chore: Update naming use and remove role self-assume

Author: bryantbiggs

examples/iam-role/main.tf

@@ -23,8 +23,6 @@ module "iam_role_instance_profile" {
 
   name = "${local.name}-instance-profile"
 
-  # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
-  allow_self_assume_role  = true
   create_instance_profile = true
 
   assume_role_policy_statements = [

modules/iam-account/README.md

@@ -24,12 +24,14 @@ module "iam_account" {
 ## Notes
 
 If IAM account alias was previously set (either via AWS console or during the creation of an account from AWS Organizations) you will see this error:
-```
+
+```sh
 aws_iam_account_alias.this: Error creating account alias with name my-account-alias
 ```
 
 If you want to manage IAM alias using Terraform (otherwise why are you reading this?) you need to import this resource like this:
-```
+
+```sh
 $ terraform import module.iam_account.aws_iam_account_alias.this this
 
 module.iam_account.aws_iam_account_alias.this: Importing from ID "this"...
@@ -64,18 +66,17 @@ No modules.
 |------|------|
 | [aws_iam_account_alias.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_alias) | resource |
 | [aws_iam_account_password_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy) | resource |
-| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS IAM account alias for this account | `string` | n/a | yes |
 | <a name="input_allow_users_to_change_password"></a> [allow\_users\_to\_change\_password](#input\_allow\_users\_to\_change\_password) | Whether to allow users to change their own password | `bool` | `true` | no |
+| <a name="input_create"></a> [create](#input\_create) | Determines whether resources will be created (affects all resources) | `bool` | `true` | no |
 | <a name="input_create_account_password_policy"></a> [create\_account\_password\_policy](#input\_create\_account\_password\_policy) | Whether to create AWS IAM account password policy | `bool` | `true` | no |
-| <a name="input_get_caller_identity"></a> [get\_caller\_identity](#input\_get\_caller\_identity) | Whether to get AWS account ID, User ID, and ARN in which Terraform is authorized | `bool` | `true` | no |
 | <a name="input_hard_expiry"></a> [hard\_expiry](#input\_hard\_expiry) | Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset) | `bool` | `false` | no |
-| <a name="input_max_password_age"></a> [max\_password\_age](#input\_max\_password\_age) | The number of days that an user password is valid. | `number` | `0` | no |
+| <a name="input_max_password_age"></a> [max\_password\_age](#input\_max\_password\_age) | The number of days that an user password is valid | `number` | `0` | no |
 | <a name="input_minimum_password_length"></a> [minimum\_password\_length](#input\_minimum\_password\_length) | Minimum length to require for user passwords | `number` | `8` | no |
 | <a name="input_password_reuse_prevention"></a> [password\_reuse\_prevention](#input\_password\_reuse\_prevention) | The number of previous passwords that users are prevented from reusing | `number` | `null` | no |
 | <a name="input_require_lowercase_characters"></a> [require\_lowercase\_characters](#input\_require\_lowercase\_characters) | Whether to require lowercase characters for user passwords | `bool` | `true` | no |
@@ -90,7 +91,7 @@ No modules.
 | <a name="output_caller_identity_account_id"></a> [caller\_identity\_account\_id](#output\_caller\_identity\_account\_id) | The AWS Account ID number of the account that owns or contains the calling entity |
 | <a name="output_caller_identity_arn"></a> [caller\_identity\_arn](#output\_caller\_identity\_arn) | The AWS ARN associated with the calling entity |
 | <a name="output_caller_identity_user_id"></a> [caller\_identity\_user\_id](#output\_caller\_identity\_user\_id) | The unique identifier of the calling entity |
-| <a name="output_iam_account_password_policy_expire_passwords"></a> [iam\_account\_password\_policy\_expire\_passwords](#output\_iam\_account\_password\_policy\_expire\_passwords) | Indicates whether passwords in the account expire. Returns true if max\_password\_age contains a value greater than 0. Returns false if it is 0 or not present. |
+| <a name="output_iam_account_password_policy_expire_passwords"></a> [iam\_account\_password\_policy\_expire\_passwords](#output\_iam\_account\_password\_policy\_expire\_passwords) | Indicates whether passwords in the account expire. Returns true if max\_password\_age contains a value greater than 0. Returns false if it is 0 or not present |
