Merge pull request #90 from lorengordon/ram

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2.0.4
+current_version = 3.0.0
 commit = True
 message = Bumps version to {new_version}
 tag = False

.gitignore

@@ -18,3 +18,5 @@ tardigrade-ci/
 # eclint
 .git/
 
+# terratest
+tests/go.*

Makefile

@@ -1,4 +1,3 @@
 SHELL := /bin/bash
 
 -include $(shell curl -sSL -o .tardigrade-ci "https://raw.githubusercontent.com/plus3it/tardigrade-ci/master/bootstrap/Makefile.bootstrap"; echo .tardigrade-ci)
-

README.md

@@ -1,45 +1,42 @@
 # terraform-aws-tardigrade-ram-principal-association
 
-Terraform module to share an AWS Resource Access Manager (RAM) resource with another account
+Terraform module to manage a resource share with AWS Resource Access Manager (RAM)
 
 ## Testing
 
-You can find example implementations of this module in the tests folder. Please note that this module
-requires 2 different AWS accounts to test and that the terraform aws provider definitions are assuming
-that you will be using a profile with the name `resource-owner` and `resource-member`
-
+You can find example implementations of this module in the tests folder. Note that the terraform aws
+provider configs for the tests require that you use a profiles with the names `resource-owner` and
+`resource-member`. Also note that the `cross_account` test requires 2 different AWS accounts.
 
 <!-- BEGIN TFDOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| terraform | >= 0.12 |
+| terraform | >= 0.13 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | aws | n/a |
-| aws.owner | n/a |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| auto\_accept | Controls whether to automatically accept the invite, in case principal is another account | `bool` | `true` | no |
-| create\_ram\_principal\_association | Controls whether to create the RAM Principal Association | `bool` | `true` | no |
-| principal | The principal to associate with the resource share. Possible values are an AWS account ID, an AWS Organizations Organization ARN, or an AWS Organizations Organization Unit ARN. | `string` | `null` | no |
-| resource\_share\_arn | ARN of the resource share | `string` | `null` | no |
+| name | Name of the resource share | `string` | n/a | yes |
+| allow\_external\_principals | Boolean indicating whether principals outside the AWS organization can be associated with the resource share | `bool` | `false` | no |
+| principals | List of principals to associate with the resource share. Possible values are an AWS account ID, an AWS Organizations Organization ARN, or an AWS Organizations Organization Unit ARN. | `list(string)` | `[]` | no |
+| resources | Schema list of resources to associate to the resource share | <pre>list(object({<br>    name         = string # used as for_each key; cannot be an attribute of a resource in the same tfstate<br>    resource_arn = string # ARN of the resource to associate with the share; *can* be an attribute of a resource in the same tfstate<br>  }))</pre> | `[]` | no |
+| tags | Map of tags to assign to the resource share | `map(string)` | `{}` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| principal | Principal associated with the resource share |
-| resource\_share\_arn | ARN of the resource share |
-| resources | A list of the resource ARNs shared via the resource share |
-| share\_id | The ID of the resource share as displayed in the console |
-| share\_name | The name of the resource share |
+| principal\_associations | Object with the AWS RAM principal associations resources |
+| resource\_associations | Object with the AWS RAM resource associations resources |
+| resource\_share | Object with the AWS RAM resource share resource |
 
 <!-- END TFDOCS -->

main.tf

@@ -1,41 +1,22 @@
-provider "aws" {
-}
-
-provider "aws" {
-  alias = "owner"
-}
-
-resource "aws_ram_principal_association" "this" {
-  count = var.create_ram_principal_association ? 1 : 0
-
-  provider = aws.owner
+resource aws_ram_resource_share this {
+  name = var.name
+  tags = var.tags
 
-  principal          = var.principal
-  resource_share_arn = var.resource_share_arn
-
-  # The invitation sometime takes a few seconds to propagate
-  provisioner "local-exec" {
-    command = "python -c 'import time; time.sleep(10)'"
-  }
+  allow_external_principals = var.allow_external_principals
 }
 
-resource "aws_ram_resource_share_accepter" "this" {
-  count = local.create_ram_resource_share_accepter && var.auto_accept ? 1 : 0
-
-  provider = aws
+module resource_associations {
+  source   = "./modules/resource_association"
+  for_each = { for resource in var.resources : resource.name => resource }
 
-  share_arn = aws_ram_principal_association.this[0].resource_share_arn
+  resource_arn       = each.value.resource_arn
+  resource_share_arn = aws_ram_resource_share.this.arn
 }
 
-data "aws_caller_identity" "this" {
-  count = var.create_ram_principal_association ? 1 : 0
-}
-
-data "aws_caller_identity" "owner" {
-  count    = var.create_ram_principal_association ? 1 : 0
-  provider = aws.owner
-}
+module principal_associations {
+  source   = "./modules/principal_association"
+  for_each = toset(var.principals)
 
