Merge pull request #62 from cisagov/improvement/optional-ssm-parameters

dav3r · web-flow · commit edb543f67ba4 · 2025-03-07T11:35:38.000-05:00
Make SSM parameters optional
diff --git a/README.md b/README.md
@@ -82,14 +82,14 @@ module "example" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | entity | The name of the entity (usually a GitHub repository) being tested (e.g. molecule-iam-user-tf-module). | `string` | n/a | yes |
-| ssm\_parameters | The AWS SSM parameters that the IAM user needs to be able to read (e.g. ["/example/parameter1", "/example/config/*"]). | `list(string)` | n/a | yes |
+| ssm\_parameters | The AWS SSM parameters that the IAM user needs to be able to read (e.g. ["/example/parameter1", "/example/config/*"]). | `list(string)` | `[]` | no |
 
 ## Outputs ##
 
 | Name | Description |
 |------|-------------|
 | access\_key | The IAM access key associated with the CI IAM user created by this module. |
-| role | The IAM role that the CI user can assume to read SSM parameters. |
+| role | The IAM role that the CI user can assume to perform testing. |
 | user | The CI IAM user created by this module. |
 <!-- END_TF_DOCS -->
 
diff --git a/assume_parameterstorereadonly_role.tf b/assume_parameterstorereadonly_role.tf
@@ -1,22 +1,26 @@
 # IAM policy document that allows assumption of the ParameterStoreReadOnly
 # role in the Images account for this user
 data "aws_iam_policy_document" "assume_parameterstorereadonly_role_doc" {
+  count = local.ssm_needed
+
   statement {
     actions = [
       "sts:AssumeRole",
       "sts:TagSession",
     ]
     effect = "Allow"
     resources = [
-      module.parameterstorereadonly_role.role.arn
+      module.parameterstorereadonly_role[0].role.arn
     ]
   }
 }
 
 # The IAM policy allowing this user to assume their custom
 # ParameterStoreReadOnly role in the Images account
 resource "aws_iam_user_policy" "assume_parameterstorereadonly" {
-  name   = "Images-Assume${module.parameterstorereadonly_role.role.name}"
-  policy = data.aws_iam_policy_document.assume_parameterstorereadonly_role_doc.json
+  count = local.ssm_needed
+
+  name   = "Images-Assume${module.parameterstorereadonly_role[0].role.name}"
+  policy = data.aws_iam_policy_document.assume_parameterstorereadonly_role_doc[0].json
   user   = module.ci_user.user.name
 }
diff --git a/locals.tf b/locals.tf
@@ -1,5 +1,9 @@
 locals {
-  user_name        = format("test-%s", var.entity)
-  role_name        = format("Test-%s", var.entity)
   role_description = format("A role that can be assumed to allow for CI testing of %s via Molecule.", var.entity)
+  role_name        = format("Test-%s", var.entity)
+
+  # Determine if the CI user needs to be able to read SSM parameters
+  ssm_needed = length(var.ssm_parameters) > 0 ? 1 : 0
+
+  user_name = format("test-%s", var.entity)
 }
diff --git a/outputs.tf b/outputs.tf
@@ -5,7 +5,7 @@ output "access_key" {
 }
 
 output "role" {
-  description = "The IAM role that the CI user can assume to read SSM parameters."
+  description = "The IAM role that the CI user can assume to perform testing."
   value       = module.ci_user.role
 }
 
diff --git a/parameterstorereadonly_role.tf b/parameterstorereadonly_role.tf
@@ -9,6 +9,7 @@ data "aws_caller_identity" "users" {
 }
 
 module "parameterstorereadonly_role" {
+  count  = local.ssm_needed
   source = "github.com/cisagov/ssm-read-role-tf-module"
 
   providers = {
diff --git a/user.tf b/user.tf
@@ -13,8 +13,9 @@ module "ci_user" {
 
 # Attach the AWS SSM Parameter Store read role policy to the CI role
 resource "aws_iam_role_policy_attachment" "ssm" {
+  count    = local.ssm_needed
   provider = aws.images-provisionaccount
 
