From 127b10ba07d57462c73441f3276401c2a27df494 Mon Sep 17 00:00:00 2001
From: Nate McCurdy
Date: Wed, 11 Oct 2023 10:42:34 -0700
Subject: [PATCH] fix: Add context tags to the IAM resources (#45)
* fix: Add context tags to the IAM resources
Prior to this, the `aws_iam_role` and the `aws_iam_policy` created by this module did not include any of the tags passed via `tags` or via `context`. This fixes that problem by specifying `tags = module.this.tags` on each of those resources so that they use the tags specified determined by the null/label context.
* chore: update module boilerplate and docs
```
make init
make github/init
make readme
```
---
 .github/renovate.json | 7 ++++---
 .github/workflows/release-branch.yml | 1 +
 .github/workflows/release-published.yml | 2 +-
 README.md | 4 ----
 iam-role.tf | 6 +++++-
 5 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/.github/renovate.json b/.github/renovate.json
index b61ed24..909df09 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -1,13 +1,14 @@
 {
 "extends": [
 "config:base",
- ":preserveSemverRanges"
+ ":preserveSemverRanges",
+ ":rebaseStalePrs"
 ],
- "baseBranches": ["main", "master", "/^release\\/v\\d{1,2}$/"],
+ "baseBranches": ["main"],
 "labels": ["auto-update"],
 "dependencyDashboardAutoclose": true,
 "enabledManagers": ["terraform"],
 "terraform": {
- "ignorePaths": ["**/context.tf", "examples/**"]
+ "ignorePaths": ["**/context.tf"]
 }
 }
diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml
index 3f8fe62..b30901e 100644
--- a/.github/workflows/release-branch.yml
+++ b/.github/workflows/release-branch.yml
@@ -10,6 +10,7 @@ on:
 - 'docs/**'
 - 'examples/**'
 - 'test/**'
+ - 'README.*'
 permissions:
 contents: write
diff --git a/.github/workflows/release-published.yml b/.github/workflows/release-published.yml
index f86352b..b31232b 100644
--- a/.github/workflows/release-published.yml
+++ b/.github/workflows/release-published.yml
@@ -11,4 +11,4 @@ permissions:
 jobs:
 terraform-module:
- uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release.yml@main
+ uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release-published.yml@main
diff --git a/README.md b/README.md
index 4fd16d6..76c1207 100644
--- a/README.md
+++ b/README.md
@@ -90,10 +90,6 @@ We highly recommend that in your code you pin the version to the exact version y
 using so that your infrastructure remains stable, and update versions in a systematic way so that they do not catch you by surprise.
-Also, because of a bug in the Terraform registry ([hashicorp/terraform#21417](https://github.com/hashicorp/terraform/issues/21417)),
-the registry shows many of our inputs as required when in fact they are optional.
-The table below correctly indicates which inputs are required.
-
 For a complete example, see [examples/complete](examples/complete).
 For automated tests of the complete example using [bats](https://github.com/bats-core/bats-core) and [Terratest](https://github.com/gruntwork-io/terratest)
diff --git a/iam-role.tf b/iam-role.tf
index 05a7fe2..1fd1d84 100644
--- a/iam-role.tf
+++ b/iam-role.tf
@@ -2,8 +2,10 @@ resource "aws_iam_role" "this" {
 count = local.enabled ? 1 : 0
 name = "${var.function_name}-${local.region_name}"
- assume_role_policy = join("", data.aws_iam_policy_document.assume_role_policy.*.json)
+ assume_role_policy = join("", data.aws_iam_policy_document.assume_role_policy[*].json)
 permissions_boundary = var.permissions_boundary
+
+ tags = module.this.tags
 }
 data "aws_iam_policy_document" "assume_role_policy" {
@@ -68,6 +70,8 @@ resource "aws_iam_policy" "ssm" {
 name = "${var.function_name}-ssm-policy-${local.region_name}"
 description = var.iam_policy_description
 policy = data.aws_iam_policy_document.ssm[count.index].json
+
+ tags = module.this.tags
 }
 resource "aws_iam_role_policy_attachment" "ssm" {
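Review bot: The reusable workflow on the new `uses:` line of `.github/workflows/release-published.yml` is still referenced by the mutable branch `@main`, so whatever lands on that branch upstream runs in this repository's release job without any review here. Pinning it to a full commit SHA, `uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release-published.yml@<full-commit-sha>`, keeps the release path reproducible and auditable. The `permissions:` block for this workflow appears only as the hunk heading and its contents are not visible, so the token scope handed to the called workflow should be checked at the same time. The commit message suggests this file is regenerated by `make github/init`, so the pin may have to be made in the upstream template to survive the next regeneration.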
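Review bot: The new `tags = module.this.tags` line on `aws_iam_role.this` in `iam-role.tf` carries no comment noting that tags on an IAM role are also evaluated as `aws:PrincipalTag/<key>` for requests made with that role, so in accounts that use tag-based (ABAC) policies the caller-supplied `tags`/`context` values now feed authorization decisions as well as inventory. I would add a comment above the line such as `# Role tags are also matched by aws:PrincipalTag/* policy conditions; keep access-control keys out of the tags input`. The same line added to `aws_iam_policy.ssm` in the `@@ -68,6 +70,8 @@` hunk only tags the policy resource, but both additions require the deploying principal to hold `iam:TagRole` and `iam:TagPolicy`, which is worth stating in the README because existing deployments pick the tags up on their next apply. Both resource blocks open on the hunk-heading line, outside the shown hunk bodies.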