Added pre-commit hook to autogenerate terraform-docs

.pre-commit-config.yaml

 repos:
 - repo: git://github.com/antonbabenko/pre-commit-terraform
-  sha: v1.4.0
+  rev: v1.7.1
   hooks:
     - id: terraform_fmt
+    - id: terraform_docs
 - repo: git://github.com/pre-commit/pre-commit-hooks
-  sha: v1.2.0
+  rev: v1.2.3
   hooks:
     - id: check-merge-conflict

README.md

@@ -96,7 +96,6 @@ Terraform can't configure MFA for the user. It is only possible via [AWS Console
 
 [iam-assumable-roles module](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-assumable-roles) can be configured to require valid MFA token when different roles are assumed (for example, admin role requires MFA, but readonly - does not).
 
-
 ## Examples
 
 * [complete](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/complete) - Create all required resources to allow one group of users to assume privileged role, while another group of users can only assume readonly role.
@@ -104,6 +103,8 @@ Terraform can't configure MFA for the user. It is only possible via [AWS Console
 * [iam-assumable-roles](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-assumable-roles) - Create IAM roles which can be assumed from specified ARNs (AWS accounts, IAM users, etc)
 * [iam-user](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-user) - Add IAM user, login profile and access keys
 
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 ## Authors
 

examples/iam-account/README.md

@@ -13,3 +13,14 @@ $ terraform apply
 ```
 
 Run `terraform destroy` when you don't need these resources.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| this_caller_identity_account_id | The ID of the AWS account |
+| this_iam_account_password_policy_expire_passwords | Indicates whether passwords in the account expire. Returns true if max_password_age contains a value greater than 0. Returns false if it is 0 or not present. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/iam-assumable-roles/README.md

@@ -13,3 +13,24 @@ $ terraform apply
 ```
 
 Run `terraform destroy` when you don't need these resources.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| admin_iam_role_arn | Admin |
+| admin_iam_role_name | Name of admin IAM role |
+| admin_iam_role_path | Path of admin IAM role |
+| admin_iam_role_requires_mfa | Whether admin IAM role requires MFA |
+| poweruser_iam_role_arn | Poweruser |
+| poweruser_iam_role_name | Name of poweruser IAM role |
+| poweruser_iam_role_path | Path of poweruser IAM role |
+| poweruser_iam_role_requires_mfa | Whether poweruser IAM role requires MFA |
+| readonly_iam_role_arn | Readonly |
+| readonly_iam_role_name | Name of readonly IAM role |
+| readonly_iam_role_path | Path of readonly IAM role |
+| readonly_iam_role_requires_mfa | Whether readonly IAM role requires MFA |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/iam-user/README.md

@@ -14,3 +14,27 @@ $ terraform apply
 ```
 
 Run `terraform destroy` when you don't need these resources.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| keybase_password_decrypt_command |  |
+| keybase_password_pgp_message |  |
+| keybase_secret_key_decrypt_command |  |
+| keybase_secret_key_pgp_message |  |
+| pgp_key | PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted) |
+| this_iam_access_key_encrypted_secret | The encrypted secret, base64 encoded |
+| this_iam_access_key_id | The access key ID |
+| this_iam_access_key_key_fingerprint | The fingerprint of the PGP key used to encrypt the secret |
+| this_iam_access_key_ses_smtp_password | The secret access key converted into an SES SMTP password |
+| this_iam_access_key_status | Active or Inactive. Keys are initially active, but can be made inactive by other means. |
+| this_iam_user_arn | The ARN assigned by AWS for this user |
+| this_iam_user_login_profile_encrypted_password | The encrypted password, base64 encoded |
+| this_iam_user_login_profile_key_fingerprint | The fingerprint of the PGP key used to encrypt the password |
+| this_iam_user_name | The user's name |
+| this_iam_user_unique_id | The unique ID assigned by AWS |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/iam-account/README.md

@@ -20,3 +20,33 @@ module.iam_account.aws_iam_account_alias.this: Refreshing state... (ID: this)
 
 Import successful!
 ``` 
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| account_alias | AWS IAM account alias for this account | string | - | yes |
+| allow_users_to_change_password | Whether to allow users to change their own password | string | `true` | no |
+| create_account_password_policy | Whether to create AWS IAM account password policy | string | `true` | no |
+| get_caller_identity | Whether to get AWS account ID, User ID, and ARN in which Terraform is authorized | string | `true` | no |
+| hard_expiry | Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset) | string | `false` | no |
+| max_password_age | The number of days that an user password is valid. | string | `0` | no |
+| minimum_password_length | Minimum length to require for user passwords | string | `8` | no |
+| password_reuse_prevention | The number of previous passwords that users are prevented from reusing | string | `true` | no |
+| require_lowercase_characters | Whether to require lowercase characters for user passwords | string | `true` | no |
+| require_numbers | Whether to require numbers for user passwords | string | `true` | no |
+| require_symbols | Whether to require symbols for user passwords | string | `true` | no |
+| require_uppercase_characters | Whether to require uppercase characters for user passwords | string | `true` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| this_caller_identity_account_id | The AWS Account ID number of the account that owns or contains the calling entity |
+| this_caller_identity_arn | The AWS ARN associated with the calling entity |
+| this_caller_identity_user_id | The unique identifier of the calling entity |
+| this_iam_account_password_policy_expire_passwords | Indicates whether passwords in the account expire. Returns true if max_password_age contains a value greater than 0. Returns false if it is 0 or not present. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/iam-assumable-roles/README.md

@@ -3,3 +3,46 @@
 Creates predefined IAM roles (admin, poweruser and readonly) which can be assumed by trusted resources.
 
 Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns) - typically, AWS accounts and users.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| admin_role_name | IAM role with admin access | string | `admin` | no |
+| admin_role_path | Path of admin IAM role | string | `/` | no |
+| admin_role_policy_arn | Policy ARN to use for admin role | string | `arn:aws:iam::aws:policy/AdministratorAccess` | no |
+| admin_role_requires_mfa | Whether admin role requires MFA | string | `true` | no |
+| create_admin_role | Whether to create admin role | string | `false` | no |
+| create_poweruser_role | Whether to create poweruser role | string | `false` | no |
+| create_readonly_role | Whether to create poweruser role | string | `false` | no |
+| mfa_age | Max age of valid MFA (in seconds) for roles which require MFA | string | `86400` | no |
+| poweruser_role_name | IAM role with poweruser access | string | `poweruser` | no |
+| poweruser_role_path | Path of poweruser IAM role | string | `/` | no |
+| poweruser_role_policy_arn | Policy ARN to use for admin role | string | `arn:aws:iam::aws:policy/PowerUserAccess` | no |
+| poweruser_role_requires_mfa | Whether poweruser role requires MFA | string | `true` | no |
+| readonly_role_name | IAM role with readonly access | string | `readonly` | no |
+| readonly_role_path | Path of poweruser IAM role | string | `/` | no |
+| readonly_role_policy_arn | Policy ARN to use for admin role | string | `arn:aws:iam::aws:policy/ReadOnlyAccess` | no |
+| readonly_role_requires_mfa | Whether readonly role requires MFA | string | `true` | no |
+| trusted_role_arns | ARNs of AWS entities who can assume these roles | string | `<list>` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| admin_iam_role_arn | Admin |
+| admin_iam_role_name | Name of admin IAM role |
+| admin_iam_role_path | Path of admin IAM role |
+| admin_iam_role_requires_mfa | Whether admin IAM role requires MFA |
+| poweruser_iam_role_arn | Poweruser |
+| poweruser_iam_role_name | Name of poweruser IAM role |
+| poweruser_iam_role_path | Path of poweruser IAM role |
+| poweruser_iam_role_requires_mfa | Whether poweruser IAM role requires MFA |
+| readonly_iam_role_arn | Readonly |
+| readonly_iam_role_name | Name of readonly IAM role |
+| readonly_iam_role_path | Path of readonly IAM role |
+| readonly_iam_role_requires_mfa | Whether readonly IAM role requires MFA |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/iam-user/README.md

@@ -17,3 +17,41 @@ This module outputs commands and PGP messages which can be decrypted either usin
 - `keybase_secret_key_decrypt_command`
 - `keybase_password_pgp_message`
 - `keybase_secret_key_pgp_message`
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| create_iam_access_key | Whether to create IAM access key | string | `true` | no |
+| create_iam_user_login_profile | Whether to create IAM user login profile | string | `true` | no |
+| create_user | Whether to create the IAM user | string | `true` | no |
+| force_destroy | When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile or MFA devices. Without force_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed. | string | `false` | no |
+| name | Desired name for the IAM user | string | - | yes |
+| password_length | The length of the generated password | string | `20` | no |
+| password_reset_required | Whether the user should be forced to reset the generated password on first login. | string | `true` | no |
+| path | Desired path for the IAM user | string | `/` | no |
+| pgp_key | Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Used to encrypt password and access key. | string | `` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| keybase_password_decrypt_command |  |
+| keybase_password_pgp_message |  |
+| keybase_secret_key_decrypt_command |  |
+| keybase_secret_key_pgp_message |  |
+| pgp_key | PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted) |
+| this_iam_access_key_encrypted_secret | The encrypted secret, base64 encoded |
+| this_iam_access_key_id | The access key ID |
+| this_iam_access_key_key_fingerprint | The fingerprint of the PGP key used to encrypt the secret |
+| this_iam_access_key_ses_smtp_password | The secret access key converted into an SES SMTP password |
+| this_iam_access_key_status | Active or Inactive. Keys are initially active, but can be made inactive by other means. |
+| this_iam_user_arn | The ARN assigned by AWS for this user |
+| this_iam_user_login_profile_encrypted_password | The encrypted password, base64 encoded |
+| this_iam_user_login_profile_key_fingerprint | The fingerprint of the PGP key used to encrypt the password |
+| this_iam_user_name | The user's name |
+| this_iam_user_unique_id | The unique ID assigned by AWS |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->