feat: enforce External ID v2 format via iam-role module (#76)
---------

Co-authored-by: Pengyuan Zhao <pengyuan.zhao@lacework.net>
djmctavish and PengyuanZhao authored Sep 15, 2023
1 parent de3fd4d commit ce9b91e
Showing 6 changed files with 2 additions and 8 deletions.
1 change: 0 additions & 1 deletion README.md
Expand Up @@ -30,7 +30,6 @@ Terraform module for configuring an integration with Lacework and AWS for cloud

| Name | Description | Type | Default | Required |
| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ---------------- | :------: |
| external_id_length | The length of the external ID to generate. Max length is 1224. Ignored when use_existing_iam_role is set to `true` | `number` | `16` | no |
| iam_role_arn | The IAM role ARN is required when setting use_existing_iam_role to `true` | `string` | `""` | no |
| iam_role_external_id | The external ID configured inside the IAM role is required when setting use_existing_iam_role to `true` | `string` | `""` | no |
| iam_role_name | The IAM role name. Required to match with iam_role_arn if use_existing_iam_role is set to `true` | `string` | `""` | no |
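Review bot: dropping the `external_id_length` row from the inputs table hides a variable that this same commit keeps declared in variables.tf (now described as deprecated), so a user who still passes it gets no documentation of why it no longer has any effect. Keep the row with the deprecation text from variables.tf, or add a short note under the table saying the external ID format and length are now fixed by the `lacework/iam-role/aws` module and the input is ignored until its removal in v1.0.0.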
2 changes: 0 additions & 2 deletions examples/custom-config/README.md
Expand Up @@ -10,7 +10,6 @@ display name in Lacework, the Lacework audit policy name, and the external_id le
| `iam_role_name` | The IAM role name. Required to match with iam_role_arn if use_existing_iam_role is set to `true` | `string` |
| `lacework_integration_name` | Specifies the name of the integration in Lacework | `string` |
| `lacework_audit_policy_name` | The name of the custom audit policy (which extends SecurityAudit) to allow Lacework to read configs. Defaults to `lwaudit-policy-${random_id.uniq.hex}` when empty | `string` |
| `external_id_length` | The length of the external ID to generate. Max length is 1224. Ignored when use_existing_iam_role is set to `true` | `number` |

## Sample Code
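Review bot: the intro paragraph visible in the hunk header context still describes this example as configuring the external ID (the sentence ending in "and the external_id le…"), but the table row and the sample input for it are removed in this commit. Update that sentence in the same change so the description matches what the example now sets (role name, integration name, audit policy name only).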

Expand All @@ -34,7 +33,6 @@ module "aws_config" {
iam_role_name = "lw-custom-role"
lacework_integration_name = "account-abc"
lacework_audit_policy_name = "policy-abc"
external_id_length = 1000
}
```

1 change: 0 additions & 1 deletion examples/custom-config/main.tf
Expand Up @@ -8,5 +8,4 @@ module "aws_config" {
iam_role_name = "lw-custom-role"
lacework_integration_name = "account-abc"
lacework_audit_policy_name = "policy-abc"
external_id_length = 1000
}
1 change: 0 additions & 1 deletion examples/existing-iam-role-config/README.md
Expand Up @@ -6,7 +6,6 @@ This scenario integrates an AWS account with Lacework for cloud resource configu

| Name | Description | Type |
| --------------------------- | ------------------------------------------------------------------------------------------------------------------ | -------- |
| `external_id_length` | The length of the external ID to generate. Max length is 1224. Ignored when use_existing_iam_role is set to `true` | `number` |
| `iam_role_arn` | The IAM role ARN is required when setting use_existing_iam_role to `true` | `string` |
| `iam_role_external_id` | The external ID configured inside the IAM role is required when setting use_existing_iam_role to `true` | `string` |
| `iam_role_name` | The IAM role name. Required to match with iam_role_arn if use_existing_iam_role is set to `true` | `string` |
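Review bot: removing `external_id_length` here is fine since this example sets `use_existing_iam_role` and the row already said the input was ignored in that case, but the `iam_role_external_id` description that remains is now the only place users of an existing role learn about the external ID, and it says nothing about the v2 format the commit title says is enforced. State in that row whether a user-supplied external ID for an existing role must already follow the v2 format (and is validated against it) or is passed through unchanged, so readers of this example know what to put in the role's trust policy.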
3 changes: 1 addition & 2 deletions main.tf
Expand Up @@ -13,12 +13,11 @@ resource "random_id" "uniq" {

module "lacework_cfg_iam_role" {
source = "lacework/iam-role/aws"
version = "~> 0.3"
version = "~> 0.4"
create = var.use_existing_iam_role ? false : true
iam_role_name = var.iam_role_name
permission_boundary_arn = var.permission_boundary_arn
lacework_aws_account_id = var.lacework_aws_account_id
external_id_length = var.external_id_length
tags = var.tags
}
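Review bot: `version = "~> 0.4"` allows any later 0.x release of `lacework/iam-role/aws` (0.5, 0.6, …), and in the 0.x range minor versions may carry breaking changes, which is exactly what this bump is reacting to (0.4 changes how the external ID is generated). If the intent is to pin to the release that introduced the v2 external ID, use `version = "~> 0.4.0"` so only patch releases are picked up automatically. Minor style point on the unchanged context line: `create = var.use_existing_iam_role ? false : true` reads more clearly as `create = !var.use_existing_iam_role`.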

2 changes: 1 addition & 1 deletion variables.tf
Expand Up @@ -38,7 +38,7 @@ variable "permission_boundary_arn" {
variable "external_id_length" {
type = number
default = 16
description = "The length of the external ID to generate. Max length is 1224. Ignored when use_existing_iam_role is set to `true`"
description = "**Deprecated** - Will be removed on our next major release v1.0.0"
}

variable "lacework_aws_account_id" {
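Review bot: the new description says only that the input is deprecated; it should also say that the value is now ignored (the pass-through to the `lacework_cfg_iam_role` module is removed in this same commit) and that the external ID is generated by the iam-role module in the v2 format, otherwise a user who sets `external_id_length = 1000` today gets a 16-character-looking change in behaviour with no explanation. Keeping `default = 16` is the right call so existing configurations keep planning cleanly until v1.0.0, but consider adding a `validation` block or a `moved`/changelog note that surfaces the deprecation at plan time rather than only in the variable description. Suggested wording: `description = "**Deprecated** - Ignored; the external ID is now generated by the lacework/iam-role/aws module in the v2 format. Will be removed in v1.0.0"`.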

0 comments on commit ce9b91e
