diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml
index a250e58..57587d6 100644
--- a/.github/workflows/workflow.yaml
+++ b/.github/workflows/workflow.yaml
@@ -1,24 +1,9 @@
name: Terraform CI
-
-on: push
+on:
+ push:
+ merge_group:
+ types: [checks_requested]
jobs:
- validate:
- name: Validate
- runs-on: ubuntu-latest
- steps:
- - name: Check out code
- uses: actions/checkout@v1
-
- - uses: hashicorp/setup-terraform@v3
- with:
- terraform_version: "1.5"
-
- # note: we can only validate the example atm. see https://github.com/hashicorp/terraform/issues/28490
- - run: terraform init -backend=false
- working-directory: examples/basic-aws-integration
-
- - run: terraform validate
- working-directory: examples/basic-aws-integration
-
- - run: terraform fmt -recursive -check
+ build:
+ uses: meshcloud/shared-workflows/.github/workflows/terraform-meshplatform-modules-build-workflow.yml@main
\ No newline at end of file
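Review bot: `uses: meshcloud/shared-workflows/.github/workflows/terraform-meshplatform-modules-build-workflow.yml@main` pins the reusable workflow to a mutable branch, so any push to that repository's `main` changes what this CI runs without a review here; reference a full commit SHA (with the tag in a trailing comment) or at least a release tag. The hunk also drops this repository's own `terraform validate` and `terraform fmt -recursive -check` steps, so please confirm the shared workflow still runs them against the root module now that `examples/basic-aws-integration` is deleted. Minor: the file now ends without a trailing newline (`\ No newline at end of file`).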
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1185d9a..92f550b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [v0.3.0]
### Added
+
- Added workload identity federation
- Added option to disable access keys
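Review bot: the only change here is a blank line after `### Added`, while this PR also pins the AWS provider table entries to 5.48.0, removes the `examples/basic-aws-integration` example and replaces the CI workflow with a shared one; those are user-visible changes that belong under `[v0.3.0]` (or an unreleased section) rather than going unmentioned.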
diff --git a/README.md b/README.md
index 5fc60fc..050d884 100644
--- a/README.md
+++ b/README.md
@@ -113,17 +113,22 @@ For an overview of the module structure, refer to [generated terraform docs](./T
EOF
```
-2. Download the example `main.tf` and `outputs.tf` files.
-
- ```sh
- # Downloads main.tf and outputs.tf files into ~/terraform-aws-meshplatform
- wget https://raw.githubusercontent.com/meshcloud/terraform-aws-meshplatform/main/examples/basic-aws-integration/main.tf -O ~/terraform-aws-meshplatform/main.tf
- wget https://raw.githubusercontent.com/meshcloud/terraform-aws-meshplatform/main/examples/basic-aws-integration/outputs.tf -O ~/terraform-aws-meshplatform/outputs.tf
+2. Create a terraform file that calls this module and produces outputs. Similar to:
+
+ ```hcl
+ module "meshplatform" {
+ source = "git::https://github.com/meshcloud/terraform-aws-meshplatform.git"
+ # FILL INPUTS
+ }
+ output "meshplatform" {
+ sensitive = true
+ value = module.meshplatform
+ }
```
-3. Open `~/terraform-aws-meshplatform/main.tf` with a text editor. Modify the module variables and Terraform state backend settings in the file.
+ > It is highly recommended to configure a [terraform backend](https://developer.hashicorp.com/terraform/language/settings/backends/configuration), otherwise you risk losing track of your applied resources.
-4. Execute the module.
+3. Execute the module.
```sh
# Changes into ~/terraform-aws-meshplatform and applies terraform
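Review bot: the new snippet's `source = "git::https://github.com/meshcloud/terraform-aws-meshplatform.git"` carries no `?ref=`, so every `terraform init` pulls whatever the default branch currently is; the deleted example's own comment recommended a pinned `?ref=v0.2.0`-style version for production, and the quick start should carry that advice over (e.g. `?ref=v0.3.0`, matching the CHANGELOG). The snippet also omits the `providers = { aws.management = ..., aws.meshcloud = ..., aws.automation = ... }` block that the deleted example wired up; `# FILL INPUTS` alone does not tell a reader that three aliased providers are required. Formatting: the blockquote about the backend sits indented under the list item directly after the closing fence with no blank line, so check that it renders as part of step 2 instead of breaking the list.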
@@ -132,23 +137,19 @@ For an overview of the module structure, refer to [generated terraform docs](./T
terraform apply
```
-5. Access terraform output and pass it securely to meshcloud.
+4. Use the information from terraform output to configure the platform in meshStack.
```sh
- # The JSON output contains sensitive values that must not be transmitted to meshcloud in plain text.
+ # The JSON output contains sensitive values that must not be transmitted anywhere other then the platform config screen in meshStack.
terraform output -json
```
-## Example Usages
-
-Check [examples](./examples/) for different use cases. As a quick start we recommend using [basic-aws-integration](./examples/basic-aws-integration) example.
-
[^1]: This How-To guides you through the setup from your Cloudshell. You can also run the terraform scripts on your local machine.
[^2]: You can also use other [ways to assign values input variables](https://www.terraform.io/language/values/variables#assigning-values-to-root-module-variables).
## Contributing Guide
-Before opening a Pull Request, we recommend following the below steps to get a faster approval:
+Before opening a Pull Request, please do the following:
1. Install [pre-commit](https://pre-commit.com/#install)
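Review bot: typo in the added comment on the `terraform output -json` step: `other then` should be `other than`. Beyond that, `-json` prints every sensitive value (IAM access keys, external IDs) in clear text, so it lands in terminal scrollback and in any CI log; the comment would be more useful if it also said to run this only in an interactive, unlogged session and never to redirect the output into a file that might be committed.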
@@ -167,9 +168,9 @@ Before opening a Pull Request, we recommend following the below steps to get a f
| Name | Version |
|------|---------|
-| [aws.automation](#provider\_aws.automation) | >= 2.7.0 |
-| [aws.management](#provider\_aws.management) | >= 2.7.0 |
-| [aws.meshcloud](#provider\_aws.meshcloud) | >= 2.7.0 |
+| [aws.automation](#provider\_aws.automation) | 5.48.0 |
+| [aws.management](#provider\_aws.management) | 5.48.0 |
+| [aws.meshcloud](#provider\_aws.meshcloud) | 5.48.0 |
## Modules
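Review bot: the providers table changes from the constraint `>= 2.7.0` to the exact version `5.48.0`, yet no `required_providers` block (`versions.tf` or similar) changes anywhere in this diff; since the table is generated by terraform-docs (now part of the dev shell in `default.nix`), it is unclear whether it reflects a committed `.terraform.lock.hcl` or a real constraint change. If the module's constraint actually became `= 5.48.0`, that blocks consumers from using any other provider version and should be a `~> 5.48`-style range with a CHANGELOG entry; if it is only the lock file, say so in the PR so readers do not take the table as a hard requirement.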
diff --git a/TERRAFORM_DOCS.md b/TERRAFORM_DOCS.md
deleted file mode 100644
index e69de29..0000000
diff --git a/default.nix b/default.nix
new file mode 100644
index 0000000..410ae60
--- /dev/null
+++ b/default.nix
@@ -0,0 +1,35 @@
+{ pkgs ? import { }, system ? builtins.currentSystem }:
+
+let
+ # fake opentofu as terraform so that tools like terraform-docs pre-commit hook (which doesn't have tofu support)
+ # fall back to tofu
+ tofu_terraform =
+ pkgs.stdenv.mkDerivation {
+ name = "tofu-terraform";
+ phases = [ "installPhase" ];
+ installPhase = ''
+ mkdir -p $out/bin
+ echo '#!/usr/bin/env sh' > $out/bin/terraform
+ echo 'tofu $@' > $out/bin/terraform
+ chmod +x $out/bin/terraform
+ '';
+ };
+
+in
+
+pkgs.mkShell {
+ NIX_SHELL = "terraform-meshplatform-modules";
+ shellHook = ''
+ echo starting terraform-meshplatform-modules shell
+ '';
+
+ buildInputs = [
+ pkgs.pre-commit
+ pkgs.opentofu
+ pkgs.tflint
+ pkgs.terraform-docs
+
+ # fake tofu as terraform
+ tofu_terraform
+ ];
+}
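Review bot: the wrapper script in `installPhase` is broken: both `echo` lines use `>`, so the second one truncates the file and `$out/bin/terraform` ends up containing only `tofu $@` with no shebang; the second line needs `>>`. The arguments should also be forwarded as `"$@"` rather than `$@` (i.e. `echo 'tofu "$@"' >> $out/bin/terraform`), otherwise arguments containing spaces, such as `-var 'name=a b'`, are re-split by the shell. `{ pkgs ? import { }, system ? builtins.currentSystem }` is not a valid default either: `import` needs a path (normally `<nixpkgs>`), and the `system` argument is never used.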
diff --git a/examples/basic-aws-integration/main.tf b/examples/basic-aws-integration/main.tf
deleted file mode 100644
index 464fcb1..0000000
--- a/examples/basic-aws-integration/main.tf
+++ /dev/null
@@ -1,50 +0,0 @@
-# It is highly recommended to setup a backend to store the terraform state file
-# Removing the backend will output the terraform state in the local filesystem
-# See https://www.terraform.io/language/settings/backends for more details
-#
-# Remove/comment the backend block below if you are only testing the module.
-# Please be aware that you cannot destroy the created resources via terraform if you lose the state file.
-terraform {
- backend "s3" {
- region = "eu-west-1"
- profile = "myprofile"
- bucket = "cloudfoundation-tfstates"
- key = "meshstack/platforms/aws"
- encrypt = true
- }
-}
-
-provider "aws" {
- alias = "management"
- profile = "management"
-}
-
-provider "aws" {
- alias = "meshcloud"
- profile = "meshcloud"
-}
-
-provider "aws" {
- alias = "automation"
- profile = "automation"
-}
-
-module "meshplatform" {
- source = "../../"
- # note: for production use we recommend using a pinned version of the module like so
- # source = "git::https://github.com/meshcloud/terraform-aws-meshplatform.git?ref=v0.2.0"
-
-
- providers = {
- aws.management = aws.management
- aws.meshcloud = aws.meshcloud
- aws.automation = aws.automation
- }
-
- aws_sso_instance_arn = "arn:aws:sso:::instance/ssoins-xxxxxxxxxxxxxxx"
- control_tower_enrollment_enabled = true
- control_tower_portfolio_id = "port-xxxxxxxxxxx"
- replicator_privileged_external_id = "replace with random UUID v4"
- cost_explorer_privileged_external_id = "replace with random UUID v4"
- landing_zone_ou_arns = ["arn:aws:organizations::*:ou/o-*/ou-*"]
-}
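Review bot: deleting this example removes the only target the old workflow validated (`terraform init -backend=false` and `terraform validate` in `examples/basic-aws-integration`, kept there because, per the old workflow comment, only the example could be validated), and with it the one place that showed the three aliased providers being passed through `providers = { ... }` and the `?ref=` pinning advice. Unless the shared workflow now validates the root module directly, consider keeping a minimal example (it can drop the `backend "s3"` block and the placeholder IDs) so the module is still exercised in CI and the provider wiring stays documented.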
diff --git a/examples/basic-aws-integration/outputs.tf b/examples/basic-aws-integration/outputs.tf
deleted file mode 100644
index 9186a5c..0000000
--- a/examples/basic-aws-integration/outputs.tf
+++ /dev/null
@@ -1,58 +0,0 @@
-output "management_account_id" {
- value = module.meshplatform.management_account_id
- description = "Management Account ID"
-}
-
-output "meshcloud_account_id" {
- value = module.meshplatform.meshcloud_account_id
- description = "Meshcloud Account ID"
-}
-
-output "automation_account_id" {
- value = module.meshplatform.automation_account_id
- description = "Automation Account ID"
-}
-
-output "replicator_aws_iam_keys" {
- value = module.meshplatform.replicator_aws_iam_keys
- description = "You can access your credentials when you execute `terraform output replicator_aws_iam_keys` command"
- sensitive = true
-}
-
-output "replicator_management_account_role_arn" {
- description = "Amazon Resource Name (ARN) of Management Account Role for replicator"
- value = module.meshplatform.replicator_management_account_role_arn
-}
-
-output "replicator_automation_account_role_arn" {
- description = "Amazon Resource Name (ARN) of Automation Account Role for replicator"
- value = module.meshplatform.replicator_automation_account_role_arn
-}
-
-output "replicator_privileged_external_id" {
- value = module.meshplatform.replicator_privileged_external_id
- description = "Replicator privileged_external_id"
- sensitive = true
-}
-
-output "meshstack_access_role_name" {
- value = module.meshplatform.meshstack_access_role_name
- description = "The name for the Account Access Role that will be rolled out to all managed accounts."
-}
-
-output "metering_aws_iam_keys" {
- value = module.meshplatform.metering_aws_iam_keys
- description = "You can access your credentials when you execute `terraform output metering_aws_iam_keys` command"
- sensitive = true
-}
-
-output "cost_explorer_management_account_role_arn" {
- description = "Amazon Resource Name (ARN) of Management Account Role for replicator"
- value = module.meshplatform.cost_explorer_management_account_role_arn
-}
-
-output "cost_explorer_privileged_external_id" {
- value = module.meshplatform.cost_explorer_privileged_external_id
- description = "Cost explorer privileged_external_id"
- sensitive = true
-}
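Review bot: these outputs kept the non-sensitive values (account IDs, role ARNs, `meshstack_access_role_name`) separate from the sensitive ones (`replicator_aws_iam_keys`, `metering_aws_iam_keys`, the two `*_privileged_external_id` values), so `terraform output replicator_management_account_role_arn` could be read without revealing any keys. The README replacement folds everything into a single `sensitive = true` output, after which every value, role ARNs included, is only reachable through `terraform output -json`, which dumps the keys as well; consider documenting separate outputs for the non-sensitive values. Side note, in case the descriptions are reused elsewhere: `cost_explorer_management_account_role_arn` was described as the management account role "for replicator".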
diff --git a/modules/meshcloud-cost-explorer/ce-management-account-access/README.md b/modules/meshcloud-cost-explorer/ce-management-account-access/README.md
index 691a2af..943654e 100644
--- a/modules/meshcloud-cost-explorer/ce-management-account-access/README.md
+++ b/modules/meshcloud-cost-explorer/ce-management-account-access/README.md
@@ -9,7 +9,7 @@
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 4.21.0 |
+| [aws](#provider\_aws) | 5.48.0 |
## Modules
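Review bot: same concern as the root README table: the value changes from `4.21.0` to `5.48.0` with no `required_providers` change in this diff, and the four sibling module READMEs below change the same way from a mix of `>= 2.7.0` and `4.21.0`. That the submodules previously disagreed with each other suggests these tables are generated from whatever lock file happened to be present rather than from a declared constraint; please confirm which it is and that the submodules' constraints are consistent with the root module's.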
diff --git a/modules/meshcloud-cost-explorer/ce-meshcloud-account-access/README.md b/modules/meshcloud-cost-explorer/ce-meshcloud-account-access/README.md
index 10cdd72..27d1927 100644
--- a/modules/meshcloud-cost-explorer/ce-meshcloud-account-access/README.md
+++ b/modules/meshcloud-cost-explorer/ce-meshcloud-account-access/README.md
@@ -9,7 +9,7 @@
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 2.7.0 |
+| [aws](#provider\_aws) | 5.48.0 |
## Modules
diff --git a/modules/meshcloud-replicator/replicator-automation-account-access/README.md b/modules/meshcloud-replicator/replicator-automation-account-access/README.md
index c4de9cb..28bf715 100644
--- a/modules/meshcloud-replicator/replicator-automation-account-access/README.md
+++ b/modules/meshcloud-replicator/replicator-automation-account-access/README.md
@@ -9,7 +9,7 @@
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 2.7.0 |
+| [aws](#provider\_aws) | 5.48.0 |
## Modules
diff --git a/modules/meshcloud-replicator/replicator-management-account-access/README.md b/modules/meshcloud-replicator/replicator-management-account-access/README.md
index 2923385..bc8c8ac 100644
--- a/modules/meshcloud-replicator/replicator-management-account-access/README.md
+++ b/modules/meshcloud-replicator/replicator-management-account-access/README.md
@@ -9,7 +9,7 @@
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 4.21.0 |
+| [aws](#provider\_aws) | 5.48.0 |
## Modules
diff --git a/modules/meshcloud-replicator/replicator-meshcloud-account-access/README.md b/modules/meshcloud-replicator/replicator-meshcloud-account-access/README.md
index 29c303f..eb8332b 100644
--- a/modules/meshcloud-replicator/replicator-meshcloud-account-access/README.md
+++ b/modules/meshcloud-replicator/replicator-meshcloud-account-access/README.md
@@ -9,7 +9,7 @@
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 2.7.0 |
+| [aws](#provider\_aws) | 5.48.0 |
## Modules