Possibly breaking change:

In this update, `account-map/modules/iam-roles` acquired a provider, so it can no longer be used with `count`.

If you have code like

```hcl
module "optional_role" {
  count   = local.optional_role_enabled ? 1 : 0
  source  = "../account-map/modules/iam-roles"
  stage   = var.optional_role_stage
  context = module.this.context
}
```

you will need to rewrite it, removing the `count` parameter. It is fine to always instantiate the module. If you have trouble ensuring appropriate settings when the module is disabled, you can always replace them with the component's inputs:

```hcl
module "optional_role" {
  source  = "../account-map/modules/iam-roles"
  stage   = local.optional_role_enabled ? var.optional_role_stage : var.stage
  context = module.this.context
}
```
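To find every place in a component tree that still needs this rewrite before upgrading, here is an added helper script (not part of the components repository) that scans `.tf` files for `module` blocks whose `source` ends in `account-map/modules/iam-roles` and which still set `count` or `for_each`. It uses a simple regex over flat module blocks; the sample input is constructed to show one offending block and one clean block.

```python
import re
from pathlib import Path
from typing import List, Tuple

# Constructed sample: one module still using count, one already rewritten.
SAMPLE_TF = """
module "optional_role" {
  count   = local.optional_role_enabled ? 1 : 0
  source  = "../account-map/modules/iam-roles"
  stage   = var.optional_role_stage
  context = module.this.context
}

module "iam_roles" {
  source  = "../account-map/modules/iam-roles"
  context = module.this.context
}
"""

AFFECTED_SUFFIX = "account-map/modules/iam-roles"
# Matches a flat module block (no nested blocks); good enough for this pattern.
MODULE_RE = re.compile(r'module\s+"([^"]+)"\s*\{(.*?)\n\}', re.DOTALL)
# Matches one `key = value` attribute line inside a block body.
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.MULTILINE)


def find_counted_iam_roles(hcl: str) -> List[Tuple[str, str, str]]:
    """Return (module name, meta-argument, expression) for each module block
    that sources the iam-roles module and still uses count or for_each."""
    hits = []
    for name, body in MODULE_RE.findall(hcl):
        attrs = dict(ATTR_RE.findall(body))
        source = attrs.get("source", "").strip('"')
        if not source.endswith(AFFECTED_SUFFIX):
            continue
        for meta in ("count", "for_each"):
            if meta in attrs:
                hits.append((name, meta, attrs[meta]))
    return hits


def scan_tree(root: str) -> List[Tuple[str, str, str, str]]:
    """Walk a directory of components and report (file, module, meta, expr)."""
    found = []
    for tf in sorted(Path(root).rglob("*.tf")):
        for name, meta, expr in find_counted_iam_roles(tf.read_text()):
            found.append((str(tf), name, meta, expr))
    return found


if __name__ == "__main__":
    for hit in find_counted_iam_roles(SAMPLE_TF):
        print("needs rewrite:", hit)
```

Run `scan_tree("components/terraform")` (a hypothetical path) against your own checkout to list the blocks to fix.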
The update to components 1.227.0 is huge, and you have options.

- Enable, or not, dynamic Terraform IAM roles (`terraform_dynamic_role_enabled`), which allow you to give some people (and Spacelift) the ability to run `terraform plan` in some accounts without allowing `apply`. Note that these users will still have read/write access to Terraform state, but will not have IAM permissions to make changes in accounts.
- Update to the new `aws-teams` team names. The new names are (except for `support`) distinct from the team roles, making them easier to keep track of. Also, the new `managers` team can run Terraform for `identity` and `root` in most (but not all) cases.
- Update to the new `aws-team-roles`, including new permissions. The custom policies that have been removed are replaced in the `aws-team-roles` configuration with AWS managed policy ARNs. This is required to add the `planner` role and support the `terraform plan` restriction.
- Update the `providers.tf` for all components, or some of them now and some later. Most components do not require updates, but all of them have updates. The new `providers.tf`, when used with dynamic Terraform roles, allows users logged directly into target accounts (rather than having roles in the `identity` account) to use Terraform in that account, and also allows SuperAdmin to run Terraform in more cases (almost everywhere).

If you do not want any new features, you only need to update `account-map` to v1.235 or later, to be compatible with future components. Note that when updating `account-map` this way, you should update the code everywhere (all open PRs and branches) before applying the Terraform changes, because the applied changes break the old code.

If you want all the new features, we recommend updating all of the following to the current release in one PR:

- account-map
- aws-teams
- aws-team-roles
- tfstate-backend
Enable `terraform plan` access via dynamic Terraform roles

Reviewers, please note:

The PR changes a lot of files. In particular, the `providers.tf`, and therefore the `README.md`, for nearly every component. Therefore it will likely be easier to review this PR one commit at a time.

`import_role_arn` and `import_profile_name` have been removed as they are no longer needed. Current versions of Terraform (probably beginning with v1.1.0, but maybe as late as 1.3.0; I have not found authoritative information) can read data sources during plan and so no longer need a role to be explicitly specified while importing. Feel free to perform your own tests to make yourself more comfortable that this is correct.
What

- Updates to allow Terraform to dynamically assume a role based on the user, to allow some users to run `terraform plan` but not `terraform apply`
- Deploy standard `providers.tf` to all components that need an `aws` provider
- Move extra provider configurations to a separate file, so that `providers.tf` can remain consistent/identical among components and thus be easily updated
- Create `provider-awsutils.mixin.tf` to provide a consistent, maintainable implementation
- Deploy standard
- Make `aws-sso` vendor safe
- Deprecate `sso` module in favor of `aws-saml`

Why

- Allow users to try new code or updated configurations by running `terraform plan` without giving them permission to make changes with Terraform
- Make it easier for people logged directly into target accounts to still run Terraform
- Follow-up to , which updated `aws-teams` and `aws-team-roles`, to make `aws-sso` consistent
- Reduce confusion by moving deprecated code to `deprecated/`