This module uses the terraform-tfe-mcaf-workspace module to create a Terraform Cloud workspace and extends it with the features needed to manage AWS resources: it creates either an IAM user or an IAM role and adds those credentials to the workspace.

This module also supports giving an existing team access to the created workspace. To do so, pass a map to `var.team_access`, using the team name as the key and either `access` (a pre-existing role) or `permissions` (a custom role) as the value.
Example using a pre-existing role (see this link for allowed values):

```hcl
team_access = {
  "MyTeamName" = {
    access = "write"
  }
}
```
Example using a custom role (see this link for a list of keys and their allowed values):

```hcl
team_access = {
  "MyTeamName" = {
    permissions = {
      run_tasks         = false
      runs              = "apply"
      sentinel_mocks    = "read"
      state_versions    = "read-outputs"
      variables         = "write"
      workspace_locking = true
    }
  }
}
```
The above custom role is similar to the "write" pre-existing role, but blocks access to the workspace state (which is considered sensitive).
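A fuller module call, added here as an illustration and not taken from the module's own documentation: it combines the custom-role team access above with a least-privilege IAM policy for the credentials the workspace receives. The registry source string, the version, the organization, team and repository names, the account ID, the boundary policy ARN and the `var.oauth_token_id` / `var.datadog_api_key` references are assumed placeholders.

```hcl
module "workspace" {
  # Registry source string is assumed; pin to a release you have reviewed.
  source  = "schubergphilis/mcaf-workspace/aws"
  version = "X.Y.Z" # placeholder version

  name                   = "example-prod-network" # constructed workspace name
  terraform_organization = "my-org"               # placeholder organization
  # auth_method stays at its default ("iam_role_oidc"): no long-lived AWS keys
  # are stored in the workspace; each run obtains short-lived credentials.

  # Scope the IAM role created for the workspace to what it actually manages.
  path                     = "/tfc/"
  role_name                = "tfc-example-prod-network"
  permissions_boundary_arn = "arn:aws:iam::123456789012:policy/TfcWorkspaceBoundary" # placeholder
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["ec2:Describe*", "ec2:CreateVpc", "ec2:DeleteVpc", "ec2:CreateTags"]
      Resource = "*"
    }]
  })

  # VCS connection: only changes under the working directory queue a run.
  repository_identifier = "my-org/example-infra" # placeholder
  oauth_token_id        = var.oauth_token_id
  working_directory     = "terraform/network"
  trigger_prefixes      = ["terraform/network"]
  auto_apply            = false

  # Secrets go in sensitive_* inputs so the workspace stores them write-only.
  sensitive_env_variables = { DATADOG_API_KEY = var.datadog_api_key }

  # Same custom role as above (write access without reading the state file),
  # plus read-only access for a second team.
  team_access = {
    "NetworkEngineers" = {
      permissions = {
        run_tasks         = false
        runs              = "apply"
        sentinel_mocks    = "read"
        state_versions    = "read-outputs"
        variables         = "write"
        workspace_locking = true
      }
    }
    "Auditors" = { access = "read" }
  }
}
```

The `policy` input is what ends up attached to the role or user the module creates, so it is the place to keep the workspace's AWS permissions narrow rather than relying on a broad managed policy.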
Name | Version |
---|---|
terraform | >= 1.3.0 |
aws | >= 4.0.0 |
random | >= 3.0.0 |
tfe | >= 0.61.0 |
Name | Version |
---|---|
random | >= 3.0.0 |
tfe | >= 0.61.0 |
Name | Source | Version |
---|---|---|
tfe-workspace | schubergphilis/mcaf-workspace/tfe | ~> 2.1.0 |
workspace_iam_role | schubergphilis/mcaf-role/aws | ~> 0.4.0 |
workspace_iam_role_oidc | schubergphilis/mcaf-role/aws | ~> 0.4.0 |
workspace_iam_user | schubergphilis/mcaf-user/aws | ~> 0.4.0 |
Name | Type |
---|---|
random_uuid.external_id | resource |
tfe_team_access.default | resource |
tfe_variable.aws_access_key_id | resource |
tfe_variable.aws_assume_role | resource |
tfe_variable.aws_assume_role_external_id | resource |
tfe_variable.aws_secret_access_key | resource |
tfe_variable.tfc_aws_provider_auth | resource |
tfe_variable.tfc_aws_run_role_arn | resource |
tfe_variable.tfc_aws_workload_identity_audience | resource |
tfe_team.default | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
name | A name for the Terraform workspace | string | n/a | yes |
terraform_organization | The Terraform Enterprise organization to create the workspace in | string | n/a | yes |
agent_pool_id | Agent pool ID, requires "execution_mode" to be set to agent | string | null | no |
agent_role_arns | IAM role ARNs used by the Terraform Cloud Agent to assume a role in the created account | list(string) | null | no |
allow_destroy_plan | Whether destroy plans can be queued on the workspace | bool | true | no |
assessments_enabled | Whether to regularly run health assessments such as drift detection on the workspace | bool | true | no |
auth_method | Configures how the workspace authenticates with the AWS account (can be iam_user, iam_role, or iam_role_oidc) | string | "iam_role_oidc" | no |
auto_apply | Whether to automatically apply changes when a Terraform plan is successful | bool | false | no |
auto_apply_run_trigger | Whether to automatically apply changes for runs that were created by run triggers from another workspace | bool | false | no |
branch | The git branch to trigger the TFE workspace for | string | "main" | no |
clear_text_env_variables | An optional map with clear text environment variables | map(string) | {} | no |
clear_text_hcl_variables | An optional map with clear text HCL Terraform variables | map(string) | {} | no |
clear_text_terraform_variables | An optional map with clear text Terraform variables | map(string) | {} | no |
description | A description for the workspace | string | null | no |
execution_mode | Which execution mode to use | string | "remote" | no |
file_triggers_enabled | Whether to filter runs based on the changed files in a VCS push | bool | true | no |
github_app_installation_id | The GitHub App installation ID to use | string | null | no |
global_remote_state | Allow all workspaces in the organization to read the state of this workspace | bool | null | no |
notification_configuration | Notification configuration, using name as key and config as value | map(object({ | {} | no |
oauth_token_id | The OAuth token ID of the VCS provider | string | null | no |
oidc_settings | OIDC settings to use if "auth_method" is set to "iam_role_oidc" | object({ | null | no |
path | Path in which to create the IAM role or user | string | null | no |
permissions_boundary_arn | ARN of the policy that is used to set the permissions boundary for the IAM role or IAM user | string | null | no |
policy | The policy to attach to the pipeline role or user | string | null | no |
policy_arns | A set of policy ARNs to attach to the pipeline user | set(string) | [] | no |
project_id | ID of the project where the workspace should be created | string | null | no |
queue_all_runs | When set to false, no initial run is queued and runs triggered by a webhook are not queued; necessary if you need to set variable sets after creation | bool | true | no |
region | The default region of the account | string | null | no |
remote_state_consumer_ids | A set of workspace IDs set as explicit remote state consumers for this workspace | set(string) | null | no |
repository_identifier | The repository identifier to connect the workspace to | string | null | no |
role_name | The IAM role name for a new pipeline role | string | null | no |
sensitive_env_variables | An optional map with sensitive environment variables | map(string) | {} | no |
sensitive_hcl_variables | An optional map with sensitive HCL Terraform variables | map(object({ | {} | no |
sensitive_terraform_variables | An optional map with sensitive Terraform variables | map(string) | {} | no |
ssh_key_id | The SSH key ID to assign to the workspace | string | null | no |
tags | A mapping of tags to assign to the resource | map(string) | null | no |
team_access | Map of team names and either a type of fixed access or custom permissions to assign | map(object({ | {} | no |
terraform_version | The version of Terraform to use for this workspace | string | "latest" | no |
trigger_patterns | List of glob patterns that describe the files Terraform Cloud monitors for changes. Trigger patterns are always appended to the root directory of the repository. Mutually exclusive with trigger_prefixes | list(string) | null | no |
trigger_prefixes | List of repository-root-relative paths which should be tracked for changes | list(string) | [ | no |
username | The username for a new pipeline user | string | null | no |
variable_set_ids | Map of variable set IDs to attach to the workspace | map(string) | {} | no |
working_directory | A relative path that Terraform will execute within | string | "terraform" | no |
workspace_tags | A list of tag names for this workspace. Note that tags must only contain lowercase letters, numbers, colons, or hyphens | list(string) | null | no |
Name | Description |
---|---|
arn | The workspace IAM user ARN |
workspace_id | The Terraform Cloud workspace ID |
workspace_name | The Terraform Cloud workspace name |