
Merges origin/trust-policy-templating (pull request #9)
danvaida committed Aug 30, 2021
2 parents a1a5f69 + 1135bb6 commit 95a790a
Showing 12 changed files with 41 additions and 18 deletions.
5 changes: 1 addition & 4 deletions Makefile
Expand Up @@ -11,7 +11,7 @@ TF_MODULES = $(sort $(dir $(wildcard $(CURRENT_DIR)modules/*/)))
# -------------------------------------------------------------------------------------------------
# Container versions
# -------------------------------------------------------------------------------------------------
TF_VERSION = light
TF_VERSION = 0.12.31
TFDOCS_VERSION = 0.10.1
FL_VERSION = 0.3
JL_VERSION = latest-0.4
Expand Down Expand Up @@ -79,12 +79,9 @@ test: _pull-tf
echo "------------------------------------------------------------"; \
if docker run $$(tty -s && echo "-it" || echo) --rm -v "$(CURRENT_DIR):/t" --workdir "$${DOCKER_PATH}" hashicorp/terraform:$(TF_VERSION) \
init \
-verify-plugins=true \
-lock=false \
-upgrade=true \
-reconfigure \
-input=false \
-get-plugins=true \
-get=true \
.; then \
echo "OK"; \
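Review bot: Whichever of `TF_VERSION = light` and `TF_VERSION = 0.12.31` is the new value, the `hashicorp/terraform:$(TF_VERSION)` image run in the second hunk is still pulled by a mutable tag, so the contents behind the pinned version can change without any edit to this file. If the `test` target is meant to be reproducible, consider additionally pinning the image by digest, e.g. `hashicorp/terraform:$(TF_VERSION)@sha256:<DIGEST-PLACEHOLDER>`, and keeping the digest next to the version variables. The rendered page has lost the +/- markers, so which three of the `init` flags were dropped cannot be confirmed from here. The `test:` recipe starts and ends outside the second hunk.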
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -658,7 +658,8 @@ list(object({
instance_profile = string # Name of the instance profile
path = string # Defaults to 'var.role_path' if variable is set to null
desc = string # Defaults to 'var.role_desc' if variable is set to null
trust_policy_file = string # Path to file of trust/assume policy
trust_policy_file = string # Path to file of trust/assume policy. Will be templated if vars are passed.
trust_policy_vars = map(string) # Policy template variables {key = val, ...}
permissions_boundary = string # ARN to a policy used as permissions boundary (or null/empty)
policies = list(string) # List of names of policies (must be defined in var.policies)
policy_arns = list(string) # List of existing policy ARN's
2 changes: 1 addition & 1 deletion examples/groups-users-and-policies/README.md
Expand Up @@ -36,7 +36,7 @@ No provider.
| policies | A list of dictionaries defining all policies. | <pre>list(object({<br> name = string # Name of the policy<br> path = string # Defaults to 'var.policy_path' if variable is set to null<br> desc = string # Defaults to 'var.policy_desc' if variable is set to null<br> file = string # Path to json or json.tmpl file of policy<br> vars = map(string) # Policy template variables {key: val, ...}<br> }))</pre> | `[]` | no |
| groups | A list of dictionaries defining all groups. | <pre>list(object({<br> name = string # Name of the group<br> path = string # Defaults to 'var.group_path' if variable is set to null<br> policies = list(string) # List of names of policies (must be defined in var.policies)<br> policy_arns = list(string) # List of existing policy ARN's<br> inline_policies = list(object({<br> name = string # Name of the inline policy<br> file = string # Path to json or json.tmpl file of policy<br> vars = map(string) # Policy template variables {key = val, ...}<br> }))<br> }))</pre> | `[]` | no |
| users | A list of dictionaries defining all users. | <pre>list(object({<br> name = string # Name of the user<br> path = string # Defaults to 'var.user_path' if variable is set to null<br> groups = list(string) # List of group names to add this user to<br> access_keys = list(object({<br> name = string # IaC identifier for first or second IAM access key (not used on AWS)<br> pgp_key = string # Leave empty for non or provide a b64-enc pubkey or keybase username<br> status = string # 'Active' or 'Inactive'<br> }))<br> permissions_boundary = string # ARN to a policy used as permissions boundary (or null/empty)<br> policies = list(string) # List of names of policies (must be defined in var.policies)<br> policy_arns = list(string) # List of existing policy ARN's<br> inline_policies = list(object({<br> name = string # Name of the inline policy<br> file = string # Path to json or json.tmpl file of policy<br> vars = map(string) # Policy template variables {key = val, ...}<br> }))<br> }))</pre> | `[]` | no |
| roles | A list of dictionaries defining all roles. | <pre>list(object({<br> name = string # Name of the role<br> instance_profile = string # Name of the instance profile<br> path = string # Defaults to 'var.role_path' if variable is set to null<br> desc = string # Defaults to 'var.role_desc' if variable is set to null<br> trust_policy_file = string # Path to file of trust/assume policy<br> permissions_boundary = string # ARN to a policy used as permissions boundary (or null/empty)<br> policies = list(string) # List of names of policies (must be defined in var.policies)<br> policy_arns = list(string) # List of existing policy ARN's<br> inline_policies = list(object({<br> name = string # Name of the inline policy<br> file = string # Path to json or json.tmpl file of policy<br> vars = map(string) # Policy template variables {key = val, ...}<br> }))<br> }))</pre> | `[]` | no |
| roles | A list of dictionaries defining all roles. | <pre>list(object({<br> name = string # Name of the role<br> instance_profile = string # Name of the instance profile<br> path = string # Defaults to 'var.role_path' if variable is set to null<br> desc = string # Defaults to 'var.role_desc' if variable is set to null<br> trust_policy_file = string # Path to file of trust/assume policy. Will be templated if vars are passed.<br> trust_policy_vars = map(string) # Policy template variables {key = val, ...}<br> permissions_boundary = string # ARN to a policy used as permissions boundary (or null/empty)<br> policies = list(string) # List of names of policies (must be defined in var.policies)<br> policy_arns = list(string) # List of existing policy ARN's<br> inline_policies = list(object({<br> name = string # Name of the inline policy<br> file = string # Path to json or json.tmpl file of policy<br> vars = map(string) # Policy template variables {key = val, ...}<br> }))<br> }))</pre> | `[]` | no |
| policy\_path | The default path under which to create the policy if not specified in the policies list. You can use a single path, or nest multiple paths as if they were a folder structure. For example, you could use the nested path /division\_abc/subdivision\_xyz/product\_1234/engineering/ to match your company's organizational structure. | `string` | `"/"` | no |
| policy\_desc | The default description of the policy. | `string` | `"Managed by Terraform"` | no |
| group\_path | The path under which to create the group. You can use a single path, or nest multiple paths as if they were a folder structure. For example, you could use the nested path /division\_abc/subdivision\_xyz/product\_1234/engineering/ to match your company's organizational structure. | `string` | `"/"` | no |
2 changes: 1 addition & 1 deletion examples/policies-with-custom-data-sources/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -193,7 +193,7 @@ No requirements.
| policies | A list of dictionaries defining all policies. | <pre>list(object({<br> name = string # Name of the policy<br> path = string # Defaults to 'var.policy_path' if variable is set to null<br> desc = string # Defaults to 'var.policy_desc' if variable is set to null<br> file = string # Path to json or json.tmpl file of policy<br> vars = map(string) # Policy template variables {key: val, ...}<br> }))</pre> | `[]` | no |
| groups | A list of dictionaries defining all groups. | <pre>list(object({<br> name = string # Name of the group<br> path = string # Defaults to 'var.group_path' if variable is set to null<br> policies = list(string) # List of names of policies (must be defined in var.policies)<br> policy_arns = list(string) # List of existing policy ARN's<br> inline_policies = list(object({<br> name = string # Name of the inline policy<br> file = string # Path to json or json.tmpl file of policy<br> vars = map(string) # Policy template variables {key = val, ...}<br> }))<br> }))</pre> | `[]` | no |
| users | A list of dictionaries defining all users. | <pre>list(object({<br> name = string # Name of the user<br> path = string # Defaults to 'var.user_path' if variable is set to null<br> groups = list(string) # List of group names to add this user to<br> access_keys = list(object({<br> name = string # IaC identifier for first or second IAM access key (not used on AWS)<br> pgp_key = string # Leave empty for non or provide a b64-enc pubkey or keybase username<br> status = string # 'Active' or 'Inactive'<br> }))<br> permissions_boundary = string # ARN to a policy used as permissions boundary (or null/empty)<br> policies = list(string) # List of names of policies (must be defined in var.policies)<br> policy_arns = list(string) # List of existing policy ARN's<br> inline_policies = list(object({<br> name = string # Name of the inline policy<br> file = string # Path to json or json.tmpl file of policy<br> vars = map(string) # Policy template variables {key = val, ...}<br> }))<br> }))</pre> | `[]` | no |
| roles | A list of dictionaries defining all roles. | <pre>list(object({<br> name = string # Name of the role<br> instance_profile = string # Name of the instance profile<br> path = string # Defaults to 'var.role_path' if variable is set to null<br> desc = string # Defaults to 'var.role_desc' if variable is set to null<br> trust_policy_file = string # Path to file of trust/assume policy<br> permissions_boundary = string # ARN to a policy used as permissions boundary (or null/empty)<br> policies = list(string) # List of names of policies (must be defined in var.policies)<br> policy_arns = list(string) # List of existing policy ARN's<br> inline_policies = list(object({<br> name = string # Name of the inline policy<br> file = string # Path to json or json.tmpl file of policy<br> vars = map(string) # Policy template variables {key = val, ...}<br> }))<br> }))</pre> | `[]` | no |
| roles | A list of dictionaries defining all roles. | <pre>list(object({<br> name = string # Name of the role<br> instance_profile = string # Name of the instance profile<br> path = string # Defaults to 'var.role_path' if variable is set to null<br> desc = string # Defaults to 'var.role_desc' if variable is set to null<br> trust_policy_file = string # Path to file of trust/assume policy. Will be templated if vars are passed.<br> trust_policy_vars = map(string) # Policy template variables {key = val, ...}<br> permissions_boundary = string # ARN to a policy used as permissions boundary (or null/empty)<br> policies = list(string) # List of names of policies (must be defined in var.policies)<br> policy_arns = list(string) # List of existing policy ARN's<br> inline_policies = list(object({<br> name = string # Name of the inline policy<br> file = string # Path to json or json.tmpl file of policy<br> vars = map(string) # Policy template variables {key = val, ...}<br> }))<br> }))</pre> | `[]` | no |
| policy\_path | The default path under which to create the policy if not specified in the policies list. You can use a single path, or nest multiple paths as if they were a folder structure. For example, you could use the nested path /division\_abc/subdivision\_xyz/product\_1234/engineering/ to match your company's organizational structure. | `string` | `"/"` | no |
| policy\_desc | The default description of the policy. | `string` | `"Managed by Terraform"` | no |
| group\_path | The path under which to create the group. You can use a single path, or nest multiple paths as if they were a folder structure. For example, you could use the nested path /division\_abc/subdivision\_xyz/product\_1234/engineering/ to match your company's organizational structure. | `string` | `"/"` | no |
2 changes: 1 addition & 1 deletion examples/roles/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -86,7 +86,7 @@ No provider.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| policies | A list of dictionaries defining all policies. | <pre>list(object({<br> name = string # Name of the policy<br> path = string # Defaults to 'var.policy_path' if variable is set to null<br> desc = string # Defaults to 'var.policy_desc' if variable is set to null<br> file = string # Path to json or json.tmpl file of policy<br> vars = map(string) # Policy template variables {key: val, ...}<br> }))</pre> | `[]` | no |
| roles | A list of dictionaries defining all roles. | <pre>list(object({<br> name = string # Name of the role<br> instance_profile = string # Name of the instance profile (attach the role to an instance profile)<br> path = string # Defaults to 'var.role_path' if variable is set to null<br> desc = string # Defaults to 'var.role_desc' if variable is set to null<br> trust_policy_file = string # Path to file of trust/assume policy<br> permissions_boundary = string # ARN to a policy used as permissions boundary (or null/empty)<br> policies = list(string) # List of names of policies (must be defined in var.policies)<br> policy_arns = list(string) # List of existing policy ARN's<br> inline_policies = list(object({<br> name = string # Name of the inline policy<br> file = string # Path to json or json.tmpl file of policy<br> vars = map(string) # Policy template variables {key = val, ...}<br> }))<br> }))</pre> | `[]` | no |
| roles | A list of dictionaries defining all roles. | <pre>list(object({<br> name = string # Name of the role<br> instance_profile = string # Name of the instance profile (attach the role to an instance profile)<br> path = string # Defaults to 'var.role_path' if variable is set to null<br> desc = string # Defaults to 'var.role_desc' if variable is set to null<br> trust_policy_file = string # Path to file of trust/assume policy. Will be templated if vars are passed<br> trust_policy_vars = map(string) # Policy template variables {key = val, ...}<br> permissions_boundary = string # ARN to a policy used as permissions boundary (or null/empty)<br> policies = list(string) # List of names of policies (must be defined in var.policies)<br> policy_arns = list(string) # List of existing policy ARN's<br> inline_policies = list(object({<br> name = string # Name of the inline policy<br> file = string # Path to json or json.tmpl file of policy<br> vars = map(string) # Policy template variables {key = val, ...}<br> }))<br> }))</pre> | `[]` | no |

## Outputs

2 changes: 1 addition & 1 deletion examples/roles/data/trust-policy-file.json
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
"Action": "sts:AssumeRole",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:role/federation/LOGIN-ROLE"
"arn:aws:iam::1234567890123:role/federation/LOGIN-ROLE"
]
},
"Condition": {}
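Review bot: The `AWS` principal ARN in this hunk does not carry a 12-digit account ID on either side of the change (`1234567890` is 10 digits, `1234567890123` is 13), so the example is not a well-formed IAM ARN after the commit regardless of which of the two lines is the added one, which the rendered page no longer shows. The companion example in `examples/roles/terraform.tfvars` passes `123456789012`, so this literal file should match it: `"arn:aws:iam::123456789012:role/federation/LOGIN-ROLE"`. IAM checks principals in trust policies when the role is created, so a malformed principal ARN is likely to be rejected at apply time rather than merely failing to match.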
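--- a/examples/roles/data/trust-policy-template.json.tmpl
+++ b/examples/roles/data/trust-policy-template.json.tmpl
@@ -0,0 +1,15 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": "sts:AssumeRole",
+"Principal": {
+"AWS": [
+"arn:aws:iam::${aws_account_id}:role/federation/LOGIN-ROLE"
+]
+},
+"Condition": {}
+}
+]
+}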
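Review bot: `${aws_account_id}` is spliced into the principal ARN as raw text, so nothing in this file constrains it to an account ID; a value containing `"` or `:` would alter the JSON structure or the ARN instead of failing. The code that renders the template is not on this page, but if it uses `templatefile()` the value is interpolated without JSON escaping, so the module should validate values it expects to be account IDs (12 digits) before rendering, or the README should state that callers are responsible for passing literal-safe values in `trust_policy_vars`. The example tfvars does pass a 12-digit value, `123456789012`, so the shipped example renders correctly.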
18 changes: 13 additions & 5 deletions examples/roles/terraform.tfvars
Expand Up @@ -15,17 +15,21 @@ roles = [
path = null
desc = null
trust_policy_file = "data/trust-policy-file.json"
trust_policy_vars = null
permissions_boundary = null
policies = ["billing-ro"]
policy_arns = []
inline_policies = []
},
{
name = "ROLE-POLICY-ARN"
instance_profile = null
path = null
desc = null
trust_policy_file = "data/trust-policy-file.json"
name = "ROLE-POLICY-ARN"
instance_profile = null
path = null
desc = null
trust_policy_file = "data/trust-policy-template.json.tmpl"
trust_policy_vars = {
aws_account_id = "123456789012"
}
permissions_boundary = null
policies = []
policy_arns = ["arn:aws:iam::aws:policy/PowerUserAccess"]
Expand All @@ -37,6 +41,7 @@ roles = [
path = null
desc = null
trust_policy_file = "data/trust-policy-file.json"
trust_policy_vars = null
permissions_boundary = null
policies = []
policy_arns = []
Expand All @@ -55,6 +60,7 @@ roles = [
path = null
desc = null
trust_policy_file = "data/trust-policy-file.json"
trust_policy_vars = null
permissions_boundary = null
policies = []
policy_arns = [
Expand All @@ -81,6 +87,7 @@ roles = [
path = null
desc = null
trust_policy_file = "data/trust-policy-file.json"
trust_policy_vars = null
permissions_boundary = "arn:aws:iam::aws:policy/PowerUserAccess"
policies = []
policy_arns = ["arn:aws:iam::aws:policy/AdministratorAccess"]
Expand All @@ -92,6 +99,7 @@ roles = [
path = null
desc = null
trust_policy_file = "data/trust-policy-file.json"
trust_policy_vars = null
permissions_boundary = null
policies = []
policy_arns = ["arn:aws:iam::aws:policy/PowerUserAccess"]
3 changes: 2 additions & 1 deletion examples/roles/variables.tf
Expand Up @@ -17,7 +17,8 @@ variable "roles" {
instance_profile = string # Name of the instance profile (attach the role to an instance profile)
path = string # Defaults to 'var.role_path' if variable is set to null
desc = string # Defaults to 'var.role_desc' if variable is set to null
trust_policy_file = string # Path to file of trust/assume policy
trust_policy_file = string # Path to file of trust/assume policy. Will be templated if vars are passed
trust_policy_vars = map(string) # Policy template variables {key = val, ...}
permissions_boundary = string # ARN to a policy used as permissions boundary (or null/empty)
policies = list(string) # List of names of policies (must be defined in var.policies)
policy_arns = list(string) # List of existing policy ARN's
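Review bot: The new `trust_policy_vars` comment says the file "Will be templated if vars are passed" but does not say what counts as not passing them, while `examples/roles/terraform.tfvars` in this commit sets the attribute to `null` for every plain-JSON role; a reader cannot tell whether `{}` is treated the same way. Suggest making the comment explicit, e.g. `trust_policy_vars = map(string) # Template variables {key = val, ...}; null when trust_policy_file is plain JSON`, and noting on the `trust_policy_file` line that the example uses a `.json.tmpl` suffix for templates. The same wording is repeated in README.md and the three example READMEs changed here. The `variable "roles"` block starts and ends outside the hunk.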
