feat: Add wrapper modules (#396)

Author: gpdenny

.pre-commit-config.yaml

@@ -1,8 +1,9 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.79.1
+    rev: v1.81.0
     hooks:
       - id: terraform_fmt
+      - id: terraform_wrapper_module_for_each
       - id: terraform_validate
       - id: terraform_docs
         args:

wrappers/iam-account/README.md

@@ -0,0 +1,100 @@
+# Wrapper for module: `modules/iam-account`
+
+The configuration in this directory contains an implementation of a single module wrapper pattern, which allows managing several copies of a module in places where using the native Terraform 0.13+ `for_each` feature is not feasible (e.g., with Terragrunt).
+
+You may want to use a single Terragrunt configuration file to manage multiple resources without duplicating `terragrunt.hcl` files for each copy of the same module.
+
+This wrapper does not implement any extra functionality.
+
+## Usage with Terragrunt
+
+`terragrunt.hcl`:
+
+```hcl
+terraform {
+  source = "tfr:///terraform-aws-modules/iam/aws//wrappers/iam-account"
+  # Alternative source:
+  # source = "git::[email protected]:terraform-aws-modules/terraform-aws-iam.git//wrappers/iam-account?ref=master"
+}
+
+inputs = {
+  defaults = { # Default values
+    create = true
+    tags = {
+      Terraform   = "true"
+      Environment = "dev"
+    }
+  }
+
+  items = {
+    my-item = {
+      # omitted... can be any argument supported by the module
+    }
+    my-second-item = {
+      # omitted... can be any argument supported by the module
+    }
+    # omitted...
+  }
+}
+```
+
+## Usage with Terraform
+
+```hcl
+module "wrapper" {
+  source = "terraform-aws-modules/iam/aws//wrappers/iam-account"
+
+  defaults = { # Default values
+    create = true
+    tags = {
+      Terraform   = "true"
+      Environment = "dev"
+    }
+  }
+
+  items = {
+    my-item = {
+      # omitted... can be any argument supported by the module
+    }
+    my-second-item = {
+      # omitted... can be any argument supported by the module
+    }
+    # omitted...
+  }
+}
+```
+
+## Example: Manage multiple S3 buckets in one Terragrunt layer
+
+`eu-west-1/s3-buckets/terragrunt.hcl`:
+
+```hcl
+terraform {
+  source = "tfr:///terraform-aws-modules/s3-bucket/aws//wrappers"
+  # Alternative source:
+  # source = "git::[email protected]:terraform-aws-modules/terraform-aws-s3-bucket.git//wrappers?ref=master"
+}
+
+inputs = {
+  defaults = {
+    force_destroy = true
+
+    attach_elb_log_delivery_policy        = true
+    attach_lb_log_delivery_policy         = true
+    attach_deny_insecure_transport_policy = true
+    attach_require_latest_tls_policy      = true
+  }
+
+  items = {
+    bucket1 = {
+      bucket = "my-random-bucket-1"
+    }
+    bucket2 = {
+      bucket = "my-random-bucket-2"
+      tags = {
+        Secure = "probably"
+      }
+    }
+  }
+}
+```

wrappers/iam-account/main.tf

@@ -0,0 +1,18 @@
+module "wrapper" {
+  source = "../../modules/iam-account"
+
+  for_each = var.items
+
+  get_caller_identity            = try(each.value.get_caller_identity, var.defaults.get_caller_identity, true)
+  account_alias                  = try(each.value.account_alias, var.defaults.account_alias)
+  create_account_password_policy = try(each.value.create_account_password_policy, var.defaults.create_account_password_policy, true)
+  max_password_age               = try(each.value.max_password_age, var.defaults.max_password_age, 0)
+  minimum_password_length        = try(each.value.minimum_password_length, var.defaults.minimum_password_length, 8)
+  allow_users_to_change_password = try(each.value.allow_users_to_change_password, var.defaults.allow_users_to_change_password, true)
+  hard_expiry                    = try(each.value.hard_expiry, var.defaults.hard_expiry, false)
+  password_reuse_prevention      = try(each.value.password_reuse_prevention, var.defaults.password_reuse_prevention, null)
+  require_lowercase_characters   = try(each.value.require_lowercase_characters, var.defaults.require_lowercase_characters, true)
+  require_uppercase_characters   = try(each.value.require_uppercase_characters, var.defaults.require_uppercase_characters, true)
+  require_numbers                = try(each.value.require_numbers, var.defaults.require_numbers, true)
+  require_symbols                = try(each.value.require_symbols, var.defaults.require_symbols, true)
+}

wrappers/iam-account/outputs.tf

@@ -0,0 +1,5 @@
+output "wrapper" {
+  description = "Map of outputs of a wrapper."
+  value       = module.wrapper
+  # sensitive = false # No sensitive module output found
+}

wrappers/iam-account/variables.tf

@@ -0,0 +1,11 @@
+variable "defaults" {
+  description = "Map of default values which will be used for each item."
+  type        = any
+  default     = {}
+}
+
+variable "items" {
+  description = "Maps of items to create a wrapper from. Values are passed through to the module."
+  type        = any
+  default     = {}
+}

wrappers/iam-account/versions.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.13.1"
+}

