Updated examples for iam-policy and formatting

riteshsingla01 · Feb 19, 2019 · fec4895 · fec4895
1 parent 52656bb
commit fec4895
Show file tree

Hide file tree

Showing 18 changed files with 194 additions and 179 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,10 +1,10 @@
 repos:
 - repo: git://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.7.1
+  rev: v1.9.0
   hooks:
     - id: terraform_fmt
     - id: terraform_docs
 - repo: git://github.com/pre-commit/pre-commit-hooks
-  rev: v1.2.3
+  rev: v2.1.0
   hooks:
     - id: check-merge-conflict
diff --git a/README.md b/README.md
@@ -66,12 +66,24 @@ module "iam_user" {
 module "iam_policy" {
   source = "terraform-aws-modules/iam/aws//modules/iam-policy"
 
-  name = "example"
-  path = "/"
+  name        = "example"
+  path        = "/"
   description = "My example policy"
 
-  policy ="path/to/policy_file"
-  }
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "ec2:Describe*"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    }
+  ]
+}
+EOF
 }
 ```
 
@@ -124,9 +136,6 @@ Use [iam-policy module](https://github.com/terraform-aws-modules/terraform-aws-i
 * [iam-user](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-user) - Add IAM user, login profile and access keys
 * [iam-policy](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-policy) - Create IAM policy
 
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-
 ## Authors
 
 Module managed by [Anton Babenko](https://github.com/antonbabenko).

diff --git a/examples/iam-account/README.md b/examples/iam-account/README.md
@@ -15,12 +15,11 @@ $ terraform apply
 Run `terraform destroy` when you don't need these resources.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| this_caller_identity_account_id | The ID of the AWS account |
-| this_iam_account_password_policy_expire_passwords | Indicates whether passwords in the account expire. Returns true if max_password_age contains a value greater than 0. Returns false if it is 0 or not present. |
+| this\_caller\_identity\_account\_id | The ID of the AWS account |
+| this\_iam\_account\_password\_policy\_expire\_passwords | Indicates whether passwords in the account expire. Returns true if max_password_age contains a value greater than 0. Returns false if it is 0 or not present. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/examples/iam-assumable-roles/README.md b/examples/iam-assumable-roles/README.md
@@ -15,22 +15,21 @@ $ terraform apply
 Run `terraform destroy` when you don't need these resources.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| admin_iam_role_arn | Admin |
-| admin_iam_role_name | Name of admin IAM role |
-| admin_iam_role_path | Path of admin IAM role |
-| admin_iam_role_requires_mfa | Whether admin IAM role requires MFA |
-| poweruser_iam_role_arn | Poweruser |
-| poweruser_iam_role_name | Name of poweruser IAM role |
-| poweruser_iam_role_path | Path of poweruser IAM role |
-| poweruser_iam_role_requires_mfa | Whether poweruser IAM role requires MFA |
-| readonly_iam_role_arn | Readonly |
-| readonly_iam_role_name | Name of readonly IAM role |
-| readonly_iam_role_path | Path of readonly IAM role |
-| readonly_iam_role_requires_mfa | Whether readonly IAM role requires MFA |
+| admin\_iam\_role\_arn | ARN of admin IAM role |
+| admin\_iam\_role\_name | Name of admin IAM role |
+| admin\_iam\_role\_path | Path of admin IAM role |
+| admin\_iam\_role\_requires\_mfa | Whether admin IAM role requires MFA |
+| poweruser\_iam\_role\_arn | ARN of poweruser IAM role |
+| poweruser\_iam\_role\_name | Name of poweruser IAM role |
+| poweruser\_iam\_role\_path | Path of poweruser IAM role |
+| poweruser\_iam\_role\_requires\_mfa | Whether poweruser IAM role requires MFA |
+| readonly\_iam\_role\_arn | ARN of readonly IAM role |
+| readonly\_iam\_role\_name | Name of readonly IAM role |
+| readonly\_iam\_role\_path | Path of readonly IAM role |
+| readonly\_iam\_role\_requires\_mfa | Whether readonly IAM role requires MFA |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/examples/iam-policy/README.md b/examples/iam-policy/README.md
@@ -1,6 +1,6 @@
 # IAM user example
 
-Configuration in this directory creates IAM policy.
+Configuration in this directory creates IAM policies.
