update var manes. comply with some precommit rules

adamwolfe-tc · adamwolfe-tc · commit 4269d4cd7b30 · 2024-04-18T17:28:04.000-05:00
diff --git a/README.md b/README.md
@@ -57,14 +57,14 @@ We recommend using GitLab's OIDC issuer to get short-lived credentials needed fo
 IMPORTANT: The master branch is used in source just as an example. In your code, do not pin to master because there may be breaking changes between releases. Instead pin to the release tag (e.g. ?ref=tags/x.y.z) of one of our [latest releases](https://github.com/terraform-module/terraform-aws-gitlab-oidc-provider/releases).
 
 ```hcl
-module "gitlab-oidc" {
+module "gitlab_oidc" {
   source  = "terraform-module/gitlab-oidc-provider/aws"
   version = "~> 1"
 
   create_oidc_provider = true
   create_oidc_role     = true
 
-  repositories              = ["terraform-module/module-blueprint"]
+  project_paths             = ["project_path:terraform-module/module-blueprint", "project_path:foo/bar"]
   oidc_role_attach_policies = ["arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"]
 }
 ```
diff --git a/examples/basic/README.md b/examples/basic/README.md
@@ -15,5 +15,34 @@ $ terraform apply
 Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
 
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_gitlab_oidc"></a> [gitlab\_oidc](#module\_gitlab\_oidc) | ../.. | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_oidc_provider_arn"></a> [oidc\_provider\_arn](#output\_oidc\_provider\_arn) | OIDC provider ARN |
+| <a name="output_oidc_role"></a> [oidc\_role](#output\_oidc\_role) | CICD GiLab role. |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
@@ -1,3 +1,7 @@
+terraform {
+  required_version = ">= 1.0"
+}
+
 ################################################################################
 # Resources
 ################################################################################
@@ -8,7 +12,7 @@ module "gitlab_oidc" {
   create_oidc_provider = true
   create_oidc_role     = true
 
-  repositories              = ["terraform-module/terraform-aws-gitlab-oidc-provider"]
+  project_paths             = ["project_path:terraform-module/terraform-aws-gitlab-oidc-provider"]
   oidc_role_attach_policies = ["arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"]
 }
 
diff --git a/main.tf b/main.tf
@@ -2,9 +2,10 @@
  * # AWS Gitlab OIDC Provider Terraform Module
  *
  * ## Purpose
- * This module allows you to create a Gitlab OIDC provider for your AWS account, that will help Gitlab Actions to securely authenticate against the AWS API using an IAM role
+ * This module allows you to create a Gitlab OIDC provider for your AWS account, that will allow Gitlab pipelines to securely authenticate against the AWS API using an IAM role
  *
 */
+
 data "tls_certificate" "gitlab" {
   url = var.gitlab_tls_url
 }
@@ -13,7 +14,7 @@ resource "aws_iam_openid_connect_provider" "this" {
   count = var.create_oidc_provider ? 1 : 0
 
   client_id_list  = var.aud_value
-  thumbprint_list = ["${data.tls_certificate.gitlab.certificates.0.sha1_fingerprint}"]
+  thumbprint_list = [data.tls_certificate.gitlab.certificates[0].sha1_fingerprint]
   url             = var.url
 }
 
@@ -22,7 +23,7 @@ resource "aws_iam_role" "this" {
   name                 = var.role_name
   description          = var.role_description
   max_session_duration = var.max_session_duration
-  assume_role_policy   = join("", data.aws_iam_policy_document.this.*.json)
+  assume_role_policy   = join("", data.aws_iam_policy_document.this[*].json)
   tags                 = var.tags
 
   depends_on = [aws_iam_openid_connect_provider.this]
@@ -32,7 +33,7 @@ resource "aws_iam_role_policy_attachment" "attach" {
   count = var.create_oidc_role ? length(var.oidc_role_attach_policies) : 0
 
   policy_arn = var.oidc_role_attach_policies[count.index]
-  role       = join("", aws_iam_role.this.*.name)
+  role       = join("", aws_iam_role.this[*].name)
 
   depends_on = [aws_iam_role.this]
 }
@@ -48,8 +49,8 @@ data "aws_iam_policy_document" "this" {
 
       condition {
         test     = "StringLike"
-        values   = var.projects
-        variable = "${join("", aws_iam_openid_connect_provider.this.*.url)}:${var.match_field}"
+        values   = var.project_paths
+        variable = "${join("", aws_iam_openid_connect_provider.this[*].url)}:${var.match_field}"
       }
 
       principals {
diff --git a/outputs.tf b/outputs.tf
@@ -14,5 +14,6 @@ output "thumbprint" {
 }
 
 output "policy_document" {
-  value = join("", data.aws_iam_policy_document.this.*.json)
+  description = "joined IAM policy documents"
+  value       = join("", data.aws_iam_policy_document.this[*].json)
 }
diff --git a/variables.tf b/variables.tf
@@ -34,7 +34,7 @@ variable "role_description" {
   default     = "Role assumed by the Gitlab OIDC provider."
 }
 
-variable "projects" {
+variable "project_paths" {
   description = "List of GitLab namesapce/project names authorized to assume the role."
   type        = list(string)
   default     = []
@@ -43,9 +43,9 @@ variable "projects" {
     # Ensures each element of gitlab_projects list matches the
     # namespace/project format used by GitLab.
     condition = length([
-      for proj in var.projects : 1
-      if length(regexall("[A-Za-z0-9_.-]+?/([A-Za-z0-9_.:/-]+|\\*)$", proj)) > 0
-    ]) == length(var.projects)
+      for path in var.project_paths : 1
+      if length(regexall("project_path:[A-Za-z0-9_.-]+?/([A-Za-z0-9_.:/-]+|\\*)$", path)) > 0
+    ]) == length(var.project_paths)
     error_message = "Projects must be specified in the namespace/project format."
   }
 }
@@ -68,18 +68,14 @@ variable "oidc_role_attach_policies" {
 }
 
 variable "match_field" {
-  type    = string
-  default = "sub"
-}
-
-variable "gitlab_url" {
-  type    = string
-  default = "https://gitlab.com"
+  description = "the token field the OIDC provider filter on"
+  type        = string
+  default     = "sub"
 }
 
 variable "gitlab_tls_url" {
-  type = string
-  # Avoid using https scheme because the Hashicorp TLS provider has started following redirects starting v4.
+  type        = string
+  description = "the Hashicorp TLS provider has started following redirects starting v4. so we use tls://"
   # See https://github.com/hashicorp/terraform-provider-tls/issues/249
   default = "tls://gitlab.com:443"
 }
diff --git a/versions.tf b/versions.tf
@@ -1,3 +1,14 @@
 terraform {
   required_version = ">= 1"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.40"
+    }
+    tls = {
+      source  = "hashicorp/tls"
+      version = ">= 3.0"
+    }
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -14,5 +14,6 @@ output "thumbprint" {`
`14`	`14`	`}`
`15`	`15`
`16`	`16`	`output "policy_document" {`
`17`		`- value = join("", data.aws_iam_policy_document.this.*.json)`
	`17`	`+ description = "joined IAM policy documents"`
	`18`	`+ value = join("", data.aws_iam_policy_document.this[*].json)`
`18`	`19`	`}`