Change role name to list of role arns (#13)

* Change role name to list of role arns

README.md

@@ -87,7 +87,9 @@ module "organization_access_group" {
   stage             = "dev"
   name              = "cluster"
   user_names        = ["User1","User2"]
-  member_account_id = "XXXXXXXXXXXXXX"
+  role_arns         = {
+    "cp@dev" = "arn:aws:iam::XXXXXXXXX:role/OrganizationAccountAccessRole"
+  }
   require_mfa       = "true"
 }
 ```
@@ -114,13 +116,12 @@ Available targets:
 | attributes | Additional attributes (e.g. `1`) | list | `<list>` | no |
 | delimiter | Delimiter to be used between `namespace`, `stage`, `name`, and `attributes` | string | `-` | no |
 | enabled | Whether to create these resources | string | `true` | no |
-| member_account_id | The ID of the member account to grant access permissions to the users in the Group | string | - | yes |
 | name | Name  (e.g. `app` or `cluster`) | string | - | yes |
 | namespace | Namespace (e.g. `cp` or `cloudposse`) | string | - | yes |
 | require_mfa | Require the users to have MFA enabled | string | `false` | no |
-| role_name | The name of the Role in the member account to grant permissions to the users in the Group | string | `OrganizationAccountAccessRole` | no |
+| role_arns | A map of alias -> IAM Role ARNs the users in the Group can assume | map | `<map>` | no |
 | stage | Stage (e.g. `prod`, `dev`, `staging`, `infra`) | string | - | yes |
-| switchrole_url | URL to the IAM console to switch to a role | string | `https://signin.aws.amazon.com/switchrole?account=%s&roleName=%s&displayName=%s` | no |
+| switchrole_url_template | URL template for the IAM console to switch to the roles | string | `https://signin.aws.amazon.com/switchrole?account=%s&roleName=%s&displayName=%s` | no |
 | tags | Additional tags (e.g. map(`BusinessUnit`,`XYZ`) | map | `<map>` | no |
 | user_names | A list of IAM User names to associate with the Group | list | - | yes |
 
@@ -134,7 +135,7 @@ Available targets:
 | group_unique_id | Group's unique ID assigned by AWS |
 | policy_id | The policy ID |
 | policy_name | The name of the policy |
-| switchrole_url | URL to the IAM console to switch to the role |
+| switchrole_urls | List of URL to the IAM console to switch to the roles |
 
 
 

README.yaml

@@ -98,7 +98,9 @@ usage: |-
     stage             = "dev"
     name              = "cluster"
     user_names        = ["User1","User2"]
-    member_account_id = "XXXXXXXXXXXXXX"
+    role_arns         = {
+      "cp@dev" = "arn:aws:iam::XXXXXXXXX:role/OrganizationAccountAccessRole"
+    }
     require_mfa       = "true"
   }
   ```

docs/terraform.md

@@ -5,13 +5,12 @@
 | attributes | Additional attributes (e.g. `1`) | list | `<list>` | no |
 | delimiter | Delimiter to be used between `namespace`, `stage`, `name`, and `attributes` | string | `-` | no |
 | enabled | Whether to create these resources | string | `true` | no |
-| member_account_id | The ID of the member account to grant access permissions to the users in the Group | string | - | yes |
 | name | Name  (e.g. `app` or `cluster`) | string | - | yes |
 | namespace | Namespace (e.g. `cp` or `cloudposse`) | string | - | yes |
 | require_mfa | Require the users to have MFA enabled | string | `false` | no |
-| role_name | The name of the Role in the member account to grant permissions to the users in the Group | string | `OrganizationAccountAccessRole` | no |
+| role_arns | A map of alias -> IAM Role ARNs the users in the Group can assume | map | `<map>` | no |
 | stage | Stage (e.g. `prod`, `dev`, `staging`, `infra`) | string | - | yes |
-| switchrole_url | URL to the IAM console to switch to a role | string | `https://signin.aws.amazon.com/switchrole?account=%s&roleName=%s&displayName=%s` | no |
+| switchrole_url_template | URL template for the IAM console to switch to the roles | string | `https://signin.aws.amazon.com/switchrole?account=%s&roleName=%s&displayName=%s` | no |
 | tags | Additional tags (e.g. map(`BusinessUnit`,`XYZ`) | map | `<map>` | no |
 | user_names | A list of IAM User names to associate with the Group | list | - | yes |
 
