fix: Correct IAM policy statement variables

Author: bryantbiggs

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.99.5
+    rev: v1.100.0
     hooks:
       - id: terraform_fmt
       - id: terraform_wrapper_module_for_each

examples/iam-account/README.md

@@ -44,6 +44,5 @@ No inputs.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_caller_identity_account_id"></a> [caller\_identity\_account\_id](#output\_caller\_identity\_account\_id) | The ID of the AWS account |
 | <a name="output_iam_account_password_policy_expire_passwords"></a> [iam\_account\_password\_policy\_expire\_passwords](#output\_iam\_account\_password\_policy\_expire\_passwords) | Indicates whether passwords in the account expire. Returns true if max\_password\_age contains a value greater than 0. Returns false if it is 0 or not present. |
 <!-- END_TF_DOCS -->

examples/iam-account/main.tf

@@ -2,9 +2,10 @@ provider "aws" {
   region = "eu-west-1"
 }
 
-##############
+################################################################################
 # IAM account
-##############
+################################################################################
+
 module "iam_account" {
   source = "../../modules/iam-account"
 

examples/iam-account/outputs.tf

@@ -1,8 +1,3 @@
-output "caller_identity_account_id" {
-  description = "The ID of the AWS account"
-  value       = module.iam_account.caller_identity_account_id
-}
-
 output "iam_account_password_policy_expire_passwords" {
   description = "Indicates whether passwords in the account expire. Returns true if max_password_age contains a value greater than 0. Returns false if it is 0 or not present."
   value       = module.iam_account.iam_account_password_policy_expire_passwords

examples/iam-group/main.tf

@@ -26,13 +26,12 @@ module "iam_group" {
     module.iam_user2.name,
   ]
 
-  permission_statements = [
-    {
-      sid       = "AssumeRole"
+  permission_statements = {
+    AssumeRole = {
       actions   = ["sts:AssumeRole"]
       resources = ["arn:aws:iam::111111111111:role/admin"]
     }
-  ]
+  }
 
   policies = {
     ReadOnlyAccess = "arn:aws:iam::aws:policy/ReadOnlyAccess"

examples/iam-role-for-service-accounts/README.md

@@ -41,7 +41,7 @@ Run `terraform destroy` when you don't need these resources.
 | <a name="module_ebs_csi_irsa"></a> [ebs\_csi\_irsa](#module\_ebs\_csi\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_ebs_csi_irsa_v2"></a> [ebs\_csi\_irsa\_v2](#module\_ebs\_csi\_irsa\_v2) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_efs_csi_irsa"></a> [efs\_csi\_irsa](#module\_efs\_csi\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
-| <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 19.10 |
+| <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 21.0 |
 | <a name="module_external_dns_irsa"></a> [external\_dns\_irsa](#module\_external\_dns\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_external_secrets_irsa"></a> [external\_secrets\_irsa](#module\_external\_secrets\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_fsx_lustre_csi_irsa"></a> [fsx\_lustre\_csi\_irsa](#module\_fsx\_lustre\_csi\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
@@ -53,7 +53,7 @@ Run `terraform destroy` when you don't need these resources.
 | <a name="module_load_balancer_controller_targetgroup_binding_only_irsa"></a> [load\_balancer\_controller\_targetgroup\_binding\_only\_irsa](#module\_load\_balancer\_controller\_targetgroup\_binding\_only\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_node_termination_handler_irsa"></a> [node\_termination\_handler\_irsa](#module\_node\_termination\_handler\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_velero_irsa"></a> [velero\_irsa](#module\_velero\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
 | <a name="module_vpc_cni_ipv4_irsa"></a> [vpc\_cni\_ipv4\_irsa](#module\_vpc\_cni\_ipv4\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 | <a name="module_vpc_cni_ipv6_irsa"></a> [vpc\_cni\_ipv6\_irsa](#module\_vpc\_cni\_ipv6\_irsa) | ../../modules/iam-role-for-service-accounts | n/a |
 

examples/iam-role-for-service-accounts/main.tf

@@ -48,14 +48,13 @@ module "irsa_v2_custom_policy" {
   name = "${local.name}-custom-name"
 
   enable_irsa_v2 = true
-  policy_statements = [
-    {
-      sid       = "DescribeEc2"
+  policy_statements = {
+    DescribeEc2 = {
       actions   = ["ec2:Describe*"]
       effect    = "Allow"
       resources = ["*"]
     }
-  ]
+  }
 
   tags = local.tags
 }
@@ -399,7 +398,7 @@ module "vpc_cni_ipv6_irsa" {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 3.0"
+  version = "~> 6.0"
 
   name = local.name
   cidr = local.vpc_cidr
@@ -408,9 +407,8 @@ module "vpc" {
   private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
   public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)]
 
-  enable_nat_gateway   = true
-  single_nat_gateway   = true
-  enable_dns_hostnames = true
+  enable_nat_gateway = true
+  single_nat_gateway = true
 
   public_subnet_tags = {
     "kubernetes.io/role/elb" = 1
@@ -425,16 +423,31 @@ module "vpc" {
 
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 19.10"
+  version = "~> 21.0"
 
