Move profiles_enabled logic out of providers.tf and into iam-roles (#702)

Author: Nuru

modules/account-map/modules/iam-roles/README.md

@@ -2,14 +2,15 @@
 
 This submodule is used by other modules to determine which IAM Roles
 or AWS CLI Config Profiles to use for various tasks, most commonly
-for applying Terraform plans. 
+for applying Terraform plans.
 
 ## Special Configuration Needed
 
 In order to avoid having to pass customization information through every module
 that uses this submodule, if the default configuration does not suit your needs,
-you are expected to customize `variables.tf` with the defaults you want to 
-use in your project. For example, if you are including the `tenant` label
-in the designation of your "root" account (your Organization Management Account),
-then you should modify `variables.tf` so that `global_tenant_name` defaults
-to the appropriate value.
+you are expected to add `variables_override.tf` to override the variables with
+the defaults you want to use in your project. For example, if you are not using
+"core" as the `tenant` portion of your "root" account (your Organization Management Account),
+then you should include the `variable "overridable_global_tenant_name"` declaration
+in your `variables_override.tf` so that `overridable_global_tenant_name` defaults
+to the value you are using (or the empty string if you are not using `tenant` at all).

modules/account-map/modules/iam-roles/main.tf

@@ -22,5 +22,6 @@ module "account_map" {
 }
 
 locals {
-  account_name = lookup(module.always.descriptors, "account_name", module.always.stage)
+  account_name     = lookup(module.always.descriptors, "account_name", module.always.stage)
+  profiles_enabled = module.account_map.outputs.profiles_enabled
 }

modules/account-map/modules/iam-roles/outputs.tf

@@ -1,5 +1,5 @@
 output "terraform_role_arn" {
-  value       = module.account_map.outputs.terraform_roles[local.account_name]
+  value       = local.profiles_enabled ? null : module.account_map.outputs.terraform_roles[local.account_name]
   description = "The AWS Role ARN for Terraform to use when provisioning resources in the account, when Role ARNs are in use"
 }
 
@@ -9,7 +9,7 @@ output "terraform_role_arns" {
 }
 
 output "terraform_profile_name" {
-  value       = module.account_map.outputs.terraform_profiles[local.account_name]
+  value       = local.profiles_enabled ? module.account_map.outputs.terraform_profiles[local.account_name] : null
   description = "The AWS config profile name for Terraform to use when provisioning resources in the account, when profiles are in use"
 }
 
@@ -27,17 +27,17 @@ output "org_role_arn" {
 }
 
 output "global_tenant_name" {
-  value       = var.global_tenant_name
+  value       = var.overridable_global_tenant_name
   description = "The `null-label` `tenant` value used for organization-wide resources"
 }
 
 output "global_environment_name" {
-  value       = var.global_environment_name
+  value       = var.overridable_global_environment_name
   description = "The `null-label` `environment` value used for regionless (global) resources"
 }
 
 output "global_stage_name" {
-  value       = var.global_stage_name
+  value       = var.overridable_global_stage_name
   description = "The `null-label` `stage` value for the organization management account (where the `account-map` state is stored)"
 }
 
@@ -50,22 +50,22 @@ output "current_account_account_name" {
 }
 
 output "dns_terraform_role_arn" {
-  value       = module.account_map.outputs.terraform_roles[module.account_map.outputs.dns_account_account_name]
+  value       = local.profiles_enabled ? null : module.account_map.outputs.terraform_roles[module.account_map.outputs.dns_account_account_name]
   description = "The AWS Role ARN for Terraform to use to provision DNS Zone delegations, when Role ARNs are in use"
 }
 
 output "dns_terraform_profile_name" {
-  value       = module.account_map.outputs.terraform_profiles[module.account_map.outputs.dns_account_account_name]
+  value       = local.profiles_enabled ? module.account_map.outputs.terraform_profiles[module.account_map.outputs.dns_account_account_name] : null
   description = "The AWS config profile name for Terraform to use to provision DNS Zone delegations, when profiles are in use"
 }
 
 output "audit_terraform_role_arn" {
-  value       = module.account_map.outputs.terraform_roles[module.account_map.outputs.audit_account_account_name]
+  value       = local.profiles_enabled ? null : module.account_map.outputs.terraform_roles[module.account_map.outputs.audit_account_account_name]
   description = "The AWS Role ARN for Terraform to use to provision resources in the \"audit\" role account, when Role ARNs are in use"
 }
 
 output "audit_terraform_profile_name" {
-  value       = module.account_map.outputs.terraform_profiles[module.account_map.outputs.audit_account_account_name]
+  value       = local.profiles_enabled ? module.account_map.outputs.terraform_profiles[module.account_map.outputs.audit_account_account_name] : null
   description = "The AWS config profile name for Terraform to use to provision resources in the \"audit\" role account, when profiles are in use"
 }
 
