[feature] Allow specifying aws-iam-role max_session_duration (#299)

chanzuckerberg · Apr 13, 2021 · 9df4395 · 9df4395
1 parent 06c61e5
commit 9df4395
Show file tree

Hide file tree

Showing 54 changed files with 272 additions and 252 deletions.
diff --git a/aws-aurora-mysql/variables.tf b/aws-aurora-mysql/variables.tf
@@ -92,7 +92,7 @@ variable "publicly_accessible" {
 }
 
 variable "rds_cluster_parameters" {
-  type        = list
+  type        = list(any)
   description = "Cluster params you can set. [Doc](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Reference.html#AuroraMySQL.Reference.Parameters.Cluster)"
 
   default = [
@@ -110,7 +110,7 @@ variable "rds_cluster_parameters" {
 }
 
 variable "db_parameters" {
-  type        = list
+  type        = list(any)
   description = "Instance params you can set. [Doc](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Reference.html#AuroraMySQL.Reference.Parameters.Instance)"
 
   default = [
@@ -175,13 +175,13 @@ variable "params_engine_version" {
   default     = "5.7"
 }
 
-variable ca_cert_identifier {
+variable "ca_cert_identifier" {
   type        = string
   description = "Identifier for the certificate authority. rds-ca-2019 is the latest available version."
   default     = "rds-ca-2019"
 }
 
-variable auto_minor_version_upgrade {
+variable "auto_minor_version_upgrade" {
   type        = bool
   description = "Set the databases to automatically upgrade minor versions."
   default     = true

diff --git a/aws-aurora-postgres/variables.tf b/aws-aurora-postgres/variables.tf
@@ -86,13 +86,13 @@ variable "apply_immediately" {
 }
 
 variable "rds_cluster_parameters" {
-  type        = list
+  type        = list(any)
   description = "Cluster params you can set. [Doc](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Reference.html#AuroraPostgreSQL.Reference.Parameters.Cluster)"
   default     = []
 }
 
 variable "db_parameters" {
-  type        = list
+  type        = list(any)
   description = "Instance params you can set. [Doc](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Reference.html#AuroraPostgreSQL.Reference.Parameters.Instance)"
   default     = []
 }
@@ -119,13 +119,13 @@ variable "iam_database_authentication_enabled" {
   default = false
 }
 
-variable ca_cert_identifier {
+variable "ca_cert_identifier" {
   type        = string
   description = "Identifier for the certificate authority."
   default     = "rds-ca-2019"
 }
 
-variable auto_minor_version_upgrade {
+variable "auto_minor_version_upgrade" {
   type        = bool
   description = "Set the databases to automatically upgrade minor versions."
   default     = true

diff --git a/aws-aurora/main.tf b/aws-aurora/main.tf
@@ -17,7 +17,7 @@ resource "aws_security_group" "rds" {
 
   vpc_id = var.vpc_id
 
-  dynamic ingress {
+  dynamic "ingress" {
     for_each = var.ingress_cidr_blocks
     content {
       from_port   = var.port
@@ -27,7 +27,7 @@ resource "aws_security_group" "rds" {
     }
   }
 
-  dynamic ingress {
+  dynamic "ingress" {
     for_each = var.ingress_security_groups
     content {
       from_port       = var.port

diff --git a/aws-aurora/variables.tf b/aws-aurora/variables.tf
@@ -77,13 +77,13 @@ variable "publicly_accessible" {
 }
 
 variable "rds_cluster_parameters" {
-  type = list
+  type = list(any)
 
   default = []
 }
 
 variable "db_parameters" {
-  type = list
+  type = list(any)
 
   default = []
 }
@@ -116,7 +116,7 @@ variable "iam_database_authentication_enabled" {
 }
 
 variable "enabled_cloudwatch_logs_exports" {
-  type    = list
+  type    = list(any)
   default = []
 }
 
