
Remove use of template provider
The template provider is deprecated and it is now advised to use the
templatefile function instead. Since all templates were AWS IAM Policy
Documents, the aws_iam_policy_document data source is used instead.
rhynix committed Mar 18, 2022
1 parent 103255b commit 27169d5
Showing 8 changed files with 159 additions and 207 deletions.
41 changes: 30 additions & 11 deletions aws_config.tf
Expand Up @@ -47,14 +47,21 @@ resource "aws_config_delivery_channel" "aws_config_delivery_channel" {
]
}

data "template_file" "aws_config_iam_assume_role_policy_document" {
template = file("${path.module}/policies/aws_config_assume_role_policy.tpl")
data "aws_iam_policy_document" "aws_config_assume" {
statement {
principals {
type = "Service"
identifiers = ["config.amazonaws.com"]
}

actions = ["sts:AssumeRole"]
}
}

resource "aws_iam_role" "aws_config_iam_role" {
count = var.enable_aws_config ? 1 : 0
name = "terraform-awsconfig-role"
assume_role_policy = data.template_file.aws_config_iam_assume_role_policy_document.rendered
assume_role_policy = data.aws_iam_policy_document.aws_config_assume.json
}

resource "aws_iam_role_policy_attachment" "aws_config_iam_policy_attachment" {
Expand All @@ -63,21 +70,34 @@ resource "aws_iam_role_policy_attachment" "aws_config_iam_policy_attachment" {
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRole"
}

data "template_file" "aws_config_iam_policy_document" {
template = file("${path.module}/policies/aws_config_policy.tpl")
count = var.enable_aws_config ? 1 : 0
data "aws_iam_policy_document" "aws_config" {
count = var.enable_aws_config ? 1 : 0

vars = {
sns_topic_arn = aws_sns_topic.aws_config_updates_topic[0].arn
s3_bucket_arn = aws_s3_bucket.aws_config_configuration_bucket[0].arn
statement {
actions = ["config:Put*"]
resources = ["*"]
}

statement {
actions = ["sns:*"]
resources = [one(aws_sns_topic.aws_config_updates_topic).arn]
}

statement {
actions = ["s3:*"]

resources = [
one(aws_s3_bucket.aws_config_configuration_bucket).arn,
"${one(aws_s3_bucket.aws_config_configuration_bucket).arn}/*"
]
}
}

resource "aws_iam_role_policy" "aws_config_iam_policy" {
count = var.enable_aws_config ? 1 : 0
name = "terraform-awsconfig-policy"
role = aws_iam_role.aws_config_iam_role[0].id
policy = data.template_file.aws_config_iam_policy_document[0].rendered
policy = one(data.aws_iam_policy_document.aws_config).json
}

resource "null_resource" "sns_subscribe" {
Expand All @@ -93,4 +113,3 @@ resource "null_resource" "sns_subscribe" {
command = "aws sns subscribe --topic-arn ${aws_sns_topic.aws_config_updates_topic[0].arn} --protocol email --notification-endpoint ${element(var.aws_config_notification_emails, count.index)}"
}
}

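Review bot: The new `aws_config` policy document grants `sns:*` on the topic and `s3:*` on the bucket and every object under it, which is much wider than the delivery channel needs; AWS Config only has to publish to the topic and write objects into the bucket, so `actions = ["sns:Publish"]` and `actions = ["s3:PutObject", "s3:GetBucketAcl"]` are sufficient for those two statements. The `config:Put*` statement on `"*"` also looks redundant given `AWSConfigRole` is already attached to the same role a few lines above. Because `policies/aws_config_policy.tpl` is deleted in this commit and not shown on the page, whether this widens the grant the template previously made cannot be confirmed here.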
25 changes: 16 additions & 9 deletions cloudtrail.tf
Expand Up @@ -54,14 +54,21 @@ resource "aws_cloudwatch_log_group" "log_group" {
#
# CloudTrail Cloudwatch IAM Role
#
data "template_file" "cloudwatch_iam_assume_role_policy_document" {
template = file("${path.module}/policies/cloudwatch_assume_role_policy.tpl")
data "aws_iam_policy_document" "cloudwatch_assume" {
statement {
principals {
type = "Service"
identifiers = ["cloudtrial.amazonaws.com"]
}

actions = ["sts:AssumeRole"]
}
}

resource "aws_iam_role" "cloudwatch_iam_role" {
count = var.enable_cloudwatch_logs ? 1 : 0
name = var.cloudwatch_iam_role_name
assume_role_policy = data.template_file.cloudwatch_iam_assume_role_policy_document.rendered
assume_role_policy = data.aws_iam_policy_document.cloudwatch_assume.json
}

resource "aws_iam_role_policy_attachment" "cloudwatch_iam_policy_attachment" {
Expand All @@ -70,19 +77,19 @@ resource "aws_iam_role_policy_attachment" "cloudwatch_iam_policy_attachment" {
policy_arn = aws_iam_policy.cloudwatch_iam_policy[0].arn
}

data "template_file" "cloudwatch_iam_policy_document" {
count = var.enable_cloudwatch_logs ? 1 : 0
template = file("${path.module}/policies/cloudwatch_policy.tpl")
data "aws_iam_policy_document" "cloudwatch" {
count = var.enable_cloudwatch_logs ? 1 : 0

vars = {
log_group_arn = aws_cloudwatch_log_group.log_group[0].arn
statement {
actions = ["logs:CreateLogStream", "logs:PutLogEvents"]
resources = ["${one(aws_cloudwatch_log_group.log_group).arn}:*"]
}
}

resource "aws_iam_policy" "cloudwatch_iam_policy" {
count = var.enable_cloudwatch_logs ? 1 : 0
name = var.cloudwatch_iam_policy_name
policy = data.template_file.cloudwatch_iam_policy_document[0].rendered
policy = one(data.aws_iam_policy_document.cloudwatch).rendered
}

#
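Review bot: The trust policy in `cloudwatch_assume` names the service principal `cloudtrial.amazonaws.com`, a misspelling of `cloudtrail.amazonaws.com`; as written, CloudTrail cannot assume `cloudwatch_iam_role`, so trail events would stop reaching the log group once this applies. The line should read `identifiers = ["cloudtrail.amazonaws.com"]`. In the second hunk, `aws_iam_policy.cloudwatch_iam_policy` reads `one(data.aws_iam_policy_document.cloudwatch).rendered`, but `aws_iam_policy_document` exposes the document as `json`, which is what the other three conversions in this commit use, so this will fail at plan time; it should be `policy = one(data.aws_iam_policy_document.cloudwatch).json`. The deleted `cloudwatch_assume_role_policy.tpl` is not shown on the page, so whether the typo was carried over from the template cannot be checked here.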
13 changes: 0 additions & 13 deletions policies/aws_config_assume_role_policy.tpl

This file was deleted.

25 changes: 0 additions & 25 deletions policies/aws_config_policy.tpl

This file was deleted.

13 changes: 0 additions & 13 deletions policies/cloudwatch_assume_role_policy.tpl

This file was deleted.

23 changes: 0 additions & 23 deletions policies/cloudwatch_policy.tpl

This file was deleted.

109 changes: 0 additions & 109 deletions policies/force-mfa.json

This file was deleted.

