
Adapting file to terraform 0.12

These files were automatically converted
tags/1.0.0
parent
commit
060ea1dea9
Signed by untrusted user: christophe.vkerchove <christophe.vkerchove@fxinnovation.com> GPG Key ID: 4D89B3BBD1603CB8
27 changed files with 274 additions and 147 deletions
  1. +5
    -1
      .pre-commit-config.yaml
  2. +3
    -3
      README.md
  3. +3
    -2
      data.tf
  4. +3
    -3
      examples/disable/main.tf
  5. +8
    -8
      examples/disable/outputs.tf
  6. +2
    -2
      examples/disable/variables.tf
  7. +4
    -0
      examples/disable/versions.tf
  8. +12
    -10
      examples/external_kms_no_policy/main.tf
  9. +8
    -8
      examples/external_kms_no_policy/outputs.tf
  10. +2
    -2
      examples/external_kms_no_policy/variables.tf
  11. +4
    -0
      examples/external_kms_no_policy/versions.tf
  12. +4
    -4
      examples/no_kms/main.tf
  13. +8
    -8
      examples/no_kms/outputs.tf
  14. +2
    -2
      examples/no_kms/variables.tf
  15. +4
    -0
      examples/no_kms/versions.tf
  16. +4
    -4
      examples/overwrite/main.tf
  17. +8
    -8
      examples/overwrite/outputs.tf
  18. +2
    -2
      examples/overwrite/variables.tf
  19. +4
    -0
      examples/overwrite/versions.tf
  20. +4
    -4
      examples/standard/main.tf
  21. +8
    -8
      examples/standard/outputs.tf
  22. +2
    -2
      examples/standard/variables.tf
  23. +4
    -0
      examples/standard/versions.tf
  24. +95
    -53
      main.tf
  25. +62
    -8
      outputs.tf
  26. +5
    -5
      variables.tf
  27. +4
    -0
      versions.tf

+ 5
- 1
.pre-commit-config.yaml View File

@@ -1,6 +1,6 @@
repos:
- repo: git://github.com/antonbabenko/pre-commit-terraform
rev: v1.8.1
rev: v1.17.0
hooks:
- id: terraform_fmt
- id: terraform_docs
@@ -8,3 +8,7 @@ repos:
rev: v2.1.0
hooks:
- id: check-merge-conflict
- id: trailing-whitespace
- id: end-of-file-fixer
- id: check-added-large-files
- id: detect-private-key
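Review bot: The hook source on the `- repo: git://github.com/antonbabenko/pre-commit-terraform` line is fetched over the `git://` transport, which has no transport-level authentication or integrity protection, so the tag pinned by `rev: v1.17.0` is resolved through a channel that can be tampered with in transit; the line appears to be unchanged context, but the rev bump is a natural moment to fix it. pre-commit accepts HTTPS clone URLs, so `- repo: https://github.com/antonbabenko/pre-commit-terraform` gives the same hooks with an authenticated fetch. Note also that a tag is a mutable reference; pinning `rev` to a full commit SHA (use the one for v1.17.0 from the upstream repository) would make the hook version reproducible.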

+ 3
- 3
README.md View File

@@ -25,13 +25,13 @@ It's not possible to convert `SecureString` into a `String`/`StringList` a value
| kms\_key\_id | ID of the kms key if toggle kms_key_create is disable. | string | `""` | no |
| kms\_key\_name | Name of the kms key if toggle kms_key_create is set | string | `""` | no |
| kms\_tags | Tags that will be merged with variable tags for the kms key | map | `{}` | no |
| names | List of names for parameters. | list | n/a | yes |
| names | List of names for parameters. | list(string) | n/a | yes |
| overwrite | Overwrite an existing parameter | string | `"false"` | no |
| prefix | The prefix to be used for every SSM Parameters. The prefix must match [A-Za-z0-9/] | string | n/a | yes |
| ssm\_parameter\_count | Number of parameters to add | string | n/a | yes |
| tags | Global tags for resources | map | `{}` | no |
| types | List of types for parameters. | list | n/a | yes |
| values | List of values for parameters. | list | n/a | yes |
| types | List of types for parameters. | list(string) | n/a | yes |
| values | List of values for parameters. | list(string) | n/a | yes |

## Outputs



+ 3
- 2
data.tf View File

@@ -1,5 +1,6 @@
data "aws_caller_identity" "current" {}
data "aws_caller_identity" "current" {
}

locals {
kms_key_needed = "${contains(var.types, "SecureString")}"
kms_key_needed = contains(var.types, "SecureString")
}

+ 3
- 3
examples/disable/main.tf View File

@@ -1,8 +1,8 @@
provider "aws" {
version = "~> 2.2.0"
version = "~> 2"
region = "eu-west-1"
access_key = "${var.access_key}"
secret_key = "${var.secret_key}"
access_key = var.access_key
secret_key = var.secret_key
}

module "disable" {
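Review bot: The provider constraint `version = "~> 2"` widens the pin from the 2.2.x patch series to every 2.x release, so each `terraform init` of this example may resolve a different provider minor, and Terraform 0.12 has no dependency lock file to make that reproducible. If the widening was only a side effect of the automatic conversion, keeping `version = "~> 2.2.0"` preserves the previous behaviour; if it is intentional, a one-line comment above it naming the lowest provider version the examples were tested with would document the choice. The same change appears in examples/external_kms_no_policy/main.tf, examples/no_kms/main.tf, examples/overwrite/main.tf and examples/standard/main.tf. The `module "disable"` block continues outside the hunk.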


+ 8
- 8
examples/disable/outputs.tf View File

@@ -1,31 +1,31 @@
output "arns" {
value = "${module.disable.arns}"
value = module.disable.arns
}

output "names" {
value = "${module.disable.names}"
value = module.disable.names
}

output "iam_policy_read_only_id" {
value = "${module.disable.iam_policy_read_only_id}"
value = module.disable.iam_policy_read_only_id
}

output "iam_policy_read_only_arn" {
value = "${module.disable.iam_policy_read_only_arn}"
value = module.disable.iam_policy_read_only_arn
}

output "iam_policy_read_only_path" {
value = "${module.disable.iam_policy_read_only_path}"
value = module.disable.iam_policy_read_only_path
}

output "iam_policy_read_write_id" {
value = "${module.disable.iam_policy_read_write_id}"
value = module.disable.iam_policy_read_write_id
}

output "iam_policy_read_write_arn" {
value = "${module.disable.iam_policy_read_write_arn}"
value = module.disable.iam_policy_read_write_arn
}

output "iam_policy_read_write_path" {
value = "${module.disable.iam_policy_read_write_path}"
value = module.disable.iam_policy_read_write_path
}

+ 2
- 2
examples/disable/variables.tf View File

@@ -1,9 +1,9 @@
variable "access_key" {
description = "Credentials: AWS access key."
type = "string"
type = string
}

variable "secret_key" {
description = "Credentials: AWS secret key. Pass this as a variable, never write password in the code."
type = "string"
type = string
}

+ 4
- 0
examples/disable/versions.tf View File

@@ -0,0 +1,4 @@

terraform {
required_version = ">= 0.12"
}

+ 12
- 10
examples/external_kms_no_policy/main.tf View File

@@ -1,8 +1,8 @@
provider "aws" {
version = "~> 2.2.0"
version = "~> 2"
region = "eu-west-1"
access_key = "${var.access_key}"
secret_key = "${var.secret_key}"
access_key = var.access_key
secret_key = var.secret_key
}

resource "random_string" "this" {
@@ -12,14 +12,16 @@ resource "random_string" "this" {
}

resource "aws_kms_key" "this" {
tags = "${merge(
map("Name", "tftestKmsKey${random_string.this.result}"),
)}"
tags = merge(
{
"Name" = "tftestKmsKey${random_string.this.result}"
},
)
}

resource "aws_kms_alias" "this" {
name = "alias/tftest${random_string.this.result}"
target_key_id = "${aws_kms_key.this.key_id}"
target_key_id = aws_kms_key.this.key_id
}

module "external_kms_no_policy" {
@@ -31,11 +33,11 @@ module "external_kms_no_policy" {
types = ["String", "SecureString", "StringList"]
values = ["foo was here", "bar was here", "baz was here"]
kms_key_create = false
kms_key_id = "${aws_kms_key.this.id}"
kms_key_arn = "${aws_kms_key.this.arn}"
kms_key_id = aws_kms_key.this.id
kms_key_arn = aws_kms_key.this.arn
iam_policy_create = false

tags {
tags = {
Name = "tftest"
}
}

+ 8
- 8
examples/external_kms_no_policy/outputs.tf View File

@@ -1,31 +1,31 @@
output "arns" {
value = "${module.external_kms_no_policy.arns}"
value = module.external_kms_no_policy.arns
}

output "names" {
value = "${module.external_kms_no_policy.names}"
value = module.external_kms_no_policy.names
}

output "iam_policy_read_only_id" {
value = "${module.external_kms_no_policy.iam_policy_read_only_id}"
value = module.external_kms_no_policy.iam_policy_read_only_id
}

output "iam_policy_read_only_arn" {
value = "${module.external_kms_no_policy.iam_policy_read_only_arn}"
value = module.external_kms_no_policy.iam_policy_read_only_arn
}

output "iam_policy_read_only_path" {
value = "${module.external_kms_no_policy.iam_policy_read_only_path}"
value = module.external_kms_no_policy.iam_policy_read_only_path
}

output "iam_policy_read_write_id" {
value = "${module.external_kms_no_policy.iam_policy_read_write_id}"
value = module.external_kms_no_policy.iam_policy_read_write_id
}

output "iam_policy_read_write_arn" {
value = "${module.external_kms_no_policy.iam_policy_read_write_arn}"
value = module.external_kms_no_policy.iam_policy_read_write_arn
}

output "iam_policy_read_write_path" {
value = "${module.external_kms_no_policy.iam_policy_read_write_path}"
value = module.external_kms_no_policy.iam_policy_read_write_path
}

+ 2
- 2
examples/external_kms_no_policy/variables.tf View File

@@ -1,9 +1,9 @@
variable "access_key" {
description = "Credentials: AWS access key."
type = "string"
type = string
}

variable "secret_key" {
description = "Credentials: AWS secret key. Pass this as a variable, never write password in the code."
type = "string"
type = string
}

+ 4
- 0
examples/external_kms_no_policy/versions.tf View File

@@ -0,0 +1,4 @@

terraform {
required_version = ">= 0.12"
}

+ 4
- 4
examples/no_kms/main.tf View File

@@ -1,8 +1,8 @@
provider "aws" {
version = "~> 2.2.0"
version = "~> 2"
region = "eu-west-1"
access_key = "${var.access_key}"
secret_key = "${var.secret_key}"
access_key = var.access_key
secret_key = var.secret_key
}

resource "random_string" "this" {
@@ -25,7 +25,7 @@ module "no_kms" {
iam_policy_name_prefix_read_only = "tftestPolicyReadSsm${random_string.this.result}"
iam_policy_name_prefix_read_write = "tftestPolicyWriteSsm${random_string.this.result}"

tags {
tags = {
Name = "tftest"
}
}

+ 8
- 8
examples/no_kms/outputs.tf View File

@@ -1,31 +1,31 @@
output "arns" {
value = "${module.no_kms.arns}"
value = module.no_kms.arns
}

output "names" {
value = "${module.no_kms.names}"
value = module.no_kms.names
}

output "iam_policy_read_only_id" {
value = "${module.no_kms.iam_policy_read_only_id}"
value = module.no_kms.iam_policy_read_only_id
}

output "iam_policy_read_only_arn" {
value = "${module.no_kms.iam_policy_read_only_arn}"
value = module.no_kms.iam_policy_read_only_arn
}

output "iam_policy_read_only_path" {
value = "${module.no_kms.iam_policy_read_only_path}"
value = module.no_kms.iam_policy_read_only_path
}

output "iam_policy_read_write_id" {
value = "${module.no_kms.iam_policy_read_write_id}"
value = module.no_kms.iam_policy_read_write_id
}

output "iam_policy_read_write_arn" {
value = "${module.no_kms.iam_policy_read_write_arn}"
value = module.no_kms.iam_policy_read_write_arn
}

output "iam_policy_read_write_path" {
value = "${module.no_kms.iam_policy_read_write_path}"
value = module.no_kms.iam_policy_read_write_path
}

+ 2
- 2
examples/no_kms/variables.tf View File

@@ -1,9 +1,9 @@
variable "access_key" {
description = "Credentials: AWS access key."
type = "string"
type = string
}

variable "secret_key" {
description = "Credentials: AWS secret key. Pass this as a variable, never write password in the code."
type = "string"
type = string
}

+ 4
- 0
examples/no_kms/versions.tf View File

@@ -0,0 +1,4 @@

terraform {
required_version = ">= 0.12"
}

+ 4
- 4
examples/overwrite/main.tf View File

@@ -1,8 +1,8 @@
provider "aws" {
version = "~> 2.2.0"
version = "~> 2"
region = "eu-west-1"
access_key = "${var.access_key}"
secret_key = "${var.secret_key}"
access_key = var.access_key
secret_key = var.secret_key
}

resource "random_string" "this" {
@@ -27,7 +27,7 @@ module "overwrite" {
iam_policy_name_prefix_read_only = "tftestPolicyReadSsm${random_string.this.result}"
iam_policy_name_prefix_read_write = "tftestPolicyWriteSsm${random_string.this.result}"

tags {
tags = {
Name = "tftest"
}
}

+ 8
- 8
examples/overwrite/outputs.tf View File

@@ -1,31 +1,31 @@
output "arns" {
value = "${module.overwrite.arns}"
value = module.overwrite.arns
}

output "names" {
value = "${module.overwrite.names}"
value = module.overwrite.names
}

output "iam_policy_read_only_id" {
value = "${module.overwrite.iam_policy_read_only_id}"
value = module.overwrite.iam_policy_read_only_id
}

output "iam_policy_read_only_arn" {
value = "${module.overwrite.iam_policy_read_only_arn}"
value = module.overwrite.iam_policy_read_only_arn
}

output "iam_policy_read_only_path" {
value = "${module.overwrite.iam_policy_read_only_path}"
value = module.overwrite.iam_policy_read_only_path
}

output "iam_policy_read_write_id" {
value = "${module.overwrite.iam_policy_read_write_id}"
value = module.overwrite.iam_policy_read_write_id
}

output "iam_policy_read_write_arn" {
value = "${module.overwrite.iam_policy_read_write_arn}"
value = module.overwrite.iam_policy_read_write_arn
}

output "iam_policy_read_write_path" {
value = "${module.overwrite.iam_policy_read_write_path}"
value = module.overwrite.iam_policy_read_write_path
}

+ 2
- 2
examples/overwrite/variables.tf View File

@@ -1,9 +1,9 @@
variable "access_key" {
description = "Credentials: AWS access key."
type = "string"
type = string
}

variable "secret_key" {
description = "Credentials: AWS secret key. Pass this as a variable, never write password in the code."
type = "string"
type = string
}

+ 4
- 0
examples/overwrite/versions.tf View File

@@ -0,0 +1,4 @@

terraform {
required_version = ">= 0.12"
}

+ 4
- 4
examples/standard/main.tf View File

@@ -1,8 +1,8 @@
provider "aws" {
version = "~> 2.2.0"
version = "~> 2"
region = "eu-west-1"
access_key = "${var.access_key}"
secret_key = "${var.secret_key}"
access_key = var.access_key
secret_key = var.secret_key
}

resource "random_string" "this" {
@@ -28,7 +28,7 @@ module "standard" {
iam_policy_name_prefix_read_only = "tftestPolicyReadSsm${random_string.this.result}"
iam_policy_name_prefix_read_write = "tftestPolicyWriteSsm${random_string.this.result}"

tags {
tags = {
Name = "tftest"
}
}

+ 8
- 8
examples/standard/outputs.tf View File

@@ -1,31 +1,31 @@
output "arns" {
value = "${module.standard.arns}"
value = module.standard.arns
}

output "names" {
value = "${module.standard.names}"
value = module.standard.names
}

output "iam_policy_read_only_id" {
value = "${module.standard.iam_policy_read_only_id}"
value = module.standard.iam_policy_read_only_id
}

output "iam_policy_read_only_arn" {
value = "${module.standard.iam_policy_read_only_arn}"
value = module.standard.iam_policy_read_only_arn
}

output "iam_policy_read_only_path" {
value = "${module.standard.iam_policy_read_only_path}"
value = module.standard.iam_policy_read_only_path
}

output "iam_policy_read_write_id" {
value = "${module.standard.iam_policy_read_write_id}"
value = module.standard.iam_policy_read_write_id
}

output "iam_policy_read_write_arn" {
value = "${module.standard.iam_policy_read_write_arn}"
value = module.standard.iam_policy_read_write_arn
}

output "iam_policy_read_write_path" {
value = "${module.standard.iam_policy_read_write_path}"
value = module.standard.iam_policy_read_write_path
}

+ 2
- 2
examples/standard/variables.tf View File

@@ -1,9 +1,9 @@
variable "access_key" {
description = "Credentials: AWS access key."
type = "string"
type = string
}

variable "secret_key" {
description = "Credentials: AWS secret key. Pass this as a variable, never write password in the code."
type = "string"
type = string
}

+ 4
- 0
examples/standard/versions.tf View File

@@ -0,0 +1,4 @@

terraform {
required_version = ">= 0.12"
}

+ 95
- 53
main.tf View File

@@ -3,64 +3,70 @@
####

resource "aws_ssm_parameter" "overwrite" {
count = "${var.enabled && var.overwrite ? var.ssm_parameter_count : 0}"
count = var.enabled && var.overwrite ? var.ssm_parameter_count : 0

name = "/${var.prefix}${element(var.names, count.index)}"
description = "${element(concat(var.descriptions, list("")), count.index)}"
type = "${element(var.types, count.index)}"
value = "${element(var.values, count.index)}"
description = element(concat(var.descriptions, [""]), count.index)
type = element(var.types, count.index)
value = element(var.values, count.index)

key_id = "${element(var.types, count.index) == "SecureString" ? (var.kms_key_create ? element(concat(aws_kms_key.this.*.id, list("")), 0) : var.kms_key_id) : ""}"
key_id = element(var.types, count.index) == "SecureString" ? var.kms_key_create ? element(concat(aws_kms_key.this.*.id, [""]), 0) : var.kms_key_id : ""
overwrite = true
allowed_pattern = "${element(concat(var.allowed_patterns, list("")), count.index)}"
allowed_pattern = element(concat(var.allowed_patterns, [""]), count.index)

tags = "${merge(
map("Terraform", "true"),
var.tags
)}"
tags = merge(
{
"Terraform" = "true"
},
var.tags,
)
}

resource "aws_ssm_parameter" "no_overwrite" {
count = "${var.enabled && ! var.overwrite ? var.ssm_parameter_count : 0}"
count = var.enabled && false == var.overwrite ? var.ssm_parameter_count : 0

name = "/${var.prefix}${element(var.names, count.index)}"
description = "${element(concat(var.descriptions, list("")), count.index)}"
type = "${element(var.types, count.index)}"
value = "${element(var.values, count.index)}"
description = element(concat(var.descriptions, [""]), count.index)
type = element(var.types, count.index)
value = element(var.values, count.index)

key_id = "${element(var.types, count.index) == "SecureString" ? (var.kms_key_create ? element(concat(aws_kms_key.this.*.id, list("")), 0) : var.kms_key_id) : ""}"
allowed_pattern = "${element(concat(var.allowed_patterns, list("")), count.index)}"
key_id = element(var.types, count.index) == "SecureString" ? var.kms_key_create ? element(concat(aws_kms_key.this.*.id, [""]), 0) : var.kms_key_id : ""
allowed_pattern = element(concat(var.allowed_patterns, [""]), count.index)

lifecycle {
ignore_changes = [
"value",
]
ignore_changes = [value]
}

tags = "${merge(
map("Terraform", "true"),
var.tags
)}"
tags = merge(
{
"Terraform" = "true"
},
var.tags,
)
}

resource "aws_kms_key" "this" {
count = "${var.enabled && var.kms_key_create ? 1 : 0}"
count = var.enabled && var.kms_key_create ? 1 : 0

description = "KMS Key for ${var.prefix} SSM secure strings parameters encryption."

tags = "${merge(
map("Terraform", "true"),
map("Name", var.kms_key_name),
tags = merge(
{
"Terraform" = "true"
},
{
"Name" = var.kms_key_name
},
var.tags,
var.kms_tags
)}"
var.kms_tags,
)
}

resource "aws_kms_alias" "this" {
count = "${var.enabled && var.kms_key_create ? 1 : 0}"
count = var.enabled && var.kms_key_create ? 1 : 0

name = "alias/${var.kms_key_alias_name}"
target_key_id = "${aws_kms_key.this.key_id}"
target_key_id = aws_kms_key.this[0].key_id
}

####
@@ -81,7 +87,12 @@ data "aws_iam_policy_document" "read" {
"ssm:GetParameters",
]

resources = ["${formatlist("arn:aws:ssm:*:%s:parameter/%s%s", data.aws_caller_identity.current.account_id, var.prefix, var.names)}"]
resources = formatlist(
"arn:aws:ssm:*:%s:parameter/%s%s",
data.aws_caller_identity.current.account_id,
var.prefix,
var.names,
)
}

statement {
@@ -96,7 +107,15 @@ data "aws_iam_policy_document" "read" {
"kms:DescribeKey",
]

resources = ["${var.kms_key_create ? element(concat(aws_kms_key.this.*.arn, list("")), 0) : var.kms_key_arn}"]
# TF-UPGRADE-TODO: In Terraform v0.10 and earlier, it was sometimes necessary to
# force an interpolation expression to be interpreted as a list by wrapping it
# in an extra set of list brackets. That form was supported for compatibility in
# v0.11, but is no longer supported in Terraform v0.12.
#
# If the expression in the following list itself returns a list, remove the
# brackets to avoid interpretation as a list of lists. If the expression
# returns a single list item then leave it as-is and remove this TODO comment.
resources = [var.kms_key_create ? element(concat(aws_kms_key.this.*.arn, [""]), 0) : var.kms_key_arn]
}
}

@@ -114,7 +133,12 @@ data "aws_iam_policy_document" "read_no_kms" {
"ssm:GetParameters",
]

resources = ["${formatlist("arn:aws:ssm:*:%s:parameter/%s%s", data.aws_caller_identity.current.account_id, var.prefix, var.names)}"]
resources = formatlist(
"arn:aws:ssm:*:%s:parameter/%s%s",
data.aws_caller_identity.current.account_id,
var.prefix,
var.names,
)
}
}

@@ -133,7 +157,12 @@ data "aws_iam_policy_document" "read_write" {
"ssm:PutParameter",
]

resources = ["${formatlist("arn:aws:ssm:*:%s:parameter/%s%s", data.aws_caller_identity.current.account_id, var.prefix, var.names)}"]
resources = formatlist(
"arn:aws:ssm:*:%s:parameter/%s%s",
data.aws_caller_identity.current.account_id,
var.prefix,
var.names,
)
}

statement {
@@ -149,7 +178,15 @@ data "aws_iam_policy_document" "read_write" {
"kms:DescribeKey",
]

resources = ["${var.kms_key_create ? element(concat(aws_kms_key.this.*.arn, list("")), 0) : var.kms_key_arn}"]
# TF-UPGRADE-TODO: In Terraform v0.10 and earlier, it was sometimes necessary to
# force an interpolation expression to be interpreted as a list by wrapping it
# in an extra set of list brackets. That form was supported for compatibility in
# v0.11, but is no longer supported in Terraform v0.12.
#
# If the expression in the following list itself returns a list, remove the
# brackets to avoid interpretation as a list of lists. If the expression
# returns a single list item then leave it as-is and remove this TODO comment.
resources = [var.kms_key_create ? element(concat(aws_kms_key.this.*.arn, [""]), 0) : var.kms_key_arn]
}
}

@@ -168,42 +205,47 @@ data "aws_iam_policy_document" "read_write_no_kms" {
"ssm:PutParameter",
]

resources = ["${formatlist("arn:aws:ssm:*:%s:parameter/%s%s", data.aws_caller_identity.current.account_id, var.prefix, var.names)}"]
resources = formatlist(
"arn:aws:ssm:*:%s:parameter/%s%s",
data.aws_caller_identity.current.account_id,
var.prefix,
var.names,
)
}
}

resource "aws_iam_policy" "read_kms" {
count = "${var.enabled && var.iam_policy_create && (var.kms_key_create || local.kms_key_needed) ? 1 : 0}"
count = var.enabled && var.iam_policy_create && var.kms_key_create || local.kms_key_needed ? 1 : 0

name_prefix = "${var.iam_policy_name_prefix_read_only}"
path = "${var.iam_policy_path}"
policy = "${data.aws_iam_policy_document.read.json}"
name_prefix = var.iam_policy_name_prefix_read_only
path = var.iam_policy_path
policy = data.aws_iam_policy_document.read.json
description = "Read only policy to get access to ${var.prefix} SSM parameters."
}

resource "aws_iam_policy" "read_write_kms" {
count = "${var.enabled && var.iam_policy_create && (var.kms_key_create || local.kms_key_needed) ? 1 : 0}"
count = var.enabled && var.iam_policy_create && var.kms_key_create || local.kms_key_needed ? 1 : 0

name_prefix = "${var.iam_policy_name_prefix_read_write}"
path = "${var.iam_policy_path}"
policy = "${data.aws_iam_policy_document.read_write.json}"
name_prefix = var.iam_policy_name_prefix_read_write
path = var.iam_policy_path
policy = data.aws_iam_policy_document.read_write.json
description = "Read write policy to get access to ${var.prefix} SSM parameters."
}

resource "aws_iam_policy" "read_no_kms" {
count = "${var.enabled && var.iam_policy_create && ! var.kms_key_create && ! local.kms_key_needed ? 1 : 0}"
count = var.enabled && var.iam_policy_create && false == var.kms_key_create && false == local.kms_key_needed ? 1 : 0

name_prefix = "${var.iam_policy_name_prefix_read_only}"
path = "${var.iam_policy_path}"
policy = "${data.aws_iam_policy_document.read_no_kms.json}"
name_prefix = var.iam_policy_name_prefix_read_only
path = var.iam_policy_path
policy = data.aws_iam_policy_document.read_no_kms.json
description = "Read only policy to get access to ${var.prefix} SSM parameters."
}

resource "aws_iam_policy" "read_write_no_kms" {
count = "${var.enabled && var.iam_policy_create && ! var.kms_key_create && ! local.kms_key_needed ? 1 : 0}"
count = var.enabled && var.iam_policy_create && false == var.kms_key_create && false == local.kms_key_needed ? 1 : 0

name_prefix = "${var.iam_policy_name_prefix_read_write}"
path = "${var.iam_policy_path}"
policy = "${data.aws_iam_policy_document.read_write_no_kms.json}"
name_prefix = var.iam_policy_name_prefix_read_write
path = var.iam_policy_path
policy = data.aws_iam_policy_document.read_write_no_kms.json
description = "Read write policy to get access to ${var.prefix} SSM parameters."
}
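Review bot: The converted `count` expressions on `aws_iam_policy.read_kms` and `aws_iam_policy.read_write_kms` dropped the parentheses the old code had around `(var.kms_key_create || local.kms_key_needed)`; since `&&` binds tighter than `||`, the new expression reads as `(var.enabled && var.iam_policy_create && var.kms_key_create) || local.kms_key_needed`, so both policies (which grant the `kms:*` actions in the `read`/`read_write` documents) are created whenever a `SecureString` type is requested, even when `var.enabled` or `var.iam_policy_create` is false. Restore the grouping on both resources: `count = var.enabled && var.iam_policy_create && (var.kms_key_create || local.kms_key_needed) ? 1 : 0`. With `var.enabled = false` no KMS key exists either, so the policy document would presumably fall back to `var.kms_key_arn` or an empty string as the resource ARN — worth confirming, as an unintended policy with an empty resource is the likely failure mode. Separately, the two `TF-UPGRADE-TODO` comment blocks above the `resources = [var.kms_key_create ? ... : var.kms_key_arn]` lines can be removed: the ternary yields a single string, so the surrounding brackets are correct as written and the TODO no longer applies.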

+ 62
- 8
outputs.tf View File

@@ -1,39 +1,93 @@
output "arns" {
description = "ARNs of SSM Parameters"
value = "${compact(concat(aws_ssm_parameter.overwrite.*.arn, aws_ssm_parameter.no_overwrite.*.arn, list("")))}"
value = compact(
concat(
aws_ssm_parameter.overwrite.*.arn,
aws_ssm_parameter.no_overwrite.*.arn,
[""],
),
)
}

output "names" {
description = "Names of SSM Parameters"
value = "${compact(concat(aws_ssm_parameter.overwrite.*.name, aws_ssm_parameter.no_overwrite.*.name, list("")))}"
value = compact(
concat(
aws_ssm_parameter.overwrite.*.name,
aws_ssm_parameter.no_overwrite.*.name,
[""],
),
)
}

output "iam_policy_read_only_id" {
description = "ID of the read only policy"
value = "${element(concat(aws_iam_policy.read_kms.*.id, aws_iam_policy.read_no_kms.*.id, list("")), 0)}"
value = element(
concat(
aws_iam_policy.read_kms.*.id,
aws_iam_policy.read_no_kms.*.id,
[""],
),
0,
)
}

output "iam_policy_read_only_arn" {
description = "ARN of the read only policy"
value = "${element(concat(aws_iam_policy.read_kms.*.arn, aws_iam_policy.read_no_kms.*.arn, list("")), 0)}"
value = element(
concat(
aws_iam_policy.read_kms.*.arn,
aws_iam_policy.read_no_kms.*.arn,
[""],
),
0,
)
}

output "iam_policy_read_only_path" {
description = "Path of the read only policy"
value = "${element(concat(aws_iam_policy.read_kms.*.path, aws_iam_policy.read_no_kms.*.path, list("")), 0)}"
value = element(
concat(
aws_iam_policy.read_kms.*.path,
aws_iam_policy.read_no_kms.*.path,
[""],
),
0,
)
}

output "iam_policy_read_write_id" {
description = "ID of the read write policy"
value = "${element(concat(aws_iam_policy.read_write_kms.*.id, aws_iam_policy.read_write_no_kms.*.id, list("")), 0)}"
value = element(
concat(
aws_iam_policy.read_write_kms.*.id,
aws_iam_policy.read_write_no_kms.*.id,
[""],
),
0,
)
}

output "iam_policy_read_write_arn" {
description = "ARN of the read write policy"
value = "${element(concat(aws_iam_policy.read_write_kms.*.arn, aws_iam_policy.read_write_no_kms.*.arn, list("")), 0)}"
value = element(
concat(
aws_iam_policy.read_write_kms.*.arn,
aws_iam_policy.read_write_no_kms.*.arn,
[""],
),
0,
)
}

output "iam_policy_read_write_path" {
description = "Path of the read write policy"
value = "${element(concat(aws_iam_policy.read_write_kms.*.path, aws_iam_policy.read_write_no_kms.*.path, list("")), 0)}"
value = element(
concat(
aws_iam_policy.read_write_kms.*.path,
aws_iam_policy.read_write_no_kms.*.path,
[""],
),
0,
)
}

+ 5
- 5
variables.tf View File

@@ -13,7 +13,7 @@ variable "tags" {
}

#####
# SSM parameters
# SSM parameters
#####

variable "ssm_parameter_count" {
@@ -22,12 +22,12 @@ variable "ssm_parameter_count" {

variable "prefix" {
description = "The prefix to be used for every SSM Parameters. The prefix must match [A-Za-z0-9/]"
type = "string"
type = string
}

variable "names" {
description = "List of names for parameters."
type = "list"
type = list(string)
}

variable "descriptions" {
@@ -37,12 +37,12 @@ variable "descriptions" {

variable "types" {
description = "List of types for parameters."
type = "list"
type = list(string)
}

variable "values" {
description = "List of values for parameters."
type = "list"
type = list(string)
}

variable "overwrite" {


+ 4
- 0
versions.tf View File

@@ -0,0 +1,4 @@

terraform {
required_version = ">= 0.12"
}
