From 1d6a7051ddb1001a7ba812ef20ab9b22ccefc58e Mon Sep 17 00:00:00 2001 From: Benjamin Clark Date: Tue, 17 Sep 2024 20:24:08 +0100 Subject: [PATCH 1/4] Initial module setup --- .terraform-version | 1 + README.md | 64 ++++++++++++++++++++++++++++++- aws_iam_policy_document.tf | 77 ++++++++++++++++++++++++++++++++++++++ common_iam_policies.tf | 19 ++++++++++ data.tf | 5 +++ main.tf | 9 +++++ state_machine.tf | 45 ++++++++++++++++++++++ variables.tf | 76 +++++++++++++++++++++++++++++++++++++ 8 files changed, 295 insertions(+), 1 deletion(-) create mode 100644 .terraform-version create mode 100644 aws_iam_policy_document.tf create mode 100644 common_iam_policies.tf create mode 100644 data.tf create mode 100644 main.tf create mode 100644 state_machine.tf create mode 100644 variables.tf diff --git a/.terraform-version b/.terraform-version new file mode 100644 index 0000000..8e03717 --- /dev/null +++ b/.terraform-version @@ -0,0 +1 @@ +1.5.1 \ No newline at end of file diff --git a/README.md b/README.md index 230c18a..5c30729 100644 --- a/README.md +++ b/README.md 
@@ -42,11 +42,73 @@ The below documentation is intended to assist users in utilising the module, the the module itself, and the [examples](#examples) section which has examples of how to utilise the module. +## Requirements +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | ~> 1.5.0 | +| [aws](#requirement\_aws) | >= 5.61.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 5.67.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [step\_function\_state\_machine](#module\_step\_function\_state\_machine) | terraform-aws-modules/step-functions/aws | 4.2.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_caller_identity.current_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.attached_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [application\_name](#input\_application\_name) | Name of the application utilising resource. | `string` | n/a | yes | +| [environment](#input\_environment) | Which environment this is being instantiated in. | `string` | n/a | yes | +| [raw\_state\_machines](#input\_raw\_state\_machines) | Data structure
---------------
A list of dictionaries, where each dictionary has the following attributes:

REQUIRED
---------
- template\_file : Which file under application/state\_machine\_definition this machine corresponds to
- template\_input : A dictionary of key/value pairs, outlining in detail the inputs needed for a template to be instantiated
- suffix : Friendly name for the state function
- iam\_policy\_statements : A list of dictionaries where each dictionary is an IAM statement defining glue job permissions
-- Each dictionary in this list must define the following attributes:
--- sid: Friendly name for the policy, no spaces or special characters allowed
--- actions: A list of IAM actions the state machine is allowed to perform
--- resources: Which resource(s) the state machine may perform the above actions against
--- conditions : An OPTIONAL list of dictionaries, which each defines:
---- test : Test condition for limiting the action
---- variable : Value to test
---- values : A list of strings, denoting what to test for


OPTIONAL
---------
- cloudwatch\_retention : How many days logs should be retained for in Cloudwatch, defaults to 90 |
list(
object({
template_file = string,
template_input = map(string),
suffix = string,
iam_policy_statements = list(
object({
sid = string,
actions = list(string),
resources = list(string),
conditions = optional(list(
object({
test : string,
variable : string,
values = list(string)
})
), [])
})
),
cloudwatch_retention = optional(number, 90)
})
)
| n/a | yes | +| [vpc\_config](#input\_vpc\_config) | AWS VPC ID | `string` | n/a | yes | + +## Outputs + +No outputs. ## Data structure - +``` +Data structure +--------------- +A list of dictionaries, where each dictionary has the following attributes: + +REQUIRED +--------- +- template_file : Which file under application/state_machine_definition this machine corresponds to +- template_input : A dictionary of key/value pairs, outlining in detail the inputs needed for a template to be instantiated +- suffix : Friendly name for the state function +- iam_policy_statements : A list of dictionaries where each dictionary is an IAM statement defining glue job permissions +-- Each dictionary in this list must define the following attributes: +--- sid: Friendly name for the policy, no spaces or special characters allowed +--- actions: A list of IAM actions the state machine is allowed to perform +--- resources: Which resource(s) the state machine may perform the above actions against +--- conditions : An OPTIONAL list of dictionaries, which each defines: +---- test : Test condition for limiting the action +---- variable : Value to test +---- values : A list of strings, denoting what to test for + + +OPTIONAL +--------- +- cloudwatch_retention : How many days logs should be retained for in Cloudwatch, defaults to 90 +``` ## Examples See `examples` folder for an example setup. diff --git a/aws_iam_policy_document.tf b/aws_iam_policy_document.tf new file mode 100644 index 0000000..4186c0e --- /dev/null +++ b/aws_iam_policy_document.tf 
@@ -0,0 +1,77 @@
+locals {
+ actual_iam_policy_documents = {
+ for state_machine in var.raw_state_machines :
+ state_machine.suffix => {
+ statements = concat(state_machine.iam_policy_statements, local.barebones_statemachine_statements,
+ [
+ {
+ sid = "ListOwnExecutions",
+ actions = [
+ "states:ListExecutions"
+ ]
+ resources = [
+ format(
+ "arn:aws:states:%s:%s:stateMachine:%s-%s-%s-stepfunction",
+ lower(data.aws_region.current_region.name),
+ lower(data.aws_caller_identity.current_account.id),
+ lower(var.environment),
+ lower(var.application_name),
+ lower(state_machine.suffix)
+ )
+ ]
+ conditions = []
+ },
+ {
+ sid = "AllowCloudwatchStreamAccess",
+ actions = [
+ "logs:CreateLogStream",
+ "logs:PutLogEvents"
+ ],
+ resources = [
+ "arn:aws:logs:${data.aws_region.current_region.name}:${data.aws_caller_identity.current_account.account_id}:log-group:/aws/stepfunction/${format("%s-%s-%s-stepfunction", var.environment, var.application_name, state_machine.suffix)}",
+ "arn:aws:logs:${data.aws_region.current_region.name}:${data.aws_caller_identity.current_account.account_id}:log-group:/aws/stepfunction/${format("%s-%s-%s-stepfunction", var.environment, var.application_name, state_machine.suffix)}:*"
+ ]
+ },
+ {
+ sid = "AllowCloudwatchLogDelivery",
+ actions = [
+ "logs:CreateLogDelivery",
+ "logs:PutResourcePolicy",
+ "logs:UpdateLogDelivery",
+ "logs:DeleteLogDelivery",
+ "logs:DescribeResourcePolicies",
+ "logs:GetLogDelivery",
+ "logs:ListLogDeliveries",
+ "logs:DescribeLogGroups"
+ ],
+ resources = ["*"]
+ }
+ ]
+ )
+ }
+ }
+}
+
+data "aws_iam_policy_document" "attached_policies" {
+ for_each = local.actual_iam_policy_documents
+
+ dynamic "statement" {
+ for_each = each.value["statements"]
+
+ content {
+ sid = statement.value["sid"]
+ actions = statement.value["actions"]
+ resources = statement.value["resources"]
+
+ dynamic "condition" {
+ for_each = statement.value["conditions"]
+
+ content {
+ test = condition.value["test"]
+ variable = 
condition.value["variable"]
+ values = condition.value["values"]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/common_iam_policies.tf b/common_iam_policies.tf
new file mode 100644
index 0000000..225051b
--- /dev/null
+++ b/common_iam_policies.tf
@@ -0,0 +1,19 @@
+locals {
+ barebones_statemachine_statements = [
+ {
+ sid = "BarebonesEventActionsForStatemachine"
+ actions = [
+ "events:PutEvents",
+ "events:DescribeRule",
+ "events:PutRule",
+ "events:PutTargets"
+ ]
+ resources = [
+ "arn:aws:events:${data.aws_region.current_region.name}:${data.aws_caller_identity.current_account.account_id}:rule/default/StepFunctionsGetEventsForECSTaskRule",
+ "arn:aws:events:${data.aws_region.current_region.name}:${data.aws_caller_identity.current_account.account_id}:rule/StepFunctionsGetEventsForECSTaskRule",
+ "arn:aws:events:${data.aws_region.current_region.name}:${data.aws_caller_identity.current_account.account_id}:event-bus/default"
+ ]
+ conditions = []
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data.tf b/data.tf
new file mode 100644
index 0000000..7ae4bae
--- /dev/null
+++ b/data.tf
@@ -0,0 +1,5 @@
+# Get current region
+data "aws_region" "current_region" {}
+
+# Retrieve the current AWS Account info
+data "aws_caller_identity" "current_account" {}
\ No newline at end of file
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..f022823
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.61.0"
+ }
+ }
+ required_version = "~> 1.5.0"
+}
\ No newline at end of file
diff --git a/state_machine.tf b/state_machine.tf
new file mode 100644
index 0000000..194ff72
--- /dev/null
+++ b/state_machine.tf
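Review bot: The `AllowCloudwatchStreamAccess` statement scopes `logs:CreateLogStream`/`logs:PutLogEvents` to `log-group:/aws/stepfunction/<name>`, but the state_machine.tf hunk in this same patch configures the group as `cloudwatch_log_group_name = "/aws/vendedlogs/states/<name>"`, so the resource restriction names a log group the module does not configure and the group it does configure is not covered; derive both from one local and change the ARN prefix to `log-group:/aws/vendedlogs/states/${...}`. In `ListOwnExecutions` the environment, application name and suffix are passed through `lower()`, while `state_machine_name` in state_machine.tf is formatted without it; state machine ARNs are case-sensitive, so any uppercase in `application_name` or `suffix` makes that statement match nothing — build the ARN from the same un-lowered name (that statement also reads `current_account.id` where every other ARN uses `current_account.account_id`; both resolve to the account id, but one attribute would be clearer). `AllowCloudwatchLogDelivery` grants `logs:PutResourcePolicy` and `logs:DeleteLogDelivery` on `"*"`, which lets the execution role rewrite the account-level CloudWatch Logs resource policy; the Step Functions logging documentation does list these actions with `"*"`, so record that with a comment such as `# Log-delivery APIs are not resource-scoped; PutResourcePolicy here is account-level` so the blast radius is explicit and a later reviewer does not tighten it blindly.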
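Review bot: `BarebonesEventActionsForStatemachine` is concatenated into every state machine's policy unconditionally, and the state_machine.tf hunk also sets `service_integrations.stepfunction_Sync.events = true`, which — if I read the upstream terraform-aws-modules module correctly — already grants the EventBridge permissions the `.sync` integration needs, so this statement looks duplicated; if both are kept, a comment should say which one is authoritative. `events:PutEvents` on `event-bus/default` lets every state machine publish arbitrary events to the account's default bus even when its definition never emits any; either document that deliberately, e.g. `# Every state machine may publish to the default bus; drop this if the definition does not emit events`, or leave it to the caller's `iam_policy_statements`.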
@@ -0,0 +1,45 @@
+locals {
+ actual_state_machines = {
+ for state_machine in var.raw_state_machines :
+ state_machine.suffix => merge(state_machine, {
+ state_machine_definition = templatefile(state_machine.template_file, state_machine.template_input)
+ policy_json = data.aws_iam_policy_document.attached_policies[state_machine.suffix].json
+ state_machine_name = format("%s-%s-%s-stepfunction", var.environment, var.application_name, state_machine.suffix)
+ })
+ }
+}
+
+module "step_function_state_machine" {
+ for_each = local.actual_state_machines
+
+ depends_on = [
+ data.aws_iam_policy_document.attached_policies
+ ]
+
+
+ source = "terraform-aws-modules/step-functions/aws"
+ version = "4.2.0"
+
+ name = each.value["state_machine_name"]
+ create_role = true
+ policy_jsons = [each.value["policy_json"]]
+
+ definition = each.value["state_machine_definition"]
+
+ logging_configuration = {
+ "include_execution_data" = true
+ "level" = "ALL"
+ }
+ cloudwatch_log_group_name = "/aws/vendedlogs/states/${each.value["state_machine_name"]}"
+ cloudwatch_log_group_retention_in_days = each.value["cloudwatch_retention"]
+
+ service_integrations = {
+ stepfunction_Sync = {
+ # Set to true to use the default events (otherwise, set this to a list of ARNs; see the docs linked in locals.tf
+ # for more information). Without events permissions, you will get an error similar to this:
+ # Error: AccessDeniedException: 'arn:aws:iam::xxxx:role/step-functions-role' is not authorized to
+ # create managed-rule
+ events = true
+ }
+ }
+}
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..bd3f204
--- /dev/null
+++ b/variables.tf
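Review bot: `logging_configuration` hard-codes `"include_execution_data" = true` together with `"level" = "ALL"`, so the input and output payload of every state transition is written to CloudWatch Logs for every state machine this module creates and retained for `cloudwatch_retention` days, and a caller whose payloads carry secrets or personal data has no way to opt out. Expose it per machine — an optional `log_execution_data = optional(bool, true)` attribute on `raw_state_machines`, passed as `"include_execution_data" = each.value["log_execution_data"]` — and state in the README that execution data is logged by default. The comment above `events = true` points the reader to "the docs linked in locals.tf", but this module has no locals.tf (the diffstat lists none), so the pointer should name the upstream module's documentation or be dropped. The module-level `depends_on` on `data.aws_iam_policy_document.attached_policies` is redundant, because `policy_json` already references that data source through `local.actual_state_machines`, and it makes every resource inside the upstream module depend on the data source rather than only the policy input.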
@@ -0,0 +1,76 @@ +# Input variable definitions +variable "environment" { + description = "Which environment this is being instantiated in." + type = string + validation { + condition = contains(["dev", "test", "prod"], var.environment) + error_message = "Must be either dev, test or prod" + } +} + +variable "application_name" { + description = "Name of the application utilising resource." + type = string +} + +variable "vpc_config" { + description = "AWS VPC ID" + type = string +} + +variable "raw_state_machines" { + description = <= 0) + ]) + error_message = "cloudwatch_retention for each state machine should be a valid integer greater than or equal to 0" + } +} \ No newline at end of file From f48476af51fbed70f39d39b90e4496723ef25dfc Mon Sep 17 00:00:00 2001 From: Benjamin Clark Date: Wed, 18 Sep 2024 14:49:34 +0100 Subject: [PATCH 2/4] Add examples --- README.md | 4 ++-- aws_iam_policy_document.tf | 4 +++- examples/step-function/.terraform-version | 1 + examples/step-function/data.tf | 8 +++++++ .../step-function/files/step-function.json | 11 +++++++++ examples/step-function/locals.tf | 23 +++++++++++++++++++ examples/step-function/main.tf | 23 +++++++++++++++++++ examples/step-function/variables.tf | 15 ++++++++++++ variables.tf | 2 +- 9 files changed, 87 insertions(+), 4 deletions(-) create mode 100644 examples/step-function/.terraform-version create mode 100644 examples/step-function/data.tf create mode 100644 examples/step-function/files/step-function.json create mode 100644 examples/step-function/locals.tf create mode 100644 examples/step-function/main.tf create mode 100644 examples/step-function/variables.tf diff --git a/README.md b/README.md index 5c30729..eb62eb2 100644 --- a/README.md +++ b/README.md 
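Review bot: The visible validation on `raw_state_machines` only checks `cloudwatch_retention >= 0`, but the CloudWatch Logs retention attribute accepts a fixed set of values (0 for never-expire plus specific day counts such as 1, 3, 5, 7, 14, 30, 60, 90, …, 3653 per the provider documentation), so a value like 45 passes validation and fails at apply; a `contains([...], machine.cloudwatch_retention)` check against that list would surface it at plan time (the middle of this hunk — the heredoc description and the type — appears truncated in this view, so I am reading the type from the README hunk). The description promises that `sid` has "no spaces or special characters", and `suffix` flows into the state machine, role and log group names and into the ARNs built in aws_iam_policy_document.tf, yet neither is validated; IAM rejects a non-alphanumeric Sid only at apply. A validation block for `sid`, and a similar one restricting `suffix` to `[a-z0-9-]` (which also removes the `lower()` mismatch with those ARNs), fails fast with a clear message:
```hcl
variable "raw_state_machines" {
  # … unchanged: description and type …

  validation {
    condition = alltrue(flatten([
      for machine in var.raw_state_machines : [
        for statement in machine.iam_policy_statements :
        can(regex("^[A-Za-z0-9]+$", statement.sid))
      ]
    ]))
    error_message = "Each iam_policy_statements sid must be alphanumeric; IAM rejects spaces and special characters."
  }

  # … unchanged: existing cloudwatch_retention validation …
}
```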
@@ -75,7 +75,7 @@ the module itself, and the [examples](#examples) section which has examples of h |------|-------------|------|---------|:--------:| | [application\_name](#input\_application\_name) | Name of the application utilising resource. | `string` | n/a | yes | | [environment](#input\_environment) | Which environment this is being instantiated in. | `string` | n/a | yes | -| [raw\_state\_machines](#input\_raw\_state\_machines) | Data structure
---------------
A list of dictionaries, where each dictionary has the following attributes:

REQUIRED
---------
- template\_file : Which file under application/state\_machine\_definition this machine corresponds to
- template\_input : A dictionary of key/value pairs, outlining in detail the inputs needed for a template to be instantiated
- suffix : Friendly name for the state function
- iam\_policy\_statements : A list of dictionaries where each dictionary is an IAM statement defining glue job permissions
-- Each dictionary in this list must define the following attributes:
--- sid: Friendly name for the policy, no spaces or special characters allowed
--- actions: A list of IAM actions the state machine is allowed to perform
--- resources: Which resource(s) the state machine may perform the above actions against
--- conditions : An OPTIONAL list of dictionaries, which each defines:
---- test : Test condition for limiting the action
---- variable : Value to test
---- values : A list of strings, denoting what to test for


OPTIONAL
---------
- cloudwatch\_retention : How many days logs should be retained for in Cloudwatch, defaults to 90 |
list(
object({
template_file = string,
template_input = map(string),
suffix = string,
iam_policy_statements = list(
object({
sid = string,
actions = list(string),
resources = list(string),
conditions = optional(list(
object({
test : string,
variable : string,
values = list(string)
})
), [])
})
),
cloudwatch_retention = optional(number, 90)
})
)
| n/a | yes | +| [raw\_state\_machines](#input\_raw\_state\_machines) | Data structure
---------------
A list of dictionaries, where each dictionary has the following attributes:

REQUIRED
---------
- template\_file : File path which this machine corresponds to
- template\_input : A dictionary of key/value pairs, outlining in detail the inputs needed for a template to be instantiated
- suffix : Friendly name for the state function
- iam\_policy\_statements : A list of dictionaries where each dictionary is an IAM statement defining glue job permissions
-- Each dictionary in this list must define the following attributes:
--- sid: Friendly name for the policy, no spaces or special characters allowed
--- actions: A list of IAM actions the state machine is allowed to perform
--- resources: Which resource(s) the state machine may perform the above actions against
--- conditions : An OPTIONAL list of dictionaries, which each defines:
---- test : Test condition for limiting the action
---- variable : Value to test
---- values : A list of strings, denoting what to test for


OPTIONAL
---------
- cloudwatch\_retention : How many days logs should be retained for in Cloudwatch, defaults to 90 |
list(
object({
template_file = string,
template_input = map(string),
suffix = string,
iam_policy_statements = list(
object({
sid = string,
actions = list(string),
resources = list(string),
conditions = optional(list(
object({
test : string,
variable : string,
values = list(string)
})
), [])
})
),
cloudwatch_retention = optional(number, 90)
})
)
| n/a | yes | | [vpc\_config](#input\_vpc\_config) | AWS VPC ID | `string` | n/a | yes | ## Outputs @@ -91,7 +91,7 @@ A list of dictionaries, where each dictionary has the following attributes: REQUIRED --------- -- template_file : Which file under application/state_machine_definition this machine corresponds to +- template_file : File path which this machine corresponds to - template_input : A dictionary of key/value pairs, outlining in detail the inputs needed for a template to be instantiated - suffix : Friendly name for the state function - iam_policy_statements : A list of dictionaries where each dictionary is an IAM statement defining glue job permissions diff --git a/aws_iam_policy_document.tf b/aws_iam_policy_document.tf index 4186c0e..e0d1e45 100644 --- a/aws_iam_policy_document.tf +++ b/aws_iam_policy_document.tf @@ -31,6 +31,7 @@ locals { "arn:aws:logs:${data.aws_region.current_region.name}:${data.aws_caller_identity.current_account.account_id}:log-group:/aws/stepfunction/${format("%s-%s-%s-stepfunction", var.environment, var.application_name, state_machine.suffix)}", "arn:aws:logs:${data.aws_region.current_region.name}:${data.aws_caller_identity.current_account.account_id}:log-group:/aws/stepfunction/${format("%s-%s-%s-stepfunction", var.environment, var.application_name, state_machine.suffix)}:*" ] + conditions = [] }, { sid = "AllowCloudwatchLogDelivery", @@ -44,7 +45,8 @@ locals { "logs:ListLogDeliveries", "logs:DescribeLogGroups" ], - resources = ["*"] + resources = ["*"] + conditions = [] } ] ) diff --git a/examples/step-function/.terraform-version b/examples/step-function/.terraform-version new file mode 100644 index 0000000..8e03717 --- /dev/null +++ b/examples/step-function/.terraform-version @@ -0,0 +1 @@ +1.5.1 \ No newline at end of file diff --git a/examples/step-function/data.tf b/examples/step-function/data.tf new file mode 100644 index 0000000..d352dcc --- /dev/null +++ b/examples/step-function/data.tf 
@@ -0,0 +1,8 @@
+# Get current region
+data "aws_region" "current_region" {}
+
+# Retrieve the current AWS Account info
+data "aws_caller_identity" "current_account" {}
+
+# Retrieve the default VPC
+data "aws_vpc" "current" {}
\ No newline at end of file
diff --git a/examples/step-function/files/step-function.json b/examples/step-function/files/step-function.json
new file mode 100644
index 0000000..852cd87
--- /dev/null
+++ b/examples/step-function/files/step-function.json
@@ -0,0 +1,11 @@
+{
+ "Comment": "A Hello World example of the Amazon States Language using an AWS Lambda Function",
+ "StartAt": "HelloWorld",
+ "States": {
+ "HelloWorld": {
+ "Type": "Task",
+ "Resource": "${lambda-arn}",
+ "End": true
+ }
+ }
+}
\ No newline at end of file
diff --git a/examples/step-function/locals.tf b/examples/step-function/locals.tf
new file mode 100644
index 0000000..94f45ba
--- /dev/null
+++ b/examples/step-function/locals.tf
@@ -0,0 +1,23 @@
+locals {
+ raw_state_machines = [
+ {
+ suffix : "hello-world",
+ template_file : "${path.module}/files/step-function.json",
+ template_input : {
+ "lambda-arn" : "arn:aws:lambda:${data.aws_region.current_region.name}:${data.aws_caller_identity.current_account.account_id}:function:hello-world-function"
+ },
+ iam_policy_statements : [
+ {
+ sid : "AllowLambdaExecution",
+ actions : [
+ "lambda:InvokeFunction",
+ "lambda:InvokeAsync",
+ ],
+ resources : [
+ "arn:aws:lambda:${data.aws_region.current_region.name}:${data.aws_caller_identity.current_account.account_id}:function:hello-world-function"
+ ]
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/examples/step-function/main.tf b/examples/step-function/main.tf
new file mode 100644
index 0000000..ab6dc0d
--- /dev/null
+++ b/examples/step-function/main.tf
@@ -0,0 +1,23 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.61.0"
+ }
+ }
+ required_version = "~> 1.5.0"
+}
+
+provider "aws" {
+ region = "eu-west-2"
+}
+
+module "step_function" {
+ source = "github.com/sudoblark/sudoblark.terraform.module.aws.state_machine?ref=1.0.0"
+
+ application_name = var.application_name
+ environment = var.environment
+ raw_state_machines = local.raw_state_machines
+ vpc_config = data.aws_vpc.current.id
+
+}
\ No newline at end of file
diff --git a/examples/step-function/variables.tf b/examples/step-function/variables.tf
new file mode 100644
index 0000000..9ccf4b8
--- /dev/null
+++ b/examples/step-function/variables.tf
@@ -0,0 +1,15 @@
+variable "environment" {
+ description = "Which environment this is being instantiated in."
+ type = string
+ validation {
+ condition = contains(["dev", "test", "prod"], var.environment)
+ error_message = "Must be either dev, test or prod"
+ }
+ default = "prod"
+}
+
+variable "application_name" {
+ description = "Name of the application utilising the resource resource."
+ type = string
+ default = "demo-app"
+}
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index bd3f204..02761f9 100644
--- a/variables.tf
+++ b/variables.tf
@@ -27,7 +27,7 @@ A list of dictionaries, where each dictionary has the following attributes: REQUIRED --------- -- template_file : Which file under application/state_machine_definition this machine corresponds to +- template_file : File path which this machine corresponds to - template_input : A dictionary of key/value pairs, outlining in detail the inputs needed for a template to be instantiated - suffix : Friendly name for the state function - iam_policy_statements : A list of dictionaries where each dictionary is an IAM statement defining glue job permissions
From 3df3b08feeb76b9aa4a1afa39a035b305f2d4afd Mon Sep 17 00:00:00 2001
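Review bot: `source = "github.com/sudoblark/sudoblark.terraform.module.aws.state_machine?ref=1.0.0"` pins the example to a git tag, and tags are mutable, so anyone running this example — including the CI `plan` job introduced in the next patch — fetches whatever the tag points to at that moment; pin to an immutable commit, `source = "github.com/sudoblark/sudoblark.terraform.module.aws.state_machine?ref=<full-commit-sha>"`, or at least note in a comment that the tag is expected to be protected. It is also worth saying in the README that the example consumes the published tag rather than the working tree, so a module change in the same PR is presumably not exercised by the example until it is released. The hard-coded `region = "eu-west-2"` in the provider block is fine for an example but deserves a one-line comment saying it is deliberate.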
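Review bot: The `application_name` description reads "utilising the resource resource." — a duplicated word; `description = "Name of the application utilising the resource."`. In the same hunk `environment` defaults to `"prod"`, so running the example without an override names everything as production; `default = "dev"` is the safer default for an example, with the prod value left to an explicit `-var`.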
From: Benjamin Clark Date: Wed, 18 Sep 2024 14:54:17 +0100 Subject: [PATCH 3/4] Fix incorrect CI pipeline --- .github/workflows/commit-to-pr.yaml | 6 +++--- README.md | 2 +- .../{step-function => step_function}/.terraform-version | 0 examples/{step-function => step_function}/data.tf | 0 .../files/step-function.json | 0 examples/{step-function => step_function}/locals.tf | 0 examples/{step-function => step_function}/main.tf | 0 examples/{step-function => step_function}/variables.tf | 0 8 files changed, 4 insertions(+), 4 deletions(-) rename examples/{step-function => step_function}/.terraform-version (100%) rename examples/{step-function => step_function}/data.tf (100%) rename examples/{step-function => step_function}/files/step-function.json (100%) rename examples/{step-function => step_function}/locals.tf (100%) rename examples/{step-function => step_function}/main.tf (100%) rename examples/{step-function => step_function}/variables.tf (100%) diff --git a/.github/workflows/commit-to-pr.yaml b/.github/workflows/commit-to-pr.yaml index 2bd9dc0..904c5fb 100644 --- a/.github/workflows/commit-to-pr.yaml +++ b/.github/workflows/commit-to-pr.yaml @@ -20,7 +20,7 @@ jobs: validation: strategy: matrix: - folder: ["add", "folders", "here"] + folder: ["./", "examples/step_function"] name: Terraform validate for ${{ matrix.folder }} runs-on: ubuntu-20.04 steps: @@ -41,7 +41,7 @@ jobs: linting: strategy: matrix: - folder: ["add", "folders", "here"] + folder: ["./", "examples/step_function"] name: Terraform lint for ${{ matrix.folder }} runs-on: ubuntu-20.04 steps: @@ -59,7 +59,7 @@ jobs: plan: strategy: matrix: - folder: ["add", "folders", "here"] + folder: ["examples/step_function"] name: Terraform plan for ${{ matrix.folder }} runs-on: ubuntu-20.04 needs: [validation, linting] diff --git a/README.md b/README.md index eb62eb2..3bacd0c 100644 --- a/README.md +++ b/README.md 
@@ -107,7 +107,7 @@ REQUIRED OPTIONAL --------- -- cloudwatch_retention : How many days logs should be retained for in Cloudwatch, defaults to 90 +- cloudwatch_retention : How many days logs should be retained for in Cloudwatch, defaults to 90gi ``` ## Examples diff --git a/examples/step-function/.terraform-version b/examples/step_function/.terraform-version similarity index 100% rename from examples/step-function/.terraform-version rename to examples/step_function/.terraform-version diff --git a/examples/step-function/data.tf b/examples/step_function/data.tf similarity index 100% rename from examples/step-function/data.tf rename to examples/step_function/data.tf diff --git a/examples/step-function/files/step-function.json b/examples/step_function/files/step-function.json similarity index 100% rename from examples/step-function/files/step-function.json rename to examples/step_function/files/step-function.json diff --git a/examples/step-function/locals.tf b/examples/step_function/locals.tf similarity index 100% rename from examples/step-function/locals.tf rename to examples/step_function/locals.tf diff --git a/examples/step-function/main.tf b/examples/step_function/main.tf similarity index 100% rename from examples/step-function/main.tf rename to examples/step_function/main.tf diff --git a/examples/step-function/variables.tf b/examples/step_function/variables.tf similarity index 100% rename from examples/step-function/variables.tf rename to examples/step_function/variables.tf From 4ed88d5be9da225539006dc513c33ca7eed2cb0a Mon Sep 17 00:00:00 2001 From: Benjamin Clark Date: Wed, 18 Sep 2024 15:00:29 +0100 Subject: [PATCH 4/4] Remove VPC_CONFIG variable --- README.md | 1 - examples/step_function/data.tf | 5 +---- examples/step_function/main.tf | 2 -- variables.tf | 5 ----- 4 files changed, 1 insertion(+), 12 deletions(-) diff --git a/README.md b/README.md index 3bacd0c..e560d0f 100644 --- a/README.md +++ b/README.md 
@@ -76,7 +76,6 @@ the module itself, and the [examples](#examples) section which has examples of h | [application\_name](#input\_application\_name) | Name of the application utilising resource. | `string` | n/a | yes | | [environment](#input\_environment) | Which environment this is being instantiated in. | `string` | n/a | yes | | [raw\_state\_machines](#input\_raw\_state\_machines) | Data structure
---------------
A list of dictionaries, where each dictionary has the following attributes:

REQUIRED
---------
- template\_file : File path which this machine corresponds to
- template\_input : A dictionary of key/value pairs, outlining in detail the inputs needed for a template to be instantiated
- suffix : Friendly name for the state function
- iam\_policy\_statements : A list of dictionaries where each dictionary is an IAM statement defining glue job permissions
-- Each dictionary in this list must define the following attributes:
--- sid: Friendly name for the policy, no spaces or special characters allowed
--- actions: A list of IAM actions the state machine is allowed to perform
--- resources: Which resource(s) the state machine may perform the above actions against
--- conditions : An OPTIONAL list of dictionaries, which each defines:
---- test : Test condition for limiting the action
---- variable : Value to test
---- values : A list of strings, denoting what to test for


OPTIONAL
---------
- cloudwatch\_retention : How many days logs should be retained for in Cloudwatch, defaults to 90 |
list(
object({
template_file = string,
template_input = map(string),
suffix = string,
iam_policy_statements = list(
object({
sid = string,
actions = list(string),
resources = list(string),
conditions = optional(list(
object({
test : string,
variable : string,
values = list(string)
})
), [])
})
),
cloudwatch_retention = optional(number, 90)
})
)
| n/a | yes | -| [vpc\_config](#input\_vpc\_config) | AWS VPC ID | `string` | n/a | yes | ## Outputs diff --git a/examples/step_function/data.tf b/examples/step_function/data.tf index d352dcc..7ae4bae 100644 --- a/examples/step_function/data.tf +++ b/examples/step_function/data.tf @@ -2,7 +2,4 @@ data "aws_region" "current_region" {} # Retrieve the current AWS Account info -data "aws_caller_identity" "current_account" {} - -# Retrieve the default VPC -data "aws_vpc" "current" {} \ No newline at end of file +data "aws_caller_identity" "current_account" {} \ No newline at end of file diff --git a/examples/step_function/main.tf b/examples/step_function/main.tf index ab6dc0d..8a7561d 100644 --- a/examples/step_function/main.tf +++ b/examples/step_function/main.tf @@ -18,6 +18,4 @@ module "step_function" { application_name = var.application_name environment = var.environment raw_state_machines = local.raw_state_machines - vpc_config = data.aws_vpc.current.id - } \ No newline at end of file diff --git a/variables.tf b/variables.tf index 02761f9..068ffe6 100644 --- a/variables.tf +++ b/variables.tf @@ -13,11 +13,6 @@ variable "application_name" { type = string } -variable "vpc_config" { - description = "AWS VPC ID" - type = string -} - variable "raw_state_machines" { description = <