feat: account variable set (#55)
Consolidates account-specific variables into a single variable set for each account, reducing the total number of Terraform resources required by attaching this set to workspaces instead of duplicating variables across them. Leverages a new version of the `schubergphilis/mcaf-workspace/aws` module to pass down variable set IDs.
jorrite authored Aug 5, 2024
1 parent f0c9bfb commit 3e83deb
Showing 4 changed files with 81 additions and 10 deletions.
15 changes: 11 additions & 4 deletions README.md
Expand Up @@ -210,15 +210,16 @@ module "aws_account" {
| Name | Version |
|------|---------|
| <a name="provider_aws.account"></a> [aws.account](#provider\_aws.account) | >= 4.9.0 |
| <a name="provider_tfe"></a> [tfe](#provider\_tfe) | >= 0.51.0 |
| <a name="provider_tls"></a> [tls](#provider\_tls) | >= 4.0.4 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_account"></a> [account](#module\_account) | schubergphilis/mcaf-account/aws | ~> 0.5.1 |
| <a name="module_additional_tfe_workspaces"></a> [additional\_tfe\_workspaces](#module\_additional\_tfe\_workspaces) | schubergphilis/mcaf-workspace/aws | ~> 1.2.0 |
| <a name="module_tfe_workspace"></a> [tfe\_workspace](#module\_tfe\_workspace) | schubergphilis/mcaf-workspace/aws | ~> 1.2.0 |
| <a name="module_additional_tfe_workspaces"></a> [additional\_tfe\_workspaces](#module\_additional\_tfe\_workspaces) | schubergphilis/mcaf-workspace/aws | ~> 1.3.0 |
| <a name="module_tfe_workspace"></a> [tfe\_workspace](#module\_tfe\_workspace) | schubergphilis/mcaf-workspace/aws | ~> 1.3.0 |

## Resources

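Review bot: both workspace module rows move from `~> 1.3.0` while the `tfe` provider floor stays at `>= 0.51.0`; since this change depends on the 1.3.x workspace module attaching variable sets, confirm that the provider floor this README advertises is at least what the 1.3.x module itself requires, otherwise a consumer on the stated minimum will fail at plan time for a reason the table does not explain. Also note that `.terraform.lock.hcl` records provider versions only, not registry module versions, so `~> 1.3.0` is resolved afresh on every `terraform init` and silently picks up any 1.3.x patch release; if reproducible runs matter for these account pipelines, consider an exact pin or state the floating behaviour in the README.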
Expand All @@ -231,6 +232,10 @@ module "aws_account" {
| [aws_iam_openid_connect_provider.tfc_provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |
| [aws_iam_policy.workload_boundary](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.workspace_boundary](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [tfe_variable.account_variable_set_clear_text_env_variables](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/variable) | resource |
| [tfe_variable.account_variable_set_clear_text_hcl_variables](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/variable) | resource |
| [tfe_variable.account_variable_set_clear_text_terraform_variables](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/variable) | resource |
| [tfe_variable_set.account](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/variable_set) | resource |
| [tls_certificate.oidc_certificate](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate) | data source |

## Inputs
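Review bot: all three new `tfe_variable` resources in this hunk are `clear_text_*` variants and no `sensitive_*` counterpart is added to the set, so the account variable set cannot carry secrets; the README should say so explicitly, because a reader who sees "account variables" may route credentials through it expecting TFE to mask them as it does for the workspace-level `sensitive_*` inputs. Separately, the hunk adds `tfe_variable_set.account` but no `tfe_workspace_variable_set` resource, which matches the commit message (attachment is delegated to the workspace module via variable set IDs) but means the reach of the set is governed by the `global` attribute of `tfe_variable_set.account`; confirm it is not global, otherwise these clear-text account values become readable from every workspace in the organization rather than only the workspaces this module creates.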
Expand All @@ -239,8 +244,9 @@ module "aws_account" {
|------|-------------|------|---------|:--------:|
| <a name="input_account"></a> [account](#input\_account) | AWS account settings | <pre>object({<br> alias_prefix = optional(string)<br> contact_billing = optional(object({<br> email_address = string<br> name = string<br> phone_number = string<br> title = string<br> }), null)<br> contact_operations = optional(object({<br> email_address = string<br> name = string<br> phone_number = string<br> title = string<br> }), null)<br> contact_security = optional(object({<br> email_address = string<br> name = string<br> phone_number = string<br> title = string<br> }), null)<br> email = string<br> environment = optional(string)<br> organizational_unit = string<br> provisioned_product_name = optional(string)<br> sso_email = string<br> sso_firstname = optional(string, "AWS Control Tower")<br> sso_lastname = optional(string, "Admin")<br> })</pre> | n/a | yes |
| <a name="input_name"></a> [name](#input\_name) | Name of the account and default TFE workspace | `string` | n/a | yes |
| <a name="input_tfe_workspace"></a> [tfe\_workspace](#input\_tfe\_workspace) | TFE workspace settings | <pre>object({<br> add_permissions_boundary = optional(bool, false)<br> agent_pool_id = optional(string)<br> agent_role_arns = optional(list(string))<br> allow_destroy_plan = optional(bool, true)<br> assessments_enabled = optional(bool, true)<br> auth_method = optional(string, "iam_role_oidc")<br> auto_apply = optional(bool, false)<br> auto_apply_run_trigger = optional(bool, false)<br> branch = optional(string, "main")<br> clear_text_env_variables = optional(map(string), {})<br> clear_text_hcl_variables = optional(map(string), {})<br> clear_text_terraform_variables = optional(map(string), {})<br> connect_vcs_repo = optional(bool, true)<br> default_region = string<br> description = optional(string)<br> execution_mode = optional(string, "remote")<br> file_triggers_enabled = optional(bool, true)<br> global_remote_state = optional(bool, false)<br> name = optional(string)<br> organization = string<br> policy = optional(string)<br> policy_arns = optional(list(string), ["arn:aws:iam::aws:policy/AdministratorAccess"])<br> project_id = optional(string)<br> queue_all_runs = optional(bool)<br> remote_state_consumer_ids = optional(set(string))<br> repository_identifier = optional(string)<br> role_name = optional(string, "TFEPipeline")<br> sensitive_env_variables = optional(map(string), {})<br> sensitive_hcl_variables = optional(map(object({ sensitive = string })), {})<br> sensitive_terraform_variables = optional(map(string), {})<br> ssh_key_id = optional(string)<br> terraform_version = optional(string)<br> trigger_patterns = optional(list(string))<br> trigger_prefixes = optional(list(string), ["modules"])<br> username = optional(string, "TFEPipeline")<br> vcs_oauth_token_id = string<br> working_directory = optional(string)<br> workspace_tags = optional(list(string))<br><br> notification_configuration = optional(list(object({<br> destination_type = string<br> enabled = 
optional(bool, true)<br> url = string<br> triggers = optional(list(string), [<br> "run:created",<br> "run:planning",<br> "run:needs_attention",<br> "run:applying",<br> "run:completed",<br> "run:errored",<br> ])<br> })), [])<br><br> team_access = optional(map(object({<br> access = optional(string, null),<br> permissions = optional(object({<br> run_tasks = bool<br> runs = string<br> sentinel_mocks = string<br> state_versions = string<br> variables = string<br> workspace_locking = bool<br> }), null)<br> })), {})<br> })</pre> | n/a | yes |
| <a name="input_additional_tfe_workspaces"></a> [additional\_tfe\_workspaces](#input\_additional\_tfe\_workspaces) | Additional TFE workspaces | <pre>map(object({<br> add_permissions_boundary = optional(bool, false)<br> agent_pool_id = optional(string)<br> agent_role_arns = optional(list(string))<br> allow_destroy_plan = optional(bool)<br> assessments_enabled = optional(bool)<br> auth_method = optional(string)<br> auto_apply = optional(bool, false)<br> auto_apply_run_trigger = optional(bool, false)<br> branch = optional(string)<br> clear_text_env_variables = optional(map(string), {})<br> clear_text_hcl_variables = optional(map(string), {})<br> clear_text_terraform_variables = optional(map(string), {})<br> connect_vcs_repo = optional(bool, true)<br> default_region = optional(string)<br> description = optional(string)<br> execution_mode = optional(string)<br> file_triggers_enabled = optional(bool, true)<br> global_remote_state = optional(bool, false)<br> name = optional(string)<br> policy = optional(string)<br> policy_arns = optional(list(string), ["arn:aws:iam::aws:policy/AdministratorAccess"])<br> project_id = optional(string)<br> queue_all_runs = optional(bool)<br> remote_state_consumer_ids = optional(set(string))<br> repository_identifier = optional(string)<br> role_name = optional(string)<br> sensitive_env_variables = optional(map(string), {})<br> sensitive_hcl_variables = optional(map(object({ sensitive = string })), {})<br> sensitive_terraform_variables = optional(map(string), {})<br> ssh_key_id = optional(string)<br> terraform_version = optional(string)<br> trigger_patterns = optional(list(string))<br> trigger_prefixes = optional(list(string))<br> username = optional(string)<br> vcs_oauth_token_id = optional(string)<br> working_directory = optional(string)<br> workspace_tags = optional(list(string))<br><br> notification_configuration = optional(list(object({<br> destination_type = string<br> enabled = optional(bool, true)<br> url = string<br> triggers = 
optional(list(string), [<br> "run:created",<br> "run:planning",<br> "run:needs_attention",<br> "run:applying",<br> "run:completed",<br> "run:errored",<br> ])<br> })), [])<br><br> team_access = optional(map(object({<br> access = optional(string, null),<br> permissions = optional(object({<br> run_tasks = bool<br> runs = string<br> sentinel_mocks = string<br> state_versions = string<br> variables = string<br> workspace_locking = bool<br> }), null)<br> })), {})<br> }))</pre> | `{}` | no |
| <a name="input_tfe_workspace"></a> [tfe\_workspace](#input\_tfe\_workspace) | TFE workspace settings | <pre>object({<br> add_permissions_boundary = optional(bool, false)<br> agent_pool_id = optional(string)<br> agent_role_arns = optional(list(string))<br> allow_destroy_plan = optional(bool, true)<br> assessments_enabled = optional(bool, true)<br> auth_method = optional(string, "iam_role_oidc")<br> auto_apply = optional(bool, false)<br> auto_apply_run_trigger = optional(bool, false)<br> branch = optional(string, "main")<br> clear_text_env_variables = optional(map(string), {})<br> clear_text_hcl_variables = optional(map(string), {})<br> clear_text_terraform_variables = optional(map(string), {})<br> connect_vcs_repo = optional(bool, true)<br> default_region = string<br> description = optional(string)<br> execution_mode = optional(string, "remote")<br> file_triggers_enabled = optional(bool, true)<br> global_remote_state = optional(bool, false)<br> name = optional(string)<br> organization = string<br> policy = optional(string)<br> policy_arns = optional(list(string), ["arn:aws:iam::aws:policy/AdministratorAccess"])<br> project_id = optional(string)<br> queue_all_runs = optional(bool)<br> remote_state_consumer_ids = optional(set(string))<br> repository_identifier = optional(string)<br> role_name = optional(string, "TFEPipeline")<br> sensitive_env_variables = optional(map(string), {})<br> sensitive_hcl_variables = optional(map(object({ sensitive = string })), {})<br> sensitive_terraform_variables = optional(map(string), {})<br> ssh_key_id = optional(string)<br> terraform_version = optional(string)<br> trigger_patterns = optional(list(string))<br> trigger_prefixes = optional(list(string), ["modules"])<br> username = optional(string, "TFEPipeline")<br> vcs_oauth_token_id = string<br> variable_set_ids = optional(map(string), {})<br> working_directory = optional(string)<br> workspace_tags = optional(list(string))<br><br> notification_configuration = 
optional(list(object({<br> destination_type = string<br> enabled = optional(bool, true)<br> url = string<br> triggers = optional(list(string), [<br> "run:created",<br> "run:planning",<br> "run:needs_attention",<br> "run:applying",<br> "run:completed",<br> "run:errored",<br> ])<br> })), [])<br><br> team_access = optional(map(object({<br> access = optional(string, null),<br> permissions = optional(object({<br> run_tasks = bool<br> runs = string<br> sentinel_mocks = string<br> state_versions = string<br> variables = string<br> workspace_locking = bool<br> }), null)<br> })), {})<br> })</pre> | n/a | yes |
| <a name="input_account_variable_set"></a> [account\_variable\_set](#input\_account\_variable\_set) | Settings of variable set that is attached to each workspace | <pre>object({<br> name = optional(string)<br> clear_text_env_variables = optional(map(string), {})<br> clear_text_hcl_variables = optional(map(string), {})<br> clear_text_terraform_variables = optional(map(string), {})<br> })</pre> | `{}` | no |
| <a name="input_additional_tfe_workspaces"></a> [additional\_tfe\_workspaces](#input\_additional\_tfe\_workspaces) | Additional TFE workspaces | <pre>map(object({<br> add_permissions_boundary = optional(bool, false)<br> agent_pool_id = optional(string)<br> agent_role_arns = optional(list(string))<br> allow_destroy_plan = optional(bool)<br> assessments_enabled = optional(bool)<br> auth_method = optional(string)<br> auto_apply = optional(bool, false)<br> auto_apply_run_trigger = optional(bool, false)<br> branch = optional(string)<br> clear_text_env_variables = optional(map(string), {})<br> clear_text_hcl_variables = optional(map(string), {})<br> clear_text_terraform_variables = optional(map(string), {})<br> connect_vcs_repo = optional(bool, true)<br> default_region = optional(string)<br> description = optional(string)<br> execution_mode = optional(string)<br> file_triggers_enabled = optional(bool, true)<br> global_remote_state = optional(bool, false)<br> name = optional(string)<br> policy = optional(string)<br> policy_arns = optional(list(string), ["arn:aws:iam::aws:policy/AdministratorAccess"])<br> project_id = optional(string)<br> queue_all_runs = optional(bool)<br> remote_state_consumer_ids = optional(set(string))<br> repository_identifier = optional(string)<br> role_name = optional(string)<br> sensitive_env_variables = optional(map(string), {})<br> sensitive_hcl_variables = optional(map(object({ sensitive = string })), {})<br> sensitive_terraform_variables = optional(map(string), {})<br> ssh_key_id = optional(string)<br> terraform_version = optional(string)<br> trigger_patterns = optional(list(string))<br> trigger_prefixes = optional(list(string))<br> username = optional(string)<br> vcs_oauth_token_id = optional(string)<br> variable_set_ids = optional(map(string), {})<br> working_directory = optional(string)<br> workspace_tags = optional(list(string))<br><br> notification_configuration = optional(list(object({<br> destination_type = string<br> enabled = 
optional(bool, true)<br> url = string<br> triggers = optional(list(string), [<br> "run:created",<br> "run:planning",<br> "run:needs_attention",<br> "run:applying",<br> "run:completed",<br> "run:errored",<br> ])<br> })), [])<br><br> team_access = optional(map(object({<br> access = optional(string, null),<br> permissions = optional(object({<br> run_tasks = bool<br> runs = string<br> sentinel_mocks = string<br> state_versions = string<br> variables = string<br> workspace_locking = bool<br> }), null)<br> })), {})<br> }))</pre> | `{}` | no |
| <a name="input_create_default_workspace"></a> [create\_default\_workspace](#input\_create\_default\_workspace) | Set to false to skip creating default workspace | `bool` | `true` | no |
| <a name="input_path"></a> [path](#input\_path) | Optional path for all IAM users, user groups, roles, and customer managed policies created by this module | `string` | `"/"` | no |
| <a name="input_permissions_boundaries"></a> [permissions\_boundaries](#input\_permissions\_boundaries) | n/a | <pre>object({<br> workspace_boundary = optional(string)<br> workspace_boundary_name = optional(string)<br> workload_boundary = optional(string)<br> workload_boundary_name = optional(string)<br> })</pre> | `{}` | no |
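Review bot: the new `account_variable_set` input is described as "attached to each workspace", yet the rewritten `tfe_workspace` and `additional_tfe_workspaces` objects also gain a caller-supplied `variable_set_ids = optional(map(string), {})`; the README should state whether the account set is attached in addition to that map or whether a non-empty caller map replaces it, since a silent replacement would drop the account variables from that workspace with no error. The description of `account_variable_set` should also spell out that its three `clear_text_*` maps are stored and displayed unmasked in TFE (the object has no `sensitive_*` fields, unlike the workspace inputs) and what `name` falls back to when omitted, since the default is not visible in this table.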
Expand All @@ -250,6 +256,7 @@ module "aws_account" {

| Name | Description |
|------|-------------|
| <a name="output_account_variable_set_id"></a> [account\_variable\_set\_id](#output\_account\_variable\_set\_id) | The ID of the account variable set |
| <a name="output_additional_tfe_workspaces"></a> [additional\_tfe\_workspaces](#output\_additional\_tfe\_workspaces) | Map of any additional Terraform Cloud workspace names and IDs |
| <a name="output_environment"></a> [environment](#output\_environment) | The environment name |
| <a name="output_id"></a> [id](#output\_id) | The AWS account ID |
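Review bot: `account_variable_set_id` is documented only as "The ID of the account variable set", but `account_variable_set` defaults to `{}`, so the table gives no hint whether an empty set is still created (ID always present) or whether this output is null when no variables are configured; a consumer feeding it into `tfe_workspace_variable_set` elsewhere needs that stated. It is also worth a one-line caveat that attaching this ID to workspaces outside the module extends the audience of the clear-text account variables to those workspaces.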
0 comments on commit 3e83deb