 
 # Usage
 
@@ -15,14 +15,13 @@ $ terraform apply
 Run `terraform destroy` when you don't need these resources.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| id | The policy's ID |
 | arn | The ARN assigned by AWS to this policy |
 | description | The description of the policy |
+| id | The policy ID |
 | name | The name of the policy |
 | path | The path of the policy in IAM |
 | policy | The policy document |

diff --git a/examples/iam-policy/main.tf b/examples/iam-policy/main.tf
@@ -2,15 +2,46 @@ provider "aws" {
   region = "eu-west-1"
 }
 
+data "aws_iam_policy_document" "bucket_policy" {
+  statement {
+    sid       = "AllowFullS3Access"
+    actions   = ["s3:ListBuckets"]
+    resources = ["*"]
+  }
+}
+
 #########################################
 # IAM policy
 #########################################
 module "iam_policy" {
   source = "../../modules/iam-policy"
 
-  name = "example"
-  path = "/"
+  name        = "example"
+  path        = "/"
   description = "My example policy"
 
-  policy ="./policy.tpl"
-  }
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "ec2:Describe*"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+
+module "iam_policy_from_data_source" {
+  source = "../../modules/iam-policy"
+
+  name        = "example_from_data_source"
+  path        = "/"
+  description = "My example policy"
+
+  policy = "${data.aws_iam_policy_document.bucket_policy.json}"
+}
diff --git a/examples/iam-policy/outputs.tf b/examples/iam-policy/outputs.tf
@@ -1,29 +1,29 @@
 output "id" {
-  description = "The policy's ID"
-  value = "${module.iam_policy.id}"
+  description = "The policy ID"
+  value       = "${module.iam_policy.id}"
 }
 
 output "arn" {
   description = "The ARN assigned by AWS to this policy"
-  value = "${module.iam_policy.arn}"
+  value       = "${module.iam_policy.arn}"
 }
 
 output "description" {
   description = "The description of the policy"
-  value = "${module.iam_policy.description}"
+  value       = "${module.iam_policy.description}"
 }
 
 output "name" {
   description = "The name of the policy"
-  value = "${module.iam_policy.name}"
+  value       = "${module.iam_policy.name}"
 }
 
 output "path" {
   description = "The path of the policy in IAM"
-  value = "${module.iam_policy.path}"
+  value       = "${module.iam_policy.path}"
 }
 
 output "policy" {
   description = "The policy document"
-  value = "${module.iam_policy.policy}"
+  value       = "${module.iam_policy.policy}"
 }
diff --git a/examples/iam-policy/policy.tpl b/examples/iam-policy/policy.tpl
diff --git a/examples/iam-user/README.md b/examples/iam-user/README.md
@@ -16,25 +16,24 @@ $ terraform apply
 Run `terraform destroy` when you don't need these resources.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| keybase_password_decrypt_command |  |
-| keybase_password_pgp_message |  |
-| keybase_secret_key_decrypt_command |  |
-| keybase_secret_key_pgp_message |  |
-| pgp_key | PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted) |
-| this_iam_access_key_encrypted_secret | The encrypted secret, base64 encoded |
-| this_iam_access_key_id | The access key ID |
-| this_iam_access_key_key_fingerprint | The fingerprint of the PGP key used to encrypt the secret |
-| this_iam_access_key_ses_smtp_password | The secret access key converted into an SES SMTP password |
-| this_iam_access_key_status | Active or Inactive. Keys are initially active, but can be made inactive by other means. |
-| this_iam_user_arn | The ARN assigned by AWS for this user |
-| this_iam_user_login_profile_encrypted_password | The encrypted password, base64 encoded |
-| this_iam_user_login_profile_key_fingerprint | The fingerprint of the PGP key used to encrypt the password |
-| this_iam_user_name | The user's name |
-| this_iam_user_unique_id | The unique ID assigned by AWS |
+| keybase\_password\_decrypt\_command |  |
+| keybase\_password\_pgp\_message |  |
+| keybase\_secret\_key\_decrypt\_command |  |
+| keybase\_secret\_key\_pgp\_message |  |
+| pgp\_key | PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted) |
+| this\_iam\_access\_key\_encrypted\_secret | The encrypted secret, base64 encoded |
+| this\_iam\_access\_key\_id | The access key ID |
+| this\_iam\_access\_key\_key\_fingerprint | The fingerprint of the PGP key used to encrypt the secret |
+| this\_iam\_access\_key\_ses\_smtp\_password | The secret access key converted into an SES SMTP password |
+| this\_iam\_access\_key\_status | Active or Inactive. Keys are initially active, but can be made inactive by other means. |
+| this\_iam\_user\_arn | The ARN assigned by AWS for this user |
+| this\_iam\_user\_login\_profile\_encrypted\_password | The encrypted password, base64 encoded |
+| this\_iam\_user\_login\_profile\_key\_fingerprint | The fingerprint of the PGP key used to encrypt the password |
+| this\_iam\_user\_name | The user's name |
+| this\_iam\_user\_unique\_id | The unique ID assigned by AWS |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/iam-account/README.md b/modules/iam-account/README.md
@@ -22,31 +22,30 @@ Import successful!
