Commit fc566358 authored by Tim Gatzemeier's avatar Tim Gatzemeier Committed by GitHub

feat: Allow to set force_detach_policies on roles (#68)

parent d9ed328d
repos:
- repo: git://github.com/antonbabenko/pre-commit-terraform
rev: v1.27.0
rev: v1.31.0
hooks:
- id: terraform_fmt
- id: terraform_docs
- repo: git://github.com/pre-commit/pre-commit-hooks
rev: v2.5.0
rev: v3.1.0
hooks:
- id: check-merge-conflict
......@@ -26,6 +26,7 @@ This module supports IAM Roles for kubernetes service accounts as described in t
|------|-------------|------|---------|:--------:|
| aws\_account\_id | The AWS account ID where the OIDC provider lives, leave empty to use the account fo the AWS provider | `string` | `""` | no |
| create\_role | Whether to create a role | `bool` | `false` | no |
| force\_detach\_policies | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
| max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
| oidc\_fully\_qualified\_subjects | The fully qualified OIDC subjects to be added to the role policy | `list(string)` | `[]` | no |
| oidc\_subjects\_with\_wildcards | The OIDC subject using wildcards to be added to the role policy | `list(string)` | `[]` | no |
......
......@@ -47,7 +47,8 @@ resource "aws_iam_role" "this" {
path = var.role_path
max_session_duration = var.max_session_duration
permissions_boundary = var.role_permissions_boundary_arn
force_detach_policies = var.force_detach_policies
permissions_boundary = var.role_permissions_boundary_arn
assume_role_policy = join("", data.aws_iam_policy_document.assume_role_with_oidc.*.json)
......
......@@ -63,3 +63,9 @@ variable "oidc_subjects_with_wildcards" {
default = []
}
variable "force_detach_policies" {
description = "Whether policies should be detached from this role when destroying"
type = bool
default = false
}
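Review bot: The description on the new `force_detach_policies` variable does not say when the flag acts or how far it reaches, which is what an operator needs before turning it on. As far as I know the provider consults it only at destroy time, and with `true` it detaches every managed policy currently attached to the role — including attachments made outside this module — so a destroy no longer stops on those attachments. I would make that explicit, e.g. `description = "Whether to force-detach all attached managed policies from the role before destroying it; only takes effect on destroy, and true also removes policy attachments made outside this module"`. The same description is added in the variables hunks of the other three modules (`@@ -113,6 +113,12 @@`, `@@ -130,3 +130,9 @@` and `@@ -151,3 +151,9 @@`), so it should be updated in all four places.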
......@@ -29,6 +29,7 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
| create\_instance\_profile | Whether to create an instance profile | `bool` | `false` | no |
| create\_role | Whether to create a role | `bool` | `false` | no |
| custom\_role\_policy\_arns | List of ARNs of IAM policies to attach to IAM role | `list(string)` | `[]` | no |
| force\_detach\_policies | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
| max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
| mfa\_age | Max age of valid MFA (in seconds) for roles which require MFA | `number` | `86400` | no |
| poweruser\_role\_policy\_arn | Policy ARN to use for poweruser role | `string` | `"arn:aws:iam::aws:policy/PowerUserAccess"` | no |
......
......@@ -54,7 +54,8 @@ resource "aws_iam_role" "this" {
max_session_duration = var.max_session_duration
description = var.role_description
permissions_boundary = var.role_permissions_boundary_arn
force_detach_policies = var.force_detach_policies
permissions_boundary = var.role_permissions_boundary_arn
assume_role_policy = var.role_requires_mfa ? data.aws_iam_policy_document.assume_role_with_mfa.json : data.aws_iam_policy_document.assume_role.json
......
......@@ -113,6 +113,12 @@ variable "attach_readonly_policy" {
default = false
}
variable "force_detach_policies" {
description = "Whether policies should be detached from this role when destroying"
type = bool
default = false
}
variable "role_description" {
description = "IAM Role description"
type = string
......
......@@ -33,6 +33,7 @@ Creates predefined IAM roles (admin, poweruser and readonly) which can be assume
| create\_admin\_role | Whether to create admin role | `bool` | `false` | no |
| create\_poweruser\_role | Whether to create poweruser role | `bool` | `false` | no |
| create\_readonly\_role | Whether to create readonly role | `bool` | `false` | no |
| force\_detach\_policies | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
| max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
| poweruser\_role\_name | IAM role with poweruser access | `string` | `"poweruser"` | no |
| poweruser\_role\_path | Path of poweruser IAM role | `string` | `"/"` | no |
......
......@@ -25,7 +25,8 @@ resource "aws_iam_role" "admin" {
path = var.admin_role_path
max_session_duration = var.max_session_duration
permissions_boundary = var.admin_role_permissions_boundary_arn
force_detach_policies = var.force_detach_policies
permissions_boundary = var.admin_role_permissions_boundary_arn
assume_role_policy = data.aws_iam_policy_document.assume_role_with_saml.json
......@@ -47,7 +48,8 @@ resource "aws_iam_role" "poweruser" {
path = var.poweruser_role_path
max_session_duration = var.max_session_duration
permissions_boundary = var.poweruser_role_permissions_boundary_arn
force_detach_policies = var.force_detach_policies
permissions_boundary = var.poweruser_role_permissions_boundary_arn
assume_role_policy = data.aws_iam_policy_document.assume_role_with_saml.json
......@@ -69,7 +71,8 @@ resource "aws_iam_role" "readonly" {
path = var.readonly_role_path
max_session_duration = var.max_session_duration
permissions_boundary = var.readonly_role_permissions_boundary_arn
force_detach_policies = var.force_detach_policies
permissions_boundary = var.readonly_role_permissions_boundary_arn
assume_role_policy = data.aws_iam_policy_document.assume_role_with_saml.json
......
......@@ -130,3 +130,9 @@ variable "max_session_duration" {
type = number
default = 3600
}
variable "force_detach_policies" {
description = "Whether policies should be detached from this role when destroying"
type = bool
default = false
}
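Review bot: This module keeps admin, poweruser and readonly settings in separate variables (`admin_role_path`, `poweruser_role_permissions_boundary_arn`, `readonly_role_permissions_boundary_arn`), but the new `force_detach_policies` is a single variable wired into all three `aws_iam_role` resources in the hunks above, and its description still says "this role". At minimum the description should reflect the scope, e.g. `description = "Whether policies should be detached from the admin, poweruser and readonly roles when destroying"`; following the module's per-role convention would instead mean `admin_force_detach_policies`, `poweruser_force_detach_policies` and `readonly_force_detach_policies`, which is a wider interface change and may be better as a follow-up. The same applies to the MFA roles module's variable hunk (`@@ -151,3 +151,9 @@`) and its three role hunks.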
......@@ -31,6 +31,7 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
| create\_admin\_role | Whether to create admin role | `bool` | `false` | no |
| create\_poweruser\_role | Whether to create poweruser role | `bool` | `false` | no |
| create\_readonly\_role | Whether to create readonly role | `bool` | `false` | no |
| force\_detach\_policies | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
| max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
| mfa\_age | Max age of valid MFA (in seconds) for roles which require MFA | `number` | `86400` | no |
| poweruser\_role\_name | IAM role with poweruser access | `string` | `"poweruser"` | no |
......
......@@ -54,7 +54,8 @@ resource "aws_iam_role" "admin" {
path = var.admin_role_path
max_session_duration = var.max_session_duration
permissions_boundary = var.admin_role_permissions_boundary_arn
force_detach_policies = var.force_detach_policies
permissions_boundary = var.admin_role_permissions_boundary_arn
assume_role_policy = var.admin_role_requires_mfa ? data.aws_iam_policy_document.assume_role_with_mfa.json : data.aws_iam_policy_document.assume_role.json
......@@ -76,7 +77,8 @@ resource "aws_iam_role" "poweruser" {
path = var.poweruser_role_path
max_session_duration = var.max_session_duration
permissions_boundary = var.poweruser_role_permissions_boundary_arn
force_detach_policies = var.force_detach_policies
permissions_boundary = var.poweruser_role_permissions_boundary_arn
assume_role_policy = var.poweruser_role_requires_mfa ? data.aws_iam_policy_document.assume_role_with_mfa.json : data.aws_iam_policy_document.assume_role.json
......@@ -98,7 +100,8 @@ resource "aws_iam_role" "readonly" {
path = var.readonly_role_path
max_session_duration = var.max_session_duration
permissions_boundary = var.readonly_role_permissions_boundary_arn
force_detach_policies = var.force_detach_policies
permissions_boundary = var.readonly_role_permissions_boundary_arn
assume_role_policy = var.readonly_role_requires_mfa ? data.aws_iam_policy_document.assume_role_with_mfa.json : data.aws_iam_policy_document.assume_role.json
......
......@@ -151,3 +151,9 @@ variable "max_session_duration" {
default = 3600
}
variable "force_detach_policies" {
description = "Whether policies should be detached from this role when destroying"
type = bool
default = false
}