From b195f3e678f9237369fff3e80a01f76604975642 Mon Sep 17 00:00:00 2001
From: PePe Amengual <jose.amengual@gmail.com>
Date: Fri, 8 Apr 2022 14:42:33 -0700
Subject: [PATCH 1/4] adding policy boundary to roles and optional tags

---
 modules/account-settings/main.tf | 4 +++-
 modules/account-settings/variables.tf | 12 ++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/modules/account-settings/main.tf b/modules/account-settings/main.tf
index 8a94a8e..b64d840 100644
--- a/modules/account-settings/main.tf
+++ b/modules/account-settings/main.tf
@@ -28,7 +28,7 @@ data "aws_iam_policy_document" "api_gateway_permissions" {
 module "role" {
 source = "cloudposse/iam-role/aws"
- version = "0.14.0"
+ version = "0.16.0"
 enabled = local.create_iam_role
 #name = module.iam_role_label.id
@@ -46,6 +46,8 @@ module "role" {
 policy_document_count = 1
 policy_description = "Allow API Gateway to send logs to CloudWatch IAM policy"
 role_description = "Allow API Gateway to send logs to CloudWatch"
+ permission_boundary = var.permission_boundary
+ role_tags_enabled = var.role_tags_enabled
 context = module.this.context
 }
diff --git a/modules/account-settings/variables.tf b/modules/account-settings/variables.tf
index ff489ed..06e56d4 100644
--- a/modules/account-settings/variables.tf
+++ b/modules/account-settings/variables.tf
@@ -3,3 +3,15 @@ variable "iam_role_arn" {
 description = "ARN of the IAM role for API Gateway to use. If not specified, a new role will be created."
 default = null
 }
+
+variable "role_tags_enabled" {
+ type = string
+ description = "Enable/disable tags on IAM roles"
+ default = true
+}
+
+variable "permissions_boundary" {
+ type = string
+ default = ""
+ description = "ARN of the policy that is used to set the permissions boundary for the role"
+}
\ No newline at end of file
From 92d3bfc9d4c8b1fa68795200bdf9ad228007b3d0 Mon Sep 17 00:00:00 2001
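Review bot: `permission_boundary = var.permission_boundary` references an input this commit never declares — the variables.tf hunk in the same commit names it `permissions_boundary` — so `terraform validate` fails at this commit; the same misspelling is on the argument side, which the upstream `cloudposse/iam-role/aws` module would reject as an unsupported argument unless it happens to expose that name. Patch 3/4 corrects both to `permissions_boundary = var.permissions_boundary`; squashing that fix into this commit keeps every commit in the series buildable. The `module "role"` block begins outside this hunk.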
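Review bot: `role_tags_enabled` is declared with `type = string` although it is a boolean switch with `default = true`, so Terraform coerces the default to the string "true" and accepts any text at this boundary, deferring the error to wherever the value is finally consumed as a bool. Declaring it `type = bool` states the intent and rejects bad input at plan time. The same string-typed boolean recurs in patch 4/4, both in the renamed `iam_tags_enabled` of modules/account-settings/variables.tf and in the new root `variables.tf` declaration.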
From: PePe Amengual <jose.amengual@gmail.com>
Date: Fri, 8 Apr 2022 14:55:27 -0700
Subject: [PATCH 2/4] Adding permission boundary

---
 main.tf | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/main.tf b/main.tf
index 86c38a6..8623613 100644
--- a/main.tf
+++ b/main.tf
@@ -26,8 +26,10 @@ resource "aws_api_gateway_rest_api_policy" "this" {
 }
 module "cloudwatch_log_group" {
- source = "cloudposse/cloudwatch-logs/aws"
- version = "0.6.2"
+ # source = "cloudposse/cloudwatch-logs/aws"
+ # version = "0.6.2"
+ source = "git::https://github.com/cloudposse/terraform-aws-cloudwatch-logs.git?ref=add_policy_boundary"
+
 enabled = local.create_log_group
 context = module.this.context
From 7bd4816f4fb321e991cd8b43ff6270a7d6ae287e Mon Sep 17 00:00:00 2001
From: PePe Amengual <jose.amengual@gmail.com>
Date: Fri, 8 Apr 2022 15:07:25 -0700
Subject: [PATCH 3/4] fixing typo

---
 modules/account-settings/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/account-settings/main.tf b/modules/account-settings/main.tf
index b64d840..3258ec4 100644
--- a/modules/account-settings/main.tf
+++ b/modules/account-settings/main.tf
@@ -46,7 +46,7 @@ module "role" {
 policy_document_count = 1
 policy_description = "Allow API Gateway to send logs to CloudWatch IAM policy"
 role_description = "Allow API Gateway to send logs to CloudWatch"
- permission_boundary = var.permission_boundary
+ permissions_boundary = var.permissions_boundary
 role_tags_enabled = var.role_tags_enabled
 context = module.this.context
From 28acf68cfc5f7e98b4f1079d94ae0c0fe7d48b0e Mon Sep 17 00:00:00 2001
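Review bot: The new `source` pins the `cloudwatch_log_group` module to a branch (`?ref=add_policy_boundary`) rather than a tag or commit, so the code fetched by `terraform init` changes whenever that branch moves and a given plan cannot be reproduced later; a git source should use `?ref=<tag or full commit SHA>`, or return to the registry source once the upstream change is released, as patch 4/4 does. The two commented-out `# source`/`# version` lines record nothing the git history does not already keep and should be dropped rather than carried. The `module "cloudwatch_log_group"` block's closing brace is outside this hunk.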
From: PePe Amengual <jose.amengual@gmail.com>
Date: Wed, 13 Apr 2022 20:14:29 -0700
Subject: [PATCH 4/4] Update cloudwatch-log module and add permission boundary and iam_tags var

---
 README.md | 4 +++-
 docs/terraform.md | 4 +++-
 main.tf | 11 ++++++-----
 modules/account-settings/main.tf | 6 +++---
 modules/account-settings/variables.tf | 2 +-
 variables.tf | 12 ++++++++++++
 6 files changed, 28 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index c936563..ddc6722 100644
--- a/README.md
+++ b/README.md
@@ -155,7 +155,7 @@ Available targets:
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_cloudwatch_log_group"></a> [cloudwatch\_log\_group](#module\_cloudwatch\_log\_group) | cloudposse/cloudwatch-logs/aws | 0.6.2 |
+| <a name="module_cloudwatch_log_group"></a> [cloudwatch\_log\_group](#module\_cloudwatch\_log\_group) | cloudposse/cloudwatch-logs/aws | 0.6.5 |
 | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
 ## Resources
@@ -182,6 +182,7 @@ Available targets:
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | <a name="input_endpoint_type"></a> [endpoint\_type](#input\_endpoint\_type) | The type of the endpoint. One of - PUBLIC, PRIVATE, REGIONAL | `string` | `"REGIONAL"` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
+| <a name="input_iam_tags_enabled"></a> [iam\_tags\_enabled](#input\_iam\_tags\_enabled) | Enable/disable tags on IAM roles and policies | `string` | `true` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | <a name="input_label_key_case"></a> [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.<br>Does not affect keys of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper`.<br>Default value: `title`. | `string` | `null` | no |
 | <a name="input_label_order"></a> [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
@@ -192,6 +193,7 @@ Available targets:
 | <a name="input_name"></a> [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br>This is the only ID element not also included as a `tag`.<br>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
 | <a name="input_openapi_config"></a> [openapi\_config](#input\_openapi\_config) | The OpenAPI specification for the API | `any` | `{}` | no |
+| <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `""` | no |
 | <a name="input_private_link_target_arns"></a> [private\_link\_target\_arns](#input\_private\_link\_target\_arns) | A list of target ARNs for VPC Private Link | `list(string)` | `[]` | no |
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
 | <a name="input_rest_api_policy"></a> [rest\_api\_policy](#input\_rest\_api\_policy) | The IAM policy document for the API. | `string` | `null` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index 2171d9b..4a3e8ba 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -16,7 +16,7 @@
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_cloudwatch_log_group"></a> [cloudwatch\_log\_group](#module\_cloudwatch\_log\_group) | cloudposse/cloudwatch-logs/aws | 0.6.2 |
+| <a name="module_cloudwatch_log_group"></a> [cloudwatch\_log\_group](#module\_cloudwatch\_log\_group) | cloudposse/cloudwatch-logs/aws | 0.6.5 |
 | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
 ## Resources
@@ -43,6 +43,7 @@
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | <a name="input_endpoint_type"></a> [endpoint\_type](#input\_endpoint\_type) | The type of the endpoint. One of - PUBLIC, PRIVATE, REGIONAL | `string` | `"REGIONAL"` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
+| <a name="input_iam_tags_enabled"></a> [iam\_tags\_enabled](#input\_iam\_tags\_enabled) | Enable/disable tags on IAM roles and policies | `string` | `true` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | <a name="input_label_key_case"></a> [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.<br>Does not affect keys of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper`.<br>Default value: `title`. | `string` | `null` | no |
 | <a name="input_label_order"></a> [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
@@ -53,6 +54,7 @@
 | <a name="input_name"></a> [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br>This is the only ID element not also included as a `tag`.<br>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
 | <a name="input_openapi_config"></a> [openapi\_config](#input\_openapi\_config) | The OpenAPI specification for the API | `any` | `{}` | no |
+| <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `""` | no |
 | <a name="input_private_link_target_arns"></a> [private\_link\_target\_arns](#input\_private\_link\_target\_arns) | A list of target ARNs for VPC Private Link | `list(string)` | `[]` | no |
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
 | <a name="input_rest_api_policy"></a> [rest\_api\_policy](#input\_rest\_api\_policy) | The IAM policy document for the API. | `string` | `null` | no |
diff --git a/main.tf b/main.tf
index 8623613..e9acd1c 100644
--- a/main.tf
+++ b/main.tf
@@ -26,12 +26,13 @@ resource "aws_api_gateway_rest_api_policy" "this" {
 }
 module "cloudwatch_log_group" {
- # source = "cloudposse/cloudwatch-logs/aws"
- # version = "0.6.2"
- source = "git::https://github.com/cloudposse/terraform-aws-cloudwatch-logs.git?ref=add_policy_boundary"
-
+ source = "cloudposse/cloudwatch-logs/aws"
+ version = "0.6.5"
+
+ enabled = local.create_log_group
+ iam_tags_enabled = var.iam_tags_enabled
+ permissions_boundary = var.permissions_boundary
- enabled = local.create_log_group
 context = module.this.context
 }
diff --git a/modules/account-settings/main.tf b/modules/account-settings/main.tf
index 3258ec4..af39802 100644
--- a/modules/account-settings/main.tf
+++ b/modules/account-settings/main.tf
@@ -28,7 +28,7 @@ data "aws_iam_policy_document" "api_gateway_permissions" {
 module "role" {
 source = "cloudposse/iam-role/aws"
- version = "0.16.0"
+ version = "0.16.1"
 enabled = local.create_iam_role
 #name = module.iam_role_label.id
@@ -46,8 +46,8 @@ module "role" {
 policy_document_count = 1
 policy_description = "Allow API Gateway to send logs to CloudWatch IAM policy"
 role_description = "Allow API Gateway to send logs to CloudWatch"
- permissions_boundary = var.permissions_boundary
- role_tags_enabled = var.role_tags_enabled
+ permissions_boundary = var.permissions_boundary
+ tags_enabled = var.iam_tags_enabled
 context = module.this.context
 }
diff --git a/modules/account-settings/variables.tf b/modules/account-settings/variables.tf
index 06e56d4..b17ea3f 100644
--- a/modules/account-settings/variables.tf
+++ b/modules/account-settings/variables.tf
@@ -4,7 +4,7 @@ variable "iam_role_arn" {
 default = null
 }
-variable "role_tags_enabled" {
+variable "iam_tags_enabled" {
 type = string
 description = "Enable/disable tags on IAM roles"
 default = true
diff --git a/variables.tf b/variables.tf
index 75f95c5..805298a 100644
--- a/variables.tf
+++ b/variables.tf
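Review bot: The context line `description = "Enable/disable tags on IAM roles"` no longer matches what the renamed `iam_tags_enabled` controls: the root `variables.tf` and README in this same commit describe the input as "Enable/disable tags on IAM roles and policies", and the `module "role"` block it feeds via `tags_enabled = var.iam_tags_enabled` also creates a policy (`policy_document_count = 1`). Aligning the submodule text, `description = "Enable/disable tags on IAM roles and policies"`, keeps the two declarations and the generated docs consistent. The `variable "iam_tags_enabled"` block's closing brace is outside this hunk.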
@@ -109,3 +109,15 @@ variable "private_link_target_arns" {
 description = "A list of target ARNs for VPC Private Link"
 default = []
 }
+
+variable "iam_tags_enabled" {
+ type = string
+ description = "Enable/disable tags on IAM roles and policies"
+ default = true
+}
+
+variable "permissions_boundary" {
+ type = string
+ default = ""
+ description = "ARN of the policy that is used to set the permissions boundary for the IAM role"
+}
\ No newline at end of file
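Review bot: `permissions_boundary` accepts any string, so a mistyped or non-ARN value only surfaces when the AWS API rejects the role or log-group policy at apply time; a `validation` block that allows the empty default or a value beginning with `arn:` reports it at plan time instead. `validation` blocks need Terraform 0.13 or later, which the `null` defaults in this file do not by themselves establish, so confirm the module's `required_version` before adding it. `iam_tags_enabled` here also carries the string-typed boolean already raised on patch 1/4 and should be `type = bool`.
```hcl
variable "permissions_boundary" {
  # … unchanged: type, default, description …

  validation {
    condition     = var.permissions_boundary == "" || can(regex("^arn:", var.permissions_boundary))
    error_message = "The permissions_boundary value must be empty or an IAM policy ARN."
  }
}
```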