Merge pull request #55 from lorengordon/accepter

plus3it · May 13, 2020 · 374a67e · 374a67e
2 parents 7516cc5 + 3b1c97b
commit 374a67e
Show file tree

Hide file tree

Showing 13 changed files with 58 additions and 332 deletions.
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 1.0.2
+current_version = 2.0.0
 commit = True
 message = Bumps version to {new_version}
 tag = False

diff --git a/README.md b/README.md
@@ -20,28 +20,26 @@ that you will be using a profile with the name `resource-owner` and `resource-me
 
 | Name | Version |
 |------|---------|
+| aws | n/a |
 | aws.owner | n/a |
-| null | n/a |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | auto\_accept | Controls whether to automatically accept the invite, in case principal is another account | `bool` | `true` | no |
 | create\_ram\_principal\_association | Controls whether to create the RAM Principal Association | `bool` | `true` | no |
-| cross\_account | Boolean to indicate whether principal is another account | `bool` | `true` | no |
 | principal | The principal to associate with the resource share. Possible values are an AWS account ID, an AWS Organizations Organization ARN, or an AWS Organizations Organization Unit ARN. | `string` | `null` | no |
-| profile | (Optional) Used by null\_resource to establish botocore session | `string` | `""` | no |
-| region | (Optional) Used by null\_resource to establish botocore client | `string` | `null` | no |
 | resource\_share\_arn | ARN of the resource share | `string` | `null` | no |
-| role\_arn | (Optional) Used by null\_resource to assume a role in the accepter account | `string` | `""` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| accepter\_id | ID of the null resource used to accept the share |
-| principal | Principal associated with the resource share. |
+| principal | Principal associated with the resource share |
 | resource\_share\_arn | ARN of the resource share |
+| resources | A list of the resource ARNs shared via the resource share |
+| share\_id | The ID of the resource share as displayed in the console |
+| share\_name | The name of the resource share |
 
 <!-- END TFDOCS -->
diff --git a/main.tf b/main.tf
@@ -14,43 +14,23 @@ resource "aws_ram_principal_association" "this" {
   resource_share_arn = var.resource_share_arn
 }
 
-resource "null_resource" "this" {
-  count = var.create_ram_principal_association && var.cross_account && var.auto_accept ? 1 : 0
-
-  # The invite for the principal association sometimes takes a few seconds to register
-  # before it can be accepted in the target account, so we pause for 3 seconds to let
-  # the invite propagate
-  provisioner "local-exec" {
-    command = "python -c 'import time; time.sleep(3)'"
-  }
-
-  provisioner "local-exec" {
-    command = join(" ", local.command)
-  }
+resource "aws_ram_resource_share_accepter" "this" {
+  count = var.create_ram_principal_association && local.cross_account && var.auto_accept ? 1 : 0
+
+  provider = aws
+
+  share_arn = aws_ram_principal_association.this[0].resource_share_arn
+}
+
+data "aws_caller_identity" "this" {
+  count = var.create_ram_principal_association ? 1 : 0
+}
+
+data "aws_caller_identity" "owner" {
+  count    = var.create_ram_principal_association ? 1 : 0
+  provider = aws.owner
 }
 
 locals {
-  # Replace a terraform-aws-provider sts assumed role with the equivalent iam role, i.e:
-  #     arn:aws:sts::<account-id>:assumed-role/<role-name>/<numeric-session-id>
-  # =>
-  #     arn:aws:iam::<account-id>:role/<role-name>
-  # This allows a user to simply pass `role_arn = "${data.aws_caller_identity.this.arn}"`
-  role_arn = replace(
-    var.role_arn,
-    "/(.*):sts:(.*):assumed-role/(.*)/[0-9]*$/",
-    "$1:iam:$2:role/$3",
-  )
-
-  command = [
-    "python",
-    "\"${path.module}/ram_principal_association_accepter.py\"",
-    "--resource-share-arn",
-    "\"${join("", aws_ram_principal_association.this.*.resource_share_arn)}\"",
-    "--profile",
-    "\"${var.profile}\"",
-    "--role-arn",
-    "\"${local.role_arn}\"",
-    "--region",
-    "\"${var.region}\"",
-  ]
+  cross_account = join("", data.aws_caller_identity.this.*.account_id) != join("", data.aws_caller_identity.owner.*.account_id)
 }
diff --git a/outputs.tf b/outputs.tf
@@ -5,12 +5,21 @@ output "resource_share_arn" {
 }
 
 output "principal" {
-  description = "Principal associated with the resource share."
+  description = "Principal associated with the resource share"
   value       = join("", aws_ram_principal_association.this.*.principal)
 }
 
-output "accepter_id" {
-  description = "ID of the null resource used to accept the share"
-  value       = join("", null_resource.this.*.id)
+output "share_id" {
+  description = "The ID of the resource share as displayed in the console"
+  value       = join("", aws_ram_resource_share_accepter.this.*.share_id)
 }
 
+output "share_name" {
+  description = "The name of the resource share"
+  value       = join("", aws_ram_resource_share_accepter.this.*.share_name)
+}
+
+output "resources" {
+  description = "A list of the resource ARNs shared via the resource share"
+  value       = aws_ram_resource_share_accepter.this.*.resources
+}
diff --git a/ram_principal_association_accepter.py b/ram_principal_association_accepter.py
diff --git a/tests/create_ram/README.md b/tests/create_ram/README.md
diff --git a/tests/create_ram/main.tf b/tests/create_ram/main.tf
@@ -23,15 +23,17 @@ data "terraform_remote_state" "prereq" {
 module "create_ram_accept" {
   source = "../../"
   providers = {
-    aws       = "aws"
-    aws.owner = "aws.resource-owner"
+    aws       = aws
+    aws.owner = aws.resource-owner
   }
 
   create_ram_principal_association = true
-  profile                          = "resource-member"
-  region                           = "us-east-1"
-  cross_account                    = true
-  auto_accept                      = true
-  principal                        = data.aws_caller_identity.current.account_id
-  resource_share_arn               = data.terraform_remote_state.prereq.outputs.ram_arn
+
+  auto_accept        = true
+  principal          = data.aws_caller_identity.current.account_id
+  resource_share_arn = data.terraform_remote_state.prereq.outputs.ram_arn
+}
+
+output "create_ram_accept" {
+  value = module.create_ram_accept
 }
diff --git a/tests/create_ram/prereq/README.md b/tests/create_ram/prereq/README.md
diff --git a/tests/create_ram/prereq/main.tf b/tests/create_ram/prereq/main.tf
@@ -69,8 +69,8 @@ resource "aws_ram_resource_share" "this" {
 }
 
 resource "aws_ram_resource_association" "this" {
-  resource_arn       = "${aws_route53_resolver_rule.this.arn}"
-  resource_share_arn = "${aws_ram_resource_share.this.arn}"
+  resource_arn       = aws_route53_resolver_rule.this.arn
+  resource_share_arn = aws_ram_resource_share.this.arn
 }
 
 output "ram_arn" {