feat: Last minute variable name changes for improved ergonomics

Author: bryantbiggs

README.md

@@ -45,7 +45,7 @@ module "iam_group" {
   ]
 
   enable_self_management_permissions = true
-  permission_statements = {
+  permissions = {
     AssumeRole = {
       actions   = ["sts:AssumeRole"]
       resources = ["arn:aws:iam::111111111111:role/admin"]
@@ -67,7 +67,8 @@ module "iam_group" {
 
 Creates an OpenID connect provider. Useful for trusting external identity providers such as GitHub, Bitbucket, etc.
 
-⚠️ An IAM provider is 1 per account per given URL. This module would be provisioned once per AWS account, and then one or more roles can be created with this provider as the trusted identity.
+> [!TIP]
+> An IAM provider is 1 per account per given URL. This module would be provisioned once per AWS account, and then one or more roles can be created with this provider as the trusted identity.
 
 ```hcl
 module "iam_oidc_provider" {
@@ -113,15 +114,15 @@ module "iam_role" {
 
   name = "example"
 
-  assume_role_policy_statements = {
+  trust_policy_permissions = {
     TrustRoleAndServiceToAssume = {
       principals = [{
         type = "AWS"
         identifiers = [
           "arn:aws:iam::835367859851:user/anton",
         ]
       }]
-      conditions = [{
+      condition = [{
         test     = "StringEquals"
         variable = "sts:ExternalId"
         values   = ["some-secret-id"]
@@ -153,7 +154,7 @@ module "iam_role_github_oidc" {
   enable_github_oidc = true
 
   # This should be updated to suit your organization, repository, references/branches, etc.
-  oidc_subjects = ["terraform-aws-modules/terraform-aws-iam:*"]
+  oidc_wildcard_subjects = ["terraform-aws-modules/terraform-aws-iam:*"]
 
   policies = {
     S3ReadOnly = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
@@ -200,7 +201,7 @@ Creates an IAM role that is suitable for EKS IAM role for service accounts (IRSA
 
 ```hcl
 module "vpc_cni_irsa" {
-  source      = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
+  source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
 
   name   = "vpc-cni"
 

docs/UPGRADE-6.0.md

@@ -85,7 +85,7 @@ stateDiagram
     - `iam-oidc-provider`
         - `additional_thumbprints` - no longer required by GitHub
     - `iam-read-only-policy`
-        - None
+        - `additional_policy_json` - use `source_inline_policy_documents` or `override_inline_policy_documents` instead
     - `iam-role`
         - `trusted_role_actions`
         - `trusted_role_arns`
@@ -150,6 +150,7 @@ stateDiagram
         - `role_description` -> `description`
         - `role_policy_arns` -> `policies`
         - `ebs_csi_kms_cmk_ids` -> `ebs_csi_kms_cmk_arns`
+        - `assume_role_condition_test` -> `trust_condition_test`
     - `iam-user`
         - `create_user` -> `create`
         - `create_iam_user_login_profile` -> `create_login_profile`
@@ -163,23 +164,34 @@ stateDiagram
     - `iam-account`
         - `create`
     - `iam-group`
-        - `permission_statements` which allows for any number of custom statements to be added to the role's trust policy. This covers the majority of the variables that were removed
+        - `permissions` which allows for any number of custom statements to be added to the role's trust policy. This covers the majority of the variables that were removed
         - `path`/`policy_path`
         - `create_policy`
         - `enable_mfa_enforcment`
     - `iam-oidc-provider`
         - None
     - `iam-read-only-policy`
         - `create`
+        - `source_policy_documents`
+        - `override_policy_documents`
     - `iam-role`
-        - `assume_role_policy_statements` which allows for any number of custom statements to be added to the role's trust policy. This covers the majority of the variables that were removed
+        - `trust_policy_permissions` which allows for any number of custom statements to be added to the role's trust policy. This covers the majority of the variables that were removed
+        - `trust_policy_conditions`
+        - `create_inline_policy`
+        - `source_inline_policy_documents`
+        - `override_inline_policy_documents`
+        - `inline_policy_permissions`
     - `iam-role-for-service-accounts`
         - `create_policy`
         - `source_policy_documents`
         - `override_policy_documents`
-        - `policy_statements`
+        - `permissions`
         - `policy_name`
         - `policy_description`
+        - `create_inline_policy`
+        - `source_inline_policy_documents`
+        - `override_inline_policy_documents`
+        - `inline_policy_permissions`
     - `iam-user`
         - None
 
@@ -289,7 +301,7 @@ module "iam_role" {
 -    "codedeploy.amazonaws.com"
 -  ]
 -  role_sts_externalid = ["some-id-goes-here"]
-+  assume_role_policy_statements = {
++  trust_policy_permissions = {
 +    TrustRoleAndServiceToAssume = {
 +      actions = [
 +        "sts:AssumeRole",
@@ -367,7 +379,7 @@ module "iam_role" {
 +  }
 
