Merge pull request #10 from dasmeta/DMVP-5344-have-iam-role-module-im…

…portant-outputs

DMVP-5344 have some important data in module outputs, like role arn

modules/role/README.md

@@ -1,5 +1,51 @@
-# role
+# terraform module allows to create aws role with provided policies
 
+## usage example to provide aws eks
+```hcl
+module "external_dns_role" {
+  source  = "dasmeta/iam/aws//modules/role"
+  version = "1.2.1"
+
+  name        = "test-role-name"
+
+  policy = [
+    {
+      actions   = ["route53:ChangeResourceRecordSets"]
+      resources = ["arn:aws:route53:::hostedzone/*"]
+    },
+    {
+      actions = [
+        "route53:ListHostedZones",
+        "route53:ListResourceRecordSets",
+        "route53:ListTagsForResource"
+      ]
+      resources = ["*"]
+    }
+  ]
+
+  trust_relationship = [
+    {
+      principals = {
+        type        = "Service"
+        identifiers = ["eks.amazonaws.com"]
+      },
+      actions = ["sts:AssumeRole"]
+    },
+    {
+      principals = {
+        type        = "Federated"
+        identifiers = ["arn:aws:iam::<account-id>:oidc-provider/oidc.eks.eu-central-1.amazonaws.com/id/<oidc-id>"]
+      },
+      actions = ["sts:AssumeRoleWithWebIdentity"]
+      conditions = [{
+        type  = "StringEquals"
+        key   = "oidc.eks.eu-central-1.amazonaws.com/id/<oidc-id>:aud"
+        value = ["sts.amazonaws.com"]
+      }]
+    }
+  ]
+}
+```
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
@@ -29,12 +75,16 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_description"></a> [description](#input\_description) | Role description | `string` | n/a | yes |
+| <a name="input_description"></a> [description](#input\_description) | Role description | `string` | `""` | no |
 | <a name="input_name"></a> [name](#input\_name) | Role name | `string` | n/a | yes |
-| <a name="input_policy"></a> [policy](#input\_policy) | AWS role assigne policy | <pre>list(object({<br/>    actions   = list(string)<br/>    resources = list(string)<br/>  }))</pre> | n/a | yes |
-| <a name="input_trust_relationship"></a> [trust\_relationship](#input\_trust\_relationship) | AWS role trust relationship | <pre>list(object({<br/>    effect     = optional(string, "Allow") # Effect of the policy (Allow or Deny)<br/>    actions    = list(string)              # Actions like sts:AssumeRole<br/>    principals = any                       # Principals (e.g., AWS, Service, Federated)<br/>    conditions = optional(any, [])         # Optional conditions for assume role<br/>  }))</pre> | n/a | yes |
+| <a name="input_policy"></a> [policy](#input\_policy) | AWS role assigne policy | <pre>list(object({<br>    actions   = list(string)<br>    resources = list(string)<br>  }))</pre> | n/a | yes |
+| <a name="input_trust_relationship"></a> [trust\_relationship](#input\_trust\_relationship) | AWS role trust relationship | <pre>list(object({<br>    effect     = optional(string, "Allow") # Effect of the policy (Allow or Deny)<br>    actions    = list(string)              # Actions like sts:AssumeRole<br>    principals = any                       # Principals (e.g., AWS, Service, Federated)<br>    conditions = optional(any, [])         # Optional conditions for assume role<br>  }))</pre> | n/a | yes |
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_arn"></a> [arn](#output\_arn) | Created role arn |
+| <a name="output_assume_role_policy"></a> [assume\_role\_policy](#output\_assume\_role\_policy) | Policy document associated with the role |
+| <a name="output_id"></a> [id](#output\_id) | Created role id |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/role/outputs.tf