 <!-- END_TF_DOCS -->
 
 ## License

modules/iam-account/main.tf

@@ -1,13 +1,19 @@
-data "aws_caller_identity" "this" {
-  count = var.get_caller_identity ? 1 : 0
-}
+################################################################################
+# Alias
+################################################################################
 
 resource "aws_iam_account_alias" "this" {
+  count = var.create ? 1 : 0
+
   account_alias = var.account_alias
 }
 
+################################################################################
+# Password Policy
+################################################################################
+
 resource "aws_iam_account_password_policy" "this" {
-  count = var.create_account_password_policy ? 1 : 0
+  count = var.create && var.create_account_password_policy ? 1 : 0
 
   max_password_age               = var.max_password_age
   minimum_password_length        = var.minimum_password_length

modules/iam-account/outputs.tf

@@ -1,19 +1,19 @@
 output "caller_identity_account_id" {
   description = "The AWS Account ID number of the account that owns or contains the calling entity"
-  value       = try(data.aws_caller_identity.this[0].account_id, "")
+  value       = try(data.aws_caller_identity.this[0].account_id, null)
 }
 
 output "caller_identity_arn" {
   description = "The AWS ARN associated with the calling entity"
-  value       = try(data.aws_caller_identity.this[0].arn, "")
+  value       = try(data.aws_caller_identity.this[0].arn, null)
 }
 
 output "caller_identity_user_id" {
   description = "The unique identifier of the calling entity"
-  value       = try(data.aws_caller_identity.this[0].user_id, "")
+  value       = try(data.aws_caller_identity.this[0].user_id, null)
 }
 
 output "iam_account_password_policy_expire_passwords" {
-  description = "Indicates whether passwords in the account expire. Returns true if max_password_age contains a value greater than 0. Returns false if it is 0 or not present."
-  value       = try(aws_iam_account_password_policy.this[0].expire_passwords, "")
+  description = "Indicates whether passwords in the account expire. Returns true if max_password_age contains a value greater than 0. Returns false if it is 0 or not present"
+  value       = try(aws_iam_account_password_policy.this[0].expire_passwords, null)
 }

modules/iam-account/variables.tf

@@ -1,22 +1,30 @@
-variable "get_caller_identity" {
-  description = "Whether to get AWS account ID, User ID, and ARN in which Terraform is authorized"
+variable "create" {
+  description = "Determines whether resources will be created (affects all resources)"
   type        = bool
   default     = true
 }
 
+################################################################################
+# Alias
+################################################################################
+
 variable "account_alias" {
   description = "AWS IAM account alias for this account"
   type        = string
 }
 
+################################################################################
+# Password Policy
+################################################################################
+
 variable "create_account_password_policy" {
   description = "Whether to create AWS IAM account password policy"
   type        = bool
   default     = true
 }
 
 variable "max_password_age" {
-  description = "The number of days that an user password is valid."
+  description = "The number of days that an user password is valid"
   type        = number
   default     = 0
 }

modules/iam-group/README.md

@@ -77,11 +77,12 @@ No modules.
 | <a name="input_enable_self_management_permissions"></a> [enable\_self\_management\_permissions](#input\_enable\_self\_management\_permissions) | Determines whether permissions are added to the policy which allow the groups IAM users to manage their credentials and MFA | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | The group's name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: `=,.@-_.` | `string` | `""` | no |
 | <a name="input_path"></a> [path](#input\_path) | Path in which to create the group | `string` | `null` | no |
-| <a name="input_permission_statements"></a> [permission\_statements](#input\_permission\_statements) | List of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for the policy | `any` | `[]` | no |
