Use only Principals Access Model (#22)

goruha · web-flow · commit 76432038246b · 2019-02-06T19:04:24.000+06:00
## What
* Remove creation role if no participants provided

## Why
* To prevent wrong using of terraform module
diff --git a/README.md b/README.md
@@ -112,17 +112,18 @@ Available targets:
   lint                                Lint terraform code
 
 ```
-
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | attributes | Additional attributes (e.g. `policy` or `role`) | list | `<list>` | no |
 | delimiter | Delimiter to be used between `name`, `namespace`, `stage`, etc. | string | `-` | no |
+| enabled | Set to false to prevent the module from creating any resources | string | `true` | no |
 | max_image_count | How many Docker Image versions AWS ECR will store | string | `7` | no |
 | name | The Name of the application or solution  (e.g. `bastion` or `portal`) | string | - | yes |
 | namespace | Namespace (e.g. `cp` or `cloudposse`) | string | - | yes |
-| roles | Principal IAM roles to provide with access to the ECR | list | `<list>` | no |
+| principals_full_access | Principal ARN to provide with full access to the ECR | list | `<list>` | no |
+| principals_readonly_access | Principal ARN to provide with readonly access to the ECR | list | `<list>` | no |
 | stage | Stage (e.g. `prod`, `dev`, `staging`) | string | - | yes |
 | tags | Additional tags (e.g. `map('BusinessUnit','XYZ')`) | map | `<map>` | no |
 | use_fullname | Set 'true' to use `namespace-stage-name` for ecr repository name, else `name` | string | `true` | no |
@@ -131,17 +132,9 @@ Available targets:
 
 | Name | Description |
 |------|-------------|
-| policy_login_arn | The IAM Policy ARN to be given access to login in ECR |
-| policy_login_name | The IAM Policy name to be given access to login in ECR |
-| policy_read_arn | The IAM Policy ARN to be given access to pull images from ECR |
-| policy_read_name | The IAM Policy name to be given access to pull images from ECR |
-| policy_write_arn | The IAM Policy ARN to be given access to push images to ECR |
-| policy_write_name | The IAM Policy name to be given access to push images to ECR |
 | registry_id | Registry ID |
 | registry_url | Registry URL |
 | repository_name | Registry name |
-| role_arn | Assume Role ARN to get registry access |
-| role_name | Assume Role name to get registry access |
 
 
 
@@ -224,7 +217,7 @@ In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.
 
 ## Copyright
 
-Copyright © 2017-2018 [Cloud Posse, LLC](https://cpco.io/copyright)
+Copyright © 2017-2019 [Cloud Posse, LLC](https://cpco.io/copyright)
 
 
 
diff --git a/docs/terraform.md b/docs/terraform.md
@@ -1,14 +1,15 @@
-
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | attributes | Additional attributes (e.g. `policy` or `role`) | list | `<list>` | no |
 | delimiter | Delimiter to be used between `name`, `namespace`, `stage`, etc. | string | `-` | no |
+| enabled | Set to false to prevent the module from creating any resources | string | `true` | no |
 | max_image_count | How many Docker Image versions AWS ECR will store | string | `7` | no |
 | name | The Name of the application or solution  (e.g. `bastion` or `portal`) | string | - | yes |
 | namespace | Namespace (e.g. `cp` or `cloudposse`) | string | - | yes |
-| roles | Principal IAM roles to provide with access to the ECR | list | `<list>` | no |
+| principals_full_access | Principal ARN to provide with full access to the ECR | list | `<list>` | no |
+| principals_readonly_access | Principal ARN to provide with readonly access to the ECR | list | `<list>` | no |
 | stage | Stage (e.g. `prod`, `dev`, `staging`) | string | - | yes |
 | tags | Additional tags (e.g. `map('BusinessUnit','XYZ')`) | map | `<map>` | no |
 | use_fullname | Set 'true' to use `namespace-stage-name` for ecr repository name, else `name` | string | `true` | no |
@@ -17,15 +18,7 @@
 
 | Name | Description |
 |------|-------------|
-| policy_login_arn | The IAM Policy ARN to be given access to login in ECR |
-| policy_login_name | The IAM Policy name to be given access to login in ECR |
-| policy_read_arn | The IAM Policy ARN to be given access to pull images from ECR |
-| policy_read_name | The IAM Policy name to be given access to pull images from ECR |
-| policy_write_arn | The IAM Policy ARN to be given access to push images to ECR |
-| policy_write_name | The IAM Policy name to be given access to push images to ECR |
 | registry_id | Registry ID |
 | registry_url | Registry URL |
 | repository_name | Registry name |
-| role_arn | Assume Role ARN to get registry access |
-| role_name | Assume Role name to get registry access |
 
diff --git a/main.tf b/main.tf
@@ -1,19 +1,12 @@
 locals {
-  principals_readonly_access_count     = "${length(var.principals_readonly_access)}"
   principals_readonly_access_non_empty = "${signum(length(var.principals_readonly_access))}"
-  principals_readonly_access_empty     = "${signum(length(var.principals_readonly_access)) == 0 ? 1 : 0}"
-
-  principals_full_access_count     = "${length(var.principals_full_access)}"
-  principals_full_access_non_empty = "${signum(length(var.principals_full_access))}"
-  principals_full_access_empty     = "${signum(length(var.principals_full_access)) == 0 ? 1 : 0}"
-
-  principals_total_count     = "${length(var.principals_readonly_access) + length(var.principals_full_access)}"
-  principals_total_non_empty = "${signum(length(var.principals_readonly_access) + length(var.principals_full_access))}"
-  principals_total_empty     = "${signum(length(var.principals_readonly_access) + length(var.principals_full_access)) == 0 ? 1 : 0}"
+  principals_full_access_non_empty     = "${signum(length(var.principals_full_access))}"
+  ecr_need_policy                      = "${length(var.principals_full_access) + length(var.principals_readonly_access) > 0 ? "true" : "false"}"
 }
 
 module "label" {
   source     = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.3.3"
+  enabled    = "${var.enabled}"
   namespace  = "${var.namespace}"
   stage      = "${var.stage}"
   name       = "${var.name}"
@@ -23,10 +16,12 @@ module "label" {
 }
 
 resource "aws_ecr_repository" "default" {
-  name = "${var.use_fullname == "true" ? module.label.id : module.label.name}"
+  count = "${var.enabled == "true" ? 1 : 0}"
+  name  = "${var.use_fullname == "true" ? module.label.id : module.label.name}"
 }
 
 resource "aws_ecr_lifecycle_policy" "default" {
+  count      = "${var.enabled == "true" ? 1 : 0}"
   repository = "${aws_ecr_repository.default.name}"
 
   policy = <<EOF
@@ -48,77 +43,6 @@ resource "aws_ecr_lifecycle_policy" "default" {
 EOF
 }
 
-## If roles are empty
-## Create default role to provide full access.