-  policy_arn = module.parameterstorereadonly_role.policy.arn
+  policy_arn = module.parameterstorereadonly_role[0].policy.arn
   role       = module.ci_user.role.name
 }
diff --git a/variables.tf b/variables.tf
@@ -10,14 +10,15 @@ variable "entity" {
   type        = string
 }
 
-variable "ssm_parameters" {
-  description = "The AWS SSM parameters that the IAM user needs to be able to read (e.g. [\"/example/parameter1\", \"/example/config/*\"])."
-  nullable    = false
-  type        = list(string)
-}
-
 # ------------------------------------------------------------------------------
 # OPTIONAL PARAMETERS
 #
 # These parameters have reasonable defaults.
 # ------------------------------------------------------------------------------
+
+variable "ssm_parameters" {
+  default     = []
+  description = "The AWS SSM parameters that the IAM user needs to be able to read (e.g. [\"/example/parameter1\", \"/example/config/*\"])."
+  nullable    = false
+  type        = list(string)
+}

Original file line number	Diff line number	Diff line change
`@@ -1,22 +1,26 @@`
`1`	`1`	`# IAM policy document that allows assumption of the ParameterStoreReadOnly`
`2`	`2`	`# role in the Images account for this user`
`3`	`3`	`data "aws_iam_policy_document" "assume_parameterstorereadonly_role_doc" {`
	`4`	`+ count = local.ssm_needed`
	`5`	`+`
`4`	`6`	`statement {`
`5`	`7`	`actions = [`
`6`	`8`	`"sts:AssumeRole",`
`7`	`9`	`"sts:TagSession",`
`8`	`10`	`]`
`9`	`11`	`effect = "Allow"`
`10`	`12`	`resources = [`
`11`		`- module.parameterstorereadonly_role.role.arn`
	`13`	`+ module.parameterstorereadonly_role[0].role.arn`
`12`	`14`	`]`
`13`	`15`	`}`
`14`	`16`	`}`
`15`	`17`
`16`	`18`	`# The IAM policy allowing this user to assume their custom`
`17`	`19`	`# ParameterStoreReadOnly role in the Images account`
`18`	`20`	`resource "aws_iam_user_policy" "assume_parameterstorereadonly" {`
`19`		`- name = "Images-Assume${module.parameterstorereadonly_role.role.name}"`
`20`		`- policy = data.aws_iam_policy_document.assume_parameterstorereadonly_role_doc.json`
	`21`	`+ count = local.ssm_needed`
	`22`	`+`
	`23`	`+ name = "Images-Assume${module.parameterstorereadonly_role[0].role.name}"`
	`24`	`+ policy = data.aws_iam_policy_document.assume_parameterstorereadonly_role_doc[0].json`
`21`	`25`	`user = module.ci_user.user.name`
`22`	`26`	`}`
Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@ output "access_key" {`
`5`	`5`	`}`
`6`	`6`
`7`	`7`	`output "role" {`
`8`		`- description = "The IAM role that the CI user can assume to read SSM parameters."`
	`8`	`+ description = "The IAM role that the CI user can assume to perform testing."`
`9`	`9`	`value = module.ci_user.role`
`10`	`10`	`}`
`11`	`11`
Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@ data "aws_caller_identity" "users" {`
`9`	`9`	`}`
`10`	`10`
`11`	`11`	`module "parameterstorereadonly_role" {`
	`12`	`+ count = local.ssm_needed`
`12`	`13`	`source = "github.com/cisagov/ssm-read-role-tf-module"`
`13`	`14`
`14`	`15`	`providers = {`
Original file line number	Diff line number	Diff line change
`@@ -13,8 +13,9 @@ module "ci_user" {`
`13`	`13`
`14`	`14`	`# Attach the AWS SSM Parameter Store read role policy to the CI role`
`15`	`15`	`resource "aws_iam_role_policy_attachment" "ssm" {`
	`16`	`+ count = local.ssm_needed`
`16`	`17`	`provider = aws.images-provisionaccount`
`17`	`18`
`18`		`- policy_arn = module.parameterstorereadonly_role.policy.arn`
	`19`	`+ policy_arn = module.parameterstorereadonly_role[0].policy.arn`
`19`	`20`	`role = module.ci_user.role.name`
`20`	`21`	`}`