 ``` 
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| account_alias | AWS IAM account alias for this account | string | - | yes |
-| allow_users_to_change_password | Whether to allow users to change their own password | string | `true` | no |
-| create_account_password_policy | Whether to create AWS IAM account password policy | string | `true` | no |
-| get_caller_identity | Whether to get AWS account ID, User ID, and ARN in which Terraform is authorized | string | `true` | no |
-| hard_expiry | Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset) | string | `false` | no |
-| max_password_age | The number of days that an user password is valid. | string | `0` | no |
-| minimum_password_length | Minimum length to require for user passwords | string | `8` | no |
-| password_reuse_prevention | The number of previous passwords that users are prevented from reusing | string | `true` | no |
-| require_lowercase_characters | Whether to require lowercase characters for user passwords | string | `true` | no |
-| require_numbers | Whether to require numbers for user passwords | string | `true` | no |
-| require_symbols | Whether to require symbols for user passwords | string | `true` | no |
-| require_uppercase_characters | Whether to require uppercase characters for user passwords | string | `true` | no |
+| account\_alias | AWS IAM account alias for this account | string | n/a | yes |
+| allow\_users\_to\_change\_password | Whether to allow users to change their own password | string | `"true"` | no |
+| create\_account\_password\_policy | Whether to create AWS IAM account password policy | string | `"true"` | no |
+| get\_caller\_identity | Whether to get AWS account ID, User ID, and ARN in which Terraform is authorized | string | `"true"` | no |
+| hard\_expiry | Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset) | string | `"false"` | no |
+| max\_password\_age | The number of days that an user password is valid. | string | `"0"` | no |
+| minimum\_password\_length | Minimum length to require for user passwords | string | `"8"` | no |
+| password\_reuse\_prevention | The number of previous passwords that users are prevented from reusing | string | `"true"` | no |
+| require\_lowercase\_characters | Whether to require lowercase characters for user passwords | string | `"true"` | no |
+| require\_numbers | Whether to require numbers for user passwords | string | `"true"` | no |
+| require\_symbols | Whether to require symbols for user passwords | string | `"true"` | no |
+| require\_uppercase\_characters | Whether to require uppercase characters for user passwords | string | `"true"` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| this_caller_identity_account_id | The AWS Account ID number of the account that owns or contains the calling entity |
-| this_caller_identity_arn | The AWS ARN associated with the calling entity |
-| this_caller_identity_user_id | The unique identifier of the calling entity |
-| this_iam_account_password_policy_expire_passwords | Indicates whether passwords in the account expire. Returns true if max_password_age contains a value greater than 0. Returns false if it is 0 or not present. |
+| this\_caller\_identity\_account\_id | The AWS Account ID number of the account that owns or contains the calling entity |
+| this\_caller\_identity\_arn | The AWS ARN associated with the calling entity |
+| this\_caller\_identity\_user\_id | The unique identifier of the calling entity |
+| this\_iam\_account\_password\_policy\_expire\_passwords | Indicates whether passwords in the account expire. Returns true if max_password_age contains a value greater than 0. Returns false if it is 0 or not present. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/iam-assumable-roles/README.md b/modules/iam-assumable-roles/README.md
@@ -5,48 +5,47 @@ Creates predefined IAM roles (admin, poweruser and readonly) which can be assume
 Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns) - typically, AWS accounts and users.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| admin_role_name | IAM role with admin access | string | `admin` | no |
-| admin_role_path | Path of admin IAM role | string | `/` | no |
-| admin_role_policy_arn | Policy ARN to use for admin role | string | `arn:aws:iam::aws:policy/AdministratorAccess` | no |
-| admin_role_permissions_boundary_arn | Policy ARN to use for admin permission boundary | string | `` | no |
-| admin_role_requires_mfa | Whether admin role requires MFA | string | `true` | no |
-| create_admin_role | Whether to create admin role | string | `false` | no |
-| create_poweruser_role | Whether to create poweruser role | string | `false` | no |
-| create_readonly_role | Whether to create readonly role | string | `false` | no |
