refactor: remove policy files and simplify providers #61

Merged: Benbentwo merged 9 commits into main from Benbentwo/remove-src-policies on Feb 4, 2026
Conversation

@Benbentwo (Contributor) commented Feb 3, 2026

Summary

Removes two policy definition files (TerraformUpdateAccess and Identity-role-TeamAccess) and simplifies the providers configuration. The component now uses basic AWS provider setup with a dummy IAM roles module.

Changes

  • Deleted policy-TerraformUpdateAccess.tf and policy-Identity-role-TeamAccess.tf
  • Simplified providers.tf to remove complex role assumption logic
  • Updated main.tf to remove root account assignment handling
  • Removed unused variables from variables.tf

Testing

Terraform validate passed successfully.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Refactor
    • Simplified account assignment flow into a single flat configuration and streamlined provider/role handling.
  • New Features
    • Added mixins for root-provider migration, Terraform-state access, and per-team role permission sets.
    • Added a v2.0.0 Migration Guide and changelog with migration steps and guidance.
    • Introduced static account-map support and extended account-map fields.
  • Chores
    • Removed legacy root-specific configuration and deprecated variables.
    • Moved policy definitions into mixins and updated documentation and examples.

Remove policy-TerraformUpdateAccess.tf and policy-Identity-role-TeamAccess.tf files. Simplify providers.tf to basic provider configuration with dummy iam_roles module. Update main.tf to remove root account assignment handling and associated permission sets. Remove unused variables from variables.tf.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
coderabbitai bot commented Feb 3, 2026

Warning

Rate limit exceeded

@Benbentwo has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 21 minutes and 32 seconds before requesting another review.


📝 Walkthrough

Removes root-specific account assignment branching and module, consolidates account_assignments, extends account_map schema, simplifies provider/iam_roles wiring, removes several public variables, adds mixin-based policy files, and adds a v2.0.0 migration guide and changelog.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| Account assignment & permission sets | `src/main.tf` | Deleted root-specific locals and `module "sso_account_assignments_root"`; replaced composite/root assignments with `account_assignments = concat(account_assignments_groups, account_assignments_users)`; removed `identity_access_permission_sets` and `terraform_update_access_permission_set` args from `permission_sets`. |
| Providers & IAM roles | `src/providers.tf` | Extended the `account_map` object with `identity_account_account_name`, `aws_partition`, `iam_role_arn_templates`; removed per-account `assume_role`/provider dynamic logic and `iam_roles_root`; added placeholder `module "iam_roles"`. |
| Public variables removed | `src/variables.tf` | Removed public variables: `privileged`, `aws_teams_accessible`, `tfstate_backend_component_name`, `overridable_team_permission_set_name_pattern`. |
| Mixins and policy docs | `mixins/README.md`, `mixins/provider-root.tf`, `mixins/policy-TerraformUpdateAccess.tf`, `mixins/policy-Identity-role-TeamAccess.tf` | Added mixin documentation and three new mixin definitions (`provider-root.tf`, `policy-TerraformUpdateAccess.tf`, `policy-Identity-role-TeamAccess.tf`); minor whitespace cleanup in `mixins/policy-Identity-role-TeamAccess.tf`. |
| Migration & release notes | `src/MIGRATION.md`, `src/CHANGELOG.md`, `README.yaml`, `README.md` | Added v2.0.0 migration guide and BREAKING notes; updated docs and examples for static `account_map`, mixin vendoring, and removal of root/provider patterns. |
| Minor edits | `mixins/policy-Identity-role-TeamAccess.tf` | Removed a leading blank line; no functional changes. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • osterman
  • aknysh
  • goruha

Poem

🐰 I hopped through Terraform plains tonight,
Root branches pruned beneath the moonlight,
Mixins stitched each permission seam,
Account maps steady, bright the beam,
Tiny paws, big infra delight 🥕

🚥 Pre-merge checks: 3 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main changes: removal of policy files and simplification of provider configuration across the codebase. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@mergify mergify bot requested review from a team February 3, 2026 16:38
@mergify mergify bot added triage Needs triage needs-test Needs testing labels Feb 3, 2026
chatgpt-codex-connector bot left a comment

💡 Codex Review

```hcl
module "sso_account_assignments" {
  source              = "cloudposse/sso/aws//modules/account-assignments"
  version             = "1.2.0"
  account_assignments = local.account_assignments
  context             = module.this.context
}
```

P2: Preserve root account assignment handling

All account assignments are now applied through the default provider (sso_account_assignments uses local.account_assignments directly). When account_assignments includes the management/root account and the component is deployed from a delegated admin/identity account, AWS Identity Center APIs reject those root assignments (they require management account credentials). The previous split for root vs non-root avoided this; with the split removed, root assignments will fail in that scenario.

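The scenario Codex describes above (delegated-admin credentials cannot create Identity Center assignments for the management account) is what the removed root/non-root split guarded against. The block below is an added illustration of that split, not code from this PR or from the cloudposse component: it partitions `local.account_assignments` by account ID and sends the management-account subset through a provider alias named `root` (the alias the migration guide's error message refers to). It assumes a `root_account_id` variable, a `region` variable, that each assignment object carries an `account` attribute holding the account ID, and a placeholder role name for the management-account credentials.

```hcl
# Added example, not the component's code. Keeps management-account
# assignments on a provider that carries management-account credentials and
# leaves everything else on the default (delegated-admin) provider.

variable "root_account_id" {
  type        = string
  description = "AWS account ID of the organization management (root) account (assumed variable)."
}

variable "region" {
  type        = string
  description = "AWS region for the providers (assumed variable)."
}

# Management-account credentials. The role name is a placeholder; the `root`
# alias matches the provider name mentioned in the v1 -> v2 migration error.
provider "aws" {
  alias  = "root"
  region = var.region
  assume_role {
    role_arn = "arn:aws:iam::${var.root_account_id}:role/PLACEHOLDER-identity-center-admin"
  }
}

locals {
  # Assumes each assignment object has an `account` attribute with the account ID.
  account_assignments_root = [
    for a in local.account_assignments : a if a.account == var.root_account_id
  ]
  account_assignments_non_root = [
    for a in local.account_assignments : a if a.account != var.root_account_id
  ]
}

# Member-account assignments: delegated-admin credentials are sufficient.
module "sso_account_assignments" {
  source  = "cloudposse/sso/aws//modules/account-assignments"
  version = "1.2.0"

  account_assignments = local.account_assignments_non_root
  context             = module.this.context
}

# Management-account assignments: Identity Center rejects these when made with
# delegated-admin credentials, so they go through the `root` provider.
module "sso_account_assignments_root" {
  source  = "cloudposse/sso/aws//modules/account-assignments"
  version = "1.2.0"

  providers = {
    aws = aws.root
  }

  account_assignments = local.account_assignments_root
  context             = module.this.context
}
```

If the component is only ever applied with management-account credentials, the split is unnecessary and the flat `local.account_assignments` in this PR is enough; the PR itself relocates the root provider into a `provider-root.tf` mixin rather than keeping it in `src/providers.tf`. When the root subset is empty, the second module instance simply creates no resources.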

coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@src/providers.tf`:

- Around line 3-7: The change to variable "account_map_enabled" flips its default from true to false, which is a breaking behavioral change for existing users; either revert the default back to true in the variable declaration (restore previous behavior for variable "account_map_enabled") or, if the new default is intentional, explicitly document the breaking change in the PR description and release notes and add a migration guide (and consider a version bump) so consumers know to opt in to the new behavior.
- Around line 33-37: The dummy module "iam_roles" uses cloudposse/label/null, which doesn't export the expected outputs (global_tenant_name, global_environment_name, global_stage_name) referenced by the remote-state usage; fix by either swapping the "iam_roles" module to one that exposes those outputs or adapting the remote-state configuration to use the existing context outputs (tenant, environment, stage) from the module. Locate the module "iam_roles" declaration and either replace its source with a module that defines global_tenant_name/global_environment_name/global_stage_name, or add a mapping/local values so remote-state references the available outputs (e.g., map module.iam_roles.context.tenant -> global_tenant_name) and update remote-state references accordingly.

Benbentwo and others added 2 commits February 3, 2026 09:38
…scription

- Move policy-TerraformUpdateAccess.tf and policy-Identity-role-TeamAccess.tf to mixins folder
- Restore account_map_enabled variable description and default to true

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Add CHANGELOG.md entry for v2.0.0 breaking changes
- Create MIGRATION.md with step-by-step upgrade instructions
- Document static account_map support for bypassing remote state
- Update mixins README with documentation for all available mixins

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mergify bot commented Feb 3, 2026

Important

Do not edit the README.md directly. It's auto-generated from the README.yaml

Please update the README.yaml file instead.

Could you fix it @Benbentwo? 🙏

Benbentwo and others added 3 commits February 3, 2026 11:27
- Add migration section with link to MIGRATION.md
- Document static account map support
- Update examples to use account_map_enabled: false
- Update mixins list with new mixins
- Update identity_roles_accessible section to reference mixin

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

CI was failing because the iam_roles dummy module was missing a version pin.
Added version = "0.25.0" to match the version used in context.tf.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Auto-generated documentation update reflecting v2.0.0 changes.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@Benbentwo Benbentwo added the major Breaking changes (or first stable release) label Feb 3, 2026
milldr (Contributor) left a comment

Please remove all references to account-map in the new version. For example, remote state.

Document tf_access_bucket_arn and tf_access_role_arn variables required
when using the TerraformUpdateAccess mixin.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@README.md`:

- Line 510: The README module table is out of sync: it shows cloudposse/label/null as "n/a" while src/providers.tf pins version = "0.25.0"; regenerate the docs from README.yaml (e.g., run `atmos docs` or your repository's docs generation command) so README.md reflects the pinned provider version, and commit the updated README.md.
🧹 Nitpick comments (3)
src/providers.tf (1)

1-2: Comment text is inconsistent with default behavior.

The comment states "when account map is disabled" but the default for account_map_enabled is true (enabled). This could confuse users reading the code.

Consider updating the comment to accurately reflect the file's purpose:

📝 Suggested fix

```diff
-# This is the default providers.tf when account map is disabled.
+# This is the default providers.tf for the aws-identity-center component.
+# Set account_map_enabled to false to use static account mappings instead of remote state lookups.
```
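Review bot: the replacement comment names the opt-out but not what it changes for the operator; with account_map_enabled = false the component takes the values in the static account_map as given instead of resolving them from the account-map remote state, so a stale or mistyped entry is not caught by the lookup. Suggest a third comment line pointing at the static account_map section of MIGRATION.md (added in this PR) so a reader of providers.tf knows which fields must be supplied and kept in sync with the organization.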
src/MIGRATION.md (1)

79-88: Add language specifier to fenced code block.

The error message code block is missing a language specifier. Per markdownlint (MD040), fenced code blocks should have a language specified for consistency and proper rendering.

📝 Suggested fix

````diff
-```
+```text
 Error: Provider configuration not present
 
 To work with module.sso_account_assignments_root.aws_ssoadmin_account_assignment.this[...] (orphan)
 its original provider configuration at provider["registry.terraform.io/hashicorp/aws"].root is required,
 but it has been removed.
````
README.md (1)
160-164: Add language specifier to fenced code block.

The code block showing the Terraform format expression is missing a language specifier. Per markdownlint (MD040), add `hcl` for proper syntax highlighting.

📝 Suggested fix

````diff
-```
+```hcl
 format("Identity%sTeamAccess", replace(title(replace(team, "_", "-")), "-", ""))
````
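Review bot: this suggestion edits README.md, which the mergify comment earlier in this thread says is auto-generated from README.yaml; put the `hcl` tag on the fence in README.yaml and regenerate README.md (the same `atmos docs` step the Line 510 comment above asks for), otherwise the next docs build reverts the change.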


Update module version from n/a to 0.25.0 to match src/providers.tf.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@README.md`:

- Around line 161-163: The fenced code block showing format("Identity%sTeamAccess", replace(title(replace(team, "_", "-")), "-", "")) is missing a language tag in the generated README.md; open the source README.yaml, locate the corresponding code block entry and add the appropriate language identifier (e.g., bash, text, or the template language you use) to the fence, then regenerate README.md from README.yaml using the atmos docs commands so the change is preserved (do not edit README.md directly).

Add language identifier to fenced code block showing the Terraform
format function for permission set names.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@Benbentwo Benbentwo requested a review from milldr February 4, 2026 20:35
@Benbentwo Benbentwo added this pull request to the merge queue Feb 4, 2026
@mergify mergify bot removed the triage Needs triage label Feb 4, 2026
Merged via the queue into main with commit 015e1af Feb 4, 2026
15 checks passed
@Benbentwo Benbentwo deleted the Benbentwo/remove-src-policies branch February 4, 2026 20:45
github-actions bot commented Feb 4, 2026

These changes were released in v2.0.0.

Labels

major Breaking changes (or first stable release) needs-test Needs testing