+| <a name="input_permission_statements"></a> [permission\_statements](#input\_permission\_statements) | List of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for the policy | <pre>list(object({<br/>    sid           = optional(string)<br/>    actions       = optional(list(string))<br/>    not_actions   = optional(list(string))<br/>    effect        = optional(string)<br/>    resources     = optional(list(string))<br/>    not_resources = optional(list(string))<br/>    principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    not_principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    condition = optional(list(object({<br/>      test     = string<br/>      values   = list(string)<br/>      variable = string<br/>    })))<br/>  }))</pre> | `null` | no |
 | <a name="input_policies"></a> [policies](#input\_policies) | Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format | `map(string)` | `{}` | no |
 | <a name="input_policy_description"></a> [policy\_description](#input\_policy\_description) | Description of the IAM policy | `string` | `null` | no |
-| <a name="input_policy_name_prefix"></a> [policy\_name\_prefix](#input\_policy\_name\_prefix) | Name prefix for IAM policy | `string` | `null` | no |
+| <a name="input_policy_name"></a> [policy\_name](#input\_policy\_name) | Name to use on IAM policy created | `string` | `null` | no |
 | <a name="input_policy_path"></a> [policy\_path](#input\_policy\_path) | The IAM policy path | `string` | `null` | no |
+| <a name="input_policy_use_name_prefix"></a> [policy\_use\_name\_prefix](#input\_policy\_use\_name\_prefix) | Determines whether the IAM policy name (`policy_name`) is used as a prefix | `bool` | `true` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
 | <a name="input_users"></a> [users](#input\_users) | A list of IAM User names to associate with the Group | `list(string)` | `[]` | no |
 | <a name="input_users_account_id"></a> [users\_account\_id](#input\_users\_account\_id) | An overriding AWS account ID where the group's users reside; leave empty to use the current account ID for the AWS provider | `string` | `null` | no |

modules/iam-group/main.tf

@@ -1,11 +1,16 @@
-data "aws_partition" "current" {}
-data "aws_caller_identity" "current" {}
+data "aws_partition" "current" {
+  count = var.create ? 1 : 0
+}
+data "aws_caller_identity" "current" {
+  count = var.create ? 1 : 0
+}
 
 locals {
-  users_account_id = coalesce(var.users_account_id, data.aws_caller_identity.current.account_id)
+  partition        = try(data.aws_partition.current[0].partition, "")
+  users_account_id = try(coalesce(var.users_account_id, data.aws_caller_identity.current[0].account_id), "")
 
   user_resources = [for pattern in ["user/$${aws:username}", "user/*/$${aws:username}"] :
-    "arn:${data.aws_partition.current.partition}:iam::${local.users_account_id}:${pattern}"
+    "arn:${local.partition}:iam::${local.users_account_id}:${pattern}"
   ]
 }
 
@@ -34,6 +39,8 @@ resource "aws_iam_group_membership" "this" {
 
 locals {
   create_policy = var.create && var.create_policy && (var.enable_self_management_permissions || length(var.permission_statements) > 0)
+
+  policy_name = try(coalesce(var.policy_name, var.name), "")
 }
 
 # Allows MFA-authenticated IAM users to manage their own credentials on the My security credentials page
@@ -135,7 +142,7 @@ data "aws_iam_policy_document" "this" {
     content {
       sid       = "ManageOwnVirtualMFADevice"
       actions   = ["iam:CreateVirtualMFADevice"]
-      resources = ["arn:${data.aws_partition.current.partition}:iam::${local.users_account_id}:mfa/*"]
+      resources = ["arn:${local.partition}:iam::${local.users_account_id}:mfa/*"]
     }
   }
 
@@ -180,18 +187,18 @@ data "aws_iam_policy_document" "this" {
   }
 
   dynamic "statement" {
-    for_each = var.permission_statements
+    for_each = var.permission_statements != null ? var.permission_statements : []
 
     content {
-      sid           = try(statement.value.sid, null)
-      actions       = try(statement.value.actions, null)
-      not_actions   = try(statement.value.not_actions, null)
-      effect        = try(statement.value.effect, null)
-      resources     = try(statement.value.resources, null)
-      not_resources = try(statement.value.not_resources, null)
+      sid           = statement.value.sid
+      actions       = statement.value.actions
