chore: Add variable/output changes to upgrade guide

Author: bryantbiggs

.pre-commit-config.yaml

@@ -24,7 +24,7 @@ repos:
           - '--args=--only=terraform_workspace_remote'
       - id: terraform_validate
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
+    rev: v6.0.0
     hooks:
       - id: check-merge-conflict
       - id: end-of-file-fixer

README.md

@@ -192,6 +192,10 @@ module "iam_role_saml" {
 
 ### IAM Role for EKS Service Accounts (IRSA)
 
+> [!TIP]
+> Upgrade to use EKS Pod Identity instead of IRSA
+> A similar module for EKS Pod Identity is available [here](https://github.com/terraform-aws-modules/terraform-aws-eks-pod-identity).
+
 Creates an IAM role that is suitable for EKS IAM role for service accounts (IRSA) with a set of pre-defined policies for common EKS addons.
 
 ```hcl

docs/UPGRADE-6.0.md

@@ -6,6 +6,8 @@ If you find a bug, please open an issue with supporting configuration to reprodu
 
 ## List of backwards incompatible changes
 
+- `iam-account`:
+    - The `aws_caller_identity` data source and associated outputs have been removed. Users should instead use the data source directly in their configuration
 - `iam-assumable-role` has been renamed to `iam-role`
 - `iam-assumable-role-with-oidc` has been merged into `iam-role`
 - `iam-assumable-role-with-saml` has been merged into `iam-role`
@@ -17,6 +19,10 @@ If you find a bug, please open an issue with supporting configuration to reprodu
 - `iam-group-with-assumable-roles-policy` has been merged into `iam-group`
 - `iam-eks-role` has been removed; `iam-role-for-service-accounts` or [`eks-pod-identity`](https://github.com/terraform-aws-modules/terraform-aws-eks-pod-identity) should be used instead
 - `iam-policy` has been removed; the `aws_iam_policy` resource should be used directly instead
+- `iam-role-for-service-accounts`:
+    - Individual policy creation and attachment has been consolidated under one policy creation and attachment
+    - Default values that enable permissive permissions have been removed; users will need to be explicit about the scope of access (i.e. ARNs) they provide when enabling permissions
+    - AppMesh policy support has been removed due to service reaching end of support
 
 ```mermaid
 stateDiagram
@@ -69,6 +75,8 @@ stateDiagram
 
 1. Removed variables:
 
+    - `iam-account`
+        - `get_caller_identity`
     - `iam-role`
         - `trusted_role_actions`
         - `trusted_role_arns`
@@ -85,6 +93,24 @@ stateDiagram
     - `iam-group`
         - `custom_group_policies`
         - `assumable_roles`
+    - `iam-oidc-provider`
+        - `additional_thumbprints` - no longer required by GitHub
+    - `iam-role-for-service-accounts`
+        - `cluster_autoscaler_cluster_ids` - use `cluster_autoscaler_cluster_names` instead
+        - `role_name_prefix` - functionality covered under `name`
+        - `policy_name_prefix` - functionality covered under `policy_name`
+        - `allow_self_assume_role`
+        - `attach_karpenter_controller_policy`
+        - `karpenter_controller_cluster_id`
+        - `karpenter_controller_cluster_name`
+        - `karpenter_tag_key`
+        - `karpenter_controller_ssm_parameter_arns`
+        - `karpenter_controller_node_iam_role_arns`
+        - `karpenter_subnet_account_id`
+        - `karpenter_sqs_queue_arn`
+        - `enable_karpenter_instance_profile_creation`
+        - `attach_appmesh_controller_policy`
+        - `attach_appmesh_envoy_proxy_policy`
 
 2. Renamed variables:
 
@@ -103,19 +129,52 @@ stateDiagram
         - `attach_iam_self_management_policy` -> `create_policy`
         - `iam_self_management_policy_name_prefix` -> `policy_name_prefix`
         - `aws_account_id` -> `users_account_id`
+    - `iam-read-only-policy`
+        - `name_prefix` (string) -> `use_name_prefix` (bool)
+    - `iam-role-for-service-accounts`
+        - `create_role` -> `create`
+        - `role_name` -> `name`
+        - `role_path` -> `path`
+        - `role_name_prefix` (string) -> `use_name_prefix` (bool)
+        - `role_permissions_boundary_arn` -> `permissions_boundary`
+        - `role_description` -> `description`
+        - `role_policy_arns` -> `policies`
+        - `ebs_csi_kms_cmk_ids` -> `ebs_csi_kms_cmk_arns`
+    - `iam-user`
+        - `create_user` -> `create`
+        - `create_iam_user_login_profile` -> `create_login_profile`
+        - `create_iam_access_key` -> `create_access_key`
+        - `iam_access_key_status` -> `access_key_status`
+        - `policy_arns` -> `policies`
+        - `upload_iam_user_ssh_key` -> `create_ssh_key`
 
