
tech: de-duplicate code for outputs

tags/1.1.0^2
Quentin Vallin 8 months ago
parent
commit
55193bf113
Signed by: quentin.vallin <quentin.vallin@fxinnovation.com> GPG Key ID: 96D1C2CDC50558C3
18 changed files with 132 additions and 175 deletions
  1. +8
    -0
      CHANGELOG.md
  2. +4
    -3
      README.md
  3. +1
    -1
      data.tf
  4. +3
    -3
      examples/disable/README.md
  5. +6
    -6
      examples/disable/outputs.tf
  6. +3
    -3
      examples/external_kms_no_policy/README.md
  7. +1
    -1
      examples/external_kms_no_policy/main.tf
  8. +6
    -6
      examples/external_kms_no_policy/outputs.tf
  9. +3
    -3
      examples/no_kms/README.md
  10. +5
    -4
      examples/no_kms/main.tf
  11. +6
    -6
      examples/no_kms/outputs.tf
  12. +3
    -3
      examples/overwrite/README.md
  13. +6
    -6
      examples/overwrite/outputs.tf
  14. +3
    -3
      examples/standard/README.md
  15. +6
    -6
      examples/standard/outputs.tf
  16. +25
    -74
      main.tf
  17. +38
    -47
      outputs.tf
  18. +5
    -0
      variables.tf

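--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -0,0 +1,8 @@
+# CHANGELOG
+
+## 1.1.0
+
+* feat: allow default KMS key
+* fix: KMS key outputs form list to string. WARNING, THIS IS A BREAKING CHANGE
+* fix: module outputs plural now singular: `kms_key_arn`, `kms_key_id` and `kms_alias_arn`. WARNING, THIS IS A BREAKING CHANGE.
+* fix: fix terraform pre-processor issue when use a `kms_key_id`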

+ 4
- 3
README.md View File

@@ -36,6 +36,7 @@ It's not possible to convert `SecureString` into a `String`/`StringList` a value
| prefix | The prefix to be used for every SSM Parameters. The prefix must match [A-Za-z0-9/] | `string` | n/a | yes |
| tags | Global tags for resources | `map` | `{}` | no |
| types | List of types for parameters. | `list(string)` | n/a | yes |
| use\_default\_kms\_key | Use default kms\_key | `bool` | `false` | no |
| values | List of values for parameters. | `list(string)` | n/a | yes |

## Outputs
@@ -55,10 +56,10 @@ It's not possible to convert `SecureString` into a `String`/`StringList` a value
| iam\_policy\_read\_write\_name | The name of the read write policy |
| iam\_policy\_read\_write\_path | Path of the read write policy |
| iam\_policy\_read\_write\_policy | The policy document |
| kms\_alias\_arns | The Amazon Resource Name (ARN) of the key alias |
| kms\_alias\_arn | The Amazon Resource Name (ARN) of the key alias |
| kms\_alias\_target\_key\_arn | The Amazon Resource Name (ARN) of the target key identifier |
| kms\_key\_arns | The Amazon Resource Name (ARN) of the key |
| kms\_key\_ids | Globally unique identifier for the key |
| kms\_key\_arn | The Amazon Resource Name (ARN) of the key |
| kms\_key\_id | Globally unique identifier for the key |
| names | Names of SSM Parameters |
| types | Types of SSM parameters |
| versions | Versions of SSM parameters |


+ 1
- 1
data.tf View File

@@ -2,5 +2,5 @@ data "aws_caller_identity" "current" {
}

locals {
kms_key_needed = contains(var.types, "SecureString")
kms_key_needed = (var.kms_key_create || contains(var.types, "SecureString")) && ! var.use_default_kms_key
}
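Review bot: The new `kms_key_needed` on the second `locals` line drops the condition the old policy `count` carried (`var.kms_key_create || var.kms_key_id != ""`, visible in the removed `read_kms` resource in main.tf), so a module with a SecureString type, `kms_key_create = false`, an empty `kms_key_id` and `use_default_kms_key = false` now splices the `kms_key_read_only`/`kms_key_read_write` statements into the IAM policies even though no module-created or caller-supplied key exists for them to reference. It also becomes true when `kms_key_create` is set but no parameter is a SecureString, granting KMS actions on a key no parameter uses. I would write `kms_key_needed = contains(var.types, "SecureString") && ! var.use_default_kms_key && (var.kms_key_create || var.kms_key_id != "")` and add a comment such as `# true when a SecureString needs a module-created or caller-supplied CMK; false for the AWS-managed default key`. What the KMS statements reference when neither key exists is outside this hunk, so the impact should be confirmed against those documents.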

+ 3
- 3
examples/disable/README.md View File

@@ -41,10 +41,10 @@ No provider.
| iam\_policy\_read\_write\_name | n/a |
| iam\_policy\_read\_write\_path | n/a |
| iam\_policy\_read\_write\_policy | n/a |
| kms\_alias\_arns | n/a |
| kms\_alias\_arn | n/a |
| kms\_alias\_target\_key\_arn | n/a |
| kms\_key\_arns | n/a |
| kms\_key\_ids | n/a |
| kms\_key\_arn | n/a |
| kms\_key\_id | n/a |
| names | n/a |
| types | n/a |
| versions | n/a |


+ 6
- 6
examples/disable/outputs.tf View File

@@ -14,16 +14,16 @@ output "versions" {
value = module.disable.versions
}

output "kms_key_arns" {
value = module.disable.kms_key_arns
output "kms_key_arn" {
value = module.disable.kms_key_arn
}

output "kms_key_ids" {
value = module.disable.kms_key_ids
output "kms_key_id" {
value = module.disable.kms_key_id
}

output "kms_alias_arns" {
value = module.disable.kms_alias_arns
output "kms_alias_arn" {
value = module.disable.kms_alias_arn
}

output "kms_alias_target_key_arn" {


+ 3
- 3
examples/external_kms_no_policy/README.md View File

@@ -44,10 +44,10 @@ $ terraform apply
| iam\_policy\_read\_write\_name | n/a |
| iam\_policy\_read\_write\_path | n/a |
| iam\_policy\_read\_write\_policy | n/a |
| kms\_alias\_arns | n/a |
| kms\_alias\_arn | n/a |
| kms\_alias\_target\_key\_arn | n/a |
| kms\_key\_arns | n/a |
| kms\_key\_ids | n/a |
| kms\_key\_arn | n/a |
| kms\_key\_id | n/a |
| names | n/a |
| types | n/a |
| versions | n/a |


+ 1
- 1
examples/external_kms_no_policy/main.tf View File

@@ -34,7 +34,7 @@ module "external_kms_no_policy" {
kms_key_create = false
kms_key_id = aws_kms_key.this.id
kms_key_arn = aws_kms_key.this.arn
iam_policy_create = false
iam_policy_create = true

tags = {
Name = "tftest"
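Review bot: `iam_policy_create = true` contradicts the example's name `external_kms_no_policy` and leaves the module's external-key-without-policy path with no example that exercises it. If the intent is to test the new policy-document composition against a caller-supplied key, rename the example (and its README) accordingly or add a second example; otherwise keep `iam_policy_create = false` here. The enclosing `module` block starts before the hunk.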


+ 6
- 6
examples/external_kms_no_policy/outputs.tf View File

@@ -14,16 +14,16 @@ output "versions" {
value = module.external_kms_no_policy.versions
}

output "kms_key_arns" {
value = module.external_kms_no_policy.kms_key_arns
output "kms_key_arn" {
value = module.external_kms_no_policy.kms_key_arn
}

output "kms_key_ids" {
value = module.external_kms_no_policy.kms_key_ids
output "kms_key_id" {
value = module.external_kms_no_policy.kms_key_id
}

output "kms_alias_arns" {
value = module.external_kms_no_policy.kms_alias_arns
output "kms_alias_arn" {
value = module.external_kms_no_policy.kms_alias_arn
}

output "kms_alias_target_key_arn" {


+ 3
- 3
examples/no_kms/README.md View File

@@ -43,10 +43,10 @@ $ terraform apply
| iam\_policy\_read\_write\_name | n/a |
| iam\_policy\_read\_write\_path | n/a |
| iam\_policy\_read\_write\_policy | n/a |
| kms\_alias\_arns | n/a |
| kms\_alias\_arn | n/a |
| kms\_alias\_target\_key\_arn | n/a |
| kms\_key\_arns | n/a |
| kms\_key\_ids | n/a |
| kms\_key\_arn | n/a |
| kms\_key\_id | n/a |
| names | n/a |
| types | n/a |
| versions | n/a |


+ 5
- 4
examples/no_kms/main.tf View File

@@ -15,11 +15,12 @@ module "no_kms" {
source = "../../"

prefix = "tftestSsmParam/${random_string.this.result}"
names = ["/foo"]
types = ["String"]
values = ["foo was here"]
descriptions = ["Know if foo was there"]
names = ["/foo", "/bar"]
types = ["String", "SecureString"]
values = ["foo was here", "bar was here"]
descriptions = ["Know if foo was there", "Know if bar was there"]
kms_key_create = false
use_default_kms_key = true
iam_policy_create = true
iam_policy_name_prefix_read_only = "tftestPolicyReadSsm${random_string.this.result}"
iam_policy_name_prefix_read_write = "tftestPolicyWriteSsm${random_string.this.result}"


+ 6
- 6
examples/no_kms/outputs.tf View File

@@ -14,16 +14,16 @@ output "versions" {
value = module.no_kms.versions
}

output "kms_key_arns" {
value = module.no_kms.kms_key_arns
output "kms_key_arn" {
value = module.no_kms.kms_key_arn
}

output "kms_key_ids" {
value = module.no_kms.kms_key_ids
output "kms_key_id" {
value = module.no_kms.kms_key_id
}

output "kms_alias_arns" {
value = module.no_kms.kms_alias_arns
output "kms_alias_arn" {
value = module.no_kms.kms_alias_arn
}

output "kms_alias_target_key_arn" {


+ 3
- 3
examples/overwrite/README.md View File

@@ -43,10 +43,10 @@ $ terraform apply
| iam\_policy\_read\_write\_name | n/a |
| iam\_policy\_read\_write\_path | n/a |
| iam\_policy\_read\_write\_policy | n/a |
| kms\_alias\_arns | n/a |
| kms\_alias\_arn | n/a |
| kms\_alias\_target\_key\_arn | n/a |
| kms\_key\_arns | n/a |
| kms\_key\_ids | n/a |
| kms\_key\_arn | n/a |
| kms\_key\_id | n/a |
| names | n/a |
| types | n/a |
| versions | n/a |


+ 6
- 6
examples/overwrite/outputs.tf View File

@@ -14,16 +14,16 @@ output "versions" {
value = module.overwrite.versions
}

output "kms_key_arns" {
value = module.overwrite.kms_key_arns
output "kms_key_arn" {
value = module.overwrite.kms_key_arn
}

output "kms_key_ids" {
value = module.overwrite.kms_key_ids
output "kms_key_id" {
value = module.overwrite.kms_key_id
}

output "kms_alias_arns" {
value = module.overwrite.kms_alias_arns
output "kms_alias_arn" {
value = module.overwrite.kms_alias_arn
}

output "kms_alias_target_key_arn" {


+ 3
- 3
examples/standard/README.md View File

@@ -43,10 +43,10 @@ $ terraform apply
| iam\_policy\_read\_write\_name | n/a |
| iam\_policy\_read\_write\_path | n/a |
| iam\_policy\_read\_write\_policy | n/a |
| kms\_alias\_arns | n/a |
| kms\_alias\_arn | n/a |
| kms\_alias\_target\_key\_arn | n/a |
| kms\_key\_arns | n/a |
| kms\_key\_ids | n/a |
| kms\_key\_arn | n/a |
| kms\_key\_id | n/a |
| names | n/a |
| types | n/a |
| versions | n/a |


+ 6
- 6
examples/standard/outputs.tf View File

@@ -14,16 +14,16 @@ output "versions" {
value = module.standard.versions
}

output "kms_key_arns" {
value = module.standard.kms_key_arns
output "kms_key_arn" {
value = module.standard.kms_key_arn
}

output "kms_key_ids" {
value = module.standard.kms_key_ids
output "kms_key_id" {
value = module.standard.kms_key_id
}

output "kms_alias_arns" {
value = module.standard.kms_alias_arns
output "kms_alias_arn" {
value = module.standard.kms_alias_arn
}

output "kms_alias_target_key_arn" {


+ 25
- 74
main.tf View File

@@ -10,7 +10,7 @@ resource "aws_ssm_parameter" "overwrite" {
type = element(var.types, count.index)
value = element(var.values, count.index)

key_id = element(var.types, count.index) == "SecureString" ? var.kms_key_create ? element(concat(aws_kms_key.this.*.id, [""]), 0) : var.kms_key_id != null ? var.kms_key_id : null : null
key_id = element(var.types, count.index) == "SecureString" ? var.kms_key_create ? element(concat(aws_kms_key.this.*.id, [""]), 0) : var.kms_key_id != "" ? var.kms_key_id : null : null
overwrite = true
allowed_pattern = element(concat(var.allowed_patterns, [""]), count.index)

@@ -46,7 +46,7 @@ resource "aws_ssm_parameter" "no_overwrite" {
}

resource "aws_kms_key" "this" {
count = var.enabled && var.kms_key_create ? 1 : 0
count = var.enabled && var.kms_key_create && ! var.use_default_kms_key ? 1 : 0

description = "KMS Key for ${var.prefix} SSM secure strings parameters encryption."

@@ -63,7 +63,7 @@ resource "aws_kms_key" "this" {
}

resource "aws_kms_alias" "this" {
count = var.enabled && var.kms_key_create ? 1 : 0
count = var.enabled && var.kms_key_create && ! var.use_default_kms_key ? 1 : 0

name = "alias/${var.kms_key_alias_name}"
target_key_id = aws_kms_key.this[0].key_id
@@ -73,7 +73,11 @@ resource "aws_kms_alias" "this" {
# IAM Policy
####

data "aws_iam_policy_document" "read" {
data "aws_iam_policy_document" "read_only" {
count = var.enabled && var.iam_policy_create ? 1 : 0

source_json = local.kms_key_needed ? element(concat(data.aws_iam_policy_document.kms_key_read_only.*.json, [""]), 0) : null

statement {
sid = "Allow${replace(replace(var.prefix, "-", ""), "/", "")}SSMParameterAccess"

@@ -94,6 +98,10 @@ data "aws_iam_policy_document" "read" {
var.names,
)
}
}

data "aws_iam_policy_document" "kms_key_read_only" {
count = var.enabled && var.iam_policy_create ? 1 : 0

statement {
sid = "Allow${replace(replace(var.prefix, "-", ""), "/", "")}SSMParameterKMSAccess"
@@ -111,30 +119,10 @@ data "aws_iam_policy_document" "read" {
}
}

data "aws_iam_policy_document" "read_no_kms" {
statement {
sid = "Allow${replace(replace(var.prefix, "-", ""), "/", "")}SSMParameterAccess"

effect = "Allow"

actions = [
"ssm:DescribeAssociation",
"ssm:GetDocument",
"ssm:DescribeDocument",
"ssm:GetParameter",
"ssm:GetParameters",
]

resources = formatlist(
"arn:aws:ssm:*:%s:parameter/%s%s",
data.aws_caller_identity.current.account_id,
var.prefix,
var.names,
)
}
}

data "aws_iam_policy_document" "read_write" {
count = var.enabled && var.iam_policy_create ? 1 : 0

source_json = local.kms_key_needed ? element(concat(data.aws_iam_policy_document.kms_key_read_write.*.json, [""]), 0) : null
statement {
sid = "Allow${replace(replace(var.prefix, "-", ""), "/", "")}SSMParameterAccess"

@@ -156,6 +144,10 @@ data "aws_iam_policy_document" "read_write" {
var.names,
)
}
}

data "aws_iam_policy_document" "kms_key_read_write" {
count = var.enabled && var.iam_policy_create ? 1 : 0

statement {
sid = "Allow${replace(replace(var.prefix, "-", ""), "/", "")}SSMParameterKMSAccess"
@@ -174,62 +166,21 @@ data "aws_iam_policy_document" "read_write" {
}
}

data "aws_iam_policy_document" "read_write_no_kms" {
statement {
sid = "Allow${replace(replace(var.prefix, "-", ""), "/", "")}SSMParameterAccess"

effect = "Allow"

actions = [
"ssm:DescribeAssociation",
"ssm:GetDocument",
"ssm:DescribeDocument",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:PutParameter",
]

resources = formatlist(
"arn:aws:ssm:*:%s:parameter/%s%s",
data.aws_caller_identity.current.account_id,
var.prefix,
var.names,
)
}
}

resource "aws_iam_policy" "read_kms" {
count = var.enabled && var.iam_policy_create && (var.kms_key_create || var.kms_key_id != "") ? 1 : 0

name_prefix = var.iam_policy_name_prefix_read_only
path = var.iam_policy_path
policy = data.aws_iam_policy_document.read.json
description = "Read only policy to get access to ${var.prefix} SSM parameters."
}

resource "aws_iam_policy" "read_write_kms" {
count = var.enabled && var.iam_policy_create && (var.kms_key_create || var.kms_key_id != "") ? 1 : 0

name_prefix = var.iam_policy_name_prefix_read_write
path = var.iam_policy_path
policy = data.aws_iam_policy_document.read_write.json
description = "Read write policy to get access to ${var.prefix} SSM parameters."
}

resource "aws_iam_policy" "read_no_kms" {
count = var.enabled && var.iam_policy_create && false == var.kms_key_create && var.kms_key_id == "" ? 1 : 0
resource "aws_iam_policy" "read_only" {
count = var.enabled && var.iam_policy_create ? 1 : 0

name_prefix = var.iam_policy_name_prefix_read_only
path = var.iam_policy_path
policy = data.aws_iam_policy_document.read_no_kms.json
policy = element(concat(data.aws_iam_policy_document.read_only.*.json, [""]), 0)
description = "Read only policy to get access to ${var.prefix} SSM parameters."
}

resource "aws_iam_policy" "read_write_no_kms" {
count = var.enabled && var.iam_policy_create && false == var.kms_key_create && var.kms_key_id == "" ? 1 : 0
resource "aws_iam_policy" "read_write" {
count = var.enabled && var.iam_policy_create ? 1 : 0

name_prefix = var.iam_policy_name_prefix_read_write
path = var.iam_policy_path
policy = data.aws_iam_policy_document.read_write_no_kms.json
policy = element(concat(data.aws_iam_policy_document.read_write.*.json, [""]), 0)
description = "Read write policy to get access to ${var.prefix} SSM parameters."
}
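Review bot: The `key_id` expression in `aws_ssm_parameter.overwrite` still branches on `var.kms_key_create` alone, while `aws_kms_key.this` is now also gated on `! var.use_default_kms_key`; with `kms_key_create = true` and `use_default_kms_key = true` the key list is empty and `element(concat(aws_kms_key.this.*.id, [""]), 0)` yields `key_id = ""` rather than `null`, which is neither the default key nor a valid key id (how the provider treats an empty `key_id` should be confirmed). I would gate the first branch the same way as the resource counts, `var.kms_key_create && ! var.use_default_kms_key ? element(concat(aws_kms_key.this.*.id, [""]), 0) : ...`, ideally through a single local that both parameter resources and both KMS resource counts reuse. `aws_ssm_parameter.no_overwrite` is only visible as a context line here and presumably carries the same expression. The `source_json` merge on `read_only`/`read_write` also deserves a comment, e.g. `# KMS statement is merged in only when local.kms_key_needed holds; otherwise the policy is SSM-only`, since the `concat(..., [""])` fallback hides the empty case.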

+ 38
- 47
outputs.tf View File

@@ -20,18 +20,6 @@ output "names" {
)
}

output "iam_policy_read_only_id" {
description = "ID of the read only policy"
value = element(
concat(
aws_iam_policy.read_kms.*.id,
aws_iam_policy.read_no_kms.*.id,
[""],
),
0,
)
}

output "types" {
description = "Types of SSM parameters"
value = compact(
@@ -54,43 +42,50 @@ output "versions" {
)
}

output "kms_key_arns" {
output "kms_key_arn" {
description = "The Amazon Resource Name (ARN) of the key"
value = compact(
value = element(
concat(
aws_kms_key.this.*.arn,
[""],
)
)
), 0)
}

output "kms_key_ids" {
output "kms_key_id" {
description = "Globally unique identifier for the key"
value = compact(
value = element(
concat(
aws_kms_key.this.*.key_id,
[""],
)
)
), 0)
}

output "kms_alias_arns" {
output "kms_alias_arn" {
description = "The Amazon Resource Name (ARN) of the key alias"
value = compact(
value = element(
concat(
aws_kms_alias.this.*.arn,
[""],
)
)
), 0)
}

output "kms_alias_target_key_arn" {
description = "The Amazon Resource Name (ARN) of the target key identifier"
value = compact(
value = element(
concat(
aws_kms_alias.this.*.target_key_arn,
[""],
)
), 0)
}

output "iam_policy_read_only_id" {
description = "ID of the read only policy"
value = element(
concat(
aws_iam_policy.read_only.*.id,
[""],
),
0,
)
}

@@ -98,8 +93,7 @@ output "iam_policy_read_only_arn" {
description = "ARN of the read only policy"
value = element(
concat(
aws_iam_policy.read_kms.*.arn,
aws_iam_policy.read_no_kms.*.arn,
aws_iam_policy.read_only.*.arn,
[""],
),
0,
@@ -110,8 +104,7 @@ output "iam_policy_read_only_description" {
description = "The description of the read only policy"
value = element(
concat(
aws_iam_policy.read_kms.*.description,
aws_iam_policy.read_no_kms.*.description,
aws_iam_policy.read_only.*.description,
[""],
),
0,
@@ -122,8 +115,7 @@ output "iam_policy_read_only_name" {
description = "The name of the read only policy"
value = element(
concat(
aws_iam_policy.read_kms.*.name,
aws_iam_policy.read_no_kms.*.name,
aws_iam_policy.read_only.*.name,
[""],
),
0,
@@ -134,8 +126,7 @@ output "iam_policy_read_only_path" {
description = "Path of the read only policy"
value = element(
concat(
aws_iam_policy.read_kms.*.path,
aws_iam_policy.read_no_kms.*.path,
aws_iam_policy.read_only.*.path,
[""],
),
0,
@@ -144,15 +135,20 @@ output "iam_policy_read_only_path" {

output "iam_policy_read_only_policy" {
description = "The policy document"
value = element(concat(aws_iam_policy.read_kms.*.policy, aws_iam_policy.read_no_kms.*.policy, list("")), 0)
value = element(
concat(
aws_iam_policy.read_only.*.policy,
[""]
),
0,
)
}

output "iam_policy_read_write_id" {
description = "ID of the read write policy"
value = element(
concat(
aws_iam_policy.read_write_kms.*.id,
aws_iam_policy.read_write_no_kms.*.id,
aws_iam_policy.read_write.*.id,
[""],
),
0,
@@ -163,8 +159,7 @@ output "iam_policy_read_write_arn" {
description = "ARN of the read write policy"
value = element(
concat(
aws_iam_policy.read_write_kms.*.arn,
aws_iam_policy.read_write_no_kms.*.arn,
aws_iam_policy.read_write.*.arn,
[""],
),
0,
@@ -175,8 +170,7 @@ output "iam_policy_read_write_description" {
description = "The description of the read write policy"
value = element(
concat(
aws_iam_policy.read_write_kms.*.description,
aws_iam_policy.read_write_no_kms.*.description,
aws_iam_policy.read_write.*.description,
[""]
),
0
@@ -187,8 +181,7 @@ output "iam_policy_read_write_name" {
description = "The name of the read write policy"
value = element(
concat(
aws_iam_policy.read_write_kms.*.name,
aws_iam_policy.read_write_no_kms.*.name,
aws_iam_policy.read_write.*.name,
[""]
),
0,
@@ -199,8 +192,7 @@ output "iam_policy_read_write_path" {
description = "Path of the read write policy"
value = element(
concat(
aws_iam_policy.read_write_kms.*.path,
aws_iam_policy.read_write_no_kms.*.path,
aws_iam_policy.read_write.*.path,
[""],
),
0,
@@ -211,8 +203,7 @@ output "iam_policy_read_write_policy" {
description = "The policy document"
value = element(
concat(
aws_iam_policy.read_write_kms.*.policy,
aws_iam_policy.read_write_no_kms.*.policy,
aws_iam_policy.read_write.*.policy,
[""],
),
0
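Review bot: The `kms_key_arn`, `kms_key_id`, `kms_alias_arn` and `kms_alias_target_key_arn` outputs now return `""` whenever `aws_kms_key.this`/`aws_kms_alias.this` have zero instances, which after this commit covers both `kms_key_create = false` (caller-supplied key) and `use_default_kms_key = true`, yet their descriptions still read as if a key always exists. A consumer building a KMS grant or key policy from `module.x.kms_key_arn` gets an empty string with no hint that the key actually in use is the caller's or the AWS-managed default one. I would change the descriptions, e.g. `description = "ARN of the KMS key created by this module; empty string when kms_key_create is false or use_default_kms_key is true"`, and mirror that wording in the README outputs table. Returning the caller's `var.kms_key_arn` in the external-key case would be a behaviour change worth a separate discussion.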


+ 5
- 0
variables.tf View File

@@ -85,6 +85,11 @@ variable "kms_key_alias_name" {
default = ""
}

variable "use_default_kms_key" {
description = "Use default kms_key"
default = false
}

#####
# IAM Policy
#####
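Review bot: `use_default_kms_key` declares neither `type = bool` nor what "default kms_key" means, although the README already documents it as `bool`, and since `aws_kms_key.this`/`aws_kms_alias.this` in main.tf are suppressed whenever it is true it silently overrides `kms_key_create = true` and changes the encryption boundary of every SecureString parameter. I would add `type = bool` and expand the description to something like `"Encrypt SecureString parameters with the AWS-managed default SSM key instead of a module-created or caller-supplied CMK; takes precedence over kms_key_create, and the module then omits KMS statements from the generated IAM policies"`. Presumably the default key is the account's `aws/ssm` key, whose key policy lets any principal in the account with SSM access decrypt, so the description should make that weaker isolation explicit once confirmed.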

