draft

CHANGELOG.md

@@ -2564,4 +2564,4 @@ new synthetics resources use GraphQL API schema
 [v0.4.0]: https://github.com/newrelic/terraform-provider-newrelic/compare/v0.3.0...v0.4.0
 [v0.3.0]: https://github.com/newrelic/terraform-provider-newrelic/compare/v0.2.0...v0.3.0
 [v0.2.0]: https://github.com/newrelic/terraform-provider-newrelic/compare/v0.1.1...v0.2.0
-[v0.1.1]: https://github.com/newrelic/terraform-provider-newrelic/compare/v0.1.0...v0.1.1
+[v0.1.1]: https://github.com/newrelic/terraform-provider-newrelic/compare/v0.1.0...v0.1.1

README.md

@@ -68,4 +68,3 @@ is not supported by the larger Go community. Please see the [Go releases][go_rel
 [provider_docs]: https://www.terraform.io/docs/providers/newrelic/index.html
 [contributing]: https://github.com/newrelic/terraform-provider-newrelic/blob/main/CONTRIBUTING.md
 [go_releases]: https://github.com/golang/go/wiki/Go-Release-Cycle
-

examples/modules/cloud-integrations/aws/main.tf

@@ -47,6 +47,7 @@ resource "aws_iam_policy" "newrelic_aws_permissions" {
         "ec2:DescribeVpcPeeringConnections",
         "ec2:DescribeNetworkInterfaces",
         "ec2:DescribeVpnConnections",
+        "elasticache:DescribeCacheClusters",
         "health:DescribeAffectedEntities",
         "health:DescribeEventDetails",
         "health:DescribeEvents",
@@ -67,12 +68,17 @@ resource "aws_iam_role_policy_attachment" "newrelic_aws_policy_attach" {
   policy_arn = aws_iam_policy.newrelic_aws_permissions.arn
 }
 
+resource "aws_iam_role_policy_attachment" "readonly_access_policy_attach" {
+  role       = aws_iam_role.newrelic_aws_role.name
+  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+}
+
 resource "newrelic_cloud_aws_link_account" "newrelic_cloud_integration_push" {
   account_id             = var.newrelic_account_id
   arn                    = aws_iam_role.newrelic_aws_role.arn
   metric_collection_mode = "PUSH"
   name                   = "${var.name} metric stream"
-  depends_on             = [aws_iam_role_policy_attachment.newrelic_aws_policy_attach]
+  depends_on             = [aws_iam_role_policy_attachment.newrelic_aws_policy_attach, aws_iam_role_policy_attachment.readonly_access_policy_attach]
 }
 
 resource "newrelic_api_access_key" "newrelic_aws_access_key" {
@@ -103,6 +109,11 @@ resource "aws_iam_role" "firehose_newrelic_role" {
 EOF
 }
 
+resource "aws_iam_role_policy_attachment" "readonly_access_policy_attach_2" {
+  role       = aws_iam_role.firehose_newrelic_role.name
+  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+}
+
 resource "random_string" "s3-bucket-name" {
   length  = 8
   special = false
@@ -223,7 +234,7 @@ resource "newrelic_cloud_aws_link_account" "newrelic_cloud_integration_pull" {
   arn                    = aws_iam_role.newrelic_aws_role.arn
   metric_collection_mode = "PULL"
   name                   = "${var.name} pull"
-  depends_on             = [aws_iam_role_policy_attachment.newrelic_aws_policy_attach]
+  depends_on             = [aws_iam_role_policy_attachment.newrelic_aws_policy_attach, aws_iam_role_policy_attachment.readonly_access_policy_attach]
 }
 
 resource "newrelic_cloud_aws_integrations" "newrelic_cloud_integration_pull" {

examples/modules/cloud-integrations/aws-govcloud/main.tf → examples/modules/cloud-integrations/aws_us_gov/main.tf

@@ -5,7 +5,7 @@ data "aws_iam_policy_document" "newrelic_assume_policy" {
     principals {
       type = "AWS"
       // This is the unique identifier for New Relic account on AWS, there is no need to change this
-      identifiers = [var.new_relic_aws_govcloud_account_id]
+      identifiers = [266471868085]
     }
 
     condition {
@@ -67,14 +67,17 @@ resource "aws_iam_role_policy_attachment" "newrelic_aws_policy_attach" {
   policy_arn = aws_iam_policy.newrelic_aws_permissions.arn
 }
 
