diff --git a/README.md b/README.md
index 5dfa24c..fd24999 100644
--- a/README.md
+++ b/README.md
@@ -26,21 +26,21 @@ Truefoundry AWS platform features
| Name | Type |
|------|------|
| [aws_iam_policy.truefoundry_platform_feature_cluster_integration_policy](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.truefoundry_platform_feature_user_ecr_policy](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.truefoundry_platform_feature_user_parameter_store_policy](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.truefoundry_platform_feature_user_s3_policy](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.truefoundry_platform_feature_user_secrets_manager_policy](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.truefoundry_platform_feature_ecr_policy](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.truefoundry_platform_feature_parameter_store_policy](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.truefoundry_platform_feature_s3_policy](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.truefoundry_platform_feature_secrets_manager_policy](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_policy) | resource |
| [aws_iam_role.truefoundry_platform_feature_iam_role](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy_attachment.truefoundry_platform_user_cluster_integration_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.truefoundry_platform_user_ecr_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.truefoundry_platform_user_parameter_store_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.truefoundry_platform_user_s3_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.truefoundry_platform_user_secrets_manager_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.truefoundry_platform_cluster_integration_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.truefoundry_platform_ecr_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.truefoundry_platform_parameter_store_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.truefoundry_platform_s3_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.truefoundry_platform_secrets_manager_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_policy_document.truefoundry_platform_feature_cluster_integration_policy_document](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.truefoundry_platform_feature_user_ecr_policy_document](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.truefoundry_platform_feature_user_parameter_store_policy_document](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.truefoundry_platform_feature_user_s3_policy_document](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.truefoundry_platform_feature_user_secrets_manager_policy_document](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.truefoundry_platform_feature_ecr_policy_document](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.truefoundry_platform_feature_parameter_store_policy_document](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.truefoundry_platform_feature_s3_policy_document](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.truefoundry_platform_feature_secrets_manager_policy_document](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/data-sources/iam_policy_document) | data source |
## Inputs
@@ -60,7 +60,7 @@ Truefoundry AWS platform features
| [feature\_cluster\_integration\_enabled](#input\_feature\_cluster\_integration\_enabled) | Enable cluster integration feature in the platform | `bool` | `true` | no |
| [feature\_docker\_registry\_enabled](#input\_feature\_docker\_registry\_enabled) | Enable docker registry feature in the platform | `bool` | `true` | no |
| [feature\_parameter\_store\_enabled](#input\_feature\_parameter\_store\_enabled) | Enable parameter store feature in the platform | `bool` | `true` | no |
-| [feature\_secrets\_manager\_enabled](#input\_feature\_secrets\_manager\_enabled) | Enable secrets manager feature in the platform | `bool` | `true` | no |
+| [feature\_secrets\_manager\_enabled](#input\_feature\_secrets\_manager\_enabled) | Enable secrets manager feature in the platform | `bool` | `false` | no |
| [platform\_feature\_enabled](#input\_platform\_feature\_enabled) | Enable platform features like docker registry, secrets manager and blob storage | `bool` | `true` | no |
| [platform\_role\_enable\_override](#input\_platform\_role\_enable\_override) | Enable overriding the platform role name. You need to pass s3\_override\_name to pass the bucket name | `bool` | `false` | no |
| [platform\_role\_override\_name](#input\_platform\_role\_override\_name) | Platform IAM role name which will have access to S3 bucket, SSM and ECR | `string` | `""` | no |
diff --git a/iam.tf b/iam.tf
index 35d6b8e..9db1f21 100644
--- a/iam.tf
+++ b/iam.tf
@@ -1,4 +1,4 @@
-data "aws_iam_policy_document" "truefoundry_platform_feature_user_s3_policy_document" {
+data "aws_iam_policy_document" "truefoundry_platform_feature_s3_policy_document" {
count = var.platform_feature_enabled ? var.feature_blob_storage_enabled ? 1 : 0 : 0
statement {
effect = "Allow"
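Review bot: the nested conditional `var.platform_feature_enabled ? var.feature_blob_storage_enabled ? 1 : 0 : 0` on the `count` line is hard to read and is repeated on every policy, attachment and data source in this file; `count = var.platform_feature_enabled && var.feature_blob_storage_enabled ? 1 : 0` says the same thing, and pulling the four combined flags into `locals` (for example `local.blob_storage_enabled`) would let the `count` guards and the `policy_arns` list in locals.tf share one definition instead of drifting apart.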
@@ -13,7 +13,7 @@ data "aws_iam_policy_document" "truefoundry_platform_feature_user_s3_policy_docu
}
}
-data "aws_iam_policy_document" "truefoundry_platform_feature_user_parameter_store_policy_document" {
+data "aws_iam_policy_document" "truefoundry_platform_feature_parameter_store_policy_document" {
count = var.platform_feature_enabled ? var.feature_parameter_store_enabled ? 1 : 0 : 0
statement {
effect = "Allow"
@@ -31,7 +31,7 @@ data "aws_iam_policy_document" "truefoundry_platform_feature_user_parameter_stor
}
}
-data "aws_iam_policy_document" "truefoundry_platform_feature_user_secrets_manager_policy_document" {
+data "aws_iam_policy_document" "truefoundry_platform_feature_secrets_manager_policy_document" {
count = var.platform_feature_enabled ? var.feature_secrets_manager_enabled ? 1 : 0 : 0
statement {
effect = "Allow"
@@ -41,15 +41,16 @@ data "aws_iam_policy_document" "truefoundry_platform_feature_user_secrets_manage
"secretsmanager:CreateSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:UpdateSecret",
- "secretsmanager:ListSecrets"
+ "secretsmanager:ListSecrets",
+ "secretsmanager:PutSecretValue",
]
resources = [
- "arn:aws:secretsmanager:${var.aws_region}:${var.aws_account_id}:secret:tfy-secret/*"
+ "arn:aws:secretsmanager:${var.aws_region}:${var.aws_account_id}:secret:/tfy-secret/*"
]
}
}
-data "aws_iam_policy_document" "truefoundry_platform_feature_user_ecr_policy_document" {
+data "aws_iam_policy_document" "truefoundry_platform_feature_ecr_policy_document" {
count = var.platform_feature_enabled ? var.feature_docker_registry_enabled ? 1 : 0 : 0
statement {
effect = "Allow"
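Review bot: `secretsmanager:ListSecrets` does not support resource-level permissions, so with `resources` scoped to `arn:aws:secretsmanager:...:secret:/tfy-secret/*` the list call is not granted by this statement; if the platform needs to enumerate secrets, move `ListSecrets` into its own statement with `resources = ["*"]` and keep the secret-scoped statement for `CreateSecret`, `DeleteSecret`, `UpdateSecret` and the newly added `PutSecretValue`. The change from `secret:tfy-secret/*` to `secret:/tfy-secret/*` is also a breaking change for any account that already holds secrets under the old prefix without the leading slash (the trailing `/*` still covers the random suffix Secrets Manager appends to the name, so that part is fine); it needs a line in upgrade-guide.md telling operators to rename or recreate those secrets, and the PR description should say whether the platform now writes names with the leading slash.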
@@ -139,35 +140,35 @@ data "aws_iam_policy_document" "truefoundry_platform_feature_cluster_integration
}
-resource "aws_iam_policy" "truefoundry_platform_feature_user_s3_policy" {
+resource "aws_iam_policy" "truefoundry_platform_feature_s3_policy" {
count = var.platform_feature_enabled ? var.feature_blob_storage_enabled ? 1 : 0 : 0
name_prefix = "${local.truefoundry_unique_name}-s3-access"
description = "IAM policy for TrueFoundry user for platform features blob storage"
- policy = data.aws_iam_policy_document.truefoundry_platform_feature_user_s3_policy_document[0].json
+ policy = data.aws_iam_policy_document.truefoundry_platform_feature_s3_policy_document[0].json
tags = local.tags
}
-resource "aws_iam_policy" "truefoundry_platform_feature_user_parameter_store_policy" {
+resource "aws_iam_policy" "truefoundry_platform_feature_parameter_store_policy" {
count = var.platform_feature_enabled ? var.feature_parameter_store_enabled ? 1 : 0 : 0
- name_prefix = "${local.truefoundry_unique_name}-ssm-access"
+ name_prefix = "${local.truefoundry_unique_name}-parameter-store-access"
description = "IAM policy for TrueFoundry user for platform features Secrets manager"
- policy = data.aws_iam_policy_document.truefoundry_platform_feature_user_parameter_store_policy_document[0].json
+ policy = data.aws_iam_policy_document.truefoundry_platform_feature_parameter_store_policy_document[0].json
tags = local.tags
}
-resource "aws_iam_policy" "truefoundry_platform_feature_user_secrets_manager_policy" {
+resource "aws_iam_policy" "truefoundry_platform_feature_secrets_manager_policy" {
count = var.platform_feature_enabled ? var.feature_secrets_manager_enabled ? 1 : 0 : 0
name_prefix = "${local.truefoundry_unique_name}-secrets-manager-access"
description = "IAM policy for TrueFoundry user for platform features Secrets manager"
- policy = data.aws_iam_policy_document.truefoundry_platform_feature_user_secrets_manager_policy_document[0].json
+ policy = data.aws_iam_policy_document.truefoundry_platform_feature_secrets_manager_policy_document[0].json
tags = local.tags
}
-resource "aws_iam_policy" "truefoundry_platform_feature_user_ecr_policy" {
+resource "aws_iam_policy" "truefoundry_platform_feature_ecr_policy" {
count = var.platform_feature_enabled ? var.feature_docker_registry_enabled ? 1 : 0 : 0
name_prefix = "${local.truefoundry_unique_name}-ecr-access"
description = "IAM policy for TrueFoundry user for platform features docker registry"
- policy = data.aws_iam_policy_document.truefoundry_platform_feature_user_ecr_policy_document[0].json
+ policy = data.aws_iam_policy_document.truefoundry_platform_feature_ecr_policy_document[0].json
tags = local.tags
}
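Review bot: the `description` on the renamed `truefoundry_platform_feature_parameter_store_policy` still reads "IAM policy for TrueFoundry user for platform features Secrets manager", which is a copy-paste from the Secrets Manager policy below it and will mislead anyone auditing policies in the console; change it to "... for platform features parameter store". While touching these, the four descriptions still say "for TrueFoundry user" even though the rename drops `user` from every resource and the policies are attached to an IAM role, so "for the TrueFoundry platform role" is more accurate. Note also that changing `name_prefix` from `-ssm-access` to `-parameter-store-access` forces replacement of that `aws_iam_policy`, so `terraform state mv` alone will not give a no-op plan for the parameter store policy; the upgrade guide should warn that this policy is destroyed and recreated (and its attachment with it) on the 0.3.0 apply.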
@@ -205,31 +206,31 @@ resource "aws_iam_role" "truefoundry_platform_feature_iam_role" {
tags = local.tags
}
-resource "aws_iam_role_policy_attachment" "truefoundry_platform_user_s3_policy_attachment" {
+resource "aws_iam_role_policy_attachment" "truefoundry_platform_s3_policy_attachment" {
count = var.platform_feature_enabled ? var.feature_blob_storage_enabled ? 1 : 0 : 0
role = aws_iam_role.truefoundry_platform_feature_iam_role[0].name
- policy_arn = aws_iam_policy.truefoundry_platform_feature_user_s3_policy[0].arn
+ policy_arn = aws_iam_policy.truefoundry_platform_feature_s3_policy[0].arn
}
-resource "aws_iam_role_policy_attachment" "truefoundry_platform_user_parameter_store_policy_attachment" {
+resource "aws_iam_role_policy_attachment" "truefoundry_platform_parameter_store_policy_attachment" {
count = var.platform_feature_enabled ? var.feature_parameter_store_enabled ? 1 : 0 : 0
role = aws_iam_role.truefoundry_platform_feature_iam_role[0].name
- policy_arn = aws_iam_policy.truefoundry_platform_feature_user_parameter_store_policy[0].arn
+ policy_arn = aws_iam_policy.truefoundry_platform_feature_parameter_store_policy[0].arn
}
-resource "aws_iam_role_policy_attachment" "truefoundry_platform_user_secrets_manager_policy_attachment" {
+resource "aws_iam_role_policy_attachment" "truefoundry_platform_secrets_manager_policy_attachment" {
count = var.platform_feature_enabled ? var.feature_secrets_manager_enabled ? 1 : 0 : 0
role = aws_iam_role.truefoundry_platform_feature_iam_role[0].name
- policy_arn = aws_iam_policy.truefoundry_platform_feature_user_secrets_manager_policy[0].arn
+ policy_arn = aws_iam_policy.truefoundry_platform_feature_secrets_manager_policy[0].arn
}
-resource "aws_iam_role_policy_attachment" "truefoundry_platform_user_ecr_policy_attachment" {
+resource "aws_iam_role_policy_attachment" "truefoundry_platform_ecr_policy_attachment" {
count = var.platform_feature_enabled ? var.feature_docker_registry_enabled ? 1 : 0 : 0
role = aws_iam_role.truefoundry_platform_feature_iam_role[0].name
- policy_arn = aws_iam_policy.truefoundry_platform_feature_user_ecr_policy[0].arn
+ policy_arn = aws_iam_policy.truefoundry_platform_feature_ecr_policy[0].arn
}
-resource "aws_iam_role_policy_attachment" "truefoundry_platform_user_cluster_integration_policy_attachment" {
+resource "aws_iam_role_policy_attachment" "truefoundry_platform_cluster_integration_policy_attachment" {
count = var.platform_feature_enabled ? var.feature_cluster_integration_enabled ? 1 : 0 : 0
role = aws_iam_role.truefoundry_platform_feature_iam_role[0].name
policy_arn = aws_iam_policy.truefoundry_platform_feature_cluster_integration_policy[0].arn
diff --git a/locals.tf b/locals.tf
index 8355a24..e57c517 100644
--- a/locals.tf
+++ b/locals.tf
@@ -10,10 +10,10 @@ locals {
truefoundry_unique_name = "${var.cluster_name}-platform"
bucket_name = var.blob_storage_enable_override ? var.blob_storage_override_name : "${var.cluster_name}-ml"
policy_arns = [
- var.feature_blob_storage_enabled ? aws_iam_policy.truefoundry_platform_feature_user_s3_policy[0].arn : null,
- var.feature_parameter_store_enabled ? aws_iam_policy.truefoundry_platform_feature_user_parameter_store_policy[0].arn : null,
- var.feature_secrets_manager_enabled ? aws_iam_policy.truefoundry_platform_feature_user_secrets_manager_policy[0].arn : null,
- var.feature_docker_registry_enabled ? aws_iam_policy.truefoundry_platform_feature_user_ecr_policy[0].arn : null,
+ var.feature_blob_storage_enabled ? aws_iam_policy.truefoundry_platform_feature_s3_policy[0].arn : null,
+ var.feature_parameter_store_enabled ? aws_iam_policy.truefoundry_platform_feature_parameter_store_policy[0].arn : null,
+ var.feature_secrets_manager_enabled ? aws_iam_policy.truefoundry_platform_feature_secrets_manager_policy[0].arn : null,
+ var.feature_docker_registry_enabled ? aws_iam_policy.truefoundry_platform_feature_ecr_policy[0].arn : null,
]
- truefoundry_platform_user_policy_arns = [for arn in local.policy_arns : tostring(arn) if arn != null]
+ truefoundry_platform_policy_arns = [for arn in local.policy_arns : tostring(arn) if arn != null]
}
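Review bot: each entry in `policy_arns` is guarded only by `var.feature_*_enabled`, but the corresponding `aws_iam_policy` resources have `count` guarded by `var.platform_feature_enabled` as well, so with `platform_feature_enabled = false` and the feature flags at their `true` defaults the chosen branch indexes `[0]` on an empty resource list and the plan fails with an invalid index error. Either add `var.platform_feature_enabled &&` to each guard, or drop the conditionals and build the list from splats, e.g. `concat(aws_iam_policy.truefoundry_platform_feature_s3_policy[*].arn, aws_iam_policy.truefoundry_platform_feature_parameter_store_policy[*].arn, ...)`, which is empty whenever the resource is not created and removes the need for the `if arn != null` filter in `truefoundry_platform_policy_arns`.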
diff --git a/output.tf b/output.tf
index e616b6d..45004f4 100644
--- a/output.tf
+++ b/output.tf
@@ -21,7 +21,7 @@ output "platform_iam_role_assume_role_arns" {
output "platform_iam_role_policy_arns" {
description = "The list of ARNs of policies directly assigned to the IAM user"
- value = local.truefoundry_platform_user_policy_arns
+ value = local.truefoundry_platform_policy_arns
}
################################################################################
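Review bot: the `description` of `platform_iam_role_policy_arns` still says the policies are "directly assigned to the IAM user", but the value comes from the attachments to `aws_iam_role.truefoundry_platform_feature_iam_role` and the local has just been renamed to drop `user`; reword it to "The list of ARNs of policies attached to the platform IAM role" so the README output table generated from it stops describing a principal that this module does not create.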
@@ -43,4 +43,4 @@ output "platform_user_bucket_arn" {
output "platform_user_ecr_url" {
description = "The ECR url to connect"
value = var.feature_docker_registry_enabled ? "${var.aws_account_id}.dkr.ecr.${var.aws_region}.amazonaws.com" : ""
-}
\ No newline at end of file
+}
diff --git a/upgrade-guide.md b/upgrade-guide.md
new file mode 100644
index 0000000..4a7bac8
--- /dev/null
+++ b/upgrade-guide.md
@@ -0,0 +1,33 @@
+# AWS Platform Features Upgrade Guide
+This guide helps in migration from the old terraform modules to the new one.
+
+# Updgrade guide to AWS platform features module from 0.2.2 to 0.3.0
+1. When upgrading terraform version for platform features ensure that you are running on version `0.2.x` and the platform features is upgraded to the newer 0.3.x version.
+2. Update the following variables;
+ - `feature_secrets_enabled` to `feature_parameter_store_enabled`
+3. Run `terraform state mv old_resource_name new_resource_name` to move the resources to the new name. Run the following commands to update state;
+```bash
+ terraform state mv module..aws_iam_role_policy_attachment.truefoundry_platform_user_ecr_policy_attachment module..aws_iam_role_policy_attachment.truefoundry_platform_ecr_policy_attachment
+ terraform state mv module..aws_iam_role_policy_attachment.truefoundry_platform_user_ssm_policy_attachment module..aws_iam_role_policy_attachment.truefoundry_platform_parameter_store_policy_attachment
+ terraform state mv module..aws_iam_role_policy_attachment.truefoundry_platform_user_cluster_integration_policy_attachment module..aws_iam_role_policy_attachment.truefoundry_platform_cluster_integration_policy_attachment
+ terraform state mv module..aws_iam_role_policy_attachment.truefoundry_platform_user_s3_policy_attachment module..aws_iam_role_policy_attachment.truefoundry_platform_s3_policy_attachment
+
+ terraform state mv module..aws_iam_policy.truefoundry_platform_feature_user_ecr_policy module..aws_iam_policy.truefoundry_platform_feature_ecr_policy
+ terraform state mv module..aws_iam_policy.truefoundry_platform_feature_user_ssm_policy module..aws_iam_policy.truefoundry_platform_feature_parameter_store_policy
+ terraform state mv module..aws_iam_policy.truefoundry_platform_feature_user_s3_policy module..aws_iam_policy.truefoundry_platform_feature_s3_policy
+```
+4. Run `terraform plan` to see the changes that will be applied.
+5. Run `terraform apply` to apply the changes.
+
+
+# Updgrade guide to AWS platform features module from 0.2.1 to 0.2.2
+1. When upgrading terraform version for platform features ensure that you are running on version `0.2.x` and the platform features is upgraded to the newer 0.2.2 version.
+2. Update the following variables;
+ - `feature_cloud_integration_enabled` to `feature_cluster_integration_enabled`
+3. Run `terraform state mv old_resource_name new_resource_name` to move the resources to the new name. Run the following commands to update state;
+```bash
+ terraform state mv module..aws_iam_policy.truefoundry_platform_feature_cloud_integration_policy module..aws_iam_policy.truefoundry_platform_feature_cluster_integration_policy
+ terraform state mv module..aws_iam_role_policy_attachment.truefoundry_platform_user_cloud_integration_policy_attachment module..aws_iam_role_policy_attachment.truefoundry_platform_user_cluster_integration_policy_attachment
+```
+4. Run `terraform plan` to see the changes that will be applied.
+5. Run `terraform apply` to apply the changes.
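Review bot: the 0.2.2 to 0.3.0 section is missing the state moves that this very diff requires and lists some that do not match it. The `old_resource_name` values `truefoundry_platform_user_ssm_policy_attachment` and `truefoundry_platform_feature_user_ssm_policy` do not exist in the code being replaced, whose resources are `truefoundry_platform_user_parameter_store_policy_attachment` and `truefoundry_platform_feature_user_parameter_store_policy`, so those two commands will fail for anyone on the previous version, while the Secrets Manager resources renamed in iam.tf (`aws_iam_policy.truefoundry_platform_feature_user_secrets_manager_policy` to `truefoundry_platform_feature_secrets_manager_policy` and `aws_iam_role_policy_attachment.truefoundry_platform_user_secrets_manager_policy_attachment` to `truefoundry_platform_secrets_manager_policy_attachment`) get no `state mv` at all. The guide also needs to tell operators that `feature_secrets_manager_enabled` now defaults to `false`, so an existing deployment that relied on the default must set it to `true` explicitly or the plan will detach and delete the Secrets Manager policy, and that the secret ARN prefix changed from `tfy-secret/` to `/tfy-secret/`. Smaller points: `module..` should read `module.<module_name>.`, "Updgrade" is a typo in both headings, the variable rename in step 2 (`feature_secrets_enabled` to `feature_parameter_store_enabled`) does not appear anywhere in this diff and should be confirmed against the 0.2.2 variables, and step 1 should state plainly that the Terraform CLI version stays as it was and only the module version moves from 0.2.x to 0.3.0.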
diff --git a/variables.tf b/variables.tf
index f612634..de8c54a 100644
--- a/variables.tf
+++ b/variables.tf
@@ -111,7 +111,7 @@ variable "feature_parameter_store_enabled" {
variable "feature_secrets_manager_enabled" {
description = "Enable secrets manager feature in the platform"
type = bool
- default = true
+ default = false
}
################################################################################
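Review bot: flipping the default of `feature_secrets_manager_enabled` from `true` to `false` is a silent breaking change for every existing deployment that did not set the variable explicitly; on the next apply the plan will detach and destroy `aws_iam_policy.truefoundry_platform_feature_secrets_manager_policy`, and the platform loses access to the `tfy-secret` secrets with no warning from Terraform beyond the plan output. Call this out in the `description` ("Enable secrets manager feature in the platform. Defaults to false since 0.3.0; set to true to keep existing access") and in upgrade-guide.md, and explain in the PR why the default changed, since the README still advertises secrets manager as one of the platform features enabled by `platform_feature_enabled`.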