From 0fbb42c3a795b904217a73177c9a43d456fb914c Mon Sep 17 00:00:00 2001
From: PePe Amengual
Date: Sun, 10 Apr 2022 14:39:43 -0700
Subject: [PATCH 1/2] Disabling all tags in all iam resources

---
 main.tf | 4 ++--
 variables.tf | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/main.tf b/main.tf
index aa37ef7..b06b693 100644
--- a/main.tf
+++ b/main.tf
@@ -34,7 +34,7 @@ resource "aws_iam_role" "default" {
   max_session_duration = var.max_session_duration
   permissions_boundary = var.permissions_boundary
   path = var.path
-  tags = var.role_tags_enabled ? module.this.tags : null
+  tags = var.tags_enabled ? module.this.tags : null
 }
 
 data "aws_iam_policy_document" "default" {
@@ -48,7 +48,7 @@ resource "aws_iam_policy" "default" {
   description = var.policy_description
   policy = join("", data.aws_iam_policy_document.default.*.json)
   path = var.path
-  tags = module.this.tags
+  tags = var.tags_enabled ? module.this.tags : null
 }
 
 resource "aws_iam_role_policy_attachment" "default" {
diff --git a/variables.tf b/variables.tf
index 7a80fb9..fed1f5f 100644
--- a/variables.tf
+++ b/variables.tf
@@ -83,8 +83,8 @@ variable "path" {
   default = "/"
 }
 
-variable "role_tags_enabled" {
+variable "tags_enabled" {
   type = string
-  description = "Enable/disable tags on IAM roles"
+  description = "Enable/disable tags on IAM roles and policies"
   default = true
 }
\ No newline at end of file

From 26f22ab02f6562d580ae011777b9121099dd47c9 Mon Sep 17 00:00:00 2001
From: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>
Date: Sun, 10 Apr 2022 21:44:07 +0000
Subject: [PATCH 2/2] Auto Format

---
 README.md | 2 +-
 docs/terraform.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index e3a8f42..4b1398e 100644
--- a/README.md
+++ b/README.md
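Review bot: The renamed `tags_enabled` variable in the variables.tf hunk is still declared `type = string` even though both main.tf hunks consume it only as a boolean in `var.tags_enabled ? module.this.tags : null`, so a caller cannot see from the declaration that a bool is expected and anything other than a string spelling Terraform can coerce to bool only fails at plan time. I would declare it `type = bool` and keep `default = true`, which remains compatible with callers already passing true/false. The hunk keeps no alias for the old `role_tags_enabled` name, so existing callers that set it will fail with an undeclared-variable error; that breaking rename deserves a mention in the commit message or README. Because IAM role and policy tags are commonly relied on by ABAC conditions (e.g. `aws:ResourceTag`) and ownership attribution, I would also extend the description: `description = "Enable/disable tags on IAM roles and policies. Disabling removes tags that ABAC policy conditions or ownership tracking may depend on."`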
@@ -236,9 +236,9 @@ For automated tests of the complete example using [bats](https://github.com/bats | [principals](#input\_principals) | Map of service name as key and a list of ARNs to allow assuming the role as value (e.g. map(`AWS`, list(`arn:aws:iam:::role/admin`))) | `map(list(string))` | `{}` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | | [role\_description](#input\_role\_description) | The description of the IAM role that is visible in the IAM role manager | `string` | n/a | yes | -| [role\_tags\_enabled](#input\_role\_tags\_enabled) | Enable/disable tags on IAM roles | `string` | `true` | no | | [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | | [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tags\_enabled](#input\_tags\_enabled) | Enable/disable tags on IAM roles and policies | `string` | `true` | no | | [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | | [use\_fullname](#input\_use\_fullname) | If set to 'true' then the full ID for the IAM role name (e.g. `[var.namespace]-[var.environment]-[var.stage]`) will be used.

Otherwise, `var.name` will be used for the IAM role name. | `bool` | `true` | no | diff --git a/docs/terraform.md b/docs/terraform.md index 0416828..ecea8c1 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -62,9 +62,9 @@ | [principals](#input\_principals) | Map of service name as key and a list of ARNs to allow assuming the role as value (e.g. map(`AWS`, list(`arn:aws:iam:::role/admin`))) | `map(list(string))` | `{}` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | | [role\_description](#input\_role\_description) | The description of the IAM role that is visible in the IAM role manager | `string` | n/a | yes | -| [role\_tags\_enabled](#input\_role\_tags\_enabled) | Enable/disable tags on IAM roles | `string` | `true` | no | | [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | | [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tags\_enabled](#input\_tags\_enabled) | Enable/disable tags on IAM roles and policies | `string` | `true` | no | | [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | | [use\_fullname](#input\_use\_fullname) | If set to 'true' then the full ID for the IAM role name (e.g. `[var.namespace]-[var.environment]-[var.stage]`) will be used.

Otherwise, `var.name` will be used for the IAM role name. | `bool` | `true` | no |