+resource "aws_iam_role_policy_attachment" "readonly_access_policy_attach" {
+  role       = aws_iam_role.newrelic_aws_role.name
+  policy_arn = "arn:aws-us-gov:iam::aws:policy/ReadOnlyAccess"
+}
+
 resource "newrelic_cloud_aws_govcloud_link_account" "newrelic_cloud_integration_push" {
   account_id             = var.newrelic_account_id
+  arn                    = aws_iam_role.newrelic_aws_role.arn
   metric_collection_mode = "PUSH"
   name                   = "${var.name} metric stream"
-  depends_on             = [aws_iam_role_policy_attachment.newrelic_aws_policy_attach]
-  access_key_id          = newrelic_api_access_key.newrelic_aws_access_key.key
-  secret_access_key      = newrelic_api_access_key.newrelic_aws_access_key.key
-  aws_account_id         = var.new_relic_aws_govcloud_account_id
+  depends_on             = [aws_iam_role_policy_attachment.newrelic_aws_policy_attach, aws_iam_role_policy_attachment.readonly_access_policy_attach]
 }
 
 resource "newrelic_api_access_key" "newrelic_aws_access_key" {
@@ -105,6 +108,11 @@ resource "aws_iam_role" "firehose_newrelic_role" {
 EOF
 }
 
+resource "aws_iam_role_policy_attachment" "readonly_access_policy_attach_2" {
+  role       = aws_iam_role.firehose_newrelic_role.name
+  policy_arn = "arn:aws-us-gov:iam::aws:policy/ReadOnlyAccess"
+}
+
 resource "random_string" "s3-bucket-name" {
   length  = 8
   special = false
@@ -215,12 +223,10 @@ resource "aws_cloudwatch_metric_stream" "newrelic_metric_stream" {
 
 resource "newrelic_cloud_aws_govcloud_link_account" "newrelic_cloud_integration_pull" {
   account_id             = var.newrelic_account_id
+  arn                    = aws_iam_role.newrelic_aws_role.arn
   metric_collection_mode = "PULL"
   name                   = "${var.name} pull"
-  depends_on             = [aws_iam_role_policy_attachment.newrelic_aws_policy_attach]
-  access_key_id          = newrelic_api_access_key.newrelic_aws_access_key.key
-  secret_access_key      = newrelic_api_access_key.newrelic_aws_access_key.key
-  aws_account_id         = var.new_relic_aws_govcloud_account_id
+  depends_on             = [aws_iam_role_policy_attachment.newrelic_aws_policy_attach, aws_iam_role_policy_attachment.readonly_access_policy_attach]
 }
 
 resource "newrelic_cloud_aws_govcloud_integrations" "newrelic_cloud_integration_pull" {
@@ -235,7 +241,7 @@ resource "newrelic_cloud_aws_govcloud_integrations" "newrelic_cloud_integration_
   auto_scaling {}
   aws_direct_connect {}
   aws_states {}
-  dynamo_db {}
+   dynamo_db {}
   ec2 {}
   elastic_search {}
   elb {}
@@ -297,7 +303,7 @@ POLICY
 
 resource "aws_iam_role_policy_attachment" "newrelic_configuration_recorder" {
   role       = aws_iam_role.newrelic_configuration_recorder.name
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
+  policy_arn = "arn:aws-us-gov:iam::aws:policy/service-role/AWS_ConfigRole"
 }
 
 resource "aws_config_configuration_recorder" "newrelic_recorder" {

examples/modules/cloud-integrations/aws-govcloud/variables.tf → examples/modules/cloud-integrations/aws_us_gov/variables.tf

@@ -18,8 +18,3 @@ variable "include_metric_filters" {
   type        = map(list(string))
   default     = {}
 }
-
-variable "new_relic_aws_govcloud_account_id" {
-  type    = string
-  default = "266471868085"
-}

website/docs/r/cloud_aws_govcloud_link_account.html.markdown

@@ -50,4 +50,4 @@ Linked AWS GovCloud accounts can be imported using the `id`, e.g.
 
 ```bash
 $ terraform import newrelic_cloud_aws_govcloud_link_account.foo <id>
-```
+```