From e12cf7d26d90442c93e8e83c1cb83dc28c15d854 Mon Sep 17 00:00:00 2001 From: dennislapchenko Date: Wed, 9 Aug 2023 11:44:56 +0300 Subject: [PATCH] feat: Add iam_policy_enabled to allow IAM roles without policies (#47) --- README.md | 5 +---- docs/terraform.md | 1 + main.tf | 9 +++++---- variables.tf | 6 ++++++ 4 files changed, 13 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 464f7df..5d425b5 100644 --- a/README.md +++ b/README.md @@ -89,10 +89,6 @@ We highly recommend that in your code you pin the version to the exact version y using so that your infrastructure remains stable, and update versions in a systematic way so that they do not catch you by surprise. -Also, because of a bug in the Terraform registry ([hashicorp/terraform#21417](https://github.com/hashicorp/terraform/issues/21417)), -the registry shows many of our inputs as required when in fact they are optional. -The table below correctly indicates which inputs are required. - This module deploys a [Helm chart](https://helm.sh/docs/topics/charts/) with 
@@ -317,6 +313,7 @@ Available targets:
 | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
 | [force\_update](#input\_force\_update) | Force resource update through delete/recreate if needed. Defaults to `false`. | `bool` | `null` | no |
+| [iam\_policy\_enabled](#input\_iam\_policy\_enabled) | Whether to create and attach an IAM policy to the created IAM role | `bool` | `true` | no |
 | [iam\_policy\_statements](#input\_iam\_policy\_statements) | DEPRECATED, use `iam_source_policy_documents` instead: IAM policy (as `map(string)`)for the service account. | `any` | `{}` | no |
 | [iam\_role\_enabled](#input\_iam\_role\_enabled) | Whether to create an IAM role. Setting this to `true` will also replace any occurrences of `{service_account_role_arn}` in `var.values_template_path` with the ARN of the IAM role created by this module. | `bool` | `false` | no |
 | [iam\_source\_json\_url](#input\_iam\_source\_json\_url) | IAM source json policy to download. The downloaded policy will be combined with `iam_source_policy_statements`. | `string` | `null` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index 05a663b..c6e2f78 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -55,6 +55,7 @@
 | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
 | [force\_update](#input\_force\_update) | Force resource update through delete/recreate if needed. Defaults to `false`. | `bool` | `null` | no |
+| [iam\_policy\_enabled](#input\_iam\_policy\_enabled) | Whether to create and attach an IAM policy to the created IAM role | `bool` | `true` | no |
 | [iam\_policy\_statements](#input\_iam\_policy\_statements) | DEPRECATED, use `iam_source_policy_documents` instead: IAM policy (as `map(string)`)for the service account. | `any` | `{}` | no |
 | [iam\_role\_enabled](#input\_iam\_role\_enabled) | Whether to create an IAM role. Setting this to `true` will also replace any occurrences of `{service_account_role_arn}` in `var.values_template_path` with the ARN of the IAM role created by this module. | `bool` | `false` | no |
 | [iam\_source\_json\_url](#input\_iam\_source\_json\_url) | IAM source json policy to download. The downloaded policy will be combined with `iam_source_policy_statements`. | `string` | `null` | no |
diff --git a/main.tf b/main.tf
index 5305c96..5b01037 100644
--- a/main.tf
+++ b/main.tf
@@ -1,6 +1,7 @@
 locals {
- enabled = module.this.enabled
- iam_role_enabled = local.enabled && var.iam_role_enabled
+ enabled = module.this.enabled
+ iam_role_enabled = local.enabled && var.iam_role_enabled
+ iam_policy_enabled = local.iam_role_enabled && var.iam_policy_enabled
 create_namespace = local.enabled && coalesce(var.create_namespace_with_kubernetes, var.create_namespace, false)
 create_namespace_via_k8s = local.enabled && (var.create_namespace_with_kubernetes == true) # true && null yields error
@@ -14,7 +15,7 @@ module "eks_iam_policy" {
 source = "cloudposse/iam-policy/aws"
 version = "1.0.1"
- enabled = local.iam_role_enabled
+ enabled = local.iam_policy_enabled
 iam_source_policy_documents = var.iam_source_policy_documents
 iam_source_json_url = var.iam_source_json_url
@@ -30,7 +31,7 @@ module "eks_iam_role" {
 enabled = local.iam_role_enabled
 aws_account_number = var.aws_account_number
- aws_iam_policy_document = local.iam_role_enabled ? [module.eks_iam_policy.json] : ["{}"]
+ aws_iam_policy_document = local.iam_policy_enabled ? [module.eks_iam_policy.json] : []
 aws_partition = var.aws_partition
 eks_cluster_oidc_issuer_url = var.eks_cluster_oidc_issuer_url
 service_account_name = var.service_account_name
diff --git a/variables.tf b/variables.tf
index bb01009..0b1a2bc 100644
--- a/variables.tf
+++ b/variables.tf
@@ -8,6 +8,12 @@ variable "iam_role_enabled" {
 ## eks_iam_policy
+variable "iam_policy_enabled" {
+ type = bool
+ description = "Whether to create and attach an IAM policy to the created IAM role"
+ default = true
+}
+
 variable "iam_source_policy_documents" {
 type = list(string)
 description = "List of JSON IAM policy documents that are merged together into role's policy. Statements defined in `source_policy_documents` or `source_json` must have unique sids."
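Review bot: At the `aws_iam_policy_document` line, `iam_role_enabled = true` combined with `iam_policy_enabled = false` now creates the role while `module.eks_iam_policy` is disabled, so any `iam_source_policy_documents`, `iam_source_json_url` or `iam_policy_statements` the caller also sets are silently dropped rather than rejected, leaving a role whose trust policy is in place but whose permissions never arrive. A comment at that line would make the contract explicit: `# iam_policy_enabled = false yields a role with no inline policy; the iam_source_* / iam_policy_statements inputs are then ignored and permissions must be attached outside this module.` The switch from `["{}"]` to `[]` also relies on the pinned eks-iam-role module accepting an empty document list for an enabled role — previously the empty branch was only reached with the role itself disabled — so that is worth confirming against the module version, which sits outside this hunk. The `module "eks_iam_role"` block begins before and ends after the hunk.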
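Review bot: The description of `iam_policy_enabled` does not say that it only takes effect when `iam_role_enabled` is true (it is ANDed into `local.iam_policy_enabled` in main.tf) or what a `false` value means for the policy inputs. Suggest `description = "Whether to create and attach an IAM policy to the created IAM role. Only relevant when iam_role_enabled is true; when false, the role is created without a policy and iam_source_policy_documents, iam_source_json_url and iam_policy_statements are ignored."` The matching rows added to README.md and docs/terraform.md mirror the current text, so they would need the same update (or regeneration, if they are produced from variables.tf).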