@@ -0,0 +1,14 @@
+output "arn" {
+  value       = aws_iam_role.aws-role.arn
+  description = "Created role arn"
+}
+
+output "id" {
+  value       = aws_iam_role.aws-role.id
+  description = "Created role id"
+}
+
+output "assume_role_policy" {
+  value       = aws_iam_role.aws-role.assume_role_policy
+  description = "Policy document associated with the role"
+}

modules/role/variables.tf

@@ -6,6 +6,7 @@ variable "name" {
 variable "description" {
   type        = string
   description = "Role description"
+  default     = ""
 }
 
 variable "policy" {

modules/sso/modules/account-assignments/README.md

@@ -73,7 +73,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_account_assignments"></a> [account\_assignments](#input\_account\_assignments) | n/a | <pre>list(object({<br/>    account             = string<br/>    permission_set_name = string<br/>    permission_set_arn  = string<br/>    principal_name      = string<br/>    principal_type      = string<br/>  }))</pre> | n/a | yes |
+| <a name="input_account_assignments"></a> [account\_assignments](#input\_account\_assignments) | n/a | <pre>list(object({<br>    account             = string<br>    permission_set_name = string<br>    permission_set_arn  = string<br>    principal_name      = string<br>    principal_type      = string<br>  }))</pre> | n/a | yes |
 
 ## Outputs
 

modules/sso/modules/permission-sets/README.md

@@ -95,7 +95,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_permission_sets"></a> [permission\_sets](#input\_permission\_sets) | n/a | <pre>list(object({<br/>    name               = string<br/>    description        = string<br/>    relay_state        = string<br/>    session_duration   = string<br/>    tags               = map(string)<br/>    inline_policy      = string<br/>    policy_attachments = list(string)<br/>    customer_managed_policy_attachments = list(object({<br/>      name = string<br/>      path = string<br/>    }))<br/>  }))</pre> | `[]` | no |
+| <a name="input_permission_sets"></a> [permission\_sets](#input\_permission\_sets) | n/a | <pre>list(object({<br>    name               = string<br>    description        = string<br>    relay_state        = string<br>    session_duration   = string<br>    tags               = map(string)<br>    inline_policy      = string<br>    policy_attachments = list(string)<br>    customer_managed_policy_attachments = list(object({<br>      name = string<br>      path = string<br>    }))<br>  }))</pre> | `[]` | no |
 
 ## Outputs
 

modules/user/README.md

@@ -33,7 +33,7 @@ No requirements.
 | <a name="input_console"></a> [console](#input\_console) | Whether to create IAM user login profile | `bool` | `true` | no |
 | <a name="input_create_user"></a> [create\_user](#input\_create\_user) | Whether to create the IAM user | `bool` | `true` | no |
 | <a name="input_pgp_key"></a> [pgp\_key](#input\_pgp\_key) | Either a base-64 encoded PGP public key, or a keybase username in the form `keybase:username`. Used to encrypt password and access key. `pgp_key` is required when `create_iam_user_login_profile` is set to `true` | `string` | `""` | no |
-| <a name="input_policy"></a> [policy](#input\_policy) | AWS role assigne policy | <pre>list(object({<br/>    effect    = optional(string, "Allow")<br/>    actions   = list(string)<br/>    resources = list(string)<br/>    conditions = optional(list(object({<br/>      test     = string<br/>      variable = string<br/>      values   = list(string)<br/>    })), [])<br/>  }))</pre> | `[]` | no |
+| <a name="input_policy"></a> [policy](#input\_policy) | AWS role assigne policy | <pre>list(object({<br>    effect    = optional(string, "Allow")<br>    actions   = list(string)<br>    resources = list(string)<br>    conditions = optional(list(object({<br>      test     = string<br>      variable = string<br>      values   = list(string)<br>    })), [])<br>  }))</pre> | `[]` | no |
 | <a name="input_policy_attachment"></a> [policy\_attachment](#input\_policy\_attachment) | The list of ARN-s of the policy you want to apply | `list(string)` | `[]` | no |
 | <a name="input_username"></a> [username](#input\_username) | Desired name for the IAM user | `string` | n/a | yes |