 3. Added variables:
 
+    - `iam-account`
+        - `create`
     - `iam-role`
         - `assume_role_policy_statements` which allows for any number of custom statements to be added to the role's trust policy. This covers the majority of the variables that were removed
     - `iam-group`
         - `permission_statements` which allows for any number of custom statements to be added to the role's trust policy. This covers the majority of the variables that were removed
         - `path`/`policy_path`
         - `create_policy`
         - `enable_mfa_enforcment`
+    - `iam-read-only-policy`
+        - `create`
+    - `iam-role-for-service-accounts`
+        - `create_policy`
+        - `source_policy_documents`
+        - `override_policy_documents`
+        - `policy_statements`
+        - `policy_name`
+        - `policy_description`
 
 4. Removed outputs:
 
+    - `iam-account`
+        - `caller_identity_account_id`
+        - `caller_identity_arn`
+        - `caller_identity_user_id`
     - `iam-role`
         - `iam_role_path`
         - `role_requires_mfa`
@@ -124,6 +183,18 @@ stateDiagram
     - `iam-group`
         - `assumable_roles`
         - `aws_account_id`
+    - `iam-read-only-policy`
+        - `description`
+        - `path`
+    - `iam-user`
+        - `pgp_key`
+        - `keybase_password_decrypt_command`
+        - `keybase_password_pgp_message`
+        - `keybase_secret_key_decrypt_command`
+        - `keybase_secret_key_pgp_message`
+        - `keybase_ses_smtp_password_v4_decrypt_command`
+        - `keybase_ses_smtp_password_v4_pgp_message`
+        - `policy_arns`
 
 5. Renamed outputs:
 
@@ -140,6 +211,22 @@ stateDiagram
         - `group_name` -> `name`
         - `group_arn` -> `arn`
         - `group_users` -> `users`
+    - `iam-user`
+        - `iam_user_arn` -> `arn`
+        - `iam_user_name` -> `name`
+        - `iam_user_unique_id` -> `unique_id`
+        - `iam_user_login_profile_password` -> `login_profile_password`
+        - `iam_user_login_profile_key_fingerprint` -> `login_profile_key_fingerprint`
+        - `iam_user_login_profile_encrypted_password` -> `login_profile_encrypted_password`
+        - `iam_access_key_id` -> `access_key_id`
+        - `iam_access_key_secret` -> `access_key_secret`
+        - `iam_access_key_key_fingerprint` -> `access_key_key_fingerprint`
+        - `iam_access_key_encrypted_secret` -> `access_key_encrypted_secret`
+        - `iam_access_key_ses_smtp_password_v4` -> `access_key_ses_smtp_password_v4`
+        - `iam_access_key_encrypted_ses_smtp_password_v4` -> `access_key_encrypted_ses_smtp_password_v4`
+        - `iam_access_key_status` -> `access_key_status`
+        - `iam_user_ssh_key_ssh_public_key_id` -> `ssh_key_public_key_id`
+        - `iam_user_ssh_key_fingerprint` -> `ssh_key_fingerprint`
 