 -  provider_trust_policy_conditions = [
-+  condition = [
++  trust_policy_conditions = [
     {
       test     = "StringLike"
       variable = "aws:RequestTag/Environment"
@@ -467,7 +479,7 @@ module "iam_role_admin" {
 
   name = "admin"
 
-  assume_role_policy_statements = {
+  trust_policy_permissions = {
     TrustRoleAndServiceToAssume = {
       actions = [
         "sts:AssumeRole",
@@ -500,7 +512,7 @@ module "iam_role_poweruser" {
 
   name = "Billing-And-Support-Access"
 
-  assume_role_policy_statements = {
+  trust_policy_permissions = {
     TrustRoleAndServiceToAssume = {
       actions = [
         "sts:AssumeRole",
@@ -668,7 +680,7 @@ module "iam_role" {
   ]
 
 -  additional_trust_policy_conditions = [
-+  condition = [
++  trust_policy_conditions = [
     {
       test     = "StringEquals"
       variable = "token.actions.githubusercontent.com:actor"
@@ -697,7 +709,7 @@ module "iam_group" {
   enable_self_management_permissions = false
 
 -  assumable_roles = ["arn:aws:iam::111111111111:role/admin"]
-+  permission_statements = {
++  permissions = {
 +    AssumeRole = {
 +      effect    = "Allow"
 +      actions   = ["sts:AssumeRole"]

examples/iam-group/main.tf

@@ -26,7 +26,7 @@ module "iam_group" {
     module.iam_user2.name,
   ]
 
-  permission_statements = {
+  permissions = {
     AssumeRole = {
       actions   = ["sts:AssumeRole"]
       resources = ["arn:aws:iam::111111111111:role/admin"]

examples/iam-role/main.tf

@@ -44,7 +44,7 @@ module "iam_roles" {
 
   name = each.key
 
-  assume_role_policy_statements = {
+  trust_policy_permissions = {
     TrustRoleAndServiceToAssume = {
       principals = [{
         type        = "AWS"
@@ -88,7 +88,7 @@ module "iam_role_instance_profile" {
 
   create_instance_profile = true
 
-  assume_role_policy_statements = {
+  trust_policy_permissions = {
     TrustRoleAndServiceToAssume = {
       principals = [
         {

