Merge pull request #5 from schubergphilis/feature/toggle-provider-cre…

…ation * docs(readme): update module usage * feature(migrations): add migration to allow seamless state migration --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
schubergphilis · Jul 29, 2024 · 434443c · 434443c
2 parents c40f290 + f7a340c
commit 434443c
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -31,15 +31,17 @@ IMPORTANT: We do not pin modules to versions in our examples. We highly recommen
 | Name | Type |
 |------|------|
 | [aws_iam_openid_connect_provider.gitlab](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |
+| [aws_iam_openid_connect_provider.gitlab](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source |
 | [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [tls_certificate.gitlab](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_iam_roles"></a> [iam\_roles](#input\_iam\_roles) | Configuration for IAM roles, the key of the map is used as the IAM role name. Unless overwritten by setting the name field. | <pre>map(object({<br>    description              = optional(string, "Role assumed by the Gitlab IAM OIDC provider")<br>    name                     = optional(string, null)<br>    path                     = optional(string, "/")<br>    permissions_boundary_arn = optional(string, "")<br>    policy                   = optional(string, null)<br>    policy_arns              = optional(set(string), [])<br><br>    subject_filter_allowed = object({<br>      path     = string<br>      ref_type = string<br>      ref      = string<br>    })<br>  }))</pre> | n/a | yes |
+| <a name="input_create_provider"></a> [create\_provider](#input\_create\_provider) | Toggle to whether or not create the provider. Put to false to not create the provider but instead data source it and create roles only. | `bool` | `true` | no |
 | <a name="input_gitlab_url"></a> [gitlab\_url](#input\_gitlab\_url) | GitLab URL. The address of your GitLab instance, such as https://gitlab.com or https://gitlab.example.com. | `string` | `"https://gitlab.com"` | no |
+| <a name="input_iam_roles"></a> [iam\_roles](#input\_iam\_roles) | Configuration for IAM roles, the key of the map is used as the IAM role name. Unless overwritten by setting the name field. | <pre>map(object({<br>    description              = optional(string, "Role assumed by the Gitlab IAM OIDC provider")<br>    name                     = optional(string, null)<br>    path                     = optional(string, "/")<br>    permissions_boundary_arn = optional(string, "")<br>    policy                   = optional(string, null)<br>    policy_arns              = optional(set(string), [])<br><br>    subject_filter_allowed = object({<br>      path     = string<br>      ref_type = string<br>      ref      = string<br>    })<br>  }))</pre> | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A mapping of tags to assign to all resources. | `map(string)` | `null` | no |
 
 ## Outputs

diff --git a/main.tf b/main.tf
@@ -1,10 +1,23 @@
+locals {
+  provider_arn = var.create_provider ? aws_iam_openid_connect_provider.gitlab["instance"].arn : data.aws_iam_openid_connect_provider.gitlab["instance"].arn
+  provider_url = var.create_provider ? aws_iam_openid_connect_provider.gitlab["instance"].url : data.aws_iam_openid_connect_provider.gitlab["instance"].url
+}
+
 # We avoid using https scheme because the Hashicorp TLS provider has started following redirects starting v4.
 # See https://github.com/hashicorp/terraform-provider-tls/issues/249
 data "tls_certificate" "gitlab" {
   url = "${replace(var.gitlab_url, "https", "tls")}:443"
 }
 
+data "aws_iam_openid_connect_provider" "gitlab" {
+  for_each = !var.create_provider ? { instance = true } : {}
+
+  url = var.gitlab_url
+}
+
 resource "aws_iam_openid_connect_provider" "gitlab" {
+  for_each = var.create_provider ? { instance = true } : {}
+
   url             = var.gitlab_url
   client_id_list  = [var.gitlab_url]
   thumbprint_list = [data.tls_certificate.gitlab.certificates[0].sha1_fingerprint]
@@ -20,15 +33,15 @@ data "aws_iam_policy_document" "assume_role_policy" {
 
     principals {
       type        = "Federated"
-      identifiers = [aws_iam_openid_connect_provider.gitlab.arn]
+      identifiers = [local.provider_arn]
     }
 
     # A concatenation of metadata describing the GitLab CI/CD workflow including the group, project, branch, and tag. The sub field is in the following format:
-    # project_path:{group}/{project}:ref_type:{type}:ref:{branch_name}  
-    # https://docs.gitlab.com/ee/ci/cloud_services/index.html#configure-a-conditional-role-with-oidc-claims  
+    # project_path:{group}/{project}:ref_type:{type}:ref:{branch_name}
+    # https://docs.gitlab.com/ee/ci/cloud_services/index.html#configure-a-conditional-role-with-oidc-claims
     condition {
       test     = "StringLike"
-      variable = "${aws_iam_openid_connect_provider.gitlab.url}:sub"
+      variable = "${local.provider_url}:sub"
       values   = ["project_path:${each.value.subject_filter_allowed.path}:ref_type:${each.value.subject_filter_allowed.ref_type}:ref:${each.value.subject_filter_allowed.ref}"]
     }
   }

diff --git a/migrations.tf b/migrations.tf
@@ -0,0 +1,4 @@
+moved {
+  from = aws_iam_openid_connect_provider.gitlab
+  to   = aws_iam_openid_connect_provider.gitlab["instance"]
+}
diff --git a/variables.tf b/variables.tf
@@ -1,3 +1,9 @@
+variable "create_provider" {
+  type        = bool
+  default     = true
+  description = "Toggle to whether or not create the provider. Put to false to not create the provider but instead data source it and create roles only."
+}
+
 variable "gitlab_url" {
   type        = string
   default     = "https://gitlab.com"
@@ -24,6 +30,7 @@ variable "iam_roles" {
       ref      = string
     })
   }))
+  default     = {}
   description = "Configuration for IAM roles, the key of the map is used as the IAM role name. Unless overwritten by setting the name field."
 
   validation {