-## The role can be attached or assumed
-
-data "aws_iam_policy_document" "assume_role" {
-  count = "${local.principals_total_empty}"
-
-  statement {
-    sid     = "EC2AssumeRole"
-    effect  = "Allow"
-    actions = ["sts:AssumeRole"]
-
-    principals = {
-      type        = "Service"
-      identifiers = ["ec2.amazonaws.com"]
-    }
-  }
-}
-
-resource "aws_iam_role" "default" {
-  count              = "${local.principals_total_empty}"
-  name               = "${module.label.id}"
-  assume_role_policy = "${data.aws_iam_policy_document.assume_role.json}"
-}
-
-resource "aws_iam_instance_profile" "default" {
-  count = "${local.principals_total_empty}"
-  name  = "${module.label.id}"
-  role  = "${aws_iam_role.default.name}"
-}
-
-## Grant access to default role
-data "aws_iam_policy_document" "default_ecr" {
-  count = "${local.principals_total_empty}"
-
-  statement {
-    sid    = "ECR"
-    effect = "Allow"
-
-    principals = {
-      type = "AWS"
-
-      identifiers = [
-        "${aws_iam_role.default.arn}",
-      ]
-    }
-
-    actions = [
-      "ecr:GetDownloadUrlForLayer",
-      "ecr:BatchGetImage",
-      "ecr:BatchCheckLayerAvailability",
-      "ecr:PutImage",
-      "ecr:InitiateLayerUpload",
-      "ecr:UploadLayerPart",
-      "ecr:CompleteLayerUpload",
-      "ecr:DescribeRepositories",
-      "ecr:ListImages",
-      "ecr:DescribeImages",
-    ]
-  }
-}
-
-resource "aws_ecr_repository_policy" "default_ecr" {
-  count      = "${local.principals_total_empty}"
-  repository = "${aws_ecr_repository.default.name}"
-  policy     = "${data.aws_iam_policy_document.default_ecr.json}"
-}
-
-## If any roles provided
-## Grant access to them
-
 data "aws_iam_policy_document" "empty" {}
 
 data "aws_iam_policy_document" "resource_readonly_access" {
@@ -178,14 +102,13 @@ data "aws_iam_policy_document" "resource_full_access" {
 }
 
 data "aws_iam_policy_document" "resource" {
-  count = "${local.principals_total_non_empty}"
-
   source_json   = "${local.principals_readonly_access_non_empty ? data.aws_iam_policy_document.resource_readonly_access.json : data.aws_iam_policy_document.empty.json}"
   override_json = "${local.principals_full_access_non_empty ? data.aws_iam_policy_document.resource_full_access.json : data.aws_iam_policy_document.empty.json}"
+  "statement"   = []
 }
 
 resource "aws_ecr_repository_policy" "default" {
-  count      = "${local.principals_total_non_empty}"
+  count      = "${(local.ecr_need_policy == "true" && var.enabled == "true") ? 1 : 0}"
   repository = "${aws_ecr_repository.default.name}"
   policy     = "${data.aws_iam_policy_document.resource.json}"
 }
diff --git a/output.tf b/output.tf
@@ -1,24 +1,14 @@
 output "registry_id" {
-  value       = "${aws_ecr_repository.default.registry_id}"
+  value       = "${join("", aws_ecr_repository.default.*.registry_id)}"
   description = "Registry ID"
 }
 
 output "registry_url" {
-  value       = "${aws_ecr_repository.default.repository_url}"
+  value       = "${join("", aws_ecr_repository.default.*.repository_url)}"
   description = "Registry URL"
 }
 
 output "repository_name" {
-  value       = "${aws_ecr_repository.default.name}"
+  value       = "${join("", aws_ecr_repository.default.*.name)}"
   description = "Registry name"
 }
-
-output "role_name" {
-  value       = "${join("", aws_iam_role.default.*.name)}"
-  description = "Assume Role name to get registry access"
-}
-
-output "role_arn" {
-  value       = "${join("", aws_iam_role.default.*.arn)}"
-  description = "Assume Role ARN to get registry access"
-}
diff --git a/variables.tf b/variables.tf
@@ -10,6 +10,11 @@ variable "stage" {
   description = "Stage (e.g. `prod`, `dev`, `staging`)"
 }
 
+variable "enabled" {
+  description = "Set to false to prevent the module from creating any resources"
+  default     = "true"
+}
+
 variable "use_fullname" {
   type        = "string"
   default     = "true"