-| max_session_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | string | `3600` | no |
-| mfa_age | Max age of valid MFA (in seconds) for roles which require MFA | string | `86400` | no |
-| poweruser_role_name | IAM role with poweruser access | string | `poweruser` | no |
-| poweruser_role_path | Path of poweruser IAM role | string | `/` | no |
-| poweruser_role_policy_arn | Policy ARN to use for poweruser role | string | `arn:aws:iam::aws:policy/PowerUserAccess` | no |
-| poweruser_role_permissions_boundary_arn | Policy ARN to use for poweruser permission boundary | string | `` | no |
-| poweruser_role_requires_mfa | Whether poweruser role requires MFA | string | `true` | no |
-| readonly_role_name | IAM role with readonly access | string | `readonly` | no |
-| readonly_role_path | Path of readonly IAM role | string | `/` | no |
-| readonly_role_policy_arn | Policy ARN to use for readonly role | string | `arn:aws:iam::aws:policy/ReadOnlyAccess` | no |
-| readonly_role_permissions_boundary_arn | Policy ARN to use for readonly permission boundary | string | `` | no |
-| readonly_role_requires_mfa | Whether readonly role requires MFA | string | `true` | no |
-| trusted_role_arns | ARNs of AWS entities who can assume these roles | string | `<list>` | no |
+| admin\_role\_name | IAM role with admin access | string | `"admin"` | no |
+| admin\_role\_path | Path of admin IAM role | string | `"/"` | no |
+| admin\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for admin role | string | `""` | no |
+| admin\_role\_policy\_arn | Policy ARN to use for admin role | string | `"arn:aws:iam::aws:policy/AdministratorAccess"` | no |
+| admin\_role\_requires\_mfa | Whether admin role requires MFA | string | `"true"` | no |
+| create\_admin\_role | Whether to create admin role | string | `"false"` | no |
+| create\_poweruser\_role | Whether to create poweruser role | string | `"false"` | no |
+| create\_readonly\_role | Whether to create readonly role | string | `"false"` | no |
+| max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | string | `"3600"` | no |
+| mfa\_age | Max age of valid MFA (in seconds) for roles which require MFA | string | `"86400"` | no |
+| poweruser\_role\_name | IAM role with poweruser access | string | `"poweruser"` | no |
+| poweruser\_role\_path | Path of poweruser IAM role | string | `"/"` | no |
+| poweruser\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for admin role | string | `""` | no |
+| poweruser\_role\_policy\_arn | Policy ARN to use for admin role | string | `"arn:aws:iam::aws:policy/PowerUserAccess"` | no |
+| poweruser\_role\_requires\_mfa | Whether poweruser role requires MFA | string | `"true"` | no |
+| readonly\_role\_name | IAM role with readonly access | string | `"readonly"` | no |
+| readonly\_role\_path | Path of readonly IAM role | string | `"/"` | no |
+| readonly\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for admin role | string | `""` | no |
+| readonly\_role\_policy\_arn | Policy ARN to use for readonly role | string | `"arn:aws:iam::aws:policy/ReadOnlyAccess"` | no |
+| readonly\_role\_requires\_mfa | Whether readonly role requires MFA | string | `"true"` | no |
+| trusted\_role\_arns | ARNs of AWS entities who can assume these roles | list | `[]` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| admin_iam_role_arn | Admin |
-| admin_iam_role_name | Name of admin IAM role |
-| admin_iam_role_path | Path of admin IAM role |
-| admin_iam_role_requires_mfa | Whether admin IAM role requires MFA |
-| poweruser_iam_role_arn | Poweruser |
-| poweruser_iam_role_name | Name of poweruser IAM role |
-| poweruser_iam_role_path | Path of poweruser IAM role |
-| poweruser_iam_role_requires_mfa | Whether poweruser IAM role requires MFA |
-| readonly_iam_role_arn | Readonly |
-| readonly_iam_role_name | Name of readonly IAM role |
-| readonly_iam_role_path | Path of readonly IAM role |
-| readonly_iam_role_requires_mfa | Whether readonly IAM role requires MFA |
+| admin\_iam\_role\_arn | ARN of admin IAM role |
+| admin\_iam\_role\_name | Name of admin IAM role |
+| admin\_iam\_role\_path | Path of admin IAM role |
+| admin\_iam\_role\_requires\_mfa | Whether admin IAM role requires MFA |
+| poweruser\_iam\_role\_arn | ARN of poweruser IAM role |
+| poweruser\_iam\_role\_name | Name of poweruser IAM role |
+| poweruser\_iam\_role\_path | Path of poweruser IAM role |
+| poweruser\_iam\_role\_requires\_mfa | Whether poweruser IAM role requires MFA |
+| readonly\_iam\_role\_arn | ARN of readonly IAM role |
+| readonly\_iam\_role\_name | Name of readonly IAM role |
+| readonly\_iam\_role\_path | Path of readonly IAM role |
+| readonly\_iam\_role\_requires\_mfa | Whether readonly IAM role requires MFA |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->