated `iam_policy_statements`.
+ Statements in these documents will be overridden by statements with the same SID in `iam_override_policy_documents`.
+ EOT
+ default = null
+}
+
+variable "iam_override_policy_documents" {
+ type = list(string)
+ description = <<-EOT
+ List of IAM policy documents (as JSON strings) that are merged together into the exported document with higher precedence.
+ In merging, statements with non-blank SIDs will override statements with the same SID
+ from earlier documents in the list and from other "source" documents.
+ EOT
 default = null
 }
 
 variable "iam_source_json_url" {
 type = string
- description = "IAM source json policy to download. The downloaded policy will be combined with `iam_source_policy_statements`."
+ description = <<-EOT
+ URL of the IAM policy (in JSON format) to download and use as `source_json` argument.
+ This is useful when using a 3rd party service that provides their own policy.
+ Statements in this policy will be overridden by statements with the same SID in `iam_override_policy_documents`.
+ EOT
 default = null
 }
 
 variable "iam_policy_statements" {
 type = any
- description = "DEPRECATED, use `iam_source_policy_documents` instead: IAM policy (as `map(string)`)for the service account."
+ description = <<-EOT
+ Deprecated: Use `iam_policy` instead.
+ List or Map of IAM policy statements to use in the policy.
+ This can be used with `iam_source_policy_documents` and `iam_override_policy_documents`
+ and with or instead of `iam_source_json_url`.
+ EOT
 default = {}
 }
 
+variable "iam_policy" {
+ type = list(object({
+ policy_id = optional(string, null)
+ version = optional(string, null)
+ statements = list(object({
+ sid = optional(string, null)
+ effect = optional(string, null)
+ actions = optional(list(string), null)
+ not_actions = optional(list(string), null)
+ resources = optional(list(string), null)
+ not_resources = optional(list(string), null)
+ conditions = optional(list(object({
+ test = string
+ variable = string
+ values = list(string)
+ })), [])
+ principals = optional(list(object({
+ type = string
+ identifiers = list(string)
+ })), [])
+ not_principals = optional(list(object({
+ type = string
+ identifiers = list(string)
+ })), [])
+ }))
+ }))
+ description = <<-EOT
+ IAM policy as list of Terraform objects, compatible with Terraform `aws_iam_policy_document` data source
+ except that `source_policy_documents` and `override_policy_documents` are not included.
+ Use inputs `iam_source_policy_documents` and `iam_override_policy_documents` for that.
+ EOT
+ default = null
+}
+
 ## eks_iam_role
 
 variable "aws_account_number" {
diff --git a/versions.tf b/versions.tf
index 71b5c5b..b7beb9c 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 1.0"
+ required_version = ">= 1.3.0"
 
 required_providers {
 # Update these to reflect the actual requirements of your module
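Review bot: In the variables.tf hunk, `iam_source_json_url` is now documented as a URL whose downloaded content is used as the policy's `source_json`, yet the variable still has no `validation` block, so a plain `http://` URL is accepted and a document fetched over an unauthenticated channel becomes part of the permissions attached to the role. The same commit raises `required_version` to `>= 1.3.0`, which makes `startswith` available, so the scheme can be enforced cheaply; the conditional form below is used rather than `||` so that a null value never reaches `startswith`. Something similar is worth considering for the default-`{}` versus default-`null` asymmetry between `iam_policy_statements` and the new inputs, but that is a consistency nit rather than a defect. The hunk also shows `principals`/`not_principals` in the `iam_policy` object type; the description does not say whether those are meaningful for a policy attached to the role, so a sentence in the description clarifying that would help callers.

```hcl
variable "iam_source_json_url" {
  # … unchanged: type, description, default …
  validation {
    condition     = var.iam_source_json_url == null ? true : startswith(var.iam_source_json_url, "https://")
    error_message = "iam_source_json_url must be an https:// URL; the downloaded document becomes part of the role's permissions."
  }
}
```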