 6. Added outputs:
 
@@ -149,6 +236,12 @@ stateDiagram
 
 ### Diff of before <> after
 
+#### `iam-account`
+
+None
+
+
+
 #### `iam-role`
 
 ```diff

examples/iam-role-for-service-accounts/README.md

@@ -1,5 +1,9 @@
 # AWS IAM Role for Service Accounts in EKS
 
+> [!TIP]
+> Upgrade to use EKS Pod Identity instead of IRSA
+> A similar module for EKS Pod Identity is available [here](https://github.com/terraform-aws-modules/terraform-aws-eks-pod-identity).
+
 Configuration in this directory creates IAM roles that can be assumed by multiple EKS `ServiceAccount`s for various tasks.
 
 # Usage

modules/iam-read-only-policy/README.md

@@ -1,4 +1,4 @@
-### AWS IAM ReadOnly Policy Terraform Module
+# AWS IAM ReadOnly Policy Terraform Module
 
 Creates an IAM policy that allows read-only access to the list of AWS services provided.
 

modules/iam-role-for-service-accounts/migrations.tf

@@ -0,0 +1,168 @@
+################################################################################
+# Migrations: v5.60 -> v6.0
+################################################################################
+
+# AWS Gateway Controller
+moved {
+  from = aws_iam_policy.aws_gateway_controller
+  to   = aws_iam_policy.this
+}
+
+moved {
+  from = aws_iam_role_policy_attachment.aws_gateway_controller
+  to   = aws_iam_policy.this
+}
+
+# Cert Manager
+moved {
+  from = aws_iam_policy.cert_manager
+  to   = aws_iam_policy.this
+}
+
+moved {
+  from = aws_iam_role_policy_attachment.cert_manager
+  to   = aws_iam_policy.this
+}
+
+# Cluster Autoscaler
+moved {
+  from = aws_iam_policy.cluster_autoscaler
+  to   = aws_iam_policy.this
+}
+
+moved {
+  from = aws_iam_role_policy_attachment.cluster_autoscaler
+  to   = aws_iam_policy.this
+}
+
+# EBS CSI
+moved {
+  from = aws_iam_policy.ebs_csi
+  to   = aws_iam_policy.this
+}
+
+moved {
+  from = aws_iam_role_policy_attachment.ebs_csi
+  to   = aws_iam_policy.this
+}
+
+# EFS CSI
+moved {
+  from = aws_iam_policy.efs_csi
+  to   = aws_iam_policy.this
+}
+
+moved {
+  from = aws_iam_role_policy_attachment.efs_csi
+  to   = aws_iam_policy.this
+}
+
+# Mountpoint S3 CSI
+moved {
+  from = aws_iam_policy.mountpoint_s3_csi
+  to   = aws_iam_policy.this
+}
+
+moved {
+  from = aws_iam_role_policy_attachment.mountpoint_s3_csi
+  to   = aws_iam_policy.this
+}
+
+# External DNS
+moved {
+  from = aws_iam_policy.external_dns
+  to   = aws_iam_policy.this
+}
+
+moved {
+  from = aws_iam_role_policy_attachment.external_dns
+  to   = aws_iam_policy.this
+}
+
+# External Secrets
+moved {
+  from = aws_iam_policy.external_secrets
+  to   = aws_iam_policy.this
+}
+
+moved {
+  from = aws_iam_role_policy_attachment.external_secrets
+  to   = aws_iam_policy.this
+}
+
+# FSx OpenZFS CSI
+moved {
+  from = aws_iam_policy.fsx_openzfs_csi
+  to   = aws_iam_policy.this
+}
+
+moved {
+  from = aws_iam_role_policy_attachment.fsx_openzfs_csi
+  to   = aws_iam_policy.this
+}
+
+# AWS Load Balancer Controller
+moved {
+  from = aws_iam_policy.load_balancer_controller
+  to   = aws_iam_policy.this
+}
+
+moved {
+  from = aws_iam_role_policy_attachment.load_balancer_controller
+  to   = aws_iam_policy.this
+}
+
+# AWS Load Balancer Controller - Target Group Binding Only
+moved {
+  from = aws_iam_policy.load_balancer_controller_targetgroup_only
+  to   = aws_iam_policy.this
+}
+
+moved {
+  from = aws_iam_role_policy_attachment.load_balancer_controller_targetgroup_only
+  to   = aws_iam_policy.this
+}
+
+# Amazon Managed Service for Prometheus
+moved {
+  from = aws_iam_policy.amazon_managed_service_prometheus
+  to   = aws_iam_policy.this
+}
+
+moved {
+  from = aws_iam_role_policy_attachment.amazon_managed_service_prometheus
+  to   = aws_iam_policy.this
+}
+
+# Node Termination Handler
+moved {
+  from = aws_iam_policy.node_termination_handler
+  to   = aws_iam_policy.this
+}
+
+moved {
+  from = aws_iam_role_policy_attachment.node_termination_handler
+  to   = aws_iam_policy.this
+}
+
+# Velero
+moved {
+  from = aws_iam_policy.velero
+  to   = aws_iam_policy.this
+}
+
+moved {
+  from = aws_iam_role_policy_attachment.velero
+  to   = aws_iam_policy.this
+}
+
+# VPC CNI
+moved {
+  from = aws_iam_policy.vpc_cni
+  to   = aws_iam_policy.this
+}
+
+moved {
+  from = aws_iam_role_policy_attachment.vpc_cni
+  to   = aws_iam_policy.this
+}

modules/iam-user/README.md

@@ -50,6 +50,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_iam_access_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
+| [aws_iam_role_policy_attachment.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_user.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
 | [aws_iam_user_login_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile) | resource |
 | [aws_iam_user_ssh_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_ssh_key) | resource |
@@ -70,6 +71,7 @@ No modules.
 | <a name="input_path"></a> [path](#input\_path) | Desired path for the IAM user | `string` | `"/"` | no |
 | <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | The ARN of the policy that is used to set the permissions boundary for the user | `string` | `null` | no |
 | <a name="input_pgp_key"></a> [pgp\_key](#input\_pgp\_key) | Either a base-64 encoded PGP public key, or a keybase username in the form `keybase:username`. Used to encrypt password and access key | `string` | `null` | no |
+| <a name="input_policies"></a> [policies](#input\_policies) | Policies to attach to the IAM user in `{'static_name' = 'policy_arn'}` format | `map(string)` | `{}` | no |
 | <a name="input_ssh_key_encoding"></a> [ssh\_key\_encoding](#input\_ssh\_key\_encoding) | Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM | `string` | `"SSH"` | no |
 | <a name="input_ssh_public_key"></a> [ssh\_public\_key](#input\_ssh\_public\_key) | The SSH public key. The public key must be encoded in ssh-rsa format or PEM format | `string` | `""` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |

modules/iam-user/main.tf

@@ -13,6 +13,13 @@ resource "aws_iam_user" "this" {
   tags = var.tags
 }
 
+resource "aws_iam_role_policy_attachment" "additional" {
+  for_each = { for k, v in var.policies : k => v if var.create }
+
+  role       = aws_iam_user.this[0].name
+  policy_arn = each.value
+}
+
 ################################################################################
 # User Login Profile
 ################################################################################