-  cluster_name    = local.name
-  cluster_version = "1.25"
+  name               = local.name
+  kubernetes_version = "1.33"
 
   vpc_id     = module.vpc.vpc_id
   subnet_ids = module.vpc.private_subnets
 
+  addons = {
+    coredns    = {}
+    kube-proxy = {}
+    vpc-cni = {
+      before_compute = true
+    }
+  }
+
   eks_managed_node_groups = {
-    default = {}
+    example = {
+      ami_type       = "AL2023_x86_64_STANDARD"
+      instance_types = ["m5.xlarge"]
+
+      min_size     = 1
+      max_size     = 2
+      desired_size = 1
+    }
   }
 
   tags = local.tags

examples/iam-role-for-service-accounts/outputs.tf

@@ -21,6 +21,7 @@ output "irsa_unique_id" {
   description = "Unique ID of IAM role"
   value       = module.irsa.unique_id
 }
+
 ################################################################################
 # IAM Policy
 ################################################################################

examples/iam-role-saml/main.tf

@@ -45,11 +45,13 @@ module "iam_roles" {
       }
     }
     poweruser = {
-      PowerUserAccess = "arn:aws:iam::aws:policy/PowerUserAccess"
+      policies = {
+        PowerUserAccess = "arn:aws:iam::aws:policy/PowerUserAccess"
+      }
     }
   }
 
-  name_prefix = "${each.key}-"
+  name = each.key
 
   saml_provider_ids = [aws_iam_saml_provider.this.id]
   policies          = each.value.policies

examples/iam-role/README.md

@@ -32,7 +32,7 @@ Run `terraform destroy` when you don't need these resources.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_iam_role_conditions"></a> [iam\_role\_conditions](#module\_iam\_role\_conditions) | ../../modules/iam-role | n/a |
+| <a name="module_iam_role_condition"></a> [iam\_role\_condition](#module\_iam\_role\_condition) | ../../modules/iam-role | n/a |
 | <a name="module_iam_role_disabled"></a> [iam\_role\_disabled](#module\_iam\_role\_disabled) | ../../modules/iam-role | n/a |
 | <a name="module_iam_role_instance_profile"></a> [iam\_role\_instance\_profile](#module\_iam\_role\_instance\_profile) | ../../modules/iam-role | n/a |
 | <a name="module_iam_roles"></a> [iam\_roles](#module\_iam\_roles) | ../../modules/iam-role | n/a |
@@ -52,13 +52,13 @@ No inputs.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_conditions_iam_instance_profile_arn"></a> [conditions\_iam\_instance\_profile\_arn](#output\_conditions\_iam\_instance\_profile\_arn) | ARN assigned by AWS to the instance profile |
-| <a name="output_conditions_iam_instance_profile_id"></a> [conditions\_iam\_instance\_profile\_id](#output\_conditions\_iam\_instance\_profile\_id) | Instance profile's ID |
-| <a name="output_conditions_iam_instance_profile_name"></a> [conditions\_iam\_instance\_profile\_name](#output\_conditions\_iam\_instance\_profile\_name) | Name of IAM instance profile |
-| <a name="output_conditions_iam_instance_profile_unique_id"></a> [conditions\_iam\_instance\_profile\_unique\_id](#output\_conditions\_iam\_instance\_profile\_unique\_id) | Stable and unique string identifying the IAM instance profile |
-| <a name="output_conditions_iam_role_arn"></a> [conditions\_iam\_role\_arn](#output\_conditions\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
-| <a name="output_conditions_iam_role_name"></a> [conditions\_iam\_role\_name](#output\_conditions\_iam\_role\_name) | The name of the IAM role |
-| <a name="output_conditions_iam_role_unique_id"></a> [conditions\_iam\_role\_unique\_id](#output\_conditions\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
+| <a name="output_condition_iam_instance_profile_arn"></a> [condition\_iam\_instance\_profile\_arn](#output\_condition\_iam\_instance\_profile\_arn) | ARN assigned by AWS to the instance profile |
+| <a name="output_condition_iam_instance_profile_id"></a> [condition\_iam\_instance\_profile\_id](#output\_condition\_iam\_instance\_profile\_id) | Instance profile's ID |
+| <a name="output_condition_iam_instance_profile_name"></a> [condition\_iam\_instance\_profile\_name](#output\_condition\_iam\_instance\_profile\_name) | Name of IAM instance profile |
+| <a name="output_condition_iam_instance_profile_unique_id"></a> [condition\_iam\_instance\_profile\_unique\_id](#output\_condition\_iam\_instance\_profile\_unique\_id) | Stable and unique string identifying the IAM instance profile |
+| <a name="output_condition_iam_role_arn"></a> [condition\_iam\_role\_arn](#output\_condition\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| <a name="output_condition_iam_role_name"></a> [condition\_iam\_role\_name](#output\_condition\_iam\_role\_name) | The name of the IAM role |
+| <a name="output_condition_iam_role_unique_id"></a> [condition\_iam\_role\_unique\_id](#output\_condition\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
 | <a name="output_instance_profile_iam_instance_profile_arn"></a> [instance\_profile\_iam\_instance\_profile\_arn](#output\_instance\_profile\_iam\_instance\_profile\_arn) | ARN assigned by AWS to the instance profile |
 | <a name="output_instance_profile_iam_instance_profile_id"></a> [instance\_profile\_iam\_instance\_profile\_id](#output\_instance\_profile\_iam\_instance\_profile\_id) | Instance profile's ID |
 | <a name="output_instance_profile_iam_instance_profile_name"></a> [instance\_profile\_iam\_instance\_profile\_name](#output\_instance\_profile\_iam\_instance\_profile\_name) | Name of IAM instance profile |