
Commit b51ca8b

Benbentwoclaude
and committed
refactor: remove policy files and simplify providers configuration
Remove policy-TerraformUpdateAccess.tf and policy-Identity-role-TeamAccess.tf files. Simplify providers.tf to basic provider configuration with dummy iam_roles module. Update main.tf to remove root account assignment handling and associated permission sets. Remove unused variables from variables.tf. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
1 parent f67e0a0 commit b51ca8b

5 files changed

+21
-277
lines changed


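--- a/src/main.tf
+++ b/src/main.tf
@@ -3,8 +3,7 @@ locals {
 
 # module.account_map.outputs provides values from either remote state (when enabled)
 # or from the static var.account_map defaults (when bypassed)
-account_map = module.account_map.outputs.full_account_map
-root_account = local.account_map[module.account_map.outputs.root_account_account_name]
+account_map = module.account_map.outputs.full_account_map
 
 account_assignments_groups = flatten([
 for account_key, account in var.account_assignments : [
@@ -20,17 +19,6 @@ locals {
 ]
 ] if lookup(account, "groups", null) != null
 ])
-# Remove root because the identity org role cannot provision root assignments
-account_assignments_groups_no_root = [
-for val in local.account_assignments_groups :
-val
-if val.account != local.root_account
-]
-account_assignments_groups_only_root = [
-for val in local.account_assignments_groups :
-val
-if val.account == local.root_account
-]
 account_assignments_users = flatten([
 for account_key, account in var.account_assignments : [
 for principal_key, principal in account.users : [
@@ -45,19 +33,8 @@ locals {
 ]
 ] if lookup(account, "users", null) != null
 ])
-account_assignments_users_no_root = [
-for val in local.account_assignments_users :
-val
-if val.account != local.root_account
-]
-account_assignments_users_only_root = [
-for val in local.account_assignments_users :
-val
-if val.account == local.root_account
-]
 
-account_assignments = concat(local.account_assignments_groups_no_root, local.account_assignments_users_no_root)
-account_assignments_root = concat(local.account_assignments_groups_only_root, local.account_assignments_users_only_root)
+account_assignments = concat(local.account_assignments_groups, local.account_assignments_users)
 
 aws_partition = data.aws_partition.current.partition
 }
@@ -99,13 +76,11 @@ module "permission_sets" {
 local.billing_administrator_access_permission_set,
 local.billing_read_only_access_permission_set,
 local.dns_administrator_access_permission_set,
-local.identity_access_permission_sets,
 local.poweruser_access_permission_set,
 local.read_only_access_permission_set,
 local.root_access_permission_set,
 local.terraform_plan_access_permission_set,
 local.terraform_apply_access_permission_set,
-local.terraform_update_access_permission_set,
 local.terraform_state_access_permission_set,
 )
 
@@ -128,18 +103,3 @@ module "sso_account_assignments" {
 ]
 }
 
-module "sso_account_assignments_root" {
-source = "cloudposse/sso/aws//modules/account-assignments"
-version = "1.2.0"
-
-providers = {
-aws = aws.root
-}
-
-account_assignments = local.account_assignments_root
-context = module.this.context
-
-depends_on = [
-aws_identitystore_group.manual
-]
-}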

src/policy-Identity-role-TeamAccess.tf

Lines changed: 0 additions & 62 deletions
This file was deleted.

src/policy-TerraformUpdateAccess.tf

Lines changed: 0 additions & 61 deletions
This file was deleted.

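--- a/src/providers.tf
+++ b/src/providers.tf
@@ -1,102 +1,37 @@
+# This is the default providers.tf when account map is disabled.
+
 variable "account_map_enabled" {
 type = bool
-description = <<-EOT
-When true, uses the account-map component to look up account IDs dynamically.
-When false, uses the static account_map variable instead. Set to false when
-using Atmos Auth profiles and static account mappings.
-EOT
-default = true
+description = "Enable the account map component"
+default = false
 }
 
 variable "account_map" {
 type = object({
-full_account_map = map(string)
-audit_account_account_name = optional(string, "")
-root_account_account_name = optional(string, "")
+full_account_map = map(string)
+audit_account_account_name = optional(string, "")
+root_account_account_name = optional(string, "")
+identity_account_account_name = optional(string, "")
+aws_partition = optional(string, "aws")
+iam_role_arn_templates = optional(map(string), {})
 })
-description = <<-EOT
-Static account map used when account_map_enabled is false.
-Provides account name to account ID mapping without requiring the account-map component.
-EOT
+description = "Map of account names (tenant-stage format) to account IDs. Used to verify we're targeting the correct AWS account. Optional attributes support component-specific functionality (e.g., audit_account_account_name for cloudtrail, root_account_account_name for aws-sso)."
 default = {
-full_account_map = {}
-audit_account_account_name = ""
-root_account_account_name = ""
+full_account_map = {}
+audit_account_account_name = ""
+root_account_account_name = ""
+identity_account_account_name = ""
+aws_partition = "aws"
+iam_role_arn_templates = {}
 }
 }
 
-# This component is unusual in that part of it must be deployed to the `root`
-# account. You have the option of where to deploy the remaining part, and
-# Cloud Posse recommends you deploy it also to the `root` account, however
-# it can be deployed to the `identity` account instead. In the discussion
-# below, when we talk about where this module is being deployed, we are
-# referring to the part of the module that is not deployed to the `root`
-# account and is configured by setting `stage` etc..
-
-# If you have Dynamic Terraform Roles enabled, leave the backend `role_arn` at
-# its default value. If deploying only to the `root` account, leave `privileged: false`
-# and use either SuperAdmin or an appropriate `aws-team` (such as `managers`).
-# If deploying to the `identity` account, set `privileged: true`
-# and use SuperAdmin or any other role in the `root` account with Admin access.
-#
-# For those not using dynamic Terraform roles:
-#
-# Set the stack configuration for this component to set `privileged: true`
-# and backend `role_arn` to `null`, and deploy it using either the SuperAdmin
-# role or any other role in the `root` account with Admin access.
-#
-# If you are deploying this to the "identity" account and have a team empowered
-# to deploy to both the "identity" and "root" accounts, then you have the option to set
-# `privileged: false` and leave the backend `role_arn` at its default value, but
-# then SuperAdmin will not be able to deploy this component,
-# only the team with access to both accounts will be able to deploy it.
-#
-
 provider "aws" {
 region = var.region
-
-profile = !var.privileged && module.iam_roles.profiles_enabled ? module.iam_roles.terraform_profile_name : null
-dynamic "assume_role" {
-for_each = !var.privileged && module.iam_roles.profiles_enabled ? [] : (
-var.privileged ? compact([module.iam_roles.org_role_arn]) : compact([module.iam_roles.terraform_role_arn])
-)
-content {
-role_arn = assume_role.value
-}
-}
 }
 
-
+# dummy module to satisfy the module dependency
 module "iam_roles" {
-source = "../account-map/modules/iam-roles"
-privileged = var.privileged
-
-context = module.this.context
-}
-
-provider "aws" {
-alias = "root"
-region = var.region
-
-profile = !var.privileged && module.iam_roles_root.profiles_enabled ? module.iam_roles_root.terraform_profile_name : null
-dynamic "assume_role" {
-for_each = !var.privileged && module.iam_roles_root.profiles_enabled ? [] : (
-var.privileged ? compact([module.iam_roles_root.org_role_arn]) : compact([module.iam_roles_root.terraform_role_arn])
-)
-content {
-role_arn = assume_role.value
-}
-}
-}
-
-
-module "iam_roles_root" {
-source = "../account-map/modules/iam-roles"
-
-privileged = var.privileged
-tenant = module.iam_roles.global_tenant_name
-stage = module.iam_roles.global_stage_name
-environment = module.iam_roles.global_environment_name
-
+source = "cloudposse/label/null"
 context = module.this.context
 }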

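--- a/src/variables.tf
+++ b/src/variables.tf
@@ -3,12 +3,6 @@ variable "region" {
 description = "AWS Region"
 }
 
-variable "privileged" {
-type = bool
-description = "True if the user running the Terraform command already has access to the Terraform backend"
-default = false
-}
-
 variable "account_assignments" {
 type = map(map(map(object({
 permission_sets = list(string)
@@ -33,16 +27,6 @@ variable "account_assignments" {
 default = {}
 }
 
-variable "aws_teams_accessible" {
-type = set(string)
-description = <<-EOT
-List of IAM roles (e.g. ["admin", "terraform"]) for which to create permission
-sets that allow the user to assume that role. Named like
-admin -> IdentityAdminTeamAccess
-EOT
-default = []
-}
-
 variable "groups" {
 type = list(string)
 description = <<-EOT
@@ -59,24 +43,12 @@ variable "session_duration" {
 default = ""
 }
 
-variable "tfstate_backend_component_name" {
-type = string
-description = "The name of the tfstate-backend component"
-default = "tfstate-backend"
-}
-
 variable "account_map_component_name" {
 type = string
 description = "The name of the account-map component"
 default = "account-map"
 }
 
-variable "overridable_team_permission_set_name_pattern" {
-type = string
-description = "The pattern used to generate the AWS SSO PermissionSet name for each team"
-default = "Identity%sTeamAccess"
-}
-
 variable "idp_groups" {
 type = list(string)
 description = <<-EOT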