@@ -25,5 +24,5 @@
 | group_unique_id | Group's unique ID assigned by AWS |
 | policy_id | The policy ID |
 | policy_name | The name of the policy |
-| switchrole_url | URL to the IAM console to switch to the role |
+| switchrole_urls | List of URL to the IAM console to switch to the roles |
 

example/main.tf

@@ -0,0 +1,15 @@
+# Provision group access to data account
+module "organization_access_group_data" {
+  source      = "../"
+  enabled     = "true"
+  namespace   = "eg"
+  stage       = "prod"
+  name        = "chamber"
+  user_names  = []
+  require_mfa = "true"
+
+  role_arns = {
+    "cp@prod" = "arn:aws:iam::324440167066:role/OrganizationAccountAccessRole"
+    "cp@dev"  = "arn:aws:iam::321110167044:role/OrganizationAccountAccessRole"
+  }
+}

example/outputs.tf

@@ -0,0 +1,4 @@
+output "data_switchrole_urls" {
+  description = "List of URL to the IAM console to switch to the roles"
+  value       = ["${module.organization_access_group_data.switchrole_urls}"]
+}

example/provider.tf

@@ -0,0 +1,10 @@
+provider "aws" {
+  region = "eu-west-2"
+
+  # Make it faster by skipping the checks
+  skip_get_ec2_platforms      = true
+  skip_metadata_api_check     = true
+  skip_region_validation      = true
+  skip_credentials_validation = true
+  skip_requesting_account_id  = true
+}

main.tf

@@ -9,8 +9,24 @@ module "label" {
 }
 
 locals {
-  enabled     = "${var.enabled == "true" ? true : false }"
-  require_mfa = "${var.require_mfa == "true" ? true : false}"
+  enabled      = "${var.enabled == "true" ? true : false }"
+  require_mfa  = "${var.require_mfa == "true" ? true : false}"
+  role_arns    = ["${values(var.role_arns)}"]
+  role_aliases = ["${keys(var.role_arns)}"]
+}
+
+resource "null_resource" "role" {
+  count = "${length(values(var.role_arns))}"
+
+  triggers = {
+    account_id = "${element(split(":", element(local.role_arns, count.index)), 4)}"
+    role_name  = "${element(split("/", element(split(":", element(local.role_arns, count.index)), 5)), 1)}"
+    alias      = "${element(local.role_aliases, count.index)}"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
 }
 
 # https://www.terraform.io/docs/providers/aws/r/iam_group.html
@@ -35,9 +51,7 @@ data "aws_iam_policy_document" "with_mfa" {
       "sts:AssumeRole",
     ]
 
-    resources = [
-      "arn:aws:iam::${var.member_account_id}:role/${var.role_name}",
-    ]
+    resources = ["${local.role_arns}"]
 
     condition {
       test     = "Bool"
@@ -64,9 +78,7 @@ data "aws_iam_policy_document" "without_mfa" {
       "sts:AssumeRole",
     ]
 
-    resources = [
-      "arn:aws:iam::${var.member_account_id}:role/${var.role_name}",
-    ]
+    resources = ["${local.role_arns}"]
 
     effect = "Allow"
   }

output.tf

@@ -28,7 +28,7 @@ output "policy_id" {
   description = "The policy ID"
 }
 
-output "switchrole_url" {
-  description = "URL to the IAM console to switch to the role"
-  value       = "${local.enabled ? format(var.switchrole_url, var.member_account_id, var.role_name, module.label.id) : ""}"
+output "switchrole_urls" {
+  description = "List of URL to the IAM console to switch to the roles"
+  value       = ["${formatlist(var.switchrole_url_template, null_resource.role.*.triggers.account_id, null_resource.role.*.triggers.role_name, null_resource.role.*.triggers.alias)}"]
 }

variables.tf

@@ -3,15 +3,10 @@ variable "user_names" {
   description = "A list of IAM User names to associate with the Group"
 }
 
-variable "member_account_id" {
-  type        = "string"
-  description = "The ID of the member account to grant access permissions to the users in the Group"
-}
-
-variable "role_name" {
-  type        = "string"
-  default     = "OrganizationAccountAccessRole"
-  description = "The name of the Role in the member account to grant permissions to the users in the Group"
+variable "role_arns" {
+  type        = "map"
+  default     = {}
+  description = "A map of alias -> IAM Role ARNs the users in the Group can assume"
 }
 
 variable "require_mfa" {
@@ -41,9 +36,9 @@ variable "name" {
   description = "Name  (e.g. `app` or `cluster`)"
 }
 
-variable "switchrole_url" {
+variable "switchrole_url_template" {
   type        = "string"
-  description = "URL to the IAM console to switch to a role"
+  description = "URL template for the IAM console to switch to the roles"
   default     = "https://signin.aws.amazon.com/switchrole?account=%s&roleName=%s&displayName=%s"
 }