-locals {
-  create_ram_resource_share_accepter = var.create_ram_principal_association ? join("", data.aws_caller_identity.this.*.account_id) != join("", data.aws_caller_identity.owner.*.account_id) : false
+  principal          = each.value
+  resource_share_arn = aws_ram_resource_share.this.arn
 }

modules/cross_account_principal_association/README.md

@@ -0,0 +1,27 @@
+# terraform-aws-tardigrade-ram-principal-association/cross_account_principal_association
+
+<!-- BEGIN TFDOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| resource\_share\_arn | ARN of the resource share | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| principal\_association | Object with the AWS RAM principal association resource |
+| share\_accepter | Object with the AWS RAM share accepter resource |
+
+<!-- END TFDOCS -->

modules/cross_account_principal_association/main.tf

@@ -0,0 +1,22 @@
+provider aws {
+  alias = "owner"
+}
+
+module principal_association {
+  source = "../principal_association"
+
+  providers = {
+    aws = aws.owner
+  }
+
+  principal          = data.aws_caller_identity.this.account_id
+  resource_share_arn = var.resource_share_arn
+}
+
+module accepter {
+  source = "../share_accepter"
+
+  resource_share_arn = module.principal_association.principal_association.resource_share_arn
+}
+
+data aws_caller_identity this {}

modules/cross_account_principal_association/outputs.tf

@@ -0,0 +1,9 @@
+output principal_association {
+  description = "Object with the AWS RAM principal association resource"
+  value       = module.principal_association.principal_association
+}
+
+output share_accepter {
+  description = "Object with the AWS RAM share accepter resource"
+  value       = module.accepter.share_accepter
+}

modules/cross_account_principal_association/variables.tf

@@ -0,0 +1,4 @@
+variable resource_share_arn {
+  description = "ARN of the resource share"
+  type        = string
+}

modules/principal_association/README.md

@@ -0,0 +1,27 @@
+# terraform-aws-tardigrade-ram-principal-association/principal_association
+
+<!-- BEGIN TFDOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| principal | The principal to associate with the resource share. Possible values are an AWS account ID, an AWS Organizations Organization ARN, or an AWS Organizations Organization Unit ARN. | `string` | n/a | yes |
+| resource\_share\_arn | ARN of the resource share | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| principal\_association | Object with the AWS RAM principal association resource |
+
+<!-- END TFDOCS -->

modules/principal_association/main.tf

@@ -0,0 +1,9 @@
+resource aws_ram_principal_association this {
+  principal          = var.principal
+  resource_share_arn = var.resource_share_arn
+
+  # The invitation sometime takes a few seconds to propagate
+  provisioner local-exec {
+    command = "python -c 'import time; time.sleep(10)'"
+  }
+}

modules/principal_association/outputs.tf

@@ -0,0 +1,4 @@
+output principal_association {
+  description = "Object with the AWS RAM principal association resource"
+  value       = aws_ram_principal_association.this
+}

modules/principal_association/variables.tf

@@ -0,0 +1,9 @@
+variable principal {
+  description = "The principal to associate with the resource share. Possible values are an AWS account ID, an AWS Organizations Organization ARN, or an AWS Organizations Organization Unit ARN."
+  type        = string
+}
+
+variable resource_share_arn {
+  description = "ARN of the resource share"
+  type        = string
+}

modules/resource_association/README.md

@@ -0,0 +1,27 @@
+# terraform-aws-tardigrade-ram-principal-association/resource_association
+
+<!-- BEGIN TFDOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| resource\_arn | ARN of the resource to associate with the RAM Resource Share | `string` | n/a | yes |
+| resource\_share\_arn | ARN of the resource share | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| resource\_association | Object with the AWS RAM resource association resource |
+
+<!-- END TFDOCS -->

modules/resource_association/main.tf

@@ -0,0 +1,4 @@
+resource aws_ram_resource_association this {
+  resource_arn       = var.resource_arn
+  resource_share_arn = var.resource_share_arn
+}

modules/resource_association/outputs.tf

@@ -0,0 +1,4 @@
+output resource_association {
+  description = "Object with the AWS RAM resource association resource"
+  value       = aws_ram_resource_association.this
+}

modules/resource_association/variables.tf

@@ -0,0 +1,9 @@
+variable resource_arn {
+  description = "ARN of the resource to associate with the RAM Resource Share"
+  type        = string
+}
+
+variable resource_share_arn {
+  description = "ARN of the resource share"
+  type        = string
+}

modules/share_accepter/README.md

@@ -0,0 +1,26 @@
+# terraform-aws-tardigrade-ram-principal-association/share_accepter
+
+<!-- BEGIN TFDOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| resource\_share\_arn | ARN of the resource share | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| share\_accepter | Object with the AWS RAM share accepter resource |
+
+<!-- END TFDOCS -->

modules/share_accepter/main.tf

@@ -0,0 +1,3 @@
+resource aws_ram_resource_share_accepter this {
+  share_arn = var.resource_share_arn
+}

modules/share_accepter/outputs.tf

@@ -0,0 +1,4 @@
+output share_accepter {
+  description = "Object with the AWS RAM share accepter resource"
+  value       = aws_ram_resource_share_accepter.this
+}

modules/share_accepter/variables.tf

@@ -0,0 +1,4 @@
+variable resource_share_arn {
+  description = "ARN of the resource share"
+  type        = string
+}

outputs.tf

@@ -1,25 +1,14 @@
-# RAM Principal Association
-output "resource_share_arn" {
-  description = "ARN of the resource share"
-  value       = join("", aws_ram_principal_association.this.*.resource_share_arn)
+output resource_share {
+  description = "Object with the AWS RAM resource share resource"
+  value       = aws_ram_resource_share.this
 }
 
-output "principal" {
-  description = "Principal associated with the resource share"
-  value       = join("", aws_ram_principal_association.this.*.principal)
+output resource_associations {
+  description = "Object with the AWS RAM resource associations resources"
+  value       = module.resource_associations
 }
 
-output "share_id" {
-  description = "The ID of the resource share as displayed in the console"
-  value       = join("", aws_ram_resource_share_accepter.this.*.share_id)
-}
-
-output "share_name" {
-  description = "The name of the resource share"
-  value       = join("", aws_ram_resource_share_accepter.this.*.share_name)
-}
-
-output "resources" {
-  description = "A list of the resource ARNs shared via the resource share"
-  value       = aws_ram_resource_share_accepter.this.*.resources
+output principal_associations {
+  description = "Object with the AWS RAM principal associations resources"
+  value       = module.principal_associations
 }