docs: Capture before/after in upgrade guide from testing

Author: bryantbiggs

docs/UPGRADE-6.0.md

@@ -140,6 +140,26 @@ module "iam_role_github_oidc" {
   tags = local.tags
 }
 
+################################################################################
+# IAM Role - CircleCI OIDC
+################################################################################
+
+module "iam_role_github_oidc" {
+  source = "../../modules/iam-role"
+
+  name = local.name
+
+  enable_oidc        = true
+  oidc_provider_urls = ["oidc.circleci.com/org/<CIRCLECI_ORG_UUID>"]
+  oidc_audiences     = ["<CIRCLECI_ORG_UUID>"]
+
+  policies = {
+    AmazonEC2ContainerRegistryPowerUser = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"
+  }
+
+  tags = local.tags
+}
+
 ################################################################################
 # IAM Role - SAML 2.0
 ################################################################################

examples/iam-role/main.tf

@@ -39,7 +39,7 @@ resource "aws_iam_group_membership" "this" {
 ################################################################################
 
 locals {
-  create_policy = var.create && var.create_policy && (var.enable_self_management_permissions || length(var.permission_statements) > 0)
+  create_policy = var.create && var.create_policy && (var.enable_self_management_permissions || var.permission_statements != null)
 
   policy_name = try(coalesce(var.policy_name, var.name), "")
 }
@@ -174,7 +174,8 @@ data "aws_iam_policy_document" "this" {
     for_each = var.enable_self_management_permissions && var.enable_mfa_enforcment ? [1] : []
 
     content {
-      sid = "DenyAllExceptListedIfNoMFA"
+      sid    = "DenyAllExceptListedIfNoMFA"
+      effect = "Deny"
       not_actions = [
         "iam:CreateVirtualMFADevice",
         "iam:EnableMFADevice",

modules/iam-group/main.tf

@@ -0,0 +1,13 @@
+################################################################################
+# Migrations: v5.60 -> v6.0
+################################################################################
+
+moved {
+  from = aws_iam_policy.iam_self_management
+  to   = aws_iam_policy.this
+}
+
+moved {
+  from = aws_iam_group_policy_attachment.iam_self_management
+  to   = aws_iam_group_policy_attachment.this
+}

modules/iam-group/migrations.tf

@@ -169,7 +169,7 @@ resource "aws_iam_role_policy_attachment" "this" {
 ################################################################################
 
 locals {
-  create_iam_role_inline_policy = var.create && length(var.inline_policy_statements) > 0
+  create_iam_role_inline_policy = var.create && var.inline_policy_statements
 }
 
 data "aws_iam_policy_document" "inline" {

modules/iam-role-for-service-accounts/main.tf

@@ -166,10 +166,10 @@ No modules.
 | <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours | `number` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to use on IAM role created | `string` | `null` | no |
 | <a name="input_oidc_account_id"></a> [oidc\_account\_id](#input\_oidc\_account\_id) | An overriding AWS account ID where the OIDC provider lives; leave empty to use the current account ID for the AWS provider | `string` | `null` | no |
-| <a name="input_oidc_audiences"></a> [oidc\_audiences](#input\_oidc\_audiences) | The audience to be added to the role policy. Set to sts.amazonaws.com for cross-account assumable role. Leave empty otherwise. | `set(string)` | `[]` | no |
+| <a name="input_oidc_audiences"></a> [oidc\_audiences](#input\_oidc\_audiences) | The audience to be added to the role policy. Set to sts.amazonaws.com for cross-account assumable role. Leave empty otherwise. | `list(string)` | `[]` | no |
 | <a name="input_oidc_provider_urls"></a> [oidc\_provider\_urls](#input\_oidc\_provider\_urls) | List of URLs of the OIDC Providers | `list(string)` | `[]` | no |
-| <a name="input_oidc_subjects"></a> [oidc\_subjects](#input\_oidc\_subjects) | The fully qualified OIDC subjects to be added to the role policy | `set(string)` | `[]` | no |
-| <a name="input_oidc_wildcard_subjects"></a> [oidc\_wildcard\_subjects](#input\_oidc\_wildcard\_subjects) | The OIDC subject using wildcards to be added to the role policy | `set(string)` | `[]` | no |
+| <a name="input_oidc_subjects"></a> [oidc\_subjects](#input\_oidc\_subjects) | The fully qualified OIDC subjects to be added to the role policy | `list(string)` | `[]` | no |
+| <a name="input_oidc_wildcard_subjects"></a> [oidc\_wildcard\_subjects](#input\_oidc\_wildcard\_subjects) | The OIDC subject using wildcards to be added to the role policy | `list(string)` | `[]` | no |
 | <a name="input_path"></a> [path](#input\_path) | Path of IAM role | `string` | `"/"` | no |
 | <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
 | <a name="input_policies"></a> [policies](#input\_policies) | Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format | `map(string)` | `{}` | no |

modules/iam-role/README.md

@@ -306,7 +306,7 @@ resource "aws_iam_role_policy_attachment" "this" {
 ################################################################################
 
 locals {
-  create_iam_role_inline_policy = var.create && length(var.inline_policy_statements) > 0
+  create_iam_role_inline_policy = var.create && var.inline_policy_statements != null
 }
 
 data "aws_iam_policy_document" "inline" {

modules/iam-role/main.tf

@@ -112,19 +112,19 @@ variable "oidc_provider_urls" {
 
 variable "oidc_subjects" {
   description = "The fully qualified OIDC subjects to be added to the role policy"
-  type        = set(string)
+  type        = list(string)
   default     = []
 }
 
 variable "oidc_wildcard_subjects" {
   description = "The OIDC subject using wildcards to be added to the role policy"
-  type        = set(string)
+  type        = list(string)
   default     = []
 }
 
 variable "oidc_audiences" {
   description = "The audience to be added to the role policy. Set to sts.amazonaws.com for cross-account assumable role. Leave empty otherwise."
-  type        = set(string)
+  type        = list(string)
   default     = []
 }