From 373f9a8b0e2d345e9440b450ff1fe83676a91e07 Mon Sep 17 00:00:00 2001 From: Andrew Hummel Date: Thu, 18 Mar 2021 13:48:37 -0500 Subject: [PATCH 01/13] Add logging_configuration --- README.md | 124 +++++++++++++++--------------- examples/complete/main.tf | 155 +++++++++++++++++++++----------------- main.tf | 20 +++++ variables.tf | 51 +++++++++++++ 4 files changed, 216 insertions(+), 134 deletions(-) diff --git a/README.md b/README.md index bf2e0f1..ff9b7cf 100644 --- a/README.md +++ b/README.md @@ -4,18 +4,16 @@ Terraform module, which creates AWS Step Functions as well as required IAM role This Terraform module is the part of [serverless.tf framework](https://github.com/antonbabenko/serverless.tf), which aims to simplify all operations when working with the serverless in Terraform. - ## Features - [x] Creates AWS Step Function - [x] Conditional creation for many types of resources - [x] Support IAM policy attachments for [Integrated Services (eg, Lambda, SQS, ECS, EKS, Batch, DynamoDB, etc)](https://docs.aws.amazon.com/step-functions/latest/dg/service-integration-iam-templates.html) and various ways to create and attach additional policies - ## Usage ### Step Function - + ```hcl module "step_function" { source = "terraform-aws-modules/step-functions/aws" @@ -39,7 +37,7 @@ module "step_function" { } } EOF - + service_integrations = { dynamodb = { dynamodb = ["arn:aws:dynamodb:eu-west-1:052212379155:table/Test"] @@ -79,7 +77,7 @@ module "step_function" { sqs = { sqs = "arn:aws:sqs:..." # sqs queue ARN is required because there is no default_resources key for such integration } - + # Special case to deny all actions for the step function (this will override all IAM policies allowed for the function) no_tasks = { deny_all = true @@ -88,7 +86,6 @@ module "step_function" { } ``` - ## Additional IAM policies for Step Function In addition to all supported AWS service integrations you may want to create and attach additional policies. 
@@ -101,7 +98,6 @@ There are 5 supported ways to attach additional IAM policies to IAM role used by 1. `policies` - List of ARNs of existing IAM policies, when `attach_policies = true` and `number_of_policies > 0`. 1. `policy_statements` - Map of maps to define IAM statements which will be generated as IAM policy. Requires `attach_policy_statements = true`. See `examples/complete` for more information. - ## Conditional creation Sometimes you need to have a way to create resources conditionally, so the solution is to specify `create` arguments. @@ -117,25 +113,24 @@ module "step_function" { } ``` - ## Examples -* [Complete](https://github.com/terraform-aws-modules/terraform-aws-step-functions/tree/master/examples/complete) - Create Step Function and required IAM resources in various combinations with all supported features. - +- [Complete](https://github.com/terraform-aws-modules/terraform-aws-step-functions/tree/master/examples/complete) - Create Step Function and required IAM resources in various combinations with all supported features. + ## Requirements -| Name | Version | -|------|---------| +| Name | Version | +| --------- | --------- | | terraform | >= 0.13.1 | -| aws | >= 3.27 | +| aws | >= 3.27 | ## Providers | Name | Version | -|------|---------| -| aws | >= 3.27 | +| ---- | ------- | +| aws | >= 3.27 | ## Modules 
@@ -143,61 +138,63 @@ No Modules. ## Resources -| Name | -|------| -| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | -| [aws_iam_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | -| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | -| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | +| Name | +| ---------------------------------------------------------------------------------------------------------------------------------------- | +| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | +| [aws_iam_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | +| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | +| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | | [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | -| [aws_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | -| [aws_sfn_state_machine](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sfn_state_machine) | +| [aws_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | +| [aws_sfn_state_machine](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sfn_state_machine) | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| attach\_policies | Controls whether list of policies should be added to IAM role | `bool` | `false` | no | 
-| attach\_policies\_for\_integrations | Whether to attach AWS Service policies to IAM role | `bool` | `true` | no | -| attach\_policy | Controls whether policy should be added to IAM role | `bool` | `false` | no | -| attach\_policy\_json | Controls whether policy\_json should be added to IAM role | `bool` | `false` | no | -| attach\_policy\_jsons | Controls whether policy\_jsons should be added to IAM role | `bool` | `false` | no | -| attach\_policy\_statements | Controls whether policy\_statements should be added to IAM role | `bool` | `false` | no | -| aws\_region\_assume\_role | Name of AWS regions where IAM role can be assumed by the Step Function | `string` | `""` | no | -| create | Whether to create Step Function resource | `bool` | `true` | no | -| create\_role | Whether to create IAM role for the Step Function | `bool` | `true` | no | -| definition | The Amazon States Language definition of the Step Function | `string` | `""` | no | -| name | The name of the Step Function | `string` | `""` | no | -| number\_of\_policies | Number of policies to attach to IAM role | `number` | `0` | no | -| number\_of\_policy\_jsons | Number of policies JSON to attach to IAM role | `number` | `0` | no | -| policies | List of policy statements ARN to attach to IAM role | `list(string)` | `[]` | no | -| policy | An additional policy document ARN to attach to IAM role | `string` | `null` | no | -| policy\_json | An additional policy document as JSON to attach to IAM role | `string` | `null` | no | -| policy\_jsons | List of additional policy documents as JSON to attach to IAM role | `list(string)` | `[]` | no | -| policy\_statements | Map of dynamic policy statements to attach to IAM role | `any` | `{}` | no | -| role\_arn | The Amazon Resource Name (ARN) of the IAM role to use for this Step Function | `string` | `""` | no | -| role\_description | Description of IAM role to use for Step Function | `string` | `null` | no | -| role\_force\_detach\_policies | Specifies to force 
detaching any policies the IAM role has before destroying it. | `bool` | `true` | no | -| role\_name | Name of IAM role to use for Step Function | `string` | `null` | no | -| role\_path | Path of IAM role to use for Step Function | `string` | `null` | no | -| role\_permissions\_boundary | The ARN of the policy that is used to set the permissions boundary for the IAM role used by Step Function | `string` | `null` | no | -| role\_tags | A map of tags to assign to IAM role | `map(string)` | `{}` | no | -| service\_integrations | Map of AWS service integrations to allow in IAM role policy | `any` | `{}` | no | -| tags | Maps of tags to assign to the Step Function | `map(string)` | `{}` | no | -| trusted\_entities | Step Function additional trusted entities for assuming roles (trust relationship) | `list(string)` | `[]` | no | -| type | Determines whether a Standard or Express state machine is created. The default is STANDARD. Valid Values: STANDARD \| EXPRESS | `string` | `"STANDARD"` | no | -| use\_existing\_role | Whether to use an existing IAM role for this Step Function | `bool` | `false` | no | +| Name | Description | Type | Default | Required | +| -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | -------------- | ------------ | :------: | +| attach_policies | Controls whether list of policies should be added to IAM role | `bool` | `false` | no | +| attach_policies_for_integrations | Whether to attach AWS Service policies to IAM role | `bool` | `true` | no | +| attach_policy | Controls whether policy should be added to IAM role | `bool` | `false` | no | +| attach_policy_json | Controls whether policy_json should be added to IAM role | `bool` | `false` | no | +| attach_policy_jsons | Controls whether policy_jsons should be added to IAM role | `bool` | `false` | no | +| attach_policy_statements | Controls whether policy_statements should be added to IAM 
role | `bool` | `false` | no | +| aws_region_assume_role | Name of AWS regions where IAM role can be assumed by the Step Function | `string` | `""` | no | +| create | Whether to create Step Function resource | `bool` | `true` | no | +| create_role | Whether to create IAM role for the Step Function | `bool` | `true` | no | +| definition | The Amazon States Language definition of the Step Function | `string` | `""` | no | +| logging_configuration | Defines what execution history events are logged and where they are logged | `object({})` | `null` | no | +| name | The name of the Step Function | `string` | `""` | no | +| number_of_policies | Number of policies to attach to IAM role | `number` | `0` | no | +| number_of_policy_jsons | Number of policies JSON to attach to IAM role | `number` | `0` | no | +| policies | List of policy statements ARN to attach to IAM role | `list(string)` | `[]` | no | +| policy | An additional policy document ARN to attach to IAM role | `string` | `null` | no | +| policy_json | An additional policy document as JSON to attach to IAM role | `string` | `null` | no | +| policy_jsons | List of additional policy documents as JSON to attach to IAM role | `list(string)` | `[]` | no | +| policy_statements | Map of dynamic policy statements to attach to IAM role | `any` | `{}` | no | +| role_arn | The Amazon Resource Name (ARN) of the IAM role to use for this Step Function | `string` | `""` | no | +| role_description | Description of IAM role to use for Step Function | `string` | `null` | no | +| role_force_detach_policies | Specifies to force detaching any policies the IAM role has before destroying it. 
| `bool` | `true` | no | +| role_name | Name of IAM role to use for Step Function | `string` | `null` | no | +| role_path | Path of IAM role to use for Step Function | `string` | `null` | no | +| role_permissions_boundary | The ARN of the policy that is used to set the permissions boundary for the IAM role used by Step Function | `string` | `null` | no | +| role_tags | A map of tags to assign to IAM role | `map(string)` | `{}` | no | +| service_integrations | Map of AWS service integrations to allow in IAM role policy | `any` | `{}` | no | +| tags | Maps of tags to assign to the Step Function | `map(string)` | `{}` | no | +| trusted_entities | Step Function additional trusted entities for assuming roles (trust relationship) | `list(string)` | `[]` | no | +| type | Determines whether a Standard or Express state machine is created. The default is STANDARD. Valid Values: STANDARD \| EXPRESS | `string` | `"STANDARD"` | no | +| use_existing_role | Whether to use an existing IAM role for this Step Function | `bool` | `false` | no | ## Outputs -| Name | Description | -|------|-------------| -| this\_role\_arn | The ARN of the IAM role created for the Step Function | -| this\_role\_name | The name of the IAM role created for the Step Function | -| this\_state\_machine\_arn | The ARN of the Step Function | -| this\_state\_machine\_creation\_date | The date the Step Function was created | -| this\_state\_machine\_id | The ARN of the Step Function | -| this\_state\_machine\_status | The current status of the Step Function | +| Name | Description | +| -------------------------------- | ------------------------------------------------------ | +| this_role_arn | The ARN of the IAM role created for the Step Function | +| this_role_name | The name of the IAM role created for the Step Function | +| this_state_machine_arn | The ARN of the Step Function | +| this_state_machine_creation_date | The date the Step Function was created | +| this_state_machine_id | The ARN of the Step 
Function | +| this_state_machine_status | The current status of the Step Function | + ## Authors @@ -206,7 +203,6 @@ Module managed by [Anton Babenko](https://github.com/antonbabenko). Check out [s Please reach out to [Betajob](https://www.betajob.com/) if you are looking for commercial support for your Terraform, AWS, or serverless project. - ## License Apache 2 Licensed. See LICENSE for full details. diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 317c1f1..0a5e28f 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -1,13 +1,13 @@ -provider "aws" { - region = "eu-west-1" - - # Make it faster by skipping something - skip_get_ec2_platforms = true - skip_metadata_api_check = true - skip_region_validation = true - skip_credentials_validation = true - skip_requesting_account_id = true -} +# provider "aws" { +# region = "eu-west-1" + +# # Make it faster by skipping something +# skip_get_ec2_platforms = true +# skip_metadata_api_check = true +# skip_region_validation = true +# skip_credentials_validation = true +# skip_requesting_account_id = true +# } locals { definition_template = < Date: Thu, 18 Mar 2021 13:55:36 -0500 Subject: [PATCH 02/13] Check for log level instead of null --- examples/complete/main.tf | 142 +++++++++++++++++++------------------- main.tf | 4 +- 2 files changed, 73 insertions(+), 73 deletions(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 0a5e28f..298e26c 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
@@ -1,13 +1,13 @@ -# provider "aws" { -# region = "eu-west-1" - -# # Make it faster by skipping something -# skip_get_ec2_platforms = true -# skip_metadata_api_check = true -# skip_region_validation = true -# skip_credentials_validation = true -# skip_requesting_account_id = true -# } +provider "aws" { + region = "eu-west-1" + + # Make it faster by skipping something + skip_get_ec2_platforms = true + skip_metadata_api_check = true + skip_region_validation = true + skip_credentials_validation = true + skip_requesting_account_id = true +} locals { definition_template = < Date: Thu, 18 Mar 2021 13:57:31 -0500 Subject: [PATCH 03/13] Fix example policy json --- examples/complete/main.tf | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 298e26c..c106584 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -100,19 +100,12 @@ EOF "Statement": [ { "Effect": "Allow", - "Action": [ - "xray:*" - ], - "Resource": ["*"] - }, - { - "Effect": "Allow", "Action": [ "cloudwatch:*", - "logs:*" + "logs:*", + "xray:*" ], "Resource": ["*"] - } ] } From b254eef5563f09fe750bdfb088678961753061c9 Mon Sep 17 00:00:00 2001 From: Andrew Hummel Date: Thu, 18 Mar 2021 13:59:50 -0500 Subject: [PATCH 04/13] Fix ternary --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 11d1b51..3b034fb 100644 --- a/main.tf +++ b/main.tf @@ -6,7 +6,7 @@ locals { } resource "aws_cloudwatch_log_group" "log_group_for_sfn" { - count = var.logging_configuration.level != "OFF" ? 1 : 0 + count = var.logging_configuration.level == "OFF" ? 0 : 1 name = var.log_name name_prefix = var.log_name_prefix From 4aaa7c636b4013fc29aa027c70c7eb64053a780b Mon Sep 17 00:00:00 2001 
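Review bot: The merged statement still grants `cloudwatch:*`, `logs:*` and `xray:*` on `"Resource": ["*"]`, so consolidating the two statements preserves a full-wildcard grant on the role the example attaches to the state machine; examples in this repository tend to be copied as-is into real modules, so this is where least privilege is worth getting right. The Step Functions logging and tracing integrations need only the CloudWatch Logs delivery actions and the X-Ray segment/sampling actions, and `cloudwatch:*` does not appear to be required by either, so it should be dropped unless the example's definition uses CloudWatch directly (which this hunk cannot show). The hunk header's `EOF` context suggests this JSON sits inside a heredoc that begins outside the hunk, and the hunk's trailing context after the closing `}` is also cut, so the surrounding `policy_json` assignment is not visible here.
```hcl
# … unchanged: policy_json heredoc header, "Version" and "Statement" opening …
        {
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogDelivery",
            "logs:GetLogDelivery",
            "logs:UpdateLogDelivery",
            "logs:DeleteLogDelivery",
            "logs:ListLogDeliveries",
            "logs:PutResourcePolicy",
            "logs:DescribeResourcePolicies",
            "logs:DescribeLogGroups",
            "xray:PutTraceSegments",
            "xray:PutTelemetryRecords",
            "xray:GetSamplingRules",
            "xray:GetSamplingTargets"
          ],
          "Resource": ["*"]
        }
# … unchanged: closing of the Statement array and document …
```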
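Review bot: The rewritten `count` ternary is logically identical to the line it replaces — `!= "OFF" ? 1 : 0` and `== "OFF" ? 0 : 1` produce the same value for every input — so this commit changes no behaviour and the subject "Fix ternary" overstates it. What the condition still lacks is the module-wide `create` switch: the log group is created whenever the level is not `OFF` even when `create = false`, assuming `var.create` gates the other resources as the README's `create` input describes; `count = var.create && var.logging_configuration.level != "OFF" ? 1 : 0` would keep it consistent. If `logging_configuration` can still be `null` (patch 01's README listed `null` as its default), the `.level` attribute access fails before the comparison is reached, so the default should be an object with `level = "OFF"` or the lookup wrapped in `try()`. The `locals` block opens before the hunk and the resource's remaining arguments continue past it.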
From: Andrew Hummel Date: Thu, 18 Mar 2021 14:30:13 -0500 Subject: [PATCH 05/13] Add inputs to README --- README.md | 70 +++++++++++++++++++++++++++++-------------------------- 1 file changed, 37 insertions(+), 33 deletions(-) diff --git a/README.md b/README.md index ff9b7cf..85c4722 100644 --- a/README.md +++ b/README.md 
@@ -150,39 +150,43 @@ No Modules. ## Inputs -| Name | Description | Type | Default | Required | -| -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | -------------- | ------------ | :------: | -| attach_policies | Controls whether list of policies should be added to IAM role | `bool` | `false` | no | -| attach_policies_for_integrations | Whether to attach AWS Service policies to IAM role | `bool` | `true` | no | -| attach_policy | Controls whether policy should be added to IAM role | `bool` | `false` | no | -| attach_policy_json | Controls whether policy_json should be added to IAM role | `bool` | `false` | no | -| attach_policy_jsons | Controls whether policy_jsons should be added to IAM role | `bool` | `false` | no | -| attach_policy_statements | Controls whether policy_statements should be added to IAM role | `bool` | `false` | no | -| aws_region_assume_role | Name of AWS regions where IAM role can be assumed by the Step Function | `string` | `""` | no | -| create | Whether to create Step Function resource | `bool` | `true` | no | -| create_role | Whether to create IAM role for the Step Function | `bool` | `true` | no | -| definition | The Amazon States Language definition of the Step Function | `string` | `""` | no | -| logging_configuration | Defines what execution history events are logged and where they are logged | `object({})` | `null` | no | -| name | The name of the Step Function | `string` | `""` | no | -| number_of_policies | Number of policies to attach to IAM role | `number` | `0` | no | -| number_of_policy_jsons | Number of policies JSON to attach to IAM role | `number` | `0` | no | -| policies | List of policy statements ARN to attach to IAM role | `list(string)` | `[]` | no | -| policy | An additional policy document ARN to attach to IAM role | `string` | `null` | no | -| policy_json | An additional policy document as JSON to attach to 
IAM role | `string` | `null` | no | -| policy_jsons | List of additional policy documents as JSON to attach to IAM role | `list(string)` | `[]` | no | -| policy_statements | Map of dynamic policy statements to attach to IAM role | `any` | `{}` | no | -| role_arn | The Amazon Resource Name (ARN) of the IAM role to use for this Step Function | `string` | `""` | no | -| role_description | Description of IAM role to use for Step Function | `string` | `null` | no | -| role_force_detach_policies | Specifies to force detaching any policies the IAM role has before destroying it. | `bool` | `true` | no | -| role_name | Name of IAM role to use for Step Function | `string` | `null` | no | -| role_path | Path of IAM role to use for Step Function | `string` | `null` | no | -| role_permissions_boundary | The ARN of the policy that is used to set the permissions boundary for the IAM role used by Step Function | `string` | `null` | no | -| role_tags | A map of tags to assign to IAM role | `map(string)` | `{}` | no | -| service_integrations | Map of AWS service integrations to allow in IAM role policy | `any` | `{}` | no | -| tags | Maps of tags to assign to the Step Function | `map(string)` | `{}` | no | -| trusted_entities | Step Function additional trusted entities for assuming roles (trust relationship) | `list(string)` | `[]` | no | -| type | Determines whether a Standard or Express state machine is created. The default is STANDARD. 
Valid Values: STANDARD \| EXPRESS | `string` | `"STANDARD"` | no | -| use_existing_role | Whether to use an existing IAM role for this Step Function | `bool` | `false` | no | +| Name | Description | Type | Default | Required | +| -------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------- | :------: | +| attach_policies | Controls whether list of policies should be added to IAM role | `bool` | `false` | no | +| attach_policies_for_integrations | Whether to attach AWS Service policies to IAM role | `bool` | `true` | no | +| attach_policy | Controls whether policy should be added to IAM role | `bool` | `false` | no | +| attach_policy_json | Controls whether policy_json should be added to IAM role | `bool` | `false` | no | +| attach_policy_jsons | Controls whether policy_jsons should be added to IAM role | `bool` | `false` | no | +| attach_policy_statements | Controls whether policy_statements should be added to IAM role | `bool` | `false` | no | +| aws_region_assume_role | Name of AWS regions where IAM role can be assumed by the Step Function | `string` | `""` | no | +| create | Whether to create Step Function resource | `bool` | `true` | no | +| create_role | Whether to create IAM role for the Step Function | `bool` | `true` | no | +| definition | The Amazon States Language definition of the Step Function | `string` | `""` | no | +| logging_configuration | Defines what execution history events are logged and where they are logged. Properties are include_execution_data (bool) and level (string). | `object({})` | `false and "OFF"` | no | +| log_name | The name of the log group. | `string` | `null` | no | +| log_name_prefix | Creates a unique name beginning with the specified prefix. Conflicts with name. 
| `string` | `null` | no | +| log_retention_in_days | Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. | `number` | `0` | no | +| log_kms_key_id | The ARN of the KMS Key to use when encrypting log data | `string` | `null` | no | +| log_tags | A map of tags to assign to the Cloudwatch logging resource | `map(string)` | `{}` | no | +| number_of_policies | Number of policies to attach to IAM role | `number` | `0` | no | +| number_of_policy_jsons | Number of policies JSON to attach to IAM role | `number` | `0` | no | +| policies | List of policy statements ARN to attach to IAM role | `list(string)` | `[]` | no | +| policy | An additional policy document ARN to attach to IAM role | `string` | `null` | no | +| policy_json | An additional policy document as JSON to attach to IAM role | `string` | `null` | no | +| policy_jsons | List of additional policy documents as JSON to attach to IAM role | `list(string)` | `[]` | no | +| policy_statements | Map of dynamic policy statements to attach to IAM role | `any` | `{}` | no | +| role_arn | The Amazon Resource Name (ARN) of the IAM role to use for this Step Function | `string` | `""` | no | +| role_description | Description of IAM role to use for Step Function | `string` | `null` | no | +| role_force_detach_policies | Specifies to force detaching any policies the IAM role has before destroying it. 
| `bool` | `true` | no | +| role_name | Name of IAM role to use for Step Function | `string` | `null` | no | +| role_path | Path of IAM role to use for Step Function | `string` | `null` | no | +| role_permissions_boundary | The ARN of the policy that is used to set the permissions boundary for the IAM role used by Step Function | `string` | `null` | no | +| role_tags | A map of tags to assign to IAM role | `map(string)` | `{}` | no | +| service_integrations | Map of AWS service integrations to allow in IAM role policy | `any` | `{}` | no | +| tags | Maps of tags to assign to the Step Function | `map(string)` | `{}` | no | +| trusted_entities | Step Function additional trusted entities for assuming roles (trust relationship) | `list(string)` | `[]` | no | +| type | Determines whether a Standard or Express state machine is created. The default is STANDARD. Valid Values: STANDARD \| EXPRESS | `string` | `"STANDARD"` | no | +| use_existing_role | Whether to use an existing IAM role for this Step Function | `bool` | `false` | no | ## Outputs From 355498d275027c08f225f4eff641a838027df8cd Mon Sep 17 00:00:00 2001 From: Andrew Hummel Date: Thu, 18 Mar 2021 15:02:42 -0500 Subject: [PATCH 06/13] Fix example param formatting --- README.md | 2 +- examples/complete/main.tf | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 85c4722..c65a1fe 100644 --- a/README.md +++ b/README.md 
@@ -163,10 +163,10 @@ No Modules. | create_role | Whether to create IAM role for the Step Function | `bool` | `true` | no | | definition | The Amazon States Language definition of the Step Function | `string` | `""` | no | | logging_configuration | Defines what execution history events are logged and where they are logged. Properties are include_execution_data (bool) and level (string). | `object({})` | `false and "OFF"` | no | +| log_kms_key_id | The ARN of the KMS Key to use when encrypting log data | `string` | `null` | no | | log_name | The name of the log group. | `string` | `null` | no | | log_name_prefix | Creates a unique name beginning with the specified prefix. Conflicts with name. | `string` | `null` | no | | log_retention_in_days | Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. | `number` | `0` | no | -| log_kms_key_id | The ARN of the KMS Key to use when encrypting log data | `string` | `null` | no | | log_tags | A map of tags to assign to the Cloudwatch logging resource | `map(string)` | `{}` | no | | number_of_policies | Number of policies to attach to IAM role | `number` | `0` | no | | number_of_policy_jsons | Number of policies JSON to attach to IAM role | `number` | `0` | no | diff --git a/examples/complete/main.tf b/examples/complete/main.tf index c106584..454b823 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -101,8 +101,8 @@ EOF { "Effect": "Allow", "Action": [ - "cloudwatch:*", - "logs:*", + "cloudwatch:*", + "logs:*", "xray:*" ], "Resource": ["*"] From 2281e976492a8fa932a9a3154eb2362591164bc7 Mon Sep 17 00:00:00 2001 
From: Andrew Hummel Date: Thu, 18 Mar 2021 15:58:18 -0500 Subject: [PATCH 07/13] Hook fixes --- README.md | 135 ++++++++++++++++++++------------------ examples/complete/main.tf | 1 + main.tf | 6 +- variables.tf | 100 ++++++++++++++-------------- 4 files changed, 123 insertions(+), 119 deletions(-) diff --git a/README.md b/README.md index c65a1fe..1094927 100644 --- a/README.md +++ b/README.md @@ -4,16 +4,18 @@ Terraform module, which creates AWS Step Functions as well as required IAM role This Terraform module is the part of [serverless.tf framework](https://github.com/antonbabenko/serverless.tf), which aims to simplify all operations when working with the serverless in Terraform. + ## Features - [x] Creates AWS Step Function - [x] Conditional creation for many types of resources - [x] Support IAM policy attachments for [Integrated Services (eg, Lambda, SQS, ECS, EKS, Batch, DynamoDB, etc)](https://docs.aws.amazon.com/step-functions/latest/dg/service-integration-iam-templates.html) and various ways to create and attach additional policies + ## Usage ### Step Function - + ```hcl module "step_function" { source = "terraform-aws-modules/step-functions/aws" @@ -37,7 +39,7 @@ module "step_function" { } } EOF - + service_integrations = { dynamodb = { dynamodb = ["arn:aws:dynamodb:eu-west-1:052212379155:table/Test"] @@ -77,7 +79,7 @@ module "step_function" { sqs = { sqs = "arn:aws:sqs:..." # sqs queue ARN is required because there is no default_resources key for such integration } - + # Special case to deny all actions for the step function (this will override all IAM policies allowed for the function) no_tasks = { deny_all = true @@ -86,6 +88,7 @@ module "step_function" { } ``` + ## Additional IAM policies for Step Function In addition to all supported AWS service integrations you may want to create and attach additional policies. 
@@ -98,6 +101,7 @@ There are 5 supported ways to attach additional IAM policies to IAM role used by 1. `policies` - List of ARNs of existing IAM policies, when `attach_policies = true` and `number_of_policies > 0`. 1. `policy_statements` - Map of maps to define IAM statements which will be generated as IAM policy. Requires `attach_policy_statements = true`. See `examples/complete` for more information. + ## Conditional creation Sometimes you need to have a way to create resources conditionally, so the solution is to specify `create` arguments. @@ -113,24 +117,25 @@ module "step_function" { } ``` + ## Examples -- [Complete](https://github.com/terraform-aws-modules/terraform-aws-step-functions/tree/master/examples/complete) - Create Step Function and required IAM resources in various combinations with all supported features. +* [Complete](https://github.com/terraform-aws-modules/terraform-aws-step-functions/tree/master/examples/complete) - Create Step Function and required IAM resources in various combinations with all supported features. - + ## Requirements -| Name | Version | -| --------- | --------- | +| Name | Version | +|------|---------| | terraform | >= 0.13.1 | -| aws | >= 3.27 | +| aws | >= 3.27 | ## Providers | Name | Version | -| ---- | ------- | -| aws | >= 3.27 | +|------|---------| +| aws | >= 3.27 | ## Modules 
@@ -138,67 +143,68 @@ No Modules. ## Resources -| Name | -| ---------------------------------------------------------------------------------------------------------------------------------------- | -| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | -| [aws_iam_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | -| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | -| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | +| Name | +|------| +| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | +| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | +| [aws_iam_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | +| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | +| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | | [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | -| [aws_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | -| [aws_sfn_state_machine](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sfn_state_machine) | +| [aws_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | +| [aws_sfn_state_machine](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sfn_state_machine) | ## Inputs -| Name | Description | Type | Default | Required | -| 
-------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------- | :------: | -| attach_policies | Controls whether list of policies should be added to IAM role | `bool` | `false` | no | -| attach_policies_for_integrations | Whether to attach AWS Service policies to IAM role | `bool` | `true` | no | -| attach_policy | Controls whether policy should be added to IAM role | `bool` | `false` | no | -| attach_policy_json | Controls whether policy_json should be added to IAM role | `bool` | `false` | no | -| attach_policy_jsons | Controls whether policy_jsons should be added to IAM role | `bool` | `false` | no | -| attach_policy_statements | Controls whether policy_statements should be added to IAM role | `bool` | `false` | no | -| aws_region_assume_role | Name of AWS regions where IAM role can be assumed by the Step Function | `string` | `""` | no | -| create | Whether to create Step Function resource | `bool` | `true` | no | -| create_role | Whether to create IAM role for the Step Function | `bool` | `true` | no | -| definition | The Amazon States Language definition of the Step Function | `string` | `""` | no | -| logging_configuration | Defines what execution history events are logged and where they are logged. Properties are include_execution_data (bool) and level (string). | `object({})` | `false and "OFF"` | no | -| log_kms_key_id | The ARN of the KMS Key to use when encrypting log data | `string` | `null` | no | -| log_name | The name of the log group. | `string` | `null` | no | -| log_name_prefix | Creates a unique name beginning with the specified prefix. Conflicts with name. | `string` | `null` | no | -| log_retention_in_days | Specifies the number of days you want to retain log events in the specified log group. 
Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. | `number` | `0` | no | -| log_tags | A map of tags to assign to the Cloudwatch logging resource | `map(string)` | `{}` | no | -| number_of_policies | Number of policies to attach to IAM role | `number` | `0` | no | -| number_of_policy_jsons | Number of policies JSON to attach to IAM role | `number` | `0` | no | -| policies | List of policy statements ARN to attach to IAM role | `list(string)` | `[]` | no | -| policy | An additional policy document ARN to attach to IAM role | `string` | `null` | no | -| policy_json | An additional policy document as JSON to attach to IAM role | `string` | `null` | no | -| policy_jsons | List of additional policy documents as JSON to attach to IAM role | `list(string)` | `[]` | no | -| policy_statements | Map of dynamic policy statements to attach to IAM role | `any` | `{}` | no | -| role_arn | The Amazon Resource Name (ARN) of the IAM role to use for this Step Function | `string` | `""` | no | -| role_description | Description of IAM role to use for Step Function | `string` | `null` | no | -| role_force_detach_policies | Specifies to force detaching any policies the IAM role has before destroying it. 
| `bool` | `true` | no | -| role_name | Name of IAM role to use for Step Function | `string` | `null` | no | -| role_path | Path of IAM role to use for Step Function | `string` | `null` | no | -| role_permissions_boundary | The ARN of the policy that is used to set the permissions boundary for the IAM role used by Step Function | `string` | `null` | no | -| role_tags | A map of tags to assign to IAM role | `map(string)` | `{}` | no | -| service_integrations | Map of AWS service integrations to allow in IAM role policy | `any` | `{}` | no | -| tags | Maps of tags to assign to the Step Function | `map(string)` | `{}` | no | -| trusted_entities | Step Function additional trusted entities for assuming roles (trust relationship) | `list(string)` | `[]` | no | -| type | Determines whether a Standard or Express state machine is created. The default is STANDARD. Valid Values: STANDARD \| EXPRESS | `string` | `"STANDARD"` | no | -| use_existing_role | Whether to use an existing IAM role for this Step Function | `bool` | `false` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| attach\_policies | Controls whether list of policies should be added to IAM role | `bool` | `false` | no | +| attach\_policies\_for\_integrations | Whether to attach AWS Service policies to IAM role | `bool` | `true` | no | +| attach\_policy | Controls whether policy should be added to IAM role | `bool` | `false` | no | +| attach\_policy\_json | Controls whether policy\_json should be added to IAM role | `bool` | `false` | no | +| attach\_policy\_jsons | Controls whether policy\_jsons should be added to IAM role | `bool` | `false` | no | +| attach\_policy\_statements | Controls whether policy\_statements should be added to IAM role | `bool` | `false` | no | +| aws\_region\_assume\_role | Name of AWS regions where IAM role can be assumed by the Step Function | `string` | `""` | no | +| create | Whether to create Step Function resource | 
`bool` | `true` | no | +| create\_role | Whether to create IAM role for the Step Function | `bool` | `true` | no | +| definition | The Amazon States Language definition of the Step Function | `string` | `""` | no | +| log\_kms\_key\_id | The ARN of the KMS Key to use when encrypting log data. | `string` | `null` | no | +| log\_name | The name of the log group. | `string` | `null` | no | +| log\_name\_prefix | Creates a unique name beginning with the specified prefix. Conflicts with name. | `string` | `null` | no | +| log\_retention\_in\_days | Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. | `number` | `0` | no | +| log\_tags | A map of tags to assign to the Cloudwatch logging resource. | `map(string)` | `{}` | no | +| logging\_configuration | Defines what execution history events are logged and where they are logged | `map(string)` |
{
"include_execution_data": false,
"level": "OFF",
"log_destination": null
}
| no | +| name | The name of the Step Function | `string` | `""` | no | +| number\_of\_policies | Number of policies to attach to IAM role | `number` | `0` | no | +| number\_of\_policy\_jsons | Number of policies JSON to attach to IAM role | `number` | `0` | no | +| policies | List of policy statements ARN to attach to IAM role | `list(string)` | `[]` | no | +| policy | An additional policy document ARN to attach to IAM role | `string` | `null` | no | +| policy\_json | An additional policy document as JSON to attach to IAM role | `string` | `null` | no | +| policy\_jsons | List of additional policy documents as JSON to attach to IAM role | `list(string)` | `[]` | no | +| policy\_statements | Map of dynamic policy statements to attach to IAM role | `any` | `{}` | no | +| role\_arn | The Amazon Resource Name (ARN) of the IAM role to use for this Step Function | `string` | `""` | no | +| role\_description | Description of IAM role to use for Step Function | `string` | `null` | no | +| role\_force\_detach\_policies | Specifies to force detaching any policies the IAM role has before destroying it. | `bool` | `true` | no | +| role\_name | Name of IAM role to use for Step Function | `string` | `null` | no | +| role\_path | Path of IAM role to use for Step Function | `string` | `null` | no | +| role\_permissions\_boundary | The ARN of the policy that is used to set the permissions boundary for the IAM role used by Step Function | `string` | `null` | no | +| role\_tags | A map of tags to assign to IAM role | `map(string)` | `{}` | no | +| service\_integrations | Map of AWS service integrations to allow in IAM role policy | `any` | `{}` | no | +| tags | Maps of tags to assign to the Step Function | `map(string)` | `{}` | no | +| trusted\_entities | Step Function additional trusted entities for assuming roles (trust relationship) | `list(string)` | `[]` | no | +| type | Determines whether a Standard or Express state machine is created. The default is STANDARD. 
Valid Values: STANDARD \| EXPRESS | `string` | `"STANDARD"` | no | +| use\_existing\_role | Whether to use an existing IAM role for this Step Function | `bool` | `false` | no | ## Outputs -| Name | Description | -| -------------------------------- | ------------------------------------------------------ | -| this_role_arn | The ARN of the IAM role created for the Step Function | -| this_role_name | The name of the IAM role created for the Step Function | -| this_state_machine_arn | The ARN of the Step Function | -| this_state_machine_creation_date | The date the Step Function was created | -| this_state_machine_id | The ARN of the Step Function | -| this_state_machine_status | The current status of the Step Function | - +| Name | Description | +|------|-------------| +| this\_role\_arn | The ARN of the IAM role created for the Step Function | +| this\_role\_name | The name of the IAM role created for the Step Function | +| this\_state\_machine\_arn | The ARN of the Step Function | +| this\_state\_machine\_creation\_date | The date the Step Function was created | +| this\_state\_machine\_id | The ARN of the Step Function | +| this\_state\_machine\_status | The current status of the Step Function | ## Authors @@ -207,6 +213,7 @@ Module managed by [Anton Babenko](https://github.com/antonbabenko). Check out [s Please reach out to [Betajob](https://www.betajob.com/) if you are looking for commercial support for your Terraform, AWS, or serverless project. + ## License Apache 2 Licensed. See LICENSE for full details. diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 454b823..c520f05 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -42,6 +42,7 @@ module "step_function" { log_name = "step-function/log-group" logging_configuration = { + log_destination = null include_execution_data = true level = "ALL" } diff --git a/main.tf b/main.tf index 3b034fb..6507604 100644 --- a/main.tf +++ b/main.tf 
@@ -6,7 +6,7 @@ locals {
 }
 
 resource "aws_cloudwatch_log_group" "log_group_for_sfn" {
- count = var.logging_configuration.level == "OFF" ? 0 : 1
+ count = var.logging_configuration.log_destination != null || var.logging_configuration.level == "OFF" ? 0 : 1
 
 name = var.log_name
 name_prefix = var.log_name_prefix
@@ -25,9 +25,9 @@ resource "aws_sfn_state_machine" "this" {
 definition = var.definition
 
 dynamic "logging_configuration" {
- for_each = var.logging_configuration.level == "OFF" ? [] : list(var.logging_configuration)
+ for_each = var.logging_configuration.level == "OFF" ? [] : [var.logging_configuration]
 content {
- log_destination = "${aws_cloudwatch_log_group.log_group_for_sfn[0].arn}:*"
+ log_destination = var.logging_configuration.log_destination != null ? var.logging_configuration.log_destination : "${aws_cloudwatch_log_group.log_group_for_sfn[0].arn}:*"
 include_execution_data = var.logging_configuration.include_execution_data
 level = var.logging_configuration.level
 }
diff --git a/variables.tf b/variables.tf
index 53b4424..ff82ac8 100644
--- a/variables.tf
+++ b/variables.tf
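Review bot: `var.logging_configuration.log_destination` in the new `count` expression fails with a missing-key error whenever a caller passes the `map(string)` without that key, because attribute access on a map does not default to null; that is presumably why examples/complete/main.tf now has to set `log_destination = null` explicitly. Using `lookup(var.logging_configuration, "log_destination", null) != null` here, and the same lookup for `log_destination` in the second hunk of this file, keeps the key genuinely optional, and a single `local` holding that value would also remove the three copies of the condition. Separately, nothing in this diff grants the state machine role the CloudWatch Logs delivery permissions (`logs:CreateLogDelivery`, `logs:PutResourcePolicy` and related actions) that Step Functions needs to write to the group created here; if that is not already handled elsewhere in main.tf, enabling logging will fail at runtime rather than at plan time. The `aws_sfn_state_machine` resource continues outside the hunk.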
@@ -55,6 +55,54 @@ variable "type" {
 }
 }
 
+##########################
+# Cloudwatch Logging
+##########################
+variable "logging_configuration" {
+ description = "Defines what execution history events are logged and where they are logged"
+ type = map(string)
+ default = {
+ log_destination = null
+ include_execution_data = false
+ level = "OFF"
+ }
+
+ validation {
+ condition = contains(["ALL", "ERROR", "FATAL", "OFF"], upper(var.logging_configuration.level))
+ error_message = "Step Function logging configuration level must be one of the following: (ALL | ERROR | FATAL | OFF)."
+ }
+}
+
+variable "log_name" {
+ description = "The name of the log group."
+ type = string
+ default = null
+}
+
+variable "log_name_prefix" {
+ description = "Creates a unique name beginning with the specified prefix. Conflicts with name."
+ type = string
+ default = null
+}
+
+variable "log_retention_in_days" {
+ description = "Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0."
+ type = number
+ default = 0
+}
+
+variable "log_kms_key_id" {
+ description = "The ARN of the KMS Key to use when encrypting log data."
+ type = string
+ default = null
+}
+
+variable "log_tags" {
+ description = "A map of tags to assign to the Cloudwatch logging resource."
+ type = map(string)
+ default = {}
+}
+
 ###########
 # IAM Role
 ###########
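Review bot: The `validation` block accepts `level` case-insensitively via `upper()`, but main.tf compares `var.logging_configuration.level == "OFF"` case-sensitively and forwards the raw value to the state machine, so `level = "off"` passes validation yet still creates a log group and sends a value the API is unlikely to accept; `condition = contains(["ALL", "ERROR", "FATAL", "OFF"], var.logging_configuration.level)` keeps the check consistent with its consumers. Changing the type from `object({...})` to `map(string)` also coerces `include_execution_data = false` to the string "false" and means a caller who omits `level` gets a missing-key error instead of `error_message`; if the motivation was an optional `log_destination`, keeping the object type with the key documented as required, or reading keys with `lookup()`, is the safer shape. On the documentation side, the descriptions could state that `log_retention_in_days = 0` keeps execution logs indefinitely and that `include_execution_data = true` writes state input and output payloads to the group, which is the data `log_kms_key_id` exists to protect.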
@@ -145,58 +193,6 @@ variable "attach_policies" {
 type = bool
 default = false
 }
-
-
-##########################
-# Cloudwatch Logging
-##########################
-variable "logging_configuration" {
- description = "Defines what execution history events are logged and where they are logged"
- type = object({
- include_execution_data = bool
- level = string
- })
- default = {
- include_execution_data = false
- level = "OFF"
- }
-
- validation {
- condition = contains(["ALL", "ERROR", "FATAL", "OFF"], upper(var.logging_configuration.level))
- error_message = "Step Function logging configuration level must be one of the following: (ALL | ERROR | FATAL | OFF)."
- }
-}
-
-variable "log_name" {
- description = "The name of the log group."
- type = string
- default = null
-}
-
-variable "log_name_prefix" {
- description = "Creates a unique name beginning with the specified prefix. Conflicts with name."
- type = string
- default = null
-}
-
-variable "log_retention_in_days" {
- description = "Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0."
- type = number
- default = 0
-}
-
-variable "log_kms_key_id" {
- description = "The ARN of the KMS Key to use when encrypting log data."
- type = string
- default = null
-}
-
-variable "log_tags" {
- description = "A map of tags to assign to the Cloudwatch logging resource."
- type = map(string)
- default = {}
-}
-
 variable "number_of_policy_jsons" {
 description = "Number of policies JSON to attach to IAM role"
 type = number
From e9e5aa0a3825899a5e4dd43fce7a91e86616825c Mon Sep 17 00:00:00 2001 From: Andrew Hummel Date: Thu, 18 Mar 2021 16:05:16 -0500 Subject: [PATCH 08/13] Add newline back after variable --- variables.tf | 1 + 1 file changed, 1 insertion(+)
diff --git a/variables.tf b/variables.tf
index ff82ac8..badb72f 100644
--- a/variables.tf
+++ b/variables.tf
@@ -193,6 +193,7 @@ variable "attach_policies" {
 type = bool
 default = false
 }
+
 variable "number_of_policy_jsons" {
 description = "Number of policies JSON to attach to IAM role"
 type = number
From 090bb5d20370e34476d65eb3139bd4e9d12da109 Mon Sep 17 00:00:00 2001 From: Andrew Hummel Date: Fri, 2 Apr 2021 10:21:56 -0500 Subject: [PATCH 09/13] Run pre-commit again --- README.md | 132 +++++++++++++++++------------------- examples/complete/README.md | 36 +++++----- 2 files changed, 82 insertions(+), 86 deletions(-)
diff --git a/README.md b/README.md
index 208f6f5..0e072d0 100644
--- a/README.md
+++ b/README.md
@@ -118,91 +118,87 @@ module "step_function" { - [Complete](https://github.com/terraform-aws-modules/terraform-aws-step-functions/tree/master/examples/complete) - Create Step Function and required IAM resources in various combinations with all supported features. - ## Requirements -| Name | Version | -| ------------------------------------------------------------------------ | --------- | -| [terraform](#requirement_terraform) | >= 0.13.1 | -| [aws](#requirement_aws) | >= 3.27 | +| Name | Version | +|------|---------| +| terraform | >= 0.13.1 | +| aws | >= 3.27 | ## Providers -| Name | Version | -| ------------------------------------------------ | ------- | -| [aws](#provider_aws) | >= 3.27 | +| Name | Version | +|------|---------| +| aws | >= 3.27 | ## Modules -No modules. +No Modules. ## Resources -| Name | Type | -| -------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | -| [aws_iam_policy.additional_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.additional_json](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.additional_jsons](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy_attachment.additional_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | -| [aws_iam_policy_attachment.additional_json](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | -| 
[aws_iam_policy_attachment.additional_jsons](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | -| [aws_iam_policy_attachment.service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | -| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.additional_many](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.additional_one](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_sfn_state_machine.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sfn_state_machine) | resource | -| [aws_iam_policy_document.additional_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| Name | +|------| +| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | +| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | +| [aws_iam_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | +| 
[aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | +| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | +| [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | +| [aws_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | +| [aws_sfn_state_machine](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sfn_state_machine) | ## Inputs -| Name | Description | Type | Default | Required | -| --------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | -------------- | ------------ | :------: | -| [attach_policies](#input_attach_policies) | Controls whether list of policies should be added to IAM role | `bool` | `false` | no | -| [attach_policies_for_integrations](#input_attach_policies_for_integrations) | Whether to attach AWS Service policies to IAM role | `bool` | `true` | no | -| [attach_policy](#input_attach_policy) | Controls whether policy should be added to IAM role | `bool` | `false` | no | -| [attach_policy_json](#input_attach_policy_json) | Controls whether policy_json should be added to IAM role | `bool` | `false` | no | -| [attach_policy_jsons](#input_attach_policy_jsons) | Controls whether policy_jsons should be added to IAM role | `bool` | `false` | no | -| [attach_policy_statements](#input_attach_policy_statements) | Controls whether policy_statements should be added to IAM role | `bool` | `false` | no | -| [aws_region_assume_role](#input_aws_region_assume_role) | Name of AWS regions where IAM role can be assumed by the Step Function | `string` | `""` | no | -| [create](#input_create) 
| Whether to create Step Function resource | `bool` | `true` | no | -| [create_role](#input_create_role) | Whether to create IAM role for the Step Function | `bool` | `true` | no | -| [definition](#input_definition) | The Amazon States Language definition of the Step Function | `string` | `""` | no | -| [name](#input_name) | The name of the Step Function | `string` | `""` | no | -| [number_of_policies](#input_number_of_policies) | Number of policies to attach to IAM role | `number` | `0` | no | -| [number_of_policy_jsons](#input_number_of_policy_jsons) | Number of policies JSON to attach to IAM role | `number` | `0` | no | -| [policies](#input_policies) | List of policy statements ARN to attach to IAM role | `list(string)` | `[]` | no | -| [policy](#input_policy) | An additional policy document ARN to attach to IAM role | `string` | `null` | no | -| [policy_json](#input_policy_json) | An additional policy document as JSON to attach to IAM role | `string` | `null` | no | -| [policy_jsons](#input_policy_jsons) | List of additional policy documents as JSON to attach to IAM role | `list(string)` | `[]` | no | -| [policy_statements](#input_policy_statements) | Map of dynamic policy statements to attach to IAM role | `any` | `{}` | no | -| [role_arn](#input_role_arn) | The Amazon Resource Name (ARN) of the IAM role to use for this Step Function | `string` | `""` | no | -| [role_description](#input_role_description) | Description of IAM role to use for Step Function | `string` | `null` | no | -| [role_force_detach_policies](#input_role_force_detach_policies) | Specifies to force detaching any policies the IAM role has before destroying it. 
| `bool` | `true` | no | -| [role_name](#input_role_name) | Name of IAM role to use for Step Function | `string` | `null` | no | -| [role_path](#input_role_path) | Path of IAM role to use for Step Function | `string` | `null` | no | -| [role_permissions_boundary](#input_role_permissions_boundary) | The ARN of the policy that is used to set the permissions boundary for the IAM role used by Step Function | `string` | `null` | no | -| [role_tags](#input_role_tags) | A map of tags to assign to IAM role | `map(string)` | `{}` | no | -| [service_integrations](#input_service_integrations) | Map of AWS service integrations to allow in IAM role policy | `any` | `{}` | no | -| [tags](#input_tags) | Maps of tags to assign to the Step Function | `map(string)` | `{}` | no | -| [trusted_entities](#input_trusted_entities) | Step Function additional trusted entities for assuming roles (trust relationship) | `list(string)` | `[]` | no | -| [type](#input_type) | Determines whether a Standard or Express state machine is created. The default is STANDARD. 
Valid Values: STANDARD \| EXPRESS | `string` | `"STANDARD"` | no | -| [use_existing_role](#input_use_existing_role) | Whether to use an existing IAM role for this Step Function | `bool` | `false` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| attach\_policies | Controls whether list of policies should be added to IAM role | `bool` | `false` | no | +| attach\_policies\_for\_integrations | Whether to attach AWS Service policies to IAM role | `bool` | `true` | no | +| attach\_policy | Controls whether policy should be added to IAM role | `bool` | `false` | no | +| attach\_policy\_json | Controls whether policy\_json should be added to IAM role | `bool` | `false` | no | +| attach\_policy\_jsons | Controls whether policy\_jsons should be added to IAM role | `bool` | `false` | no | +| attach\_policy\_statements | Controls whether policy\_statements should be added to IAM role | `bool` | `false` | no | +| aws\_region\_assume\_role | Name of AWS regions where IAM role can be assumed by the Step Function | `string` | `""` | no | +| create | Whether to create Step Function resource | `bool` | `true` | no | +| create\_role | Whether to create IAM role for the Step Function | `bool` | `true` | no | +| definition | The Amazon States Language definition of the Step Function | `string` | `""` | no | +| log\_kms\_key\_id | The ARN of the KMS Key to use when encrypting log data. | `string` | `null` | no | +| log\_name | The name of the log group. | `string` | `null` | no | +| log\_name\_prefix | Creates a unique name beginning with the specified prefix. Conflicts with name. | `string` | `null` | no | +| log\_retention\_in\_days | Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. | `number` | `0` | no | +| log\_tags | A map of tags to assign to the Cloudwatch logging resource. 
| `map(string)` | `{}` | no | +| logging\_configuration | Defines what execution history events are logged and where they are logged | `map(string)` |
{
"include_execution_data": false,
"level": "OFF",
"log_destination": null
}
| no | +| name | The name of the Step Function | `string` | `""` | no | +| number\_of\_policies | Number of policies to attach to IAM role | `number` | `0` | no | +| number\_of\_policy\_jsons | Number of policies JSON to attach to IAM role | `number` | `0` | no | +| policies | List of policy statements ARN to attach to IAM role | `list(string)` | `[]` | no | +| policy | An additional policy document ARN to attach to IAM role | `string` | `null` | no | +| policy\_json | An additional policy document as JSON to attach to IAM role | `string` | `null` | no | +| policy\_jsons | List of additional policy documents as JSON to attach to IAM role | `list(string)` | `[]` | no | +| policy\_statements | Map of dynamic policy statements to attach to IAM role | `any` | `{}` | no | +| role\_arn | The Amazon Resource Name (ARN) of the IAM role to use for this Step Function | `string` | `""` | no | +| role\_description | Description of IAM role to use for Step Function | `string` | `null` | no | +| role\_force\_detach\_policies | Specifies to force detaching any policies the IAM role has before destroying it. | `bool` | `true` | no | +| role\_name | Name of IAM role to use for Step Function | `string` | `null` | no | +| role\_path | Path of IAM role to use for Step Function | `string` | `null` | no | +| role\_permissions\_boundary | The ARN of the policy that is used to set the permissions boundary for the IAM role used by Step Function | `string` | `null` | no | +| role\_tags | A map of tags to assign to IAM role | `map(string)` | `{}` | no | +| service\_integrations | Map of AWS service integrations to allow in IAM role policy | `any` | `{}` | no | +| tags | Maps of tags to assign to the Step Function | `map(string)` | `{}` | no | +| trusted\_entities | Step Function additional trusted entities for assuming roles (trust relationship) | `list(string)` | `[]` | no | +| type | Determines whether a Standard or Express state machine is created. The default is STANDARD. 
Valid Values: STANDARD \| EXPRESS | `string` | `"STANDARD"` | no | +| use\_existing\_role | Whether to use an existing IAM role for this Step Function | `bool` | `false` | no | ## Outputs -| Name | Description | -| ----------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ | -| [this_role_arn](#output_this_role_arn) | The ARN of the IAM role created for the Step Function | -| [this_role_name](#output_this_role_name) | The name of the IAM role created for the Step Function | -| [this_state_machine_arn](#output_this_state_machine_arn) | The ARN of the Step Function | -| [this_state_machine_creation_date](#output_this_state_machine_creation_date) | The date the Step Function was created | -| [this_state_machine_id](#output_this_state_machine_id) | The ARN of the Step Function | -| [this_state_machine_status](#output_this_state_machine_status) | The current status of the Step Function | - +| Name | Description | +|------|-------------| +| this\_role\_arn | The ARN of the IAM role created for the Step Function | +| this\_role\_name | The name of the IAM role created for the Step Function | +| this\_state\_machine\_arn | The ARN of the Step Function | +| this\_state\_machine\_creation\_date | The date the Step Function was created | +| this\_state\_machine\_id | The ARN of the Step Function | +| this\_state\_machine\_status | The current status of the Step Function | ## Authors diff --git a/examples/complete/README.md b/examples/complete/README.md index dd1ab5b..2e2a2ff 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md 
@@ -22,43 +22,43 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13.1 | -| [aws](#requirement\_aws) | >= 3.27 | -| [random](#requirement\_random) | >= 2 | +| terraform | >= 0.13.1 | +| aws | >= 3.27 | +| random | >= 2 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.27 | -| [random](#provider\_random) | >= 2 | +| aws | >= 3.27 | +| random | >= 2 | ## Modules | Name | Source | Version | |------|--------|---------| -| [disabled\_step\_function](#module\_disabled\_step\_function) | ../../ | | -| [step\_function](#module\_step\_function) | ../../ | | +| disabled_step_function | ../../ | | +| step_function | ../../ | | ## Resources -| Name | Type | -|------|------| -| [aws_sqs_queue.queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource | -| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource | +| Name | +|------| +| [aws_sqs_queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | +| [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | ## Inputs -No inputs. +No input. 
## Outputs | Name | Description | |------|-------------| -| [this\_role\_arn](#output\_this\_role\_arn) | The ARN of the IAM role created for the State Machine | -| [this\_role\_name](#output\_this\_role\_name) | The name of the IAM role created for the State Machine | -| [this\_state\_machine\_arn](#output\_this\_state\_machine\_arn) | The ARN of the State Machine | -| [this\_state\_machine\_creation\_date](#output\_this\_state\_machine\_creation\_date) | The date the State Machine was created | -| [this\_state\_machine\_id](#output\_this\_state\_machine\_id) | The ARN of the State Machine | -| [this\_state\_machine\_status](#output\_this\_state\_machine\_status) | The current status of the State Machine | +| this\_role\_arn | The ARN of the IAM role created for the State Machine | +| this\_role\_name | The name of the IAM role created for the State Machine | +| this\_state\_machine\_arn | The ARN of the State Machine | +| this\_state\_machine\_creation\_date | The date the State Machine was created | +| this\_state\_machine\_id | The ARN of the State Machine | +| this\_state\_machine\_status | The current status of the State Machine | From ff805540067499b66399a605d974850b33aaed74 Mon Sep 17 00:00:00 2001 From: Andrew Hummel Date: Fri, 2 Apr 2021 10:25:47 -0500 Subject: [PATCH 10/13] Trigger Build From 0819ce25227e8af1ba2db3270c4c94fe68bf5057 Mon Sep 17 00:00:00 2001 From: Andrew Hummel Date: Sat, 3 Apr 2021 18:11:22 -0500 Subject: [PATCH 11/13] Update workflow pre-commit.yml per @bryantbiggs --- .github/workflows/pre-commit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 7eaa782..cbf80b6 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml 
@@ -94,7 +94,7 @@ jobs: - name: Install pre-commit dependencies run: | pip install pre-commit - curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E "https://.+?-v0.12.0-linux-amd64" | head -n1)" > terraform-docs && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/ + curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E "https://.+?-v0.12\..+?-linux-amd64" | head -n1)" > terraform-docs && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/ curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/ - name: Execute pre-commit # Run all pre-commit checks on max version supported From 3b667f5c76fc92cdb5d84b5f917ef5a3719d97f1 Mon Sep 17 00:00:00 2001 From: Andrew Hummel Date: Sat, 3 Apr 2021 18:26:06 -0500 Subject: [PATCH 12/13] Run updated pre-commit hooks and fix terraform-docs --- README.md | 121 +++++++++++++++++++----------------- examples/complete/README.md | 36 +++++------ 2 files changed, 83 insertions(+), 74 deletions(-) diff --git a/README.md b/README.md index 0e072d0..505fdf0 100644 --- a/README.md +++ b/README.md 
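Review bot: The widened pattern on the `+` line still installs whatever GitHub currently lists as the latest v0.12.x terraform-docs binary into `/usr/bin` with no checksum or signature check, so the CI toolchain is fetched unpinned over the network on every run (the tflint line below has the same shape but is unchanged here). ERE has no lazy quantifier — GNU grep reads `.+?` as `(.+)?`, i.e. greedy — so the match only works because the API response prints one `browser_download_url` per line, and any extra asset whose name ends in `-linux-amd64` would match as well, with `head -n1` silently picking one. Pin the release tag and verify the download against the sha256 published for that release, as sketched below; the tflint install would benefit from the same treatment.
```yaml
      - name: Install pre-commit dependencies
        run: |
          pip install pre-commit
          # Pinned release and its published sha256 — placeholders, fill in from the terraform-docs release page
          TFDOCS_VERSION="<pinned-version, e.g. v0.12.x>"
          TFDOCS_SHA256="<sha256 of the linux-amd64 asset for that release>"
          # asset URL constructed from the name pattern the grep above matches; confirm against the release page
          curl -sSL "https://github.com/terraform-docs/terraform-docs/releases/download/${TFDOCS_VERSION}/terraform-docs-${TFDOCS_VERSION}-linux-amd64" -o terraform-docs
          echo "${TFDOCS_SHA256}  terraform-docs" | sha256sum -c -
          chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/
          # … unchanged: tflint download …
```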
@@ -122,83 +122,92 @@ module "step_function" { | Name | Version | |------|---------| -| terraform | >= 0.13.1 | -| aws | >= 3.27 | +| [terraform](#requirement\_terraform) | >= 0.13.1 | +| [aws](#requirement\_aws) | >= 3.27 | ## Providers | Name | Version | |------|---------| -| aws | >= 3.27 | +| [aws](#provider\_aws) | >= 3.27 | ## Modules -No Modules. +No modules. ## Resources -| Name | -|------| -| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | -| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | -| [aws_iam_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | -| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | -| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | -| [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | -| [aws_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | -| [aws_sfn_state_machine](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sfn_state_machine) | +| Name | Type | +|------|------| +| [aws_cloudwatch_log_group.log_group_for_sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_iam_policy.additional_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.additional_json](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.additional_jsons](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| 
[aws_iam_policy.service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy_attachment.additional_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | +| [aws_iam_policy_attachment.additional_json](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | +| [aws_iam_policy_attachment.additional_jsons](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | +| [aws_iam_policy_attachment.service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | +| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.additional_many](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.additional_one](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_sfn_state_machine.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sfn_state_machine) | resource | +| [aws_iam_policy_document.additional_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs | Name | Description | Type | 
Default | Required | |------|-------------|------|---------|:--------:| -| attach\_policies | Controls whether list of policies should be added to IAM role | `bool` | `false` | no | -| attach\_policies\_for\_integrations | Whether to attach AWS Service policies to IAM role | `bool` | `true` | no | -| attach\_policy | Controls whether policy should be added to IAM role | `bool` | `false` | no | -| attach\_policy\_json | Controls whether policy\_json should be added to IAM role | `bool` | `false` | no | -| attach\_policy\_jsons | Controls whether policy\_jsons should be added to IAM role | `bool` | `false` | no | -| attach\_policy\_statements | Controls whether policy\_statements should be added to IAM role | `bool` | `false` | no | -| aws\_region\_assume\_role | Name of AWS regions where IAM role can be assumed by the Step Function | `string` | `""` | no | -| create | Whether to create Step Function resource | `bool` | `true` | no | -| create\_role | Whether to create IAM role for the Step Function | `bool` | `true` | no | -| definition | The Amazon States Language definition of the Step Function | `string` | `""` | no | -| log\_kms\_key\_id | The ARN of the KMS Key to use when encrypting log data. | `string` | `null` | no | -| log\_name | The name of the log group. | `string` | `null` | no | -| log\_name\_prefix | Creates a unique name beginning with the specified prefix. Conflicts with name. | `string` | `null` | no | -| log\_retention\_in\_days | Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. | `number` | `0` | no | -| log\_tags | A map of tags to assign to the Cloudwatch logging resource. | `map(string)` | `{}` | no | -| logging\_configuration | Defines what execution history events are logged and where they are logged | `map(string)` |
{
"include_execution_data": false,
"level": "OFF",
"log_destination": null
}
| no | -| name | The name of the Step Function | `string` | `""` | no | -| number\_of\_policies | Number of policies to attach to IAM role | `number` | `0` | no | -| number\_of\_policy\_jsons | Number of policies JSON to attach to IAM role | `number` | `0` | no | -| policies | List of policy statements ARN to attach to IAM role | `list(string)` | `[]` | no | -| policy | An additional policy document ARN to attach to IAM role | `string` | `null` | no | -| policy\_json | An additional policy document as JSON to attach to IAM role | `string` | `null` | no | -| policy\_jsons | List of additional policy documents as JSON to attach to IAM role | `list(string)` | `[]` | no | -| policy\_statements | Map of dynamic policy statements to attach to IAM role | `any` | `{}` | no | -| role\_arn | The Amazon Resource Name (ARN) of the IAM role to use for this Step Function | `string` | `""` | no | -| role\_description | Description of IAM role to use for Step Function | `string` | `null` | no | -| role\_force\_detach\_policies | Specifies to force detaching any policies the IAM role has before destroying it. | `bool` | `true` | no | -| role\_name | Name of IAM role to use for Step Function | `string` | `null` | no | -| role\_path | Path of IAM role to use for Step Function | `string` | `null` | no | -| role\_permissions\_boundary | The ARN of the policy that is used to set the permissions boundary for the IAM role used by Step Function | `string` | `null` | no | -| role\_tags | A map of tags to assign to IAM role | `map(string)` | `{}` | no | -| service\_integrations | Map of AWS service integrations to allow in IAM role policy | `any` | `{}` | no | -| tags | Maps of tags to assign to the Step Function | `map(string)` | `{}` | no | -| trusted\_entities | Step Function additional trusted entities for assuming roles (trust relationship) | `list(string)` | `[]` | no | -| type | Determines whether a Standard or Express state machine is created. The default is STANDARD. 
Valid Values: STANDARD \| EXPRESS | `string` | `"STANDARD"` | no | -| use\_existing\_role | Whether to use an existing IAM role for this Step Function | `bool` | `false` | no | +| [attach\_policies](#input\_attach\_policies) | Controls whether list of policies should be added to IAM role | `bool` | `false` | no | +| [attach\_policies\_for\_integrations](#input\_attach\_policies\_for\_integrations) | Whether to attach AWS Service policies to IAM role | `bool` | `true` | no | +| [attach\_policy](#input\_attach\_policy) | Controls whether policy should be added to IAM role | `bool` | `false` | no | +| [attach\_policy\_json](#input\_attach\_policy\_json) | Controls whether policy\_json should be added to IAM role | `bool` | `false` | no | +| [attach\_policy\_jsons](#input\_attach\_policy\_jsons) | Controls whether policy\_jsons should be added to IAM role | `bool` | `false` | no | +| [attach\_policy\_statements](#input\_attach\_policy\_statements) | Controls whether policy\_statements should be added to IAM role | `bool` | `false` | no | +| [aws\_region\_assume\_role](#input\_aws\_region\_assume\_role) | Name of AWS regions where IAM role can be assumed by the Step Function | `string` | `""` | no | +| [create](#input\_create) | Whether to create Step Function resource | `bool` | `true` | no | +| [create\_role](#input\_create\_role) | Whether to create IAM role for the Step Function | `bool` | `true` | no | +| [definition](#input\_definition) | The Amazon States Language definition of the Step Function | `string` | `""` | no | +| [log\_kms\_key\_id](#input\_log\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data. | `string` | `null` | no | +| [log\_name](#input\_log\_name) | The name of the log group. | `string` | `null` | no | +| [log\_name\_prefix](#input\_log\_name\_prefix) | Creates a unique name beginning with the specified prefix. Conflicts with name. 
| `string` | `null` | no | +| [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. | `number` | `0` | no | +| [log\_tags](#input\_log\_tags) | A map of tags to assign to the Cloudwatch logging resource. | `map(string)` | `{}` | no | +| [logging\_configuration](#input\_logging\_configuration) | Defines what execution history events are logged and where they are logged | `map(string)` |
{
"include_execution_data": false,
"level": "OFF",
"log_destination": null
}
| no | +| [name](#input\_name) | The name of the Step Function | `string` | `""` | no | +| [number\_of\_policies](#input\_number\_of\_policies) | Number of policies to attach to IAM role | `number` | `0` | no | +| [number\_of\_policy\_jsons](#input\_number\_of\_policy\_jsons) | Number of policies JSON to attach to IAM role | `number` | `0` | no | +| [policies](#input\_policies) | List of policy statements ARN to attach to IAM role | `list(string)` | `[]` | no | +| [policy](#input\_policy) | An additional policy document ARN to attach to IAM role | `string` | `null` | no | +| [policy\_json](#input\_policy\_json) | An additional policy document as JSON to attach to IAM role | `string` | `null` | no | +| [policy\_jsons](#input\_policy\_jsons) | List of additional policy documents as JSON to attach to IAM role | `list(string)` | `[]` | no | +| [policy\_statements](#input\_policy\_statements) | Map of dynamic policy statements to attach to IAM role | `any` | `{}` | no | +| [role\_arn](#input\_role\_arn) | The Amazon Resource Name (ARN) of the IAM role to use for this Step Function | `string` | `""` | no | +| [role\_description](#input\_role\_description) | Description of IAM role to use for Step Function | `string` | `null` | no | +| [role\_force\_detach\_policies](#input\_role\_force\_detach\_policies) | Specifies to force detaching any policies the IAM role has before destroying it. 
| `bool` | `true` | no | +| [role\_name](#input\_role\_name) | Name of IAM role to use for Step Function | `string` | `null` | no | +| [role\_path](#input\_role\_path) | Path of IAM role to use for Step Function | `string` | `null` | no | +| [role\_permissions\_boundary](#input\_role\_permissions\_boundary) | The ARN of the policy that is used to set the permissions boundary for the IAM role used by Step Function | `string` | `null` | no | +| [role\_tags](#input\_role\_tags) | A map of tags to assign to IAM role | `map(string)` | `{}` | no | +| [service\_integrations](#input\_service\_integrations) | Map of AWS service integrations to allow in IAM role policy | `any` | `{}` | no | +| [tags](#input\_tags) | Maps of tags to assign to the Step Function | `map(string)` | `{}` | no | +| [trusted\_entities](#input\_trusted\_entities) | Step Function additional trusted entities for assuming roles (trust relationship) | `list(string)` | `[]` | no | +| [type](#input\_type) | Determines whether a Standard or Express state machine is created. The default is STANDARD. 
Valid Values: STANDARD \| EXPRESS | `string` | `"STANDARD"` | no | +| [use\_existing\_role](#input\_use\_existing\_role) | Whether to use an existing IAM role for this Step Function | `bool` | `false` | no | ## Outputs | Name | Description | |------|-------------| -| this\_role\_arn | The ARN of the IAM role created for the Step Function | -| this\_role\_name | The name of the IAM role created for the Step Function | -| this\_state\_machine\_arn | The ARN of the Step Function | -| this\_state\_machine\_creation\_date | The date the Step Function was created | -| this\_state\_machine\_id | The ARN of the Step Function | -| this\_state\_machine\_status | The current status of the Step Function | +| [this\_role\_arn](#output\_this\_role\_arn) | The ARN of the IAM role created for the Step Function | +| [this\_role\_name](#output\_this\_role\_name) | The name of the IAM role created for the Step Function | +| [this\_state\_machine\_arn](#output\_this\_state\_machine\_arn) | The ARN of the Step Function | +| [this\_state\_machine\_creation\_date](#output\_this\_state\_machine\_creation\_date) | The date the Step Function was created | +| [this\_state\_machine\_id](#output\_this\_state\_machine\_id) | The ARN of the Step Function | +| [this\_state\_machine\_status](#output\_this\_state\_machine\_status) | The current status of the Step Function | ## Authors diff --git a/examples/complete/README.md b/examples/complete/README.md index 2e2a2ff..dd1ab5b 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md 
@@ -22,43 +22,43 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| -| terraform | >= 0.13.1 | -| aws | >= 3.27 | -| random | >= 2 | +| [terraform](#requirement\_terraform) | >= 0.13.1 | +| [aws](#requirement\_aws) | >= 3.27 | +| [random](#requirement\_random) | >= 2 | ## Providers | Name | Version | |------|---------| -| aws | >= 3.27 | -| random | >= 2 | +| [aws](#provider\_aws) | >= 3.27 | +| [random](#provider\_random) | >= 2 | ## Modules | Name | Source | Version | |------|--------|---------| -| disabled_step_function | ../../ | | -| step_function | ../../ | | +| [disabled\_step\_function](#module\_disabled\_step\_function) | ../../ | | +| [step\_function](#module\_step\_function) | ../../ | | ## Resources -| Name | -|------| -| [aws_sqs_queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | -| [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | +| Name | Type | +|------|------| +| [aws_sqs_queue.queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource | +| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource | ## Inputs -No input. +No inputs. 
## Outputs | Name | Description | |------|-------------| -| this\_role\_arn | The ARN of the IAM role created for the State Machine | -| this\_role\_name | The name of the IAM role created for the State Machine | -| this\_state\_machine\_arn | The ARN of the State Machine | -| this\_state\_machine\_creation\_date | The date the State Machine was created | -| this\_state\_machine\_id | The ARN of the State Machine | -| this\_state\_machine\_status | The current status of the State Machine | +| [this\_role\_arn](#output\_this\_role\_arn) | The ARN of the IAM role created for the State Machine | +| [this\_role\_name](#output\_this\_role\_name) | The name of the IAM role created for the State Machine | +| [this\_state\_machine\_arn](#output\_this\_state\_machine\_arn) | The ARN of the State Machine | +| [this\_state\_machine\_creation\_date](#output\_this\_state\_machine\_creation\_date) | The date the State Machine was created | +| [this\_state\_machine\_id](#output\_this\_state\_machine\_id) | The ARN of the State Machine | +| [this\_state\_machine\_status](#output\_this\_state\_machine\_status) | The current status of the State Machine | From ceea40de50a2dea6146915c18c0fbb2b6d480b2f Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Wed, 7 Apr 2021 12:37:08 +0200 Subject: [PATCH 13/13] Updated code and examples --- README.md | 19 +++++---- examples/complete/README.md | 2 + examples/complete/main.tf | 40 ++++++++++++++---- main.tf | 84 ++++++++++++++++++++++++++++++------- variables.tf | 52 +++++++++++------------ 5 files changed, 141 insertions(+), 56 deletions(-) diff --git a/README.md b/README.md index 505fdf0..c336ab5 100644 --- a/README.md +++ b/README.md 
@@ -139,21 +139,25 @@ No modules. | Name | Type | |------|------| -| [aws_cloudwatch_log_group.log_group_for_sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | | [aws_iam_policy.additional_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.additional_json](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.additional_jsons](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy_attachment.additional_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | | [aws_iam_policy_attachment.additional_json](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | | [aws_iam_policy_attachment.additional_jsons](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | +| [aws_iam_policy_attachment.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | | [aws_iam_policy_attachment.service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | 
[aws_iam_role_policy_attachment.additional_many](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.additional_one](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_sfn_state_machine.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sfn_state_machine) | resource | +| [aws_cloudwatch_log_group.sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudwatch_log_group) | data source | | [aws_iam_policy_document.additional_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | 
@@ -161,6 +165,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [attach\_cloudwatch\_logs\_policy](#input\_attach\_cloudwatch\_logs\_policy) | Controls whether CloudWatch Logs policy should be added to IAM role for Lambda Function | `bool` | `true` | no | | [attach\_policies](#input\_attach\_policies) | Controls whether list of policies should be added to IAM role | `bool` | `false` | no | | [attach\_policies\_for\_integrations](#input\_attach\_policies\_for\_integrations) | Whether to attach AWS Service policies to IAM role | `bool` | `true` | no | | [attach\_policy](#input\_attach\_policy) | Controls whether policy should be added to IAM role | `bool` | `false` | no | 
@@ -168,15 +173,14 @@ No modules. | [attach\_policy\_jsons](#input\_attach\_policy\_jsons) | Controls whether policy\_jsons should be added to IAM role | `bool` | `false` | no | | [attach\_policy\_statements](#input\_attach\_policy\_statements) | Controls whether policy\_statements should be added to IAM role | `bool` | `false` | no | | [aws\_region\_assume\_role](#input\_aws\_region\_assume\_role) | Name of AWS regions where IAM role can be assumed by the Step Function | `string` | `""` | no | +| [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data. | `string` | `null` | no | +| [cloudwatch\_log\_group\_name](#input\_cloudwatch\_log\_group\_name) | Name of Cloudwatch Logs group name to use. | `string` | `null` | no | +| [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. | `number` | `null` | no | +| [cloudwatch\_log\_group\_tags](#input\_cloudwatch\_log\_group\_tags) | A map of tags to assign to the resource. | `map(string)` | `{}` | no | | [create](#input\_create) | Whether to create Step Function resource | `bool` | `true` | no | | [create\_role](#input\_create\_role) | Whether to create IAM role for the Step Function | `bool` | `true` | no | | [definition](#input\_definition) | The Amazon States Language definition of the Step Function | `string` | `""` | no | -| [log\_kms\_key\_id](#input\_log\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data. | `string` | `null` | no | -| [log\_name](#input\_log\_name) | The name of the log group. | `string` | `null` | no | -| [log\_name\_prefix](#input\_log\_name\_prefix) | Creates a unique name beginning with the specified prefix. Conflicts with name. 
| `string` | `null` | no | -| [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. | `number` | `0` | no | -| [log\_tags](#input\_log\_tags) | A map of tags to assign to the Cloudwatch logging resource. | `map(string)` | `{}` | no | -| [logging\_configuration](#input\_logging\_configuration) | Defines what execution history events are logged and where they are logged | `map(string)` |
{
"include_execution_data": false,
"level": "OFF",
"log_destination": null
}
| no | +| [logging\_configuration](#input\_logging\_configuration) | Defines what execution history events are logged and where they are logged | `map(string)` | `{}` | no | | [name](#input\_name) | The name of the Step Function | `string` | `""` | no | | [number\_of\_policies](#input\_number\_of\_policies) | Number of policies to attach to IAM role | `number` | `0` | no | | [number\_of\_policy\_jsons](#input\_number\_of\_policy\_jsons) | Number of policies JSON to attach to IAM role | `number` | `0` | no | @@ -196,6 +200,7 @@ No modules. | [tags](#input\_tags) | Maps of tags to assign to the Step Function | `map(string)` | `{}` | no | | [trusted\_entities](#input\_trusted\_entities) | Step Function additional trusted entities for assuming roles (trust relationship) | `list(string)` | `[]` | no | | [type](#input\_type) | Determines whether a Standard or Express state machine is created. The default is STANDARD. Valid Values: STANDARD \| EXPRESS | `string` | `"STANDARD"` | no | +| [use\_existing\_cloudwatch\_log\_group](#input\_use\_existing\_cloudwatch\_log\_group) | Whether to use an existing CloudWatch log group or create new | `bool` | `false` | no | | [use\_existing\_role](#input\_use\_existing\_role) | Whether to use an existing IAM role for this Step Function | `bool` | `false` | no | ## Outputs diff --git a/examples/complete/README.md b/examples/complete/README.md index dd1ab5b..28f8a52 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md 
@@ -39,11 +39,13 @@ Note that this example may create resources which cost money. Run `terraform des |------|--------|---------| | [disabled\_step\_function](#module\_disabled\_step\_function) | ../../ | | | [step\_function](#module\_step\_function) | ../../ | | +| [step\_function\_with\_existing\_log\_group](#module\_step\_function\_with\_existing\_log\_group) | ../../ | | ## Resources | Name | Type | |------|------| +| [aws_cloudwatch_log_group.external](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | | [aws_sqs_queue.queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource | | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource | diff --git a/examples/complete/main.tf b/examples/complete/main.tf index c520f05..48a8916 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -30,7 +30,6 @@ locals { EOF } - module "step_function" { source = "../../" @@ -40,9 +39,7 @@ module "step_function" { definition = local.definition_template - log_name = "step-function/log-group" logging_configuration = { - log_destination = null include_execution_data = true level = "ALL" } @@ -68,9 +65,10 @@ module "step_function" { xray = true } - no_tasks = { - deny_all = true - } + # # NB: This will "Deny" everything (including logging)! + # no_tasks = { + # deny_all = true + # } } ###################### @@ -102,8 +100,6 @@ EOF { "Effect": "Allow", "Action": [ - "cloudwatch:*", - "logs:*", "xray:*" ], "Resource": ["*"] 
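Review bot: After the `@@ -40,9 +39,7 @@` hunk the `step_function` example still logs at `level = "ALL"` with `include_execution_data = true` (context lines), which sends every state's input and output payload to the module-created log group, yet the example sets neither `cloudwatch_log_group_retention_in_days` nor `cloudwatch_log_group_kms_key_id`, both introduced to the module in this commit per the README hunk, so the payloads are kept indefinitely under the default service encryption. Since this is the `complete` example, showing those inputs would both document them and keep demo data bounded, e.g. `cloudwatch_log_group_retention_in_days = 7`. In the `@@ -68,9 +65,10 @@` hunk the commented block begins `# # NB:`, which reads as a comment inside a comment; `# NB:` carries the same warning. The narrowing in `@@ -102,8 +100,6 @@` is welcome, though the remaining `"xray:*"` on `"Resource": ["*"]` now overlaps with the `xray = true` service integration set earlier in the same file, so the inline statement may no longer be needed at all.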
@@ -144,6 +140,34 @@ EOF } } +############################################### +# With CloudWatch log group created externally +############################################### + +resource "aws_cloudwatch_log_group" "external" { + name = "${random_pet.this.id}-my-log-group" +} + +module "step_function_with_existing_log_group" { + source = "../../" + + name = "${random_pet.this.id}-existing-log-group" + + type = "express" + + definition = local.definition_template + + use_existing_cloudwatch_log_group = true + cloudwatch_log_group_name = aws_cloudwatch_log_group.external.name + + logging_configuration = { + include_execution_data = false + level = "ERROR" + } + + depends_on = [aws_cloudwatch_log_group.external] +} + ########### # Disabled ########### diff --git a/main.tf b/main.tf index 6507604..76a5860 100644 --- a/main.tf +++ b/main.tf @@ -2,18 +2,12 @@ locals { create_role = var.create && var.create_role && !var.use_existing_role aws_region = local.create_role && var.aws_region_assume_role == "" ? data.aws_region.current[0].name : var.aws_region_assume_role - role_name = local.create_role ? coalesce(var.role_name, var.name) : null -} + enable_logging = try(var.logging_configuration["level"], "OFF") != "OFF" -resource "aws_cloudwatch_log_group" "log_group_for_sfn" { - count = var.logging_configuration.log_destination != null || var.logging_configuration.level == "OFF" ? 0 : 1 + # Normalize ARN by trimming ":*" because data-source has it, but resource does not have it + log_group_arn = trimsuffix(element(concat(data.aws_cloudwatch_log_group.sfn.*.arn, aws_cloudwatch_log_group.sfn.*.arn, [""]), 0), ":*") - name = var.log_name - name_prefix = var.log_name_prefix - retention_in_days = var.log_retention_in_days - kms_key_id = var.log_kms_key_id - - tags = merge(var.tags, var.log_tags) + role_name = local.create_role ? coalesce(var.role_name, var.name) : null } resource "aws_sfn_state_machine" "this" { 
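Review bot: `depends_on = [aws_cloudwatch_log_group.external]` in the new `step_function_with_existing_log_group` block is redundant — `cloudwatch_log_group_name = aws_cloudwatch_log_group.external.name` already orders the two — and a module-level `depends_on` is heavier than it looks: as far as I recall, Terraform then defers every data source inside the module (here `data.aws_cloudwatch_log_group.sfn`) to apply time, so the plan shows the log destination as known-after-apply. Dropping the line keeps the ordering and restores a precise plan. `type = "express"` is lowercase while the README documents `STANDARD \| EXPRESS`; whether the module upper-cases it is not visible in this diff, so it is worth confirming the provider accepts it as written. Like the module-created group, `aws_cloudwatch_log_group.external` sets only `name`, so an `ERROR`-level express workflow retains its logs indefinitely; a `retention_in_days` would keep the example self-cleaning.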
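Review bot: `enable_logging` reads the map with `try(var.logging_configuration["level"], "OFF")` while the state-machine hunk below reads the same map with `lookup(...)`; using one form — `enable_logging = lookup(var.logging_configuration, "level", "OFF") != "OFF"` — makes the two reads obviously equivalent. The comparison is case-sensitive, so `level = "off"` would enable logging and pass `off` through to the provider; either document that levels are uppercase or normalise with `upper()`. A one-line why-comment on the flag would also help, e.g. `# Logging is on when the caller sets any level other than OFF; every log resource in this module keys off this flag`.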
@@ -25,11 +19,12 @@ resource "aws_sfn_state_machine" "this" {
 definition = var.definition
 dynamic "logging_configuration" {
- for_each = var.logging_configuration.level == "OFF" ? [] : [var.logging_configuration]
+ for_each = local.enable_logging ? [true] : []
+
 content {
- log_destination = var.logging_configuration.log_destination != null ? var.logging_configuration.log_destination : "${aws_cloudwatch_log_group.log_group_for_sfn[0].arn}:*"
- include_execution_data = var.logging_configuration.include_execution_data
- level = var.logging_configuration.level
+ log_destination = lookup(var.logging_configuration, "log_destination", "${local.log_group_arn}:*")
+ include_execution_data = lookup(var.logging_configuration, "include_execution_data", null)
+ level = lookup(var.logging_configuration, "level", null)
 }
 }
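Review bot: `for_each = local.enable_logging ? [true] : []` uses a placeholder list element purely as an on/off switch, and nothing says so; a comment such as `# The element is unused — the list only toggles the block; values come from var.logging_configuration` would stop a future reader from trying to iterate real values here. `include_execution_data = lookup(var.logging_configuration, "include_execution_data", null)` also deserves a note that enabling it writes each execution's input and output payloads to the log group, so the group's retention and KMS settings then govern whatever data the state machine processes. The `aws_sfn_state_machine` resource starts and ends outside the hunk.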
@@ -237,3 +232,64 @@ resource "aws_iam_policy_attachment" "additional_inline" {
 roles = [aws_iam_role.this[0].name]
 policy_arn = aws_iam_policy.additional_inline[0].arn
 }
+
+#################################
+# IAM policy for Cloudwatch Logs
+#################################
+
+data "aws_iam_policy_document" "logs" {
+ count = local.create_role && local.enable_logging && var.attach_cloudwatch_logs_policy ? 1 : 0
+
+ # Copied from https://docs.aws.amazon.com/step-functions/latest/dg/cw-logs.html
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "logs:CreateLogDelivery",
+ "logs:GetLogDelivery",
+ "logs:UpdateLogDelivery",
+ "logs:DeleteLogDelivery",
+ "logs:ListLogDeliveries",
+ "logs:PutResourcePolicy",
+ "logs:DescribeResourcePolicies",
+ "logs:DescribeLogGroups",
+ ]
+
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "logs" {
+ count = local.create_role && local.enable_logging && var.attach_cloudwatch_logs_policy ? 1 : 0
+
+ name = "${local.role_name}-logs"
+ policy = data.aws_iam_policy_document.logs[0].json
+}
+
+resource "aws_iam_policy_attachment" "logs" {
+ count = local.create_role && local.enable_logging && var.attach_cloudwatch_logs_policy ? 1 : 0
+
+ name = "${local.role_name}-logs"
+ roles = [aws_iam_role.this[0].name]
+ policy_arn = aws_iam_policy.logs[0].arn
+}
+
+##################
+# CloudWatch Logs
+##################
+
+data "aws_cloudwatch_log_group" "sfn" {
+ count = var.create && local.enable_logging && var.use_existing_cloudwatch_log_group ? 1 : 0
+
+ name = var.cloudwatch_log_group_name
+}
+
+resource "aws_cloudwatch_log_group" "sfn" {
+ count = var.create && local.enable_logging && !var.use_existing_cloudwatch_log_group ? 1 : 0
+
+ name = coalesce(var.cloudwatch_log_group_name, var.name)
+ retention_in_days = var.cloudwatch_log_group_retention_in_days
+ kms_key_id = var.cloudwatch_log_group_kms_key_id
+
+ tags = merge(var.tags, var.cloudwatch_log_group_tags)
+}
diff --git a/variables.tf b/variables.tf
index badb72f..befa7d2 100644
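Review bot: `resource "aws_cloudwatch_log_group" "sfn"` is created whenever logging is enabled and `use_existing_cloudwatch_log_group` is false, even when the caller supplies `log_destination` in `logging_configuration`; the state-machine hunk above then ignores the module's group, leaving an unused log group (with no retention and default encryption unless the caller set those variables) behind, whereas the removed `log_group_for_sfn` resource was guarded by `log_destination != null`. Adding the same guard restores that behaviour: `count = var.create && local.enable_logging && !var.use_existing_cloudwatch_log_group && lookup(var.logging_configuration, "log_destination", null) == null ? 1 : 0`. The `resources = ["*"]` in `data "aws_iam_policy_document" "logs"` follows the linked documentation, but the comment only says the statement was copied; `# The log-delivery actions are, as far as I know, not resource-scoped, hence "*"` would record why the wildcard is accepted here rather than leaving it to look like an oversight.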
--- a/variables.tf
+++ b/variables.tf
@@ -16,6 +16,12 @@ variable "use_existing_role" {
 default = false
 }
+variable "use_existing_cloudwatch_log_group" {
+ description = "Whether to use an existing CloudWatch log group or create new"
+ type = bool
+ default = false
+}
+
 ################
 # Step Function
 ################
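Review bot: The description of `use_existing_cloudwatch_log_group` — `"Whether to use an existing CloudWatch log group or create new"` — does not say where the existing group's name comes from, and "create new" is incomplete; `"Whether to use an existing CloudWatch log group (named by cloudwatch_log_group_name) or create a new one"` would tie the two variables together for readers of the generated README.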
@@ -55,54 +61,46 @@ variable "type" {
 }
 }
-##########################
-# Cloudwatch Logging
-##########################
+#################
+# CloudWatch Logs
+#################
+
 variable "logging_configuration" {
 description = "Defines what execution history events are logged and where they are logged"
 type = map(string)
- default = {
- log_destination = null
- include_execution_data = false
- level = "OFF"
- }
-
- validation {
- condition = contains(["ALL", "ERROR", "FATAL", "OFF"], upper(var.logging_configuration.level))
- error_message = "Step Function logging configuration level must be one of the following: (ALL | ERROR | FATAL | OFF)."
- }
-}
-
-variable "log_name" {
- description = "The name of the log group."
- type = string
- default = null
+ default = {}
 }
-variable "log_name_prefix" {
- description = "Creates a unique name beginning with the specified prefix. Conflicts with name."
+variable "cloudwatch_log_group_name" {
+ description = "Name of Cloudwatch Logs group name to use."
 type = string
 default = null
 }
-variable "log_retention_in_days" {
- description = "Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0."
+variable "cloudwatch_log_group_retention_in_days" {
+ description = "Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653."
 type = number
- default = 0
+ default = null
 }
-variable "log_kms_key_id" {
+variable "cloudwatch_log_group_kms_key_id" {
 description = "The ARN of the KMS Key to use when encrypting log data."
 type = string
 default = null
 }
-variable "log_tags" {
- description = "A map of tags to assign to the Cloudwatch logging resource."
+variable "cloudwatch_log_group_tags" {
+ description = "A map of tags to assign to the resource."
type = map(string)
 default = {}
 }
+variable "attach_cloudwatch_logs_policy" {
+ description = "Controls whether CloudWatch Logs policy should be added to IAM role for Lambda Function"
+ type = bool
+ default = true
+}
+
 ###########
 # IAM Role
 ###########
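Review bot: The description of `attach_cloudwatch_logs_policy` says the policy is added to the `IAM role for Lambda Function`, which looks copied from another module; this module manages a Step Function role, so it should read `"Controls whether CloudWatch Logs policy should be added to IAM role for Step Function"`. `cloudwatch_log_group_name` is described as `"Name of Cloudwatch Logs group name to use."`, which is garbled and omits that the same value names the group the module creates (`coalesce(var.cloudwatch_log_group_name, var.name)` in main.tf); `"Name of the CloudWatch Logs group to use or create; defaults to var.name when the module creates it"` covers both paths. With `logging_configuration` now a bare `map(string)` defaulting to `{}`, its description is the only place left that can list the accepted keys (`log_destination`, `include_execution_data`, `level`) and the valid `level` values that the removed default and `validation` used to convey, so those belong in it.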