@@ -130,13 +130,13 @@ variable "db_deletion_protection" {
   default = false
 }
 
-variable ca_cert_identifier {
+variable "ca_cert_identifier" {
   type        = string
   description = "Identifier for the certificate authority. Use rds-ca-2019 for anything new."
   default     = "rds-ca-2019"
 }
 
-variable auto_minor_version_upgrade {
+variable "auto_minor_version_upgrade" {
   type        = bool
   description = "Set the databases to automatically upgrade minor versions."
   default     = true

diff --git a/aws-cloudfront-domain-redirect/main.tf b/aws-cloudfront-domain-redirect/main.tf
@@ -7,7 +7,7 @@ locals {
   }
 }
 
-resource aws_s3_bucket redirect_bucket {
+resource "aws_s3_bucket" "redirect_bucket" {
   bucket = "redirect-${var.source_domain}-to-${var.target_domain}"
   website {
     redirect_all_requests_to = "https://${var.target_domain}"
@@ -36,7 +36,7 @@ module "cert" {
   service = var.service
 }
 
-resource aws_cloudfront_distribution cf {
+resource "aws_cloudfront_distribution" "cf" {
   enabled = true
   comment = "Redirect requests from ${var.source_domain} to ${var.target_domain}."
 
@@ -93,7 +93,7 @@ resource aws_cloudfront_distribution cf {
   tags = local.tags
 }
 
-resource aws_route53_record alias_ipv4 {
+resource "aws_route53_record" "alias_ipv4" {
   zone_id = var.source_domain_zone_id
   name    = var.source_domain
   type    = "A"
@@ -105,7 +105,7 @@ resource aws_route53_record alias_ipv4 {
   }
 }
 
-resource aws_route53_record alias_ipv6 {
+resource "aws_route53_record" "alias_ipv6" {
   zone_id = var.source_domain_zone_id
   name    = var.source_domain
   type    = "AAAA"

diff --git a/aws-cloudfront-domain-redirect/variables.tf b/aws-cloudfront-domain-redirect/variables.tf
@@ -1,34 +1,34 @@
-variable project {
+variable "project" {
   type        = string
   description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
 }
 
-variable env {
+variable "env" {
   type        = string
   description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)"
 }
 
-variable service {
+variable "service" {
   type        = string
   description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)"
 }
 
-variable owner {
+variable "owner" {
   type        = string
   description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)"
 }
 
-variable source_domain {
+variable "source_domain" {
   type        = string
   description = "The domain that will be redirected from."
 }
 
-variable source_domain_zone_id {
+variable "source_domain_zone_id" {
   type        = string
   description = "Route53 zone id for the source domain."
 }
 
-variable target_domain {
+variable "target_domain" {
   type        = string
   description = "The domain that will be redirected to."
 }
diff --git a/aws-cloudfront-logs-bucket/variables.tf b/aws-cloudfront-logs-bucket/variables.tf
@@ -58,7 +58,7 @@ variable "lifecycle_rules" {
   ]
 }
 
-variable public_access_block {
+variable "public_access_block" {
   type    = bool
   default = true
 }
diff --git a/aws-cloudwatch-log-retention-manager/main.tf b/aws-cloudwatch-log-retention-manager/main.tf
@@ -10,7 +10,7 @@ locals {
   lambda_name = "${var.project}-${var.env}-${var.service}-cloudwatch-retention"
 }
 
-data archive_file lambda {
+data "archive_file" "lambda" {
   type        = "zip"
   output_path = "${path.module}/build/lambda.zip"
   source {
@@ -60,7 +60,7 @@ data archive_file lambda {
   }
 }
 
-module lambda {
+module "lambda" {
   source = "../aws-lambda-function"
 
   function_name    = local.lambda_name
@@ -78,26 +78,26 @@ module lambda {
   service = var.service
 }
 
-resource aws_cloudwatch_event_rule trigger {
+resource "aws_cloudwatch_event_rule" "trigger" {
   name                = "${var.project}-${var.env}-${var.service}-retention-trigger"
   schedule_expression = "rate(12 hours)"
   tags                = local.tags
 }
 