wrappers/iam-assumable-role-with-oidc/README.md

@@ -0,0 +1,100 @@
+# Wrapper for module: `modules/iam-assumable-role-with-oidc`
+
+The configuration in this directory contains an implementation of a single module wrapper pattern, which allows managing several copies of a module in places where using the native Terraform 0.13+ `for_each` feature is not feasible (e.g., with Terragrunt).
+
+You may want to use a single Terragrunt configuration file to manage multiple resources without duplicating `terragrunt.hcl` files for each copy of the same module.
+
+This wrapper does not implement any extra functionality.
+
+## Usage with Terragrunt
+
+`terragrunt.hcl`:
+
+```hcl
+terraform {
+  source = "tfr:///terraform-aws-modules/iam/aws//wrappers/iam-assumable-role-with-oidc"
+  # Alternative source:
+  # source = "git::[email protected]:terraform-aws-modules/terraform-aws-iam.git//wrappers/iam-assumable-role-with-oidc?ref=master"
+}
+
+inputs = {
+  defaults = { # Default values
+    create = true
+    tags = {
+      Terraform   = "true"
+      Environment = "dev"
+    }
+  }
+
+  items = {
+    my-item = {
+      # omitted... can be any argument supported by the module
+    }
+    my-second-item = {
+      # omitted... can be any argument supported by the module
+    }
+    # omitted...
+  }
+}
+```
+
+## Usage with Terraform
+
+```hcl
+module "wrapper" {
+  source = "terraform-aws-modules/iam/aws//wrappers/iam-assumable-role-with-oidc"
+
+  defaults = { # Default values
+    create = true
+    tags = {
+      Terraform   = "true"
+      Environment = "dev"
+    }
+  }
+
+  items = {
+    my-item = {
+      # omitted... can be any argument supported by the module
+    }
+    my-second-item = {
+      # omitted... can be any argument supported by the module
+    }
+    # omitted...
+  }
+}
+```
+
+## Example: Manage multiple S3 buckets in one Terragrunt layer
+
+`eu-west-1/s3-buckets/terragrunt.hcl`:
+
+```hcl
+terraform {
+  source = "tfr:///terraform-aws-modules/s3-bucket/aws//wrappers"
+  # Alternative source:
+  # source = "git::[email protected]:terraform-aws-modules/terraform-aws-s3-bucket.git//wrappers?ref=master"
+}
+
+inputs = {
+  defaults = {
+    force_destroy = true
+
+    attach_elb_log_delivery_policy        = true
+    attach_lb_log_delivery_policy         = true
+    attach_deny_insecure_transport_policy = true
+    attach_require_latest_tls_policy      = true
+  }
+
+  items = {
+    bucket1 = {
+      bucket = "my-random-bucket-1"
+    }
+    bucket2 = {
+      bucket = "my-random-bucket-2"
+      tags = {
+        Secure = "probably"
+      }
+    }
+  }
+}
+```

wrappers/iam-assumable-role-with-oidc/main.tf

@@ -0,0 +1,24 @@
+module "wrapper" {
+  source = "../../modules/iam-assumable-role-with-oidc"
+
+  for_each = var.items
+
+  create_role                    = try(each.value.create_role, var.defaults.create_role, false)
+  provider_url                   = try(each.value.provider_url, var.defaults.provider_url, "")
+  provider_urls                  = try(each.value.provider_urls, var.defaults.provider_urls, [])
+  aws_account_id                 = try(each.value.aws_account_id, var.defaults.aws_account_id, "")
+  tags                           = try(each.value.tags, var.defaults.tags, {})
+  role_name                      = try(each.value.role_name, var.defaults.role_name, null)
+  role_name_prefix               = try(each.value.role_name_prefix, var.defaults.role_name_prefix, null)
+  role_description               = try(each.value.role_description, var.defaults.role_description, "")
+  role_path                      = try(each.value.role_path, var.defaults.role_path, "/")
+  role_permissions_boundary_arn  = try(each.value.role_permissions_boundary_arn, var.defaults.role_permissions_boundary_arn, "")
+  max_session_duration           = try(each.value.max_session_duration, var.defaults.max_session_duration, 3600)
+  role_policy_arns               = try(each.value.role_policy_arns, var.defaults.role_policy_arns, [])
+  number_of_role_policy_arns     = try(each.value.number_of_role_policy_arns, var.defaults.number_of_role_policy_arns, null)
+  oidc_fully_qualified_subjects  = try(each.value.oidc_fully_qualified_subjects, var.defaults.oidc_fully_qualified_subjects, [])
+  oidc_subjects_with_wildcards   = try(each.value.oidc_subjects_with_wildcards, var.defaults.oidc_subjects_with_wildcards, [])
+  oidc_fully_qualified_audiences = try(each.value.oidc_fully_qualified_audiences, var.defaults.oidc_fully_qualified_audiences, [])
+  force_detach_policies          = try(each.value.force_detach_policies, var.defaults.force_detach_policies, false)
+  allow_self_assume_role         = try(each.value.allow_self_assume_role, var.defaults.allow_self_assume_role, false)
+}

wrappers/iam-assumable-role-with-oidc/outputs.tf

@@ -0,0 +1,5 @@
+output "wrapper" {
+  description = "Map of outputs of a wrapper."
+  value       = module.wrapper
+  # sensitive = false # No sensitive module output found
+}

wrappers/iam-assumable-role-with-oidc/variables.tf

@@ -0,0 +1,11 @@
+variable "defaults" {
+  description = "Map of default values which will be used for each item."
+  type        = any
+  default     = {}
+}
+
+variable "items" {
+  description = "Maps of items to create a wrapper from. Values are passed through to the module."
+  type        = any
+  default     = {}
+}