Allow any KMS key reference (#4)

cloudposse · Jul 9, 2019 · f5d2551 · f5d2551
1 parent 58cdae5
commit f5d2551
Show file tree

Hide file tree

Showing 6 changed files with 122 additions and 38 deletions.
diff --git a/README.md b/README.md
@@ -1,6 +1,7 @@
 <!-- This file was automatically generated by the `build-harness`. Make all changes to `README.yaml` and run `make readme` to rebuild this file. -->
+[![README Header][readme_header_img]][readme_header_link]
 
-[![Cloud Posse](https://cloudposse.com/logo-300x69.svg)](https://cloudposse.com)
+[![Cloud Posse][logo]](https://cpco.io/homepage)
 
 # terraform-aws-ssm-iam-role [![Build Status](https://travis-ci.org/cloudposse/terraform-aws-ssm-iam-role.svg?branch=master)](https://travis-ci.org/cloudposse/terraform-aws-ssm-iam-role) [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-ssm-iam-role.svg)](https://github.com/cloudposse/terraform-aws-ssm-iam-role/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com)
 
@@ -10,7 +11,17 @@ Terraform module to provision an IAM role with configurable permissions to acces
 
 ---
 
-This project is part of our comprehensive ["SweetOps"](https://docs.cloudposse.com) approach towards DevOps. 
+This project is part of our comprehensive ["SweetOps"](https://cpco.io/sweetops) approach towards DevOps. 
+[<img align="right" title="Share via Email" src="https://docs.cloudposse.com/images/ionicons/ios-email-outline-2.0.1-16x16-999999.svg"/>][share_email]
+[<img align="right" title="Share on Google+" src="https://docs.cloudposse.com/images/ionicons/social-googleplus-outline-2.0.1-16x16-999999.svg" />][share_googleplus]
+[<img align="right" title="Share on Facebook" src="https://docs.cloudposse.com/images/ionicons/social-facebook-outline-2.0.1-16x16-999999.svg" />][share_facebook]
+[<img align="right" title="Share on Reddit" src="https://docs.cloudposse.com/images/ionicons/social-reddit-outline-2.0.1-16x16-999999.svg" />][share_reddit]
+[<img align="right" title="Share on LinkedIn" src="https://docs.cloudposse.com/images/ionicons/social-linkedin-outline-2.0.1-16x16-999999.svg" />][share_linkedin]
+[<img align="right" title="Share on Twitter" src="https://docs.cloudposse.com/images/ionicons/social-twitter-outline-2.0.1-16x16-999999.svg" />][share_twitter]
+
+
+[![Terraform Open Source Modules](https://docs.cloudposse.com/images/terraform-open-source-modules.svg)][terraform_modules]
+
 
 
 It's 100% Open Source and licensed under the [APACHE2](LICENSE).
@@ -21,6 +32,11 @@ It's 100% Open Source and licensed under the [APACHE2](LICENSE).
 
 
 
+We literally have [*hundreds of terraform modules*][terraform_modules] that are Open Source and well-maintained. Check them out! 
+
+
+
+
 
 
 ## Introduction
@@ -33,6 +49,11 @@ __NOTE:__ This module can be used to provision IAM roles with SSM permissions fo
 
 ## Usage
 
+
+**IMPORTANT:** The `master` branch is used in `source` just as an example. In your code, do not pin to `master` because there may be breaking changes between releases.
+Instead pin to the release tag (e.g. `?ref=tags/x.y.z`) of one of our [latest releases](https://github.com/cloudposse/terraform-aws-ssm-iam-role/releases).
+
+
 This example creates a role with the name `cp-prod-app-all` with permission to read all SSM parameters, 
 and gives permission to the entities specified in `assume_role_arns` to assume the role.
 
@@ -124,12 +145,12 @@ module "ssm_iam_role" {
 ```
 Available targets:
 
-  help                                This help screen
+  help                                Help screen
   help/all                            Display help for all targets
+  help/short                          This help short screen
   lint                                Lint terraform code
 
