diff --git a/aws-aurora-mysql/variables.tf b/aws-aurora-mysql/variables.tf
index ac3cac8c..42dd2527 100755
--- a/aws-aurora-mysql/variables.tf
+++ b/aws-aurora-mysql/variables.tf
@@ -92,7 +92,7 @@ variable "publicly_accessible" {
}
variable "rds_cluster_parameters" {
- type = list
+ type = list(any)
description = "Cluster params you can set. [Doc](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Reference.html#AuroraMySQL.Reference.Parameters.Cluster)"
default = [
@@ -110,7 +110,7 @@ variable "rds_cluster_parameters" {
}
variable "db_parameters" {
- type = list
+ type = list(any)
description = "Instance params you can set. [Doc](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Reference.html#AuroraMySQL.Reference.Parameters.Instance)"
default = [
@@ -175,13 +175,13 @@ variable "params_engine_version" {
default = "5.7"
}
-variable ca_cert_identifier {
+variable "ca_cert_identifier" {
type = string
description = "Identifier for the certificate authority. rds-ca-2019 is the latest available version."
default = "rds-ca-2019"
}
-variable auto_minor_version_upgrade {
+variable "auto_minor_version_upgrade" {
type = bool
description = "Set the databases to automatically upgrade minor versions."
default = true
diff --git a/aws-aurora-postgres/variables.tf b/aws-aurora-postgres/variables.tf
index cdc4e588..6aebf5fb 100755
--- a/aws-aurora-postgres/variables.tf
+++ b/aws-aurora-postgres/variables.tf
@@ -86,13 +86,13 @@ variable "apply_immediately" {
}
variable "rds_cluster_parameters" {
- type = list
+ type = list(any)
description = "Cluster params you can set. [Doc](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Reference.html#AuroraPostgreSQL.Reference.Parameters.Cluster)"
default = []
}
variable "db_parameters" {
- type = list
+ type = list(any)
description = "Instance params you can set. [Doc](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Reference.html#AuroraPostgreSQL.Reference.Parameters.Instance)"
default = []
}
@@ -119,13 +119,13 @@ variable "iam_database_authentication_enabled" {
default = false
}
-variable ca_cert_identifier {
+variable "ca_cert_identifier" {
type = string
description = "Identifier for the certificate authority."
default = "rds-ca-2019"
}
-variable auto_minor_version_upgrade {
+variable "auto_minor_version_upgrade" {
type = bool
description = "Set the databases to automatically upgrade minor versions."
default = true
diff --git a/aws-aurora/main.tf b/aws-aurora/main.tf
index dd5ab92d..095c2b30 100755
--- a/aws-aurora/main.tf
+++ b/aws-aurora/main.tf
@@ -17,7 +17,7 @@ resource "aws_security_group" "rds" {
vpc_id = var.vpc_id
- dynamic ingress {
+ dynamic "ingress" {
for_each = var.ingress_cidr_blocks
content {
from_port = var.port
@@ -27,7 +27,7 @@ resource "aws_security_group" "rds" {
}
}
- dynamic ingress {
+ dynamic "ingress" {
for_each = var.ingress_security_groups
content {
from_port = var.port
diff --git a/aws-aurora/variables.tf b/aws-aurora/variables.tf
index 7cf9b8ef..1db7e059 100755
--- a/aws-aurora/variables.tf
+++ b/aws-aurora/variables.tf
@@ -77,13 +77,13 @@ variable "publicly_accessible" {
}
variable "rds_cluster_parameters" {
- type = list
+ type = list(any)
default = []
}
variable "db_parameters" {
- type = list
+ type = list(any)
default = []
}
@@ -116,7 +116,7 @@ variable "iam_database_authentication_enabled" {
}
variable "enabled_cloudwatch_logs_exports" {
- type = list
+ type = list(any)
default = []
}
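Review bot: `type = list(any)` on `enabled_cloudwatch_logs_exports` leaves the constraint as loose as the old bare `list`, although this value can only ever be a list of log-type names; `type = list(string)` would reject a mistyped caller at plan time rather than at apply. The same applies to the other string-valued lists converted in this commit: `target_accounts` and `users` in aws-iam-group-assume-role/variables.tf, `bless_lambda_arns` in aws-iam-role-bless/variables.tf and `s3_bucket_prefixes` in aws-iam-role-cloudfront-poweruser/variables.tf. The `rds_cluster_parameters`/`db_parameters` lists and the `dependencies` pseudo-depends_on list appear to genuinely need `any`, so keeping those is reasonable. Tightening matters most for `target_accounts`, since those values presumably feed a trust policy, where a malformed element is a security-relevant misconfiguration rather than a cosmetic one.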
@@ -130,13 +130,13 @@ variable "db_deletion_protection" {
default = false
}
-variable ca_cert_identifier {
+variable "ca_cert_identifier" {
type = string
description = "Identifier for the certificate authority. Use rds-ca-2019 for anything new."
default = "rds-ca-2019"
}
-variable auto_minor_version_upgrade {
+variable "auto_minor_version_upgrade" {
type = bool
description = "Set the databases to automatically upgrade minor versions."
default = true
diff --git a/aws-cloudfront-domain-redirect/main.tf b/aws-cloudfront-domain-redirect/main.tf
index 3ccd78b4..4f9196ca 100644
--- a/aws-cloudfront-domain-redirect/main.tf
+++ b/aws-cloudfront-domain-redirect/main.tf
@@ -7,7 +7,7 @@ locals {
}
}
-resource aws_s3_bucket redirect_bucket {
+resource "aws_s3_bucket" "redirect_bucket" {
bucket = "redirect-${var.source_domain}-to-${var.target_domain}"
website {
redirect_all_requests_to = "https://${var.target_domain}"
@@ -36,7 +36,7 @@ module "cert" {
service = var.service
}
-resource aws_cloudfront_distribution cf {
+resource "aws_cloudfront_distribution" "cf" {
enabled = true
comment = "Redirect requests from ${var.source_domain} to ${var.target_domain}."
@@ -93,7 +93,7 @@ resource aws_cloudfront_distribution cf {
tags = local.tags
}
-resource aws_route53_record alias_ipv4 {
+resource "aws_route53_record" "alias_ipv4" {
zone_id = var.source_domain_zone_id
name = var.source_domain
type = "A"
@@ -105,7 +105,7 @@ resource aws_route53_record alias_ipv4 {
}
}
-resource aws_route53_record alias_ipv6 {
+resource "aws_route53_record" "alias_ipv6" {
zone_id = var.source_domain_zone_id
name = var.source_domain
type = "AAAA"
diff --git a/aws-cloudfront-domain-redirect/variables.tf b/aws-cloudfront-domain-redirect/variables.tf
index 1ebc0b16..40df98e5 100755
--- a/aws-cloudfront-domain-redirect/variables.tf
+++ b/aws-cloudfront-domain-redirect/variables.tf
@@ -1,34 +1,34 @@
-variable project {
+variable "project" {
type = string
description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable env {
+variable "env" {
type = string
description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable service {
+variable "service" {
type = string
description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable owner {
+variable "owner" {
type = string
description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable source_domain {
+variable "source_domain" {
type = string
description = "The domain that will be redirected from."
}
-variable source_domain_zone_id {
+variable "source_domain_zone_id" {
type = string
description = "Route53 zone id for the source domain."
}
-variable target_domain {
+variable "target_domain" {
type = string
description = "The domain that will be redirected to."
}
diff --git a/aws-cloudfront-logs-bucket/variables.tf b/aws-cloudfront-logs-bucket/variables.tf
index d06a262a..a4e282f8 100755
--- a/aws-cloudfront-logs-bucket/variables.tf
+++ b/aws-cloudfront-logs-bucket/variables.tf
@@ -58,7 +58,7 @@ variable "lifecycle_rules" {
]
}
-variable public_access_block {
+variable "public_access_block" {
type = bool
default = true
}
diff --git a/aws-cloudwatch-log-retention-manager/main.tf b/aws-cloudwatch-log-retention-manager/main.tf
index a7b88154..f195faf0 100755
--- a/aws-cloudwatch-log-retention-manager/main.tf
+++ b/aws-cloudwatch-log-retention-manager/main.tf
@@ -10,7 +10,7 @@ locals {
lambda_name = "${var.project}-${var.env}-${var.service}-cloudwatch-retention"
}
-data archive_file lambda {
+data "archive_file" "lambda" {
type = "zip"
output_path = "${path.module}/build/lambda.zip"
source {
@@ -60,7 +60,7 @@ data archive_file lambda {
}
}
-module lambda {
+module "lambda" {
source = "../aws-lambda-function"
function_name = local.lambda_name
@@ -78,18 +78,18 @@ module lambda {
service = var.service
}
-resource aws_cloudwatch_event_rule trigger {
+resource "aws_cloudwatch_event_rule" "trigger" {
name = "${var.project}-${var.env}-${var.service}-retention-trigger"
schedule_expression = "rate(12 hours)"
tags = local.tags
}
-resource aws_cloudwatch_event_target trigger {
+resource "aws_cloudwatch_event_target" "trigger" {
rule = aws_cloudwatch_event_rule.trigger.id
arn = module.lambda.arn
}
-resource aws_lambda_permission permission {
+resource "aws_lambda_permission" "permission" {
statement_id = "AllowScheduledLambdaExecution"
action = "lambda:InvokeFunction"
function_name = local.lambda_name
@@ -97,7 +97,7 @@ resource aws_lambda_permission permission {
source_arn = aws_cloudwatch_event_rule.trigger.arn
}
-data aws_iam_policy_document policy {
+data "aws_iam_policy_document" "policy" {
statement {
effect = "Allow"
actions = [
@@ -110,7 +110,7 @@ data aws_iam_policy_document policy {
}
}
-resource aws_iam_role_policy policy {
+resource "aws_iam_role_policy" "policy" {
name = "allow-managing-log-groups"
role = module.lambda.role_id
policy = data.aws_iam_policy_document.policy.json
diff --git a/aws-cloudwatch-log-retention-manager/variables.tf b/aws-cloudwatch-log-retention-manager/variables.tf
index 72a2c102..85cdec0c 100755
--- a/aws-cloudwatch-log-retention-manager/variables.tf
+++ b/aws-cloudwatch-log-retention-manager/variables.tf
@@ -1,24 +1,24 @@
-variable project {
+variable "project" {
type = string
description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable env {
+variable "env" {
type = string
description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable service {
+variable "service" {
type = string
description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable owner {
+variable "owner" {
type = string
description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable maximum_retention {
+variable "maximum_retention" {
type = number
description = "The default days of retention to apply to untagged Cloudwatch Log Groups."
}
diff --git a/aws-iam-group-assume-role/variables.tf b/aws-iam-group-assume-role/variables.tf
index 3b850053..1d4dbca0 100755
--- a/aws-iam-group-assume-role/variables.tf
+++ b/aws-iam-group-assume-role/variables.tf
@@ -1,5 +1,5 @@
variable "target_accounts" {
- type = list
+ type = list(any)
description = "List of accounts in which this role should be assume-able."
}
@@ -15,7 +15,7 @@ variable "group_name" {
}
variable "users" {
- type = list
+ type = list(any)
default = []
description = "List of user's names who should be added to this group."
}
@@ -29,5 +29,5 @@ variable "target_role" {
# Pseudo depends_on because Terraform modules do not support depends_on
variable "dependencies" {
default = []
- type = list
+ type = list(any)
}
diff --git a/aws-iam-role-bless/variables.tf b/aws-iam-role-bless/variables.tf
index 1569ce29..bcfa0b0d 100755
--- a/aws-iam-role-bless/variables.tf
+++ b/aws-iam-role-bless/variables.tf
@@ -15,7 +15,7 @@ variable "source_account_ids" {
}
variable "bless_lambda_arns" {
- type = list
+ type = list(any)
description = "List of bless lambda arns"
}
@@ -25,22 +25,22 @@ variable "iam_path" {
description = "IAM path"
}
-variable project {
+variable "project" {
type = string
description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable env {
+variable "env" {
type = string
description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable service {
+variable "service" {
type = string
description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable owner {
+variable "owner" {
type = string
description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
diff --git a/aws-iam-role-cloudfront-poweruser/variables.tf b/aws-iam-role-cloudfront-poweruser/variables.tf
index 515d65cd..e62386c1 100755
--- a/aws-iam-role-cloudfront-poweruser/variables.tf
+++ b/aws-iam-role-cloudfront-poweruser/variables.tf
@@ -4,7 +4,7 @@ variable "role_name" {
}
variable "s3_bucket_prefixes" {
- type = list
+ type = list(any)
description = "Limits role permissions to buckets with specific prefixes. Empty for all buckets."
default = [
@@ -35,22 +35,22 @@ variable "saml_idp_arn" {
description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided."
}
-variable project {
+variable "project" {
type = string
description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable env {
+variable "env" {
type = string
description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable service {
+variable "service" {
type = string
description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable owner {
+variable "owner" {
type = string
description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
diff --git a/aws-iam-role-crossacct/variables.tf b/aws-iam-role-crossacct/variables.tf
index 098f2e18..70da629b 100755
--- a/aws-iam-role-crossacct/variables.tf
+++ b/aws-iam-role-crossacct/variables.tf
@@ -26,7 +26,7 @@ variable "saml_idp_arn" {
description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided."
}
-variable oidc {
+variable "oidc" {
type = list(object(
{
idp_arn : string, # the AWS IAM IDP arn
@@ -39,27 +39,27 @@ variable oidc {
description = "A list of AWS OIDC IDPs to establish a trust relationship for this role."
}
-variable project {
+variable "project" {
type = string
description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable env {
+variable "env" {
type = string
description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable service {
+variable "service" {
type = string
description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable owner {
+variable "owner" {
type = string
description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable max_session_duration {
+variable "max_session_duration" {
type = number
default = 60 * 60 // 1 hour
description = "The maximum session duration (in seconds) for the role."
diff --git a/aws-iam-role-ec2-poweruser/variables.tf b/aws-iam-role-ec2-poweruser/variables.tf
index b930a29f..c4a1458c 100755
--- a/aws-iam-role-ec2-poweruser/variables.tf
+++ b/aws-iam-role-ec2-poweruser/variables.tf
@@ -31,22 +31,22 @@ variable "default_iam_policy" {
default = true
}
-variable project {
+variable "project" {
type = string
description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable env {
+variable "env" {
type = string
description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable service {
+variable "service" {
type = string
description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable owner {
+variable "owner" {
type = string
description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
diff --git a/aws-iam-role-ecs-poweruser/variables.tf b/aws-iam-role-ecs-poweruser/variables.tf
index fe4467ad..acbd5055 100755
--- a/aws-iam-role-ecs-poweruser/variables.tf
+++ b/aws-iam-role-ecs-poweruser/variables.tf
@@ -25,22 +25,22 @@ variable "saml_idp_arn" {
description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided."
}
-variable project {
+variable "project" {
type = string
description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable env {
+variable "env" {
type = string
description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable service {
+variable "service" {
type = string
description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable owner {
+variable "owner" {
type = string
description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
diff --git a/aws-iam-role-infraci/main.tf b/aws-iam-role-infraci/main.tf
index a7ee5624..d1abe1d9 100755
--- a/aws-iam-role-infraci/main.tf
+++ b/aws-iam-role-infraci/main.tf
@@ -105,7 +105,7 @@ data "aws_iam_policy_document" "secrets" {
}
}
- dynamic statement {
+ dynamic "statement" {
for_each = var.terraform_state_lock_dynamodb_arns
diff --git a/aws-iam-role-infraci/variables.tf b/aws-iam-role-infraci/variables.tf
index 16ec7f60..9bcd2907 100755
--- a/aws-iam-role-infraci/variables.tf
+++ b/aws-iam-role-infraci/variables.tf
@@ -30,22 +30,22 @@ variable "saml_idp_arn" {
description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided."
}
-variable project {
+variable "project" {
type = string
description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable env {
+variable "env" {
type = string
description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable service {
+variable "service" {
type = string
description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable owner {
+variable "owner" {
type = string
description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
diff --git a/aws-iam-role-poweruser/variables.tf b/aws-iam-role-poweruser/variables.tf
index 056d9d23..d7dc0585 100755
--- a/aws-iam-role-poweruser/variables.tf
+++ b/aws-iam-role-poweruser/variables.tf
@@ -26,7 +26,7 @@ variable "iam_path" {
default = "/"
}
-variable oidc {
+variable "oidc" {
type = list(object(
{
idp_arn : string, # the AWS IAM IDP arn
@@ -39,34 +39,34 @@ variable oidc {
description = "A list of AWS OIDC IDPs to establish a trust relationship for this role."
}
-variable authorize_iam {
+variable "authorize_iam" {
type = bool
default = true
description = "Indicates if we should augment the PowerUserAccess policy with certain IAM actions."
}
-variable max_session_duration {
+variable "max_session_duration" {
type = number
default = 60 * 60 // 1 hour
description = "The maximum session duration (in seconds) for the role."
}
-variable project {
+variable "project" {
type = string
description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable env {
+variable "env" {
type = string
description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable service {
+variable "service" {
type = string
description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable owner {
+variable "owner" {
type = string
description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
\ No newline at end of file
diff --git a/aws-iam-role-readonly/variables.tf b/aws-iam-role-readonly/variables.tf
index 1a2b2f64..89274c40 100755
--- a/aws-iam-role-readonly/variables.tf
+++ b/aws-iam-role-readonly/variables.tf
@@ -25,7 +25,7 @@ variable "saml_idp_arn" {
description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided."
}
-variable oidc {
+variable "oidc" {
type = list(object(
{
idp_arn : string, # the AWS IAM IDP arn
@@ -38,28 +38,28 @@ variable oidc {
description = "A list of AWS OIDC IDPs to establish a trust relationship for this role."
}
-variable authorize_read_secrets {
+variable "authorize_read_secrets" {
type = bool
description = "Should this role also be authorized to decrypt and read secrets."
default = true
}
-variable project {
+variable "project" {
type = string
description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable env {
+variable "env" {
type = string
description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable service {
+variable "service" {
type = string
description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable owner {
+variable "owner" {
type = string
description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
diff --git a/aws-iam-role-route53domains-poweruser/variables.tf b/aws-iam-role-route53domains-poweruser/variables.tf
index fc7a28d9..49d9988e 100644
--- a/aws-iam-role-route53domains-poweruser/variables.tf
+++ b/aws-iam-role-route53domains-poweruser/variables.tf
@@ -26,22 +26,22 @@ variable "saml_idp_arn" {
description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided."
}
-variable project {
+variable "project" {
type = string
description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable env {
+variable "env" {
type = string
description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable service {
+variable "service" {
type = string
description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable owner {
+variable "owner" {
type = string
description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
diff --git a/aws-iam-role-security-audit/variables.tf b/aws-iam-role-security-audit/variables.tf
index 88af1781..1f8619d3 100755
--- a/aws-iam-role-security-audit/variables.tf
+++ b/aws-iam-role-security-audit/variables.tf
@@ -27,22 +27,22 @@ variable "saml_idp_arn" {
description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided."
}
-variable project {
+variable "project" {
type = string
description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable env {
+variable "env" {
type = string
description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable service {
+variable "service" {
type = string
description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable owner {
+variable "owner" {
type = string
description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
diff --git a/aws-iam-role/README.md b/aws-iam-role/README.md
index 85112108..a04c14bb 100644
--- a/aws-iam-role/README.md
+++ b/aws-iam-role/README.md
@@ -30,35 +30,48 @@ module iam-role {
| Name | Version |
|------|---------|
-| aws | < 3.0.0 |
+| [aws](#requirement\_aws) | < 3.0.0 |
## Providers
| Name | Version |
|------|---------|
-| aws | < 3.0.0 |
+| [aws](#provider\_aws) | < 3.0.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_role.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy_attachment.policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| attached\_policies\_names\_arns | Map of policy names to the respective ARNs to be attached to the IAM role. | `map(string)` | `{}` | no |
-| env | Env for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes |
-| iam\_path | The IAM path under which the IAM role will be created. | `string` | `null` | no |
-| inline\_policies | List of inline policies to be associated with the IAM role. | `list(object({ name = string, policy = string }))` | `[]` | no |
-| owner | Owner for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes |
-| principals | AWS IAM Principals which will be able to assume this role. | `list(object({ type = string, identifiers = list(string) }))` | n/a | yes |
-| project | Project for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes |
-| role\_description | IAM role description. | `string` | `null` | no |
-| role\_name | IAM role name. | `string` | n/a | yes |
-| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | `string` | `""` | no |
-| service | Service for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes |
+| [attached\_policies\_names\_arns](#input\_attached\_policies\_names\_arns) | Map of policy names to the respective ARNs to be attached to the IAM role. | `map(string)` | `{}` | no |
+| [env](#input\_env) | Env for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes |
+| [iam\_path](#input\_iam\_path) | The IAM path under which the IAM role will be created. | `string` | `null` | no |
+| [inline\_policies](#input\_inline\_policies) | List of inline policies to be associated with the IAM role. | `list(object({ name = string, policy = string }))` | `[]` | no |
+| [max\_session\_duration](#input\_max\_session\_duration) | The maximum amount of time, in seconds, that a principal can assume this role. | `number` | `3600` | no |
+| [owner](#input\_owner) | Owner for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes |
+| [principals](#input\_principals) | AWS IAM Principals which will be able to assume this role. | `list(object({ type = string, identifiers = list(string) }))` | n/a | yes |
+| [project](#input\_project) | Project for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes |
+| [role\_description](#input\_role\_description) | IAM role description. | `string` | `null` | no |
+| [role\_name](#input\_role\_name) | IAM role name. | `string` | n/a | yes |
+| [saml\_idp\_arn](#input\_saml\_idp\_arn) | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | `string` | `""` | no |
+| [service](#input\_service) | Service for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes |
## Outputs
| Name | Description |
|------|-------------|
-| role\_arn | IAM role ARN. |
-| role\_name | IAM role name. |
-
+| [role\_arn](#output\_role\_arn) | IAM role ARN. |
+| [role\_name](#output\_role\_name) | IAM role name. |
diff --git a/aws-iam-role/main.tf b/aws-iam-role/main.tf
index 48dbb467..32b97eaa 100644
--- a/aws-iam-role/main.tf
+++ b/aws-iam-role/main.tf
@@ -10,7 +10,7 @@ locals {
data "aws_iam_policy_document" "assume_role_policy" {
statement {
- dynamic principals {
+ dynamic "principals" {
for_each = var.principals
content {
type = principals.value.type
@@ -20,7 +20,7 @@ data "aws_iam_policy_document" "assume_role_policy" {
actions = ["sts:AssumeRole"]
}
- dynamic statement {
+ dynamic "statement" {
for_each = compact([var.saml_idp_arn])
content {
principals {
@@ -45,6 +45,8 @@ resource "aws_iam_role" "role" {
path = var.iam_path
assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
+ max_session_duration = var.max_session_duration
+
tags = local.tags
}
diff --git a/aws-iam-role/outputs.tf b/aws-iam-role/outputs.tf
index dc3f5dec..420e031f 100755
--- a/aws-iam-role/outputs.tf
+++ b/aws-iam-role/outputs.tf
@@ -1,9 +1,9 @@
-output role_name {
+output "role_name" {
value = aws_iam_role.role.id
description = "IAM role name."
}
-output role_arn {
+output "role_arn" {
value = aws_iam_role.role.arn
description = "IAM role ARN."
}
diff --git a/aws-iam-role/variables.tf b/aws-iam-role/variables.tf
index 380c3532..de012eea 100755
--- a/aws-iam-role/variables.tf
+++ b/aws-iam-role/variables.tf
@@ -1,58 +1,63 @@
-variable project {
+variable "project" {
type = string
description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable env {
+variable "env" {
type = string
description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable service {
+variable "service" {
type = string
description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable owner {
+variable "owner" {
type = string
description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable iam_path {
+variable "iam_path" {
type = string
description = "The IAM path under which the IAM role will be created."
default = null
}
-variable principals {
+variable "principals" {
type = list(object({ type = string, identifiers = list(string) }))
description = "AWS IAM Principals which will be able to assume this role."
}
-variable saml_idp_arn {
+variable "max_session_duration" {
+ type = number
+ description = "The maximum amount of time, in seconds, that a principal can assume this role."
+ default = 3600
+}
+variable "saml_idp_arn" {
type = string
default = ""
description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided."
}
-variable role_name {
+variable "role_name" {
type = string
description = "IAM role name."
}
-variable role_description {
+variable "role_description" {
type = string
description = "IAM role description."
default = null
}
-variable inline_policies {
+variable "inline_policies" {
type = list(object({ name = string, policy = string }))
description = "List of inline policies to be associated with the IAM role."
default = []
}
-variable attached_policies_names_arns {
+variable "attached_policies_names_arns" {
type = map(string)
description = "Map of policy names to the respective ARNs to be attached to the IAM role."
default = {}
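Review bot: The new `max_session_duration` variable accepts any number, but IAM only permits values from 3600 to 43200 seconds, so an out-of-range value is only rejected at apply time when `aws_iam_role.role` in aws-iam-role/main.tf sets `max_session_duration = var.max_session_duration`. If the module already requires Terraform 0.13 or newer (not visible in this chunk), a `validation` block on the variable fails fast at plan time. The description should also state the trade-off, since raising this value extends how long leaked temporary credentials for the role remain usable; the rewritten variable below carries both.
```hcl
variable "max_session_duration" {
  type        = number
  description = "The maximum amount of time, in seconds, that a principal can assume this role (3600-43200). Longer sessions extend how long leaked temporary credentials remain usable."
  default     = 3600

  # IAM rejects MaxSessionDuration outside 1h..12h; catch it at plan time instead of apply time.
  validation {
    condition     = var.max_session_duration >= 3600 && var.max_session_duration <= 43200
    error_message = "The max_session_duration value must be between 3600 and 43200 seconds."
  }
}
```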
diff --git a/aws-iam-secrets-reader-policy/main.tf b/aws-iam-secrets-reader-policy/main.tf
index 3fa8bcf0..5127c049 100755
--- a/aws-iam-secrets-reader-policy/main.tf
+++ b/aws-iam-secrets-reader-policy/main.tf
@@ -1,5 +1,5 @@
# TODO KMS permissions
-data aws_iam_policy_document policy {
+data "aws_iam_policy_document" "policy" {
statement {
actions = [
"secretsmanager:GetSecretValue",
@@ -9,14 +9,14 @@ data aws_iam_policy_document policy {
}
}
-resource aws_iam_policy policy {
+resource "aws_iam_policy" "policy" {
name_prefix = "${var.role_name}-secrets-policy"
description = "A terraform created policy for reading secrets manager secrets."
path = var.iam_path
policy = data.aws_iam_policy_document.policy.json
}
-resource aws_iam_policy_attachment attach {
+resource "aws_iam_policy_attachment" "attach" {
name = "attachment"
roles = [var.role_name]
policy_arn = aws_iam_policy.policy.arn
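Review bot: `aws_iam_policy_attachment` on the new side is the exclusive attachment resource: Terraform treats its `roles`/`users`/`groups` lists as the complete set of entities the policy is attached to and detaches anything attached outside this configuration. Because `aws_iam_policy.policy` is created per `var.role_name` here the practical exposure is small, but `aws_iam_role_policy_attachment` expresses the intent directly and avoids the footgun: `resource "aws_iam_role_policy_attachment" "attach" {` / `role = var.role_name` / `policy_arn = aws_iam_policy.policy.arn`. Changing the resource type would recreate the attachment on the next apply, which is cheap but worth calling out in the commit.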
diff --git a/aws-iam-secrets-reader-policy/test/main.tf b/aws-iam-secrets-reader-policy/test/main.tf
index ab085b9e..d3eba74b 100644
--- a/aws-iam-secrets-reader-policy/test/main.tf
+++ b/aws-iam-secrets-reader-policy/test/main.tf
@@ -1,16 +1,16 @@
-resource random_string name {
+resource "random_string" "name" {
length = 6
special = false
}
-resource random_string not {
+resource "random_string" "not" {
length = 6
special = false
}
-data aws_caller_identity cur {}
+data "aws_caller_identity" "cur" {}
-resource aws_iam_role role {
+resource "aws_iam_role" "role" {
name = random_string.name.result
assume_role_policy = < 0 ? [0] : []
content {
@@ -42,7 +42,7 @@ resource aws_lambda_function lambda {
tags = local.tags
}
-data aws_iam_policy_document lambda_role_policy {
+data "aws_iam_policy_document" "lambda_role_policy" {
statement {
principals {
type = "Service"
@@ -55,7 +55,7 @@ data aws_iam_policy_document lambda_role_policy {
}
}
-resource aws_iam_role role {
+resource "aws_iam_role" "role" {
name = local.name
path = var.lambda_role_path
@@ -64,13 +64,13 @@ resource aws_iam_role role {
tags = local.tags
}
-resource aws_cloudwatch_log_group log {
+resource "aws_cloudwatch_log_group" "log" {
name = "/aws/lambda/${local.name}"
retention_in_days = var.log_retention_in_days
}
-data aws_region current {}
-data aws_caller_identity current {}
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
# TODO scope this policy down
#
@@ -81,7 +81,7 @@ data aws_caller_identity current {}
# arn:aws:logs:us-west-2:123456789:log-group:/foo/bar
# to match operations on the log group(like creating a new stream.) So instead we construct one
# without the colon before the *, so that we can match both log groups and log streams.
-data aws_iam_policy_document lambda_logging_policy {
+data "aws_iam_policy_document" "lambda_logging_policy" {
statement {
effect = "Allow"
actions = compact([
@@ -98,7 +98,7 @@ data aws_iam_policy_document lambda_logging_policy {
}
}
-resource aws_iam_policy lambda_logging {
+resource "aws_iam_policy" "lambda_logging" {
name_prefix = "${local.name}-lambda-logging"
path = "/"
description = "IAM policy for logging from the ${local.name} lambda."
@@ -106,7 +106,7 @@ resource aws_iam_policy lambda_logging {
policy = data.aws_iam_policy_document.lambda_logging_policy.json
}
-resource aws_iam_role_policy_attachment lambda_logs {
+resource "aws_iam_role_policy_attachment" "lambda_logs" {
role = aws_iam_role.role.name
policy_arn = aws_iam_policy.lambda_logging.arn
}
diff --git a/aws-lambda-function/outputs.tf b/aws-lambda-function/outputs.tf
index 04750dd5..29e8f017 100755
--- a/aws-lambda-function/outputs.tf
+++ b/aws-lambda-function/outputs.tf
@@ -1,28 +1,28 @@
-output arn {
+output "arn" {
value = aws_lambda_function.lambda.arn
}
-output qualified_arn {
+output "qualified_arn" {
description = "If the lambda function is published, the qualified_arn points at the latest version number."
value = aws_lambda_function.lambda.qualified_arn
}
-output invoke_arn {
+output "invoke_arn" {
value = aws_lambda_function.lambda.invoke_arn
}
-output function_name {
+output "function_name" {
value = aws_lambda_function.lambda.function_name
}
-output log_group_name {
+output "log_group_name" {
value = aws_cloudwatch_log_group.log.name
}
-output role_name {
+output "role_name" {
value = aws_iam_role.role.name
}
-output role_id {
+output "role_id" {
value = aws_iam_role.role.id
}
diff --git a/aws-lambda-function/test/main.tf b/aws-lambda-function/test/main.tf
index b7211fcb..9b52b6d0 100644
--- a/aws-lambda-function/test/main.tf
+++ b/aws-lambda-function/test/main.tf
@@ -1,4 +1,4 @@
-resource random_string random {
+resource "random_string" "random" {
length = 6
special = false
}
@@ -10,24 +10,24 @@ data "archive_file" "notifier" {
output_path = "${path.module}/hello.zip"
}
-variable project {
+variable "project" {
type = string
description = "Project for tagging and naming."
}
-variable env {
+variable "env" {
type = string
description = "Env for tagging and naming."
}
-variable service {
+variable "service" {
type = string
description = "Service for tagging and naming"
}
-variable owner {
+variable "owner" {
type = string
description = "Owner for tagging and naming."
}
-module lambda {
+module "lambda" {
source = "../."
handler = "hello.hello"
@@ -44,14 +44,14 @@ module lambda {
owner = var.owner
}
-output arn {
+output "arn" {
value = module.lambda.arn
}
-output invoke_arn {
+output "invoke_arn" {
value = module.lambda.invoke_arn
}
-output log_group_name {
+output "log_group_name" {
value = module.lambda.log_group_name
}
diff --git a/aws-lambda-function/variables.tf b/aws-lambda-function/variables.tf
index 126bf312..212ff534 100755
--- a/aws-lambda-function/variables.tf
+++ b/aws-lambda-function/variables.tf
@@ -1,109 +1,109 @@
-variable project {
+variable "project" {
type = string
description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable env {
+variable "env" {
type = string
description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable service {
+variable "service" {
type = string
description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable owner {
+variable "owner" {
type = string
description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable source_s3_bucket {
+variable "source_s3_bucket" {
type = string
description = "Bucket holding lambda source code."
default = null
}
-variable source_s3_key {
+variable "source_s3_key" {
type = string
description = "Key identifying location of code."
default = null
}
-variable handler {
+variable "handler" {
type = string
description = "Name of the lambda handler."
}
-variable runtime {
+variable "runtime" {
type = string
description = "Lambda language runtime."
}
-variable timeout {
+variable "timeout" {
type = number
description = "Execution timeout for the lambda."
default = null
}
-variable environment {
+variable "environment" {
type = map(string)
description = "Map of environment variables."
default = {}
}
-variable kms_key_arn {
+variable "kms_key_arn" {
type = string
description = "KMS key used to encrypt environment variables."
default = null
}
-variable source_code_hash {
+variable "source_code_hash" {
type = string
default = null
}
-variable filename {
+variable "filename" {
type = string
default = null
}
-variable log_retention_in_days {
+variable "log_retention_in_days" {
type = number
default = null
}
-variable function_name {
+variable "function_name" {
type = string
description = "If not set, function use default naming convention of $project-$env-$service. See local.name in main.tf"
default = null
}
-variable function_description {
+variable "function_description" {
type = string
description = "Description for lambda function."
default = ""
}
-variable publish_lambda {
+variable "publish_lambda" {
type = bool
description = "Whether to publish creation/change as new lambda function version."
default = false
}
-variable lambda_role_path {
+variable "lambda_role_path" {
type = string
description = "The path to the IAM role for lambda."
default = null
}
-variable at_edge {
+variable "at_edge" {
type = bool
description = "Is this lambda going to be used with a Cloufront distribution? If you set this, you will not have control over log retention, and you cannot include environment variables."
default = false
}
-variable reserved_concurrent_executions {
+variable "reserved_concurrent_executions" {
type = number
description = "Set reserved_concurrent_executions for this function. See [docs](https://docs.aws.amazon.com/lambda/latest/dg/configuration-concurrency.html)."
default = -1 // aws default
diff --git a/aws-params-writer/variables.tf b/aws-params-writer/variables.tf
index 307f879b..037cbd8e 100755
--- a/aws-params-writer/variables.tf
+++ b/aws-params-writer/variables.tf
@@ -19,7 +19,7 @@ variable "owner" {
}
variable "parameters" {
- type = map
+ type = map(any)
description = "Map from parameter names to values to set."
}
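Review bot: `map(any)` on the `+ type = map(any)` line is the minimal replacement for the deprecated bare `map`, but it still accepts a map of whatever single element type the caller happens to pass, so a number or bool value is only rejected where the module uses it. Since the description says the values are parameter values to set, `type = map(string)` would be the tighter declaration and would fail at plan time on a wrong shape; confirm that no caller relies on non-string values before tightening it. The same mechanical `any` replacement is made for `lambda_environment` in aws-sns-lambda/variables.tf and `authorized_users` in bless-ca/variables.tf in this diff; each of those has a more specific type available, which is raised at the respective hunk.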
diff --git a/aws-s3-account-public-access-block/main.tf b/aws-s3-account-public-access-block/main.tf
index 63aac7d2..a518491f 100644
--- a/aws-s3-account-public-access-block/main.tf
+++ b/aws-s3-account-public-access-block/main.tf
@@ -5,8 +5,8 @@ locals {
# These only affect new acls and policies by rejecting requests that contain them
- block_public_acls = ! local.is_none # all or new
- block_public_policy = ! local.is_none # all or new
+ block_public_acls = !local.is_none # all or new
+ block_public_policy = !local.is_none # all or new
# These affect existing buckets, policies, and acls
ignore_public_acls = local.is_all
diff --git a/aws-s3-account-public-access-block/outputs.tf b/aws-s3-account-public-access-block/outputs.tf
index 825b2f7f..f6666a7d 100644
--- a/aws-s3-account-public-access-block/outputs.tf
+++ b/aws-s3-account-public-access-block/outputs.tf
@@ -1,4 +1,4 @@
-output block_settings {
+output "block_settings" {
description = "The computed block configuration"
value = {
block_public_acls = local.block_public_acls
diff --git a/aws-s3-account-public-access-block/variables.tf b/aws-s3-account-public-access-block/variables.tf
index 761d1c67..b9669c5b 100644
--- a/aws-s3-account-public-access-block/variables.tf
+++ b/aws-s3-account-public-access-block/variables.tf
@@ -1,4 +1,4 @@
-variable restrict {
+variable "restrict" {
type = string
default = "all"
description = < sns.arn }
description = "SNS topic ARNs."
}
diff --git a/aws-sns-lambda/sns.tf b/aws-sns-lambda/sns.tf
index fa57b342..fff02125 100644
--- a/aws-sns-lambda/sns.tf
+++ b/aws-sns-lambda/sns.tf
@@ -19,7 +19,7 @@ locals {
]
}
-resource aws_sns_topic sns {
+resource "aws_sns_topic" "sns" {
for_each = { for sns_config in local.valid_sns_configs : sns_config.topic_name => sns_config }
name = each.value.topic_name == null ? local.default_sns_name : each.value.topic_name
display_name = each.value.topic_display_name
@@ -32,7 +32,7 @@ resource aws_sns_topic sns {
}
}
-resource aws_sns_topic_subscription sns_subscription {
+resource "aws_sns_topic_subscription" "sns_subscription" {
for_each = { for sns_config in local.valid_sns_configs : sns_config.topic_name => sns_config }
topic_arn = aws_sns_topic.sns[each.value.topic_name].arn
confirmation_timeout_in_minutes = each.value.confirmation_timeout_in_minutes
diff --git a/aws-sns-lambda/test/main.tf b/aws-sns-lambda/test/main.tf
index d74d0d3d..89288aa8 100644
--- a/aws-sns-lambda/test/main.tf
+++ b/aws-sns-lambda/test/main.tf
@@ -1,4 +1,4 @@
-resource random_string random {
+resource "random_string" "random" {
length = 6
special = false
}
@@ -10,7 +10,7 @@ data "archive_file" "notifier" {
output_path = "${path.module}/hello.zip"
}
-module sns-lambda {
+module "sns-lambda" {
source = "./.."
lambda_handler = "hello.hello2"
diff --git a/aws-sns-lambda/variables.tf b/aws-sns-lambda/variables.tf
index 0cdab5de..6b67f123 100644
--- a/aws-sns-lambda/variables.tf
+++ b/aws-sns-lambda/variables.tf
@@ -1,87 +1,87 @@
-variable project {
+variable "project" {
type = string
description = "Project for tagging and naming."
}
-variable env {
+variable "env" {
type = string
description = "Env for tagging and naming."
}
-variable service {
+variable "service" {
type = string
description = "Service for tagging and naming"
}
-variable owner {
+variable "owner" {
type = string
description = "Owner for tagging and naming."
}
-variable lambda_environment {
- type = map
+variable "lambda_environment" {
+ type = map(any)
description = "Environment for lambda."
default = {}
}
-variable function_description {
+variable "function_description" {
type = string
description = "Description for the lambda function."
default = ""
}
-variable publish_lambda {
+variable "publish_lambda" {
type = bool
description = "Whether to publish creation/change as new Lambda Function Version."
default = false
}
-variable lambda_role_path {
+variable "lambda_role_path" {
type = string
description = "Path of the IAM role for lambda."
default = null
}
-variable lambda_handler {
+variable "lambda_handler" {
type = string
description = "Name of the lambda handler."
}
-variable lambda_runtime {
+variable "lambda_runtime" {
type = string
description = "Lambda language runtime."
}
-variable lambda_timeout {
+variable "lambda_timeout" {
type = number
description = "Execution timeout for the lambda."
default = null
}
-variable lambda_source_code_hash {
+variable "lambda_source_code_hash" {
type = string
description = "Lambda source code, used to trigger updates. Must be set to a base64-encoded SHA256 hash of the package file."
default = null
}
-variable lambda_zip_file {
+variable "lambda_zip_file" {
type = string
description = "The path to the function's deployment package within the local filesystem."
}
-variable log_retention_in_days {
+variable "log_retention_in_days" {
type = number
description = "The number of days to retain log events in the log group for lambda."
default = null
}
-variable lambda_function_name {
+variable "lambda_function_name" {
type = string
description = "Name for lambda function. If not set, function use default naming convention of $project-$env-$service."
default = null
}
-variable sns_configurations {
+variable "sns_configurations" {
type = list(any)
description = "List of objects containing the SNS configurations."
default = []
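Review bot: `lambda_environment` is declared `map(any)` on the `+ type = map(any)` line, while the corresponding `environment` variable in aws-lambda-function/variables.tf (also in this diff) is `map(string)`. If this module forwards the value to that module, the looser declaration here only defers the type error to the inner module, where the message points at a variable the caller never set directly. Declaring it `type = map(string)` keeps the two modules consistent and reports a bad value against the variable the caller actually provided.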
diff --git a/bless-ca/lambda.tf b/bless-ca/lambda.tf
index ecd584cc..d7e1099b 100644
--- a/bless-ca/lambda.tf
+++ b/bless-ca/lambda.tf
@@ -16,7 +16,7 @@ data "bless_lambda" "code" {
kmsauth_iam_group_name_format = var.kmsauth_iam_group_name_format
}
-module lambda {
+module "lambda" {
source = "../aws-lambda-function"
filename = local.lambda_zip_file
diff --git a/bless-ca/test/outputs.tf b/bless-ca/test/outputs.tf
index 15050fa7..7643f03f 100644
--- a/bless-ca/test/outputs.tf
+++ b/bless-ca/test/outputs.tf
@@ -1,3 +1,3 @@
-output lambda_arn {
+output "lambda_arn" {
value = module.bless.lambda_arn
}
diff --git a/bless-ca/variables.tf b/bless-ca/variables.tf
index cd03dc6c..0da23311 100755
--- a/bless-ca/variables.tf
+++ b/bless-ca/variables.tf
@@ -5,7 +5,7 @@ variable "iam_path" {
}
variable "authorized_users" {
- type = list
+ type = list(any)
default = []
description = "A list of IAM users authorized ot invoke bless and the corresponding kmsauth key."
}
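Review bot: `authorized_users` keeps an untyped element on the `+ type = list(any)` line even though the description says each entry pairs an IAM user with a kmsauth key; for an authorization list, a structured type such as `list(object({ ... }))` with the attribute names the module actually reads would reject a malformed entry at plan time rather than wherever it is indexed. The attribute names are not visible in this hunk, so confirm them against the module body before choosing the object type. The description line below also has a typo: `description = "A list of IAM users authorized to invoke bless and the corresponding kmsauth key."`.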
diff --git a/module-template/variables.tf b/module-template/variables.tf
index 0e735537..2af9fc58 100755
--- a/module-template/variables.tf
+++ b/module-template/variables.tf
@@ -1,19 +1,19 @@
-variable project {
+variable "project" {
type = string
description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable env {
+variable "env" {
type = string
description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable service {
+variable "service" {
type = string
description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)"
}
-variable owner {
+variable "owner" {
type = string
description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)"
}