@@ -75,26 +75,26 @@ output "identity_account_account_name" {
 }
 
 output "identity_terraform_role_arn" {
-  value       = module.account_map.outputs.terraform_roles[module.account_map.outputs.identity_account_account_name]
+  value       = local.profiles_enabled ? null : module.account_map.outputs.terraform_roles[module.account_map.outputs.identity_account_account_name]
   description = "The AWS Role ARN for Terraform to use to provision resources in the \"identity\" role account, when Role ARNs are in use"
 }
 
 output "identity_terraform_profile_name" {
-  value       = module.account_map.outputs.terraform_profiles[module.account_map.outputs.identity_account_account_name]
+  value       = local.profiles_enabled ? module.account_map.outputs.terraform_profiles[module.account_map.outputs.identity_account_account_name] : null
   description = "The AWS config profile name for Terraform to use to provision resources in the \"identity\" role account, when profiles are in use"
 }
 
 output "identity_cicd_role_arn" {
-  value       = module.account_map.outputs.cicd_roles[module.account_map.outputs.identity_account_account_name]
+  value       = local.profiles_enabled ? null : module.account_map.outputs.cicd_roles[module.account_map.outputs.identity_account_account_name]
   description = "(Deprecated) The AWS Role ARN for CI/CD tools to assume to gain access to other accounts, when Role ARNs are in use"
 }
 
 output "identity_cicd_profile_name" {
-  value       = module.account_map.outputs.cicd_profiles[module.account_map.outputs.identity_account_account_name]
+  value       = local.profiles_enabled ? module.account_map.outputs.cicd_profiles[module.account_map.outputs.identity_account_account_name] : null
   description = "(Deprecated) The AWS config profile name for CI/CD tools to assume to gain access to other accounts, when profiles are in use"
 }
 
 output "profiles_enabled" {
-  value       = module.account_map.outputs.profiles_enabled
+  value       = local.profiles_enabled
   description = "When true, use AWS config profiles in Terraform AWS provider configurations. When false, use Role ARNs."
 }

modules/account-map/modules/iam-roles/variables.tf

@@ -4,20 +4,24 @@ variable "privileged" {
   default     = false
 }
 
-variable "global_tenant_name" {
+## The overridable_* variables in this file provide Cloud Posse defaults.
+## Because this module is used in bootstrapping Terraform, we do not configure
+## these inputs in the normal way. Instead, to change the values, you should
+## add a `variables_override.tf` file and change the default to the value you want.
+variable "overridable_global_tenant_name" {
   type        = string
   description = "The tenant name used for organization-wide resources"
   default     = "core"
 }
 
-variable "global_environment_name" {
+variable "overridable_global_environment_name" {
   type        = string
   description = "Global environment name"
   default     = "gbl"
 }
 
-variable "global_stage_name" {
+variable "overridable_global_stage_name" {
   type        = string
-  description = "The stage name for the organization management account (where the `accout-map` state is stored)"
+  description = "The stage name for the organization management account (where the `account-map` state is stored)"
   default     = "root"
 }