 ```
-
 ## Inputs
 
 | Name | Description | Type | Default | Required |
@@ -138,7 +159,7 @@ Available targets:
 | assume_role_arns | List of ARNs to allow assuming the role. Could be AWS services or accounts, Kops nodes, IAM users or groups | list | - | yes |
 | attributes | Additional attributes (e.g. `1`) | list | `<list>` | no |
 | delimiter | Delimiter to be used between `namespace`, `stage`, `name` and `attributes` | string | `-` | no |
-| kms_key_arn | ARN of the KMS key which will encrypt/decrypt SSM secret strings | string | - | yes |
+| kms_key_reference | The Key ID, Key ARN, Key Alias Name, or Key Alias ARN of the KMS key which will encrypt/decrypt SSM secret strings | string | - | yes |
 | max_session_duration | The maximum session duration (in seconds) for the role. Can have a value from 1 hour to 12 hours | string | `3600` | no |
 | name | Name (e.g. `app` or `chamber`) | string | - | yes |
 | namespace | Namespace (e.g. `cp` or `cloudposse`) | string | - | yes |
@@ -155,9 +176,17 @@ Available targets:
 | role_arn | The Amazon Resource Name (ARN) specifying the role |
 | role_id | The stable and unique string identifying the role |
 | role_name | The name of the crated role |
+| role_policy_document | A copy of the IAM policy document (JSON) that grants permissions to this role. |
+
 
 
 
+## Share the Love 
+
+Like this project? Please give it a ★ on [our GitHub](https://github.com/cloudposse/terraform-aws-ssm-iam-role)! (it helps us **a lot**) 
+
+Are you using this project or any of our other projects? Consider [leaving a testimonial][testimonial]. =)
+
 
 ## Related Projects
 
@@ -175,26 +204,38 @@ Check out these related projects.
 
 File a GitHub [issue](https://github.com/cloudposse/terraform-aws-ssm-iam-role/issues), send us an [email][email] or join our [Slack Community][slack].
 
+[![README Commercial Support][readme_commercial_support_img]][readme_commercial_support_link]
+
 ## Commercial Support
 
 Work directly with our team of DevOps experts via email, slack, and video conferencing. 
 
 We provide [*commercial support*][commercial_support] for all of our [Open Source][github] projects. As a *Dedicated Support* customer, you have access to our team of subject matter experts at a fraction of the cost of a full-time engineer. 
 
-[![E-Mail](https://img.shields.io/badge/email-hello@cloudposse.com-blue.svg)](mailto:hello@cloudposse.com)
+[![E-Mail](https://img.shields.io/badge/email-hello@cloudposse.com-blue.svg)][email]
 
 - **Questions.** We'll use a Shared Slack channel between your team and ours.
 - **Troubleshooting.** We'll help you triage why things aren't working.
 - **Code Reviews.** We'll review your Pull Requests and provide constructive feedback.
 - **Bug Fixes.** We'll rapidly work to fix any bugs in our projects.
-- **Build New Terraform Modules.** We'll develop original modules to provision infrastructure.
+- **Build New Terraform Modules.** We'll [develop original modules][module_development] to provision infrastructure.
 - **Cloud Architecture.** We'll assist with your cloud strategy and design.
 - **Implementation.** We'll provide hands-on support to implement our reference architectures. 
 
 
-## Community Forum
 
-Get access to our [Open Source Community Forum][slack] on Slack. It's **FREE** to join for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build *sweet* infrastructure.
+## Terraform Module Development
+
+Are you interested in custom Terraform module development? Submit your inquiry using [our form][module_development] today and we'll get back to you ASAP.
+
+
+## Slack Community
+
+Join our [Open Source Community][slack] on Slack. It's **FREE** for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally *sweet* infrastructure.
+
+## Newsletter
+
+Signup for [our newsletter][newsletter] that covers everything on our technology radar.  Receive updates on what we're up to on GitHub as well as awesome new projects we discover. 
 
 ## Contributing
 
@@ -204,7 +245,7 @@ Please use the [issue tracker](https://github.com/cloudposse/terraform-aws-ssm-i
 
 ### Developing
 
-If you are interested in being a contributor and want to get involved in developing this project or [help out](https://github.com/orgs/cloudposse/projects/3) with our other projects, we would love to hear from you! Shoot us an [email](mailto:hello@cloudposse.com).
+If you are interested in being a contributor and want to get involved in developing this project or [help out](https://cpco.io/help-out) with our other projects, we would love to hear from you! Shoot us an [email][email].
 
 In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.
 
@@ -219,7 +260,7 @@ In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.
 
 ## Copyright
 
-Copyright © 2017-2018 [Cloud Posse, LLC](https://cloudposse.com)
+Copyright © 2017-2019 [Cloud Posse, LLC](https://cpco.io/copyright)
 
 
 
@@ -260,26 +301,16 @@ All other trademarks referenced herein are the property of their respective owne
 
 ## About
 
-This project is maintained and funded by [Cloud Posse, LLC][website]. Like it? Please let us know at <hello@cloudposse.com>
+This project is maintained and funded by [Cloud Posse, LLC][website]. Like it? Please let us know by [leaving a testimonial][testimonial]!
 
