diff --git a/buckets.tf b/buckets.tf
index 19c340b..7af8228 100644
--- a/buckets.tf
+++ b/buckets.tf
@@ -1,5 +1,5 @@
 module "truefoundry_bucket" {
- count = var.platform_feature_enabled ? var.feature_blob_storage_enabled ? 1 : 0 : 0
+ count = var.feature_blob_storage_enabled ? 1 : 0
 source = "terraform-aws-modules/s3-bucket/aws"
 version = "3.15.0"
@@ -72,4 +72,4 @@ module "truefoundry_bucket" {
 max_age_seconds = 3000
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/iam.tf b/iam.tf
index 572d4a7..1bb25fc 100644
--- a/iam.tf
+++ b/iam.tf
@@ -1,5 +1,5 @@
 data "aws_iam_policy_document" "truefoundry_platform_feature_s3_policy_document" {
- count = var.platform_feature_enabled ? var.feature_blob_storage_enabled ? 1 : 0 : 0
+ count = var.feature_blob_storage_enabled ? 1 : 0
 statement {
 effect = "Allow"
 actions = [
@@ -14,7 +14,7 @@ data "aws_iam_policy_document" "truefoundry_platform_feature_s3_policy_document"
 }
 data "aws_iam_policy_document" "truefoundry_platform_feature_parameter_store_policy_document" {
- count = var.platform_feature_enabled ? var.feature_parameter_store_enabled ? 1 : 0 : 0
+ count = var.feature_parameter_store_enabled ? 1 : 0
 statement {
 effect = "Allow"
 actions = [
@@ -32,7 +32,7 @@ data "aws_iam_policy_document" "truefoundry_platform_feature_parameter_store_pol
 }
 data "aws_iam_policy_document" "truefoundry_platform_feature_secrets_manager_policy_document" {
- count = var.platform_feature_enabled ? var.feature_secrets_manager_enabled ? 1 : 0 : 0
+ count = var.feature_secrets_manager_enabled ? 1 : 0
 statement {
 effect = "Allow"
 actions = [
@@ -51,7 +51,7 @@ data "aws_iam_policy_document" "truefoundry_platform_feature_secrets_manager_pol
 }
 data "aws_iam_policy_document" "truefoundry_platform_feature_ecr_policy_document" {
- count = var.platform_feature_enabled ? var.feature_docker_registry_enabled ? 1 : 0 : 0
+ count = var.feature_docker_registry_enabled ? 1 : 0
 statement {
 effect = "Allow"
 actions = [
@@ -94,7 +94,7 @@ data "aws_iam_policy_document" "truefoundry_platform_feature_ecr_policy_document
 }
 data "aws_iam_policy_document" "truefoundry_platform_feature_cluster_integration_policy_document" {
- count = var.platform_feature_enabled ? var.feature_cluster_integration_enabled ? 1 : 0 : 0
+ count = var.feature_cluster_integration_enabled ? 1 : 0
 statement {
 effect = "Allow"
 actions = [
@@ -141,32 +141,32 @@ data "aws_iam_policy_document" "truefoundry_platform_feature_cluster_integration
 resource "aws_iam_policy" "truefoundry_platform_feature_s3_policy" {
- count = var.platform_feature_enabled ? var.feature_blob_storage_enabled ? 1 : 0 : 0
- name_prefix = "${local.truefoundry_unique_name}-s3-access"
+ count = var.feature_blob_storage_enabled ? 1 : 0
+ name_prefix = "${local.truefoundry_unique_name}-s3-access-"
 description = "IAM policy for TrueFoundry user for platform features blob storage"
 policy = data.aws_iam_policy_document.truefoundry_platform_feature_s3_policy_document[0].json
 tags = local.tags
 }
 resource "aws_iam_policy" "truefoundry_platform_feature_parameter_store_policy" {
- count = var.platform_feature_enabled ? var.feature_parameter_store_enabled ? 1 : 0 : 0
- name_prefix = "${local.truefoundry_unique_name}-parameter-store-access"
+ count = var.feature_parameter_store_enabled ? 1 : 0
+ name_prefix = "${local.truefoundry_unique_name}-parameter-store-access-"
 description = "IAM policy for TrueFoundry user for platform features Secrets manager"
 policy = data.aws_iam_policy_document.truefoundry_platform_feature_parameter_store_policy_document[0].json
 tags = local.tags
 }
 resource "aws_iam_policy" "truefoundry_platform_feature_secrets_manager_policy" {
- count = var.platform_feature_enabled ? var.feature_secrets_manager_enabled ? 1 : 0 : 0
- name_prefix = "${local.truefoundry_unique_name}-secrets-manager-access"
+ count = var.feature_secrets_manager_enabled ? 1 : 0
+ name_prefix = "${local.truefoundry_unique_name}-secrets-manager-access-"
 description = "IAM policy for TrueFoundry user for platform features Secrets manager"
 policy = data.aws_iam_policy_document.truefoundry_platform_feature_secrets_manager_policy_document[0].json
 tags = local.tags
 }
 resource "aws_iam_policy" "truefoundry_platform_feature_ecr_policy" {
- count = var.platform_feature_enabled ? var.feature_docker_registry_enabled ? 1 : 0 : 0
- name_prefix = "${local.truefoundry_unique_name}-ecr-access"
+ count = var.feature_docker_registry_enabled ? 1 : 0
+ name_prefix = "${local.truefoundry_unique_name}-ecr-access-"
 description = "IAM policy for TrueFoundry user for platform features docker registry"
 policy = data.aws_iam_policy_document.truefoundry_platform_feature_ecr_policy_document[0].json
 tags = local.tags
@@ -174,8 +174,8 @@ resource "aws_iam_policy" "truefoundry_platform_feature_ecr_policy" {
 resource "aws_iam_policy" "truefoundry_platform_feature_cluster_integration_policy" {
- count = var.platform_feature_enabled ? var.feature_cluster_integration_enabled ? 1 : 0 : 0
- name_prefix = "${local.truefoundry_unique_name}-cluster-integration-access"
+ count = var.feature_cluster_integration_enabled ? 1 : 0
+ name_prefix = "${local.truefoundry_unique_name}-cluster-integration-access-"
 description = "IAM policy for TrueFoundry user for platform features cluster integration"
 policy = data.aws_iam_policy_document.truefoundry_platform_feature_cluster_integration_policy_document[0].json
 tags = local.tags
@@ -186,7 +186,7 @@ resource "aws_iam_policy" "truefoundry_platform_feature_cluster_integration_poli
 ################################################################################
 resource "aws_iam_role" "truefoundry_platform_feature_iam_role" {
- count = var.platform_feature_enabled ? 1 : 0
+ count = var.platform_user_enabled ? 0 : 1
 name = var.platform_role_enable_override ? var.platform_role_override_name : null
 description = "IAM role for TrueFoundry platform to access S3 bucket, SSM, ECR and EKS"
 name_prefix = var.platform_role_enable_override ? null : "${local.truefoundry_unique_name}-iam-role-"
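Review bot: The `description` on `truefoundry_platform_feature_parameter_store_policy` still reads "IAM policy for TrueFoundry user for platform features Secrets manager", a copy of the secrets-manager policy's text, so the two policies are indistinguishable when someone audits them in the IAM console. Since this hunk already rewrites the resource's `name_prefix`, fix the label here as well: `description = "IAM policy for TrueFoundry platform for platform features Parameter Store"`. The "user" wording in all five descriptions is also stale now that the same policies are attached to the IAM role whenever `platform_user_enabled` is false.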
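Review bot: With `count = var.platform_user_enabled ? 0 : 1` the role is now provisioned for every consumer of the module by default, whereas previously `platform_feature_enabled = false` suppressed it; a consumer who relied on that switch to deploy no principal will get a new IAM role, assumable by `control_plane_roles` according to output.tf, after upgrading, and the upgrade-guide entry only says the variable was removed. I'd state the new contract on the resource itself: `# Exactly one platform principal exists: this role when platform_user_enabled is false, otherwise the IAM user below.` and call out the behavioural change in the upgrade guide. The role's `assume_role_policy` lies outside this hunk, so I cannot confirm what restricts who may assume it.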
@@ -208,31 +208,31 @@ resource "aws_iam_role" "truefoundry_platform_feature_iam_role" {
 }
 resource "aws_iam_role_policy_attachment" "truefoundry_platform_s3_policy_attachment" {
- count = var.platform_feature_enabled ? var.feature_blob_storage_enabled ? 1 : 0 : 0
+ count = var.feature_blob_storage_enabled && !var.platform_user_enabled ? 1 : 0
 role = aws_iam_role.truefoundry_platform_feature_iam_role[0].name
 policy_arn = aws_iam_policy.truefoundry_platform_feature_s3_policy[0].arn
 }
 resource "aws_iam_role_policy_attachment" "truefoundry_platform_parameter_store_policy_attachment" {
- count = var.platform_feature_enabled ? var.feature_parameter_store_enabled ? 1 : 0 : 0
+ count = var.feature_parameter_store_enabled && !var.platform_user_enabled ? 1 : 0
 role = aws_iam_role.truefoundry_platform_feature_iam_role[0].name
 policy_arn = aws_iam_policy.truefoundry_platform_feature_parameter_store_policy[0].arn
 }
 resource "aws_iam_role_policy_attachment" "truefoundry_platform_secrets_manager_policy_attachment" {
- count = var.platform_feature_enabled ? var.feature_secrets_manager_enabled ? 1 : 0 : 0
+ count = var.feature_secrets_manager_enabled && !var.platform_user_enabled ? 1 : 0
 role = aws_iam_role.truefoundry_platform_feature_iam_role[0].name
 policy_arn = aws_iam_policy.truefoundry_platform_feature_secrets_manager_policy[0].arn
 }
 resource "aws_iam_role_policy_attachment" "truefoundry_platform_ecr_policy_attachment" {
- count = var.platform_feature_enabled ? var.feature_docker_registry_enabled ? 1 : 0 : 0
+ count = var.feature_docker_registry_enabled && !var.platform_user_enabled ? 1 : 0
 role = aws_iam_role.truefoundry_platform_feature_iam_role[0].name
 policy_arn = aws_iam_policy.truefoundry_platform_feature_ecr_policy[0].arn
 }
 resource "aws_iam_role_policy_attachment" "truefoundry_platform_cluster_integration_policy_attachment" {
- count = var.platform_feature_enabled ? var.feature_cluster_integration_enabled ? 1 : 0 : 0
+ count = var.feature_cluster_integration_enabled && !var.platform_user_enabled ? 1 : 0
 role = aws_iam_role.truefoundry_platform_feature_iam_role[0].name
 policy_arn = aws_iam_policy.truefoundry_platform_feature_cluster_integration_policy[0].arn
 }
@@ -242,7 +242,7 @@ resource "aws_iam_role_policy_attachment" "truefoundry_platform_cluster_integrat
 # IAM user
 ################################################################################
 resource "aws_iam_user" "truefoundry_platform_user" {
- count = var.platform_feature_enabled && var.platform_user_enabled ? 1 : 0
+ count = var.platform_user_enabled ? 1 : 0
 name = var.platform_user_name_override_enabled ? var.platform_user_override_name : "${local.truefoundry_unique_name}-user"
 path = "/truefoundry/"
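Review bot: `!var.platform_user_enabled` is now repeated in all five attachment counts and inverted once more in the role's own `count`, so the role/attachment pairing depends on six separate expressions staying in sync; a future edit that changes one of them leaves a policy attached to a role index that does not exist or a role with a feature policy missing. A single `platform_role_enabled = !var.platform_user_enabled` in `locals`, used as `count = var.feature_blob_storage_enabled && local.platform_role_enabled ? 1 : 0` in each attachment and `count = local.platform_role_enabled ? 1 : 0` on the role, keeps that relationship in one place. The `locals` block is not in this diff, so I cannot tell whether such a value already exists.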
@@ -251,37 +251,37 @@ resource "aws_iam_user" "truefoundry_platform_user" {
 }
 resource "aws_iam_access_key" "truefoundry_platform_user_keys" {
- count = var.platform_feature_enabled && var.platform_user_enabled ? 1 : 0
+ count = var.platform_user_enabled ? 1 : 0
 user = aws_iam_user.truefoundry_platform_user[0].name
 }
 resource "aws_iam_user_policy_attachment" "truefoundry_platform_user_s3_policy_attachment" {
- count = var.platform_feature_enabled ? (var.feature_blob_storage_enabled && var.platform_user_enabled) ? 1 : 0 : 0
+ count = var.feature_blob_storage_enabled && var.platform_user_enabled ? 1 : 0
 user = aws_iam_user.truefoundry_platform_user[0].name
 policy_arn = aws_iam_policy.truefoundry_platform_feature_s3_policy[0].arn
 }
 resource "aws_iam_user_policy_attachment" "truefoundry_platform_user_parameter_store_policy_attachment" {
- count = var.platform_feature_enabled ? (var.feature_parameter_store_enabled && var.platform_user_enabled) ? 1 : 0 : 0
+ count = var.feature_parameter_store_enabled && var.platform_user_enabled ? 1 : 0
 user = aws_iam_user.truefoundry_platform_user[0].name
 policy_arn = aws_iam_policy.truefoundry_platform_feature_parameter_store_policy[0].arn
 }
 resource "aws_iam_user_policy_attachment" "truefoundry_platform_user_secrets_manager_policy_attachment" {
- count = var.platform_feature_enabled ? (var.feature_secrets_manager_enabled && var.platform_user_enabled) ? 1 : 0 : 0
+ count = var.feature_secrets_manager_enabled && var.platform_user_enabled ? 1 : 0
 user = aws_iam_user.truefoundry_platform_user[0].name
 policy_arn = aws_iam_policy.truefoundry_platform_feature_secrets_manager_policy[0].arn
 }
 resource "aws_iam_user_policy_attachment" "truefoundry_platform_user_ecr_policy_attachment" {
- count = var.platform_feature_enabled ? (var.feature_docker_registry_enabled && var.platform_user_enabled) ? 1 : 0 : 0
+ count = var.feature_docker_registry_enabled && var.platform_user_enabled ? 1 : 0
 user = aws_iam_user.truefoundry_platform_user[0].name
 policy_arn = aws_iam_policy.truefoundry_platform_feature_ecr_policy[0].arn
 }
 resource "aws_iam_user_policy_attachment" "truefoundry_platform_user_cluster_integration_policy_attachment" {
- count = var.platform_feature_enabled ? (var.feature_cluster_integration_enabled && var.platform_user_enabled) ? 1 : 0 : 0
+ count = var.feature_cluster_integration_enabled && var.platform_user_enabled ? 1 : 0
 user = aws_iam_user.truefoundry_platform_user[0].name
 policy_arn = aws_iam_policy.truefoundry_platform_feature_cluster_integration_policy[0].arn
 }
diff --git a/output.tf b/output.tf
index 368b778..e0ada01 100644
--- a/output.tf
+++ b/output.tf
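Review bot: `aws_iam_access_key.truefoundry_platform_user_keys` mints a long-lived static credential whose secret Terraform keeps in plaintext in state and, per output.tf in this same diff, hands back through the `platform_user_secret_key` output — `sensitive = true` masks it in CLI output but not in the state file. The AWS provider's `pgp_key` argument on this resource makes it store only an encrypted secret; if that is not wanted here, I would at least record the trade-off on the resource: `# NOTE: the secret key is stored unencrypted in Terraform state; restrict the state backend or set pgp_key.` The user path is opt-in via `platform_user_enabled`, so the role stays the default and this note is for consumers who choose static keys.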
@@ -3,24 +3,24 @@
 ################################################################################
 # IAM role details
 ################################################################################
+output "platform_iam_role_enabled" {
+ description = "Flag to enable IAM role for the platform. If false, the user will be created."
+ value = !var.platform_user_enabled
+}
+
 output "platform_iam_role_arn" {
 description = "The platform IAM role arn"
- value = var.platform_feature_enabled ? aws_iam_role.truefoundry_platform_feature_iam_role[0].arn : ""
+ value = var.platform_user_enabled ? "" : aws_iam_role.truefoundry_platform_feature_iam_role[0].arn
 }
 output "platform_iam_role_assume_role_arns" {
 description = "The role arns that can assume the platform IAM role"
- value = var.platform_feature_enabled ? var.control_plane_roles : []
+ value = var.platform_user_enabled ? [] : var.control_plane_roles
 }
 output "platform_iam_role_policy_arns" {
 description = "The platform IAM role policy arns"
- value = local.truefoundry_platform_policy_arns
-}
-
-output "platform_iam_role_enabled" {
- description = "Flag to enable IAM role for the platform. Either this or or `platform_user_enabled` should be enabled"
- value = var.platform_feature_enabled
+ value = var.platform_user_enabled ? [] : local.truefoundry_platform_policy_arns
 }
 ################################################################################
@@ -28,24 +28,24 @@ output "platform_iam_role_enabled" {
 ################################################################################
 output "platform_user_enabled" {
- description = "Flag to enable user for the platform. Either this or `platform_iam_role_enabled` should be enabled"
- value = var.platform_feature_enabled && var.platform_user_enabled
+ description = "Flag to enable user for the platform. If false, the iam role will be created."
+ value = var.platform_user_enabled
 }
 output "platform_user_access_key" {
 description = "The user access key ID"
- value = var.platform_feature_enabled && var.platform_user_enabled ? aws_iam_access_key.truefoundry_platform_user_keys[0].id : ""
+ value = var.platform_user_enabled ? aws_iam_access_key.truefoundry_platform_user_keys[0].id : ""
 }
 output "platform_user_secret_key" {
 description = "The user secret key"
- value = var.platform_feature_enabled && var.platform_user_enabled ? aws_iam_access_key.truefoundry_platform_user_keys[0].secret : ""
+ value = var.platform_user_enabled ? aws_iam_access_key.truefoundry_platform_user_keys[0].secret : ""
 sensitive = true
 }
 output "platform_user_arn" {
 description = "The user IAM resource arn"
- value = var.platform_feature_enabled && var.platform_user_enabled ? aws_iam_user.truefoundry_platform_user[0].arn : ""
+ value = var.platform_user_enabled ? aws_iam_user.truefoundry_platform_user[0].arn : ""
 }
 ################################################################################
@@ -53,7 +53,7 @@ output "platform_user_arn" {
 ################################################################################
 output "platform_bucket_enabled" {
 description = "Flag to enable S3 bucket for the platform"
- value = var.platform_feature_enabled && var.feature_blob_storage_enabled
+ value = var.feature_blob_storage_enabled
 }
 output "platform_bucket_name" {
@@ -71,7 +71,7 @@ output "platform_bucket_arn" {
 ################################################################################
 output "platform_ecr_enabled" {
 description = "Flag to enable ECR for the platform"
- value = var.platform_feature_enabled && var.feature_docker_registry_enabled
+ value = var.feature_docker_registry_enabled
 }
 output "platform_ecr_url" {
@@ -84,7 +84,7 @@ output "platform_ecr_url" {
 ################################################################################
 output "platform_secrets_manager_enabled" {
 description = "Flag to enable Secrets Manager for the platform"
- value = var.platform_feature_enabled && var.feature_secrets_manager_enabled
+ value = var.feature_secrets_manager_enabled
 }
 ################################################################################
@@ -92,7 +92,7 @@ output "platform_secrets_manager_enabled" {
 ################################################################################
 output "platform_ssm_enabled" {
 description = "Flag to enable Parameter Store for the platform"
- value = var.platform_feature_enabled && var.feature_parameter_store_enabled
+ value = var.feature_parameter_store_enabled
 }
 ################################################################################
@@ -100,5 +100,5 @@ output "platform_ssm_enabled" {
 ################################################################################
 output "platform_cluster_integration_enabled" {
 description = "Flag to enable cluster integration for the platform"
- value = var.platform_feature_enabled && var.feature_cluster_integration_enabled
+ value = var.feature_cluster_integration_enabled
 }
diff --git a/upgrade-guide.md b/upgrade-guide.md
index 856dcee..2fa7e10 100644
--- a/upgrade-guide.md
+++ b/upgrade-guide.md
@@ -10,6 +10,8 @@ This guide helps in migration from the old terraform modules to the new one.
 - `platform_user_ecr_url` to `platform_ecr_url`
 4. The following outputs have been removed;
 - `platform_iam_role_name`
+5. The following variables have been removed;
+ - `platform_feature_enabled`
 # Upgrade guide to AWS platform features module from 0.2.2 to 0.3.0
 1. When upgrading terraform version for platform features ensure that you are running on version `0.2.x` and the platform features is upgraded to the newer 0.3.x version.
diff --git a/variables.tf b/variables.tf
index b80126d..3a47e0e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -14,12 +14,6 @@ variable "aws_region" {
 type = string
 }
-variable "platform_feature_enabled" {
- description = "Enable platform features like docker registry, secrets manager and blob storage"
- type = bool
- default = true
-}
-
 ################################################################################
 # Cluster
 ################################################################################