+      not_actions   = statement.value.not_actions
+      effect        = statement.value.effect
+      resources     = statement.value.resources
+      not_resources = statement.value.not_resources
 
       dynamic "principals" {
-        for_each = try(statement.value.principals, [])
+        for_each = statement.value.principals != null ? statement.value.principals : []
 
         content {
           type        = principals.value.type
@@ -200,7 +207,7 @@ data "aws_iam_policy_document" "this" {
       }
 
       dynamic "not_principals" {
-        for_each = try(statement.value.not_principals, [])
+        for_each = statement.value.not_principals != null ? statement.value.not_principals : []
 
         content {
           type        = not_principals.value.type
@@ -209,7 +216,7 @@ data "aws_iam_policy_document" "this" {
       }
 
       dynamic "condition" {
-        for_each = try(statement.value.conditions, [])
+        for_each = statement.value.condition != null ? statement.value.condition : []
 
         content {
           test     = condition.value.test
@@ -224,8 +231,9 @@ data "aws_iam_policy_document" "this" {
 resource "aws_iam_policy" "this" {
   count = local.create_policy ? 1 : 0
 
-  name_prefix = try(coalesce(var.policy_name_prefix, "${var.name}-"), null)
   description = var.policy_description
+  name        = var.policy_use_name_prefix ? null : local.policy_name
+  name_prefix = var.policy_use_name_prefix ? "${local.policy_name}-" : null
   path        = coalesce(var.policy_path, var.path, "/")
   policy      = data.aws_iam_policy_document.this[0].json
 

modules/iam-group/variables.tf

@@ -56,16 +56,42 @@ variable "enable_mfa_enforcment" {
 
 variable "permission_statements" {
   description = "List of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for the policy"
-  type        = any
-  default     = []
+  type = list(object({
+    sid           = optional(string)
+    actions       = optional(list(string))
+    not_actions   = optional(list(string))
+    effect        = optional(string)
+    resources     = optional(list(string))
+    not_resources = optional(list(string))
+    principals = optional(list(object({
+      type        = string
+      identifiers = list(string)
+    })))
+    not_principals = optional(list(object({
+      type        = string
+      identifiers = list(string)
+    })))
+    condition = optional(list(object({
+      test     = string
+      values   = list(string)
+      variable = string
+    })))
+  }))
+  default = null
 }
 
-variable "policy_name_prefix" {
-  description = "Name prefix for IAM policy"
+variable "policy_name" {
+  description = "Name to use on IAM policy created"
   type        = string
   default     = null
 }
 
+variable "policy_use_name_prefix" {
+  description = "Determines whether the IAM policy name (`policy_name`) is used as a prefix"
+  type        = bool
+  default     = true
+}
+
 variable "policy_description" {
   description = "Description of the IAM policy"
   type        = string

modules/iam-oidc-provider/main.tf

@@ -1,7 +1,13 @@
-data "aws_partition" "current" {}
+data "aws_partition" "current" {
+  count = var.create ? 1 : 0
+}
+
+locals {
+  dns_suffix = try(data.aws_partition.current[0].dns_suffix, "")
+}
 
 ################################################################################
-# GitHub OIDC Provider
+# OIDC Provider
 ################################################################################
 
 data "tls_certificate" "this" {
@@ -14,7 +20,7 @@ resource "aws_iam_openid_connect_provider" "this" {
   count = var.create ? 1 : 0
 
   url             = var.url
-  client_id_list  = coalescelist(var.client_id_list, ["sts.${data.aws_partition.current.dns_suffix}"])
+  client_id_list  = coalescelist(var.client_id_list, ["sts.${local.dns_suffix}"])
   thumbprint_list = data.tls_certificate.this[0].certificates[*].sha1_fingerprint
 
   tags = var.tags

modules/iam-oidc-provider/variables.tf

@@ -10,6 +10,10 @@ variable "tags" {
   default     = {}
 }
 
+################################################################################
+# OIDC Provider
+################################################################################
+
 variable "client_id_list" {
   description = "List of client IDs (also known as audiences) for the IAM OIDC provider. Defaults to STS service if not values are provided"
   type        = list(string)