-resource aws_cloudwatch_event_target trigger {
+resource "aws_cloudwatch_event_target" "trigger" {
   rule = aws_cloudwatch_event_rule.trigger.id
   arn  = module.lambda.arn
 }
 
-resource aws_lambda_permission permission {
+resource "aws_lambda_permission" "permission" {
   statement_id  = "AllowScheduledLambdaExecution"
   action        = "lambda:InvokeFunction"
   function_name = local.lambda_name
   principal     = "events.amazonaws.com"
   source_arn    = aws_cloudwatch_event_rule.trigger.arn
 }
 
-data aws_iam_policy_document policy {
+data "aws_iam_policy_document" "policy" {
   statement {
     effect = "Allow"
     actions = [
@@ -110,7 +110,7 @@ data aws_iam_policy_document policy {
   }
 }
 
-resource aws_iam_role_policy policy {
+resource "aws_iam_role_policy" "policy" {
   name   = "allow-managing-log-groups"
   role   = module.lambda.role_id
   policy = data.aws_iam_policy_document.policy.json

diff --git a/aws-cloudwatch-log-retention-manager/variables.tf b/aws-cloudwatch-log-retention-manager/variables.tf
@@ -1,24 +1,24 @@
-variable project {
+variable "project" {
   type        = string
   description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
 }
 
-variable env {
+variable "env" {
   type        = string
   description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)"
 }
 
-variable service {
+variable "service" {
   type        = string
   description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)"
 }
 
-variable owner {
+variable "owner" {
   type        = string
   description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)"
 }
 
-variable maximum_retention {
+variable "maximum_retention" {
   type        = number
   description = "The default days of retention to apply to untagged Cloudwatch Log Groups."
 }
diff --git a/aws-iam-group-assume-role/variables.tf b/aws-iam-group-assume-role/variables.tf
@@ -1,5 +1,5 @@
 variable "target_accounts" {
-  type        = list
+  type        = list(any)
   description = "List of accounts in which this role should be assume-able."
 }
 
@@ -15,7 +15,7 @@ variable "group_name" {
 }
 
 variable "users" {
-  type        = list
+  type        = list(any)
   default     = []
   description = "List of user's names who should be added to this group."
 }
@@ -29,5 +29,5 @@ variable "target_role" {
 # Pseudo depends_on because Terraform modules do not support depends_on
 variable "dependencies" {
   default = []
-  type    = list
+  type    = list(any)
 }
diff --git a/aws-iam-role-bless/variables.tf b/aws-iam-role-bless/variables.tf
@@ -15,7 +15,7 @@ variable "source_account_ids" {
 }
 
 variable "bless_lambda_arns" {
-  type        = list
+  type        = list(any)
   description = "List of bless lambda arns"
 }
 
@@ -25,22 +25,22 @@ variable "iam_path" {
   description = "IAM path"
 }
 
-variable project {
+variable "project" {
   type        = string
   description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
 }
 
-variable env {
+variable "env" {
   type        = string
   description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)"
 }
 
-variable service {
+variable "service" {
   type        = string
   description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)"
 }
 
-variable owner {
+variable "owner" {
   type        = string
   description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)"
 }
diff --git a/aws-iam-role-cloudfront-poweruser/variables.tf b/aws-iam-role-cloudfront-poweruser/variables.tf
@@ -4,7 +4,7 @@ variable "role_name" {
 }
 
 variable "s3_bucket_prefixes" {
-  type        = list
+  type        = list(any)
   description = "Limits role permissions to buckets with specific prefixes. Empty for all buckets."
 
   default = [
@@ -35,22 +35,22 @@ variable "saml_idp_arn" {
   description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided."
 }
 
-variable project {
+variable "project" {
   type        = string
   description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
 }
 
-variable env {
+variable "env" {
   type        = string
   description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)"
 }
 
-variable service {
+variable "service" {
   type        = string
   description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)"
 }
 
-variable owner {
+variable "owner" {
   type        = string
   description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)"
 }