modules/aws-waf-acl/README.md

@@ -84,6 +84,7 @@ components:
 | <a name="input_geo_match_statement_rules"></a> [geo\_match\_statement\_rules](#input\_geo\_match\_statement\_rules) | A rule statement used to identify web requests based on country of origin.<br><br>action:<br>  The action that AWS WAF should take on a web request when it matches the rule's statement.<br>name:<br>  A friendly name of the rule.<br>priority:<br>  If you define more than one Rule in a WebACL,<br>  AWS WAF evaluates each request against the rules in order based on the value of priority.<br>  AWS WAF processes rules with lower priority first.<br><br>statement:<br>  country\_codes:<br>    A list of two-character country codes.<br>  forwarded\_ip\_config:<br>    fallback\_behavior:<br>      The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.<br>      Possible values: `MATCH`, `NO_MATCH`<br>    header\_name:<br>      The name of the HTTP header to use for the IP address.<br><br>visibility\_config:<br>  Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br>  cloudwatch\_metrics\_enabled:<br>    Whether the associated resource sends metrics to CloudWatch.<br>  metric\_name:<br>    A friendly name of the CloudWatch metric.<br>  sampled\_requests\_enabled:<br>    Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for default, which is `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | <a name="input_import_profile_name"></a> [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no |
+| <a name="input_import_role_arn"></a> [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no |
 | <a name="input_ip_set_reference_statement_rules"></a> [ip\_set\_reference\_statement\_rules](#input\_ip\_set\_reference\_statement\_rules) | A rule statement used to detect web requests coming from particular IP addresses or address ranges.<br><br>action:<br>  The action that AWS WAF should take on a web request when it matches the rule's statement.<br>name:<br>  A friendly name of the rule.<br>priority:<br>  If you define more than one Rule in a WebACL,<br>  AWS WAF evaluates each request against the rules in order based on the value of priority.<br>  AWS WAF processes rules with lower priority first.<br><br>statement:<br>  arn:<br>    The ARN of the IP Set that this statement references.<br>  ip\_set\_forwarded\_ip\_config:<br>    fallback\_behavior:<br>      The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.<br>      Possible values: `MATCH`, `NO_MATCH`<br>    header\_name:<br>      The name of the HTTP header to use for the IP address.<br>    position:<br>      The position in the header to search for the IP address.<br>      Possible values include: `FIRST`, `LAST`, or `ANY`.<br><br>visibility\_config:<br>  Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br>  cloudwatch\_metrics\_enabled:<br>    Whether the associated resource sends metrics to CloudWatch.<br>  metric\_name:<br>    A friendly name of the CloudWatch metric.<br>  sampled\_requests\_enabled:<br>    Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no |
 | <a name="input_label_key_case"></a> [label\_key\_case](#input\_label\_key\_case) | The letter case of label keys (`tag` names) (i.e. `name`, `namespace`, `environment`, `stage`, `attributes`) to use in `tags`.<br>Possible values: `lower`, `title`, `upper`.<br>Default value: `title`. | `string` | `null` | no |
 | <a name="input_label_order"></a> [label\_order](#input\_label\_order) | The naming order of the id output and Name tag.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no |

modules/aws-waf-acl/providers.tf

@@ -1,6 +1,14 @@
 provider "aws" {
-  region  = var.region
-  profile = coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name)
+  region = var.region
+
+  profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
+
+  dynamic "assume_role" {
+    for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
+    content {
+      role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
+    }
+  }
 }
 
 module "iam_roles" {
@@ -13,3 +21,9 @@ variable "import_profile_name" {
   default     = null
   description = "AWS Profile name to use when importing a resource"
 }
+
+variable "import_role_arn" {
+  type        = string
+  default     = null
+  description = "IAM Role ARN to use when importing a resource"
+}

modules/cognito/README.md

@@ -119,7 +119,8 @@ components:
 | <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | <a name="input_identity_providers"></a> [identity\_providers](#input\_identity\_providers) | Cognito Identity Providers configuration | `list(any)` | `[]` | no |
-| <a name="input_import_profile_name"></a> [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile to use when importing a resource | `string` | `null` | no |
+| <a name="input_import_profile_name"></a> [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no |
+| <a name="input_import_role_arn"></a> [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no |
 | <a name="input_label_key_case"></a> [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.<br>Does not affect keys of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper`.<br>Default value: `title`. | `string` | `null` | no |
 | <a name="input_label_order"></a> [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
 | <a name="input_label_value_case"></a> [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,<br>set as tag values, and output by this module individually.<br>Does not affect values of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper` and `none` (no transformation).<br>Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.<br>Default value: `lower`. | `string` | `null` | no |

modules/cognito/providers.tf

@@ -1,7 +1,14 @@
 provider "aws" {
   region = var.region
 
-  profile = coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name)
+  profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
+
+  dynamic "assume_role" {
+    for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
+    content {
+      role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
+    }
+  }
 }
 
 module "iam_roles" {
@@ -12,5 +19,11 @@ module "iam_roles" {
 variable "import_profile_name" {
   type        = string
   default     = null
-  description = "AWS Profile to use when importing a resource"
+  description = "AWS Profile name to use when importing a resource"
+}
+
+variable "import_role_arn" {
+  type        = string
+  default     = null
+  description = "IAM Role ARN to use when importing a resource"
 }

modules/dns-delegated/providers.tf

@@ -20,7 +20,7 @@ provider "aws" {
   profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
 
   dynamic "assume_role" {
-    for_each = var.import_role_arn == null ? (module.iam_roles.terraform_role_arn != null ? [true] : []) : ["import"]
+    for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
     content {
       role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
     }

modules/dns-primary/providers.tf

@@ -4,7 +4,7 @@ provider "aws" {
   profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
 
   dynamic "assume_role" {
-    for_each = var.import_role_arn == null ? (module.iam_roles.terraform_role_arn != null ? [true] : []) : ["import"]
+    for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
     content {
       role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
     }