-[![Cloud Posse](https://cloudposse.com/logo-300x69.svg)](https://cloudposse.com)
+[![Cloud Posse][logo]][website]
 
-We're a [DevOps Professional Services][hire] company based in Los Angeles, CA. We love [Open Source Software](https://github.com/cloudposse/)!
+We're a [DevOps Professional Services][hire] company based in Los Angeles, CA. We ❤️  [Open Source Software][we_love_open_source].
 
-We offer paid support on all of our projects.  
+We offer [paid support][commercial_support] on all of our projects.  
 
-Check out [our other projects][github], [apply for a job][jobs], or [hire us][hire] to help with your cloud strategy and implementation.
+Check out [our other projects][github], [follow us on twitter][twitter], [apply for a job][jobs], or [hire us][hire] to help with your cloud strategy and implementation.
 
-  [docs]: https://docs.cloudposse.com/
-  [website]: https://cloudposse.com/
-  [github]: https://github.com/cloudposse/
-  [commercial_support]: https://github.com/orgs/cloudposse/projects
-  [jobs]: https://cloudposse.com/jobs/
-  [hire]: https://cloudposse.com/contact/
-  [slack]: https://slack.cloudposse.com/
-  [linkedin]: https://www.linkedin.com/company/cloudposse
-  [twitter]: https://twitter.com/cloudposse/
-  [email]: mailto:hello@cloudposse.com
 
 
 ### Contributors
@@ -291,3 +322,36 @@ Check out [our other projects][github], [apply for a job][jobs], or [hire us][hi
   [aknysh_avatar]: https://github.com/aknysh.png?size=150
 
 
+
+[![README Footer][readme_footer_img]][readme_footer_link]
+[![Beacon][beacon]][website]
+
+  [logo]: https://cloudposse.com/logo-300x69.svg
+  [docs]: https://cpco.io/docs
+  [website]: https://cpco.io/homepage
+  [github]: https://cpco.io/github
+  [jobs]: https://cpco.io/jobs
+  [hire]: https://cpco.io/hire
+  [slack]: https://cpco.io/slack
+  [linkedin]: https://cpco.io/linkedin
+  [twitter]: https://cpco.io/twitter
+  [testimonial]: https://cpco.io/leave-testimonial
+  [newsletter]: https://cpco.io/newsletter
+  [email]: https://cpco.io/email
+  [commercial_support]: https://cpco.io/commercial-support
+  [we_love_open_source]: https://cpco.io/we-love-open-source
+  [module_development]: https://cpco.io/module-development
+  [terraform_modules]: https://cpco.io/terraform-modules
+  [readme_header_img]: https://cloudposse.com/readme/header/img?repo=cloudposse/terraform-aws-ssm-iam-role
+  [readme_header_link]: https://cloudposse.com/readme/header/link?repo=cloudposse/terraform-aws-ssm-iam-role
+  [readme_footer_img]: https://cloudposse.com/readme/footer/img?repo=cloudposse/terraform-aws-ssm-iam-role
+  [readme_footer_link]: https://cloudposse.com/readme/footer/link?repo=cloudposse/terraform-aws-ssm-iam-role
+  [readme_commercial_support_img]: https://cloudposse.com/readme/commercial-support/img?repo=cloudposse/terraform-aws-ssm-iam-role
+  [readme_commercial_support_link]: https://cloudposse.com/readme/commercial-support/link?repo=cloudposse/terraform-aws-ssm-iam-role
+  [share_twitter]: https://twitter.com/intent/tweet/?text=terraform-aws-ssm-iam-role&url=https://github.com/cloudposse/terraform-aws-ssm-iam-role
+  [share_linkedin]: https://www.linkedin.com/shareArticle?mini=true&title=terraform-aws-ssm-iam-role&url=https://github.com/cloudposse/terraform-aws-ssm-iam-role
+  [share_reddit]: https://reddit.com/submit/?url=https://github.com/cloudposse/terraform-aws-ssm-iam-role
+  [share_facebook]: https://facebook.com/sharer/sharer.php?u=https://github.com/cloudposse/terraform-aws-ssm-iam-role
+  [share_googleplus]: https://plus.google.com/share?url=https://github.com/cloudposse/terraform-aws-ssm-iam-role
+  [share_email]: mailto:?subject=terraform-aws-ssm-iam-role&body=https://github.com/cloudposse/terraform-aws-ssm-iam-role
+  [beacon]: https://ga-beacon.cloudposse.com/UA-76589703-4/cloudposse/terraform-aws-ssm-iam-role?pixel&cs=github&cm=readme&an=terraform-aws-ssm-iam-role
diff --git a/docs/targets.md b/docs/targets.md
@@ -2,8 +2,9 @@
 ```
 Available targets:
 
-  help                                This help screen
+  help                                Help screen
   help/all                            Display help for all targets
+  help/short                          This help short screen
   lint                                Lint terraform code
 