modules/iam-account/README.md

@@ -6,7 +6,7 @@ Creates an account policy and account alias. Module instantiation is once per ac
 
 ```hcl
 module "iam_account" {
-  source  = "terraform-aws-modules/iam/aws//modules/iam-account"
+  source = "terraform-aws-modules/iam/aws//modules/iam-account"
 
   account_alias = "awesome-company"
 

modules/iam-group/README.md

@@ -17,7 +17,7 @@ module "iam_group" {
   ]
 
   enable_self_management_permissions = true
-  permission_statements = {
+  permissions = {
     AssumeRole = {
       actions   = ["sts:AssumeRole"]
       resources = ["arn:aws:iam::111111111111:role/admin"]
@@ -76,7 +76,7 @@ No modules.
 | <a name="input_enable_self_management_permissions"></a> [enable\_self\_management\_permissions](#input\_enable\_self\_management\_permissions) | Determines whether permissions are added to the policy which allow the groups IAM users to manage their credentials and MFA | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | The group's name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: `=,.@-_.` | `string` | `""` | no |
 | <a name="input_path"></a> [path](#input\_path) | Path in which to create the group | `string` | `null` | no |
-| <a name="input_permission_statements"></a> [permission\_statements](#input\_permission\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage | <pre>map(object({<br/>    sid           = optional(string)<br/>    actions       = optional(list(string))<br/>    not_actions   = optional(list(string))<br/>    effect        = optional(string, "Allow")<br/>    resources     = optional(list(string))<br/>    not_resources = optional(list(string))<br/>    principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    not_principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    condition = optional(list(object({<br/>      test     = string<br/>      variable = string<br/>      values   = list(string)<br/>    })))<br/>  }))</pre> | `null` | no |
+| <a name="input_permissions"></a> [permissions](#input\_permissions) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permissions | <pre>map(object({<br/>    sid           = optional(string)<br/>    actions       = optional(list(string))<br/>    not_actions   = optional(list(string))<br/>    effect        = optional(string, "Allow")<br/>    resources     = optional(list(string))<br/>    not_resources = optional(list(string))<br/>    principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    not_principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    condition = optional(list(object({<br/>      test     = string<br/>      variable = string<br/>      values   = list(string)<br/>    })))<br/>  }))</pre> | `null` | no |
 | <a name="input_policies"></a> [policies](#input\_policies) | Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format | `map(string)` | `{}` | no |
 | <a name="input_policy_description"></a> [policy\_description](#input\_policy\_description) | Description of the IAM policy | `string` | `null` | no |
 | <a name="input_policy_name"></a> [policy\_name](#input\_policy\_name) | Name to use on IAM policy created | `string` | `null` | no |

modules/iam-group/main.tf

@@ -39,7 +39,7 @@ resource "aws_iam_group_membership" "this" {
 ################################################################################
 
 locals {
-  create_policy = var.create && var.create_policy && (var.enable_self_management_permissions || var.permission_statements != null)
+  create_policy = var.create && var.create_policy && (var.enable_self_management_permissions || var.permissions != null)
 
   policy_name = try(coalesce(var.policy_name, var.name), "")
 }
@@ -198,7 +198,7 @@ data "aws_iam_policy_document" "this" {
   }
 
   dynamic "statement" {
-    for_each = var.permission_statements != null ? var.permission_statements : {}
+    for_each = var.permissions != null ? var.permissions : {}
 
     content {
       sid           = try(coalesce(statement.value.sid, statement.key))

modules/iam-group/variables.tf

@@ -54,8 +54,8 @@ variable "enable_mfa_enforcment" {
   default     = true
 }
 
-variable "permission_statements" {
-  description = "A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage"
+variable "permissions" {
+  description = "A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permissions"
   type = map(object({
     sid           = optional(string)
     actions       = optional(list(string))

modules/iam-read-only-policy/README.md

@@ -52,16 +52,17 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_additional_policy_json"></a> [additional\_policy\_json](#input\_additional\_policy\_json) | JSON policy document if you want to add custom actions | `string` | `""` | no |
 | <a name="input_allow_cloudwatch_logs_query"></a> [allow\_cloudwatch\_logs\_query](#input\_allow\_cloudwatch\_logs\_query) | Allows StartQuery/StopQuery/FilterLogEvents CloudWatch actions | `bool` | `true` | no |
 | <a name="input_allow_predefined_sts_actions"></a> [allow\_predefined\_sts\_actions](#input\_allow\_predefined\_sts\_actions) | Allows GetCallerIdentity/GetSessionToken/GetAccessKeyInfo sts actions | `bool` | `true` | no |
 | <a name="input_allow_web_console_services"></a> [allow\_web\_console\_services](#input\_allow\_web\_console\_services) | Allows List/Get/Describe/View actions for services used when browsing AWS console (e.g. resource-groups, tag, health services) | `bool` | `true` | no |
 | <a name="input_allowed_services"></a> [allowed\_services](#input\_allowed\_services) | List of services to allow Get/List/Describe/View options. Service name should be the same as corresponding service IAM prefix. See what it is for each service here https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html | `list(string)` | `[]` | no |
 | <a name="input_create"></a> [create](#input\_create) | Controls if resources should be created (affects all resources) | `bool` | `true` | no |
 | <a name="input_create_policy"></a> [create\_policy](#input\_create\_policy) | Controls if IAM policy should be created. Set to `false` to generate the policy JSON without creating the policy itself | `bool` | `true` | no |
-| <a name="input_description"></a> [description](#input\_description) | The description of the policy | `string` | `"IAM Policy"` | no |
+| <a name="input_description"></a> [description](#input\_description) | The description of the policy | `string` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to use on IAM policy created | `string` | `null` | no |
-| <a name="input_path"></a> [path](#input\_path) | Path of IAM policy | `string` | `"/"` | no |
+| <a name="input_override_inline_policy_documents"></a> [override\_inline\_policy\_documents](#input\_override\_inline\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid` | `list(string)` | `[]` | no |
+| <a name="input_path"></a> [path](#input\_path) | Path of IAM policy | `string` | `null` | no |
+| <a name="input_source_inline_policy_documents"></a> [source\_inline\_policy\_documents](#input\_source\_inline\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
 | <a name="input_use_name_prefix"></a> [use\_name\_prefix](#input\_use\_name\_prefix) | Determines whether the IAM policy name (`name`) is used as a prefix | `bool` | `true` | no |
 | <a name="input_web_console_services"></a> [web\_console\_services](#input\_web\_console\_services) | List of web console services to allow | `list(string)` | <pre>[<br/>  "resource-groups",<br/>  "tag",<br/>  "health",<br/>  "ce"<br/>]</pre> | no |

modules/iam-read-only-policy/main.tf

@@ -17,7 +17,8 @@ resource "aws_iam_policy" "policy" {
 data "aws_iam_policy_document" "this" {
   count = var.create ? 1 : 0
 
-  source_policy_documents = [var.additional_policy_json]
+  source_policy_documents   = var.source_inline_policy_documents
+  override_policy_documents = var.override_inline_policy_documents
 
   dynamic "statement" {
     for_each = toset(distinct(var.allowed_services))