 ```
diff --git a/docs/terraform.md b/docs/terraform.md
@@ -1,4 +1,3 @@
-
 ## Inputs
 
 | Name | Description | Type | Default | Required |
@@ -7,7 +6,7 @@
 | assume_role_arns | List of ARNs to allow assuming the role. Could be AWS services or accounts, Kops nodes, IAM users or groups | list | - | yes |
 | attributes | Additional attributes (e.g. `1`) | list | `<list>` | no |
 | delimiter | Delimiter to be used between `namespace`, `stage`, `name` and `attributes` | string | `-` | no |
-| kms_key_arn | ARN of the KMS key which will encrypt/decrypt SSM secret strings | string | - | yes |
+| kms_key_reference | The Key ID, Key ARN, Key Alias Name, or Key Alias ARN of the KMS key which will encrypt/decrypt SSM secret strings | string | - | yes |
 | max_session_duration | The maximum session duration (in seconds) for the role. Can have a value from 1 hour to 12 hours | string | `3600` | no |
 | name | Name (e.g. `app` or `chamber`) | string | - | yes |
 | namespace | Namespace (e.g. `cp` or `cloudposse`) | string | - | yes |
@@ -24,4 +23,5 @@
 | role_arn | The Amazon Resource Name (ARN) specifying the role |
 | role_id | The stable and unique string identifying the role |
 | role_name | The name of the crated role |
+| role_policy_document | A copy of the IAM policy document (JSON) that grants permissions to this role. |
 
diff --git a/main.tf b/main.tf
@@ -8,7 +8,17 @@ module "label" {
   tags       = "${var.tags}"
 }
 
+locals {
+  policy_only = "${length(var.assume_role_arns) > 0 ? 1 : 0}"
+}
+
+data "aws_kms_key" "default" {
+  key_id = "${var.kms_key_reference}"
+}
+
 data "aws_iam_policy_document" "assume_role" {
+  count = "${local.policy_only}"
+
   statement {
     effect  = "Allow"
     actions = ["sts:AssumeRole"]
@@ -45,7 +55,7 @@ data "aws_iam_policy_document" "default" {
 
   statement {
     actions   = ["kms:Decrypt"]
-    resources = ["${var.kms_key_arn}"]
+    resources = ["${data.aws_kms_key.default.arn}"]
     effect    = "Allow"
   }
 }
@@ -57,13 +67,17 @@ resource "aws_iam_policy" "default" {
 }
 
 resource "aws_iam_role" "default" {
+  count = "${local.policy_only}"
+
   name                 = "${module.label.id}"
-  assume_role_policy   = "${data.aws_iam_policy_document.assume_role.json}"
+  assume_role_policy   = "${join("",data.aws_iam_policy_document.assume_role.*.json)}"
   description          = "IAM Role with permissions to perform actions on SSM resources"
   max_session_duration = "${var.max_session_duration}"
 }
 
 resource "aws_iam_role_policy_attachment" "default" {
-  role       = "${aws_iam_role.default.name}"
-  policy_arn = "${aws_iam_policy.default.arn}"
+  count = "${local.policy_only}"
+
+  role       = "${join("",aws_iam_role.default.*.name)}"
+  policy_arn = "${join("",aws_iam_policy.default.*.arn)}"
 }
diff --git a/output.tf b/output.tf
@@ -1,14 +1,19 @@
 output "role_name" {
-  value       = "${aws_iam_role.default.name}"
+  value       = "${join("",aws_iam_role.default.*.name)}"
   description = "The name of the crated role"
 }
 
 output "role_id" {
-  value       = "${aws_iam_role.default.unique_id}"
+  value       = "${join("",aws_iam_role.default.*.unique_id)}"
   description = "The stable and unique string identifying the role"
 }
 
 output "role_arn" {
-  value       = "${aws_iam_role.default.arn}"
+  value       = "${join("",aws_iam_role.default.*.arn)}"
   description = "The Amazon Resource Name (ARN) specifying the role"
 }
+
+output "role_policy_document" {
+  value       = "${data.aws_iam_policy_document.default.json}"
+  description = "A copy of the IAM policy document (JSON) that grants permissions to this role."
+}
diff --git a/variables.tf b/variables.tf
@@ -41,8 +41,8 @@ variable "account_id" {
   description = "AWS account ID"
 }
 
-variable "kms_key_arn" {
-  description = "ARN of the KMS key which will encrypt/decrypt SSM secret strings"
+variable "kms_key_reference" {
+  description = "The Key ID, Key ARN, Key Alias Name, or Key Alias ARN of the KMS key which will encrypt/decrypt SSM secret strings"
 }
 
 variable "assume_role_arns" {