terraform-redhat · vamsinm · Apr 25, 2023 · Apr 27, 2023 · Apr 27, 2023 · Apr 27, 2023
diff --git a/README.md b/README.md
@@ -36,7 +36,7 @@ This terraform module tries to replicate rosa CLI roles creation so that:
 |ocm_environment| string      |  the OCM environments. The value should be one of those: production, staging, integration, local                                                                                                                                                  | "production"       |
 |account_role_policies| object      | account role policies details for account roles creation                                       | [an example can be found below](https://github.com/terraform-redhat/terraform-aws-rosa-sts/tree/use_data_source_for_account_policies/account_roles_creation#account_role_policies-object)  |
 |operator_role_policies| object      | operator role policies details for operator role policies creation                             | [an example can be found below](https://github.com/terraform-redhat/terraform-aws-rosa-sts/tree/use_data_source_for_account_policies/account_roles_creation#operator_role_policies-object) |
-
+|tags | map of strings |List of aws resource tags to apply | [an example can be found in examples folder](https://github.com/StateFarmIns/terraform-aws-rosa-sts/blob/main/examples/operator_roles_and_oidc/variables.tf#L32-41)
 
 ## Get OCM Information for operator roles and OIDC provider
 

diff --git a/account_roles_creation/account_role/account_role_resource.tf b/account_roles_creation/account_role/account_role_resource.tf
@@ -14,22 +14,22 @@ resource "aws_iam_role" "account_role" {
     ]
   })
 
-  tags = {
+  tags = merge(var.tags, {
     rosa_openshift_version = var.rosa_openshift_version
-    rosa_role_prefix = "${var.account_role_prefix}"
-    rosa_role_type = "${var.account_role_properties.role_type}"
-  }
+    rosa_role_prefix       = "${var.account_role_prefix}"
+    rosa_role_type         = "${var.account_role_properties.role_type}"
+  })
 }
 
 # policy
 resource "aws_iam_policy" "account_role_policy" {
-  name        = "${var.account_role_prefix}-${var.account_role_properties.role_name}-Role-Policy"
+  name   = "${var.account_role_prefix}-${var.account_role_properties.role_name}-Role-Policy"
   policy = var.account_role_properties.policy_details
-  tags = {
+  tags = merge(var.tags, {
     rosa_openshift_version = var.rosa_openshift_version
-    rosa_role_prefix = "${var.account_role_prefix}"
-    rosa_role_type = "${var.account_role_properties.role_type}"
-  }
+    rosa_role_prefix       = "${var.account_role_prefix}"
+    rosa_role_type         = "${var.account_role_properties.role_type}"
+  })
 }
 
 

diff --git a/account_roles_creation/account_role/instance_account_role_resource.tf b/account_roles_creation/account_role/instance_account_role_resource.tf
@@ -15,22 +15,22 @@ resource "aws_iam_role" "instance_account_role" {
     ]
   })
 
-  tags = {
+  tags = merge(var.tags, {
     rosa_openshift_version = var.rosa_openshift_version
-    rosa_role_prefix = "${var.account_role_prefix}"
-    rosa_role_type = "instance_${var.instance_account_role_properties.role_type}"
-  }
+    rosa_role_prefix       = "${var.account_role_prefix}"
+    rosa_role_type         = "instance_${var.instance_account_role_properties.role_type}"
+  })
 }
 
 # policy
 resource "aws_iam_policy" "instance_account_role_policy" {
-  name        = "${var.account_role_prefix}-${var.instance_account_role_properties.role_name}-Role-Policy"
+  name   = "${var.account_role_prefix}-${var.instance_account_role_properties.role_name}-Role-Policy"
   policy = var.instance_account_role_properties.policy_details
-  tags = {
+  tags = merge(var.tags, {
     rosa_openshift_version = var.rosa_openshift_version
-    rosa_role_prefix = "${var.account_role_prefix}"
-    rosa_role_type = "instance_${var.instance_account_role_properties.role_type}"
-  }
+    rosa_role_prefix       = "${var.account_role_prefix}"
+    rosa_role_type         = "instance_${var.instance_account_role_properties.role_type}"
+  })
 }
 
 

diff --git a/account_roles_creation/account_role/variables.tf b/account_roles_creation/account_role/variables.tf
@@ -1,30 +1,36 @@
-variable account_role_prefix {
-    type = string
+variable "account_role_prefix" {
+  type = string
 }
 
-variable account_role_properties {
-    description = "Account IAM role properties"
-    type = object({
-            role_name = string
-            role_type = string
-            principal = string
-            policy_details = string
-        })
+variable "account_role_properties" {
+  description = "Account IAM role properties"
+  type = object({
+    role_name      = string
+    role_type      = string
+    principal      = string
+    policy_details = string
+  })
 }
 
-variable instance_account_role_properties {
-    description = "Account IAM role properties"
-    type = object({
-            role_name = string
-            role_type = string
-            policy_details = string
-        })
+variable "instance_account_role_properties" {
+  description = "Account IAM role properties"
+  type = object({
+    role_name      = string
+    role_type      = string
+    policy_details = string
+  })
 }
 
-variable rosa_openshift_version {
-    type = string
-    default = "4.12"
+variable "rosa_openshift_version" {
+  type    = string
+  default = "4.12"
+}
+variable "account_id" {
+  type = string
+}
+
+variable "tags" {
+  description = "List of aws resource tags to apply."
+  type        = map(string)
+  default     = null
 }
-variable account_id {
-    type = string
-}
diff --git a/account_roles_creation/main.tf b/account_roles_creation/main.tf
@@ -7,96 +7,98 @@ terraform {
   }
 }
 
-module rosa_account_roles {
-    source = "./account_role"
-    count = 2
+module "rosa_account_roles" {
+  source = "./account_role"
+  count  = 2
 
-    account_role_prefix = var.account_role_prefix
-    rosa_openshift_version = var.rosa_openshift_version
-    account_role_properties = local.account_roles_properties[count.index]
-    instance_account_role_properties = local.instance_account_roles_properties[count.index]
-    account_id = lookup({"production"="710019948333", "staging"="644306948063", "integration"="896164604406", "local"="765374464689"}, var.ocm_environment, "710019948333")
+  account_role_prefix              = var.account_role_prefix
+  rosa_openshift_version           = var.rosa_openshift_version
+  account_role_properties          = local.account_roles_properties[count.index]
+  instance_account_role_properties = local.instance_account_roles_properties[count.index]
+  account_id                       = lookup({ "production" = "710019948333", "staging" = "644306948063", "integration" = "896164604406", "local" = "765374464689" }, var.ocm_environment, "710019948333")
+  tags                             = var.tags
 }
 
-module rosa_operator_role_policies {
-    source = "./operator_role_policy"
-    count = 6
+module "rosa_operator_role_policies" {
+  source = "./operator_role_policy"
+  count  = 6
 
-    account_role_prefix = var.account_role_prefix
-    rosa_openshift_version = var.rosa_openshift_version
-    operator_role_policy_properties = local.operator_roles_policy_properties[count.index]
+  account_role_prefix             = var.account_role_prefix
+  rosa_openshift_version          = var.rosa_openshift_version
+  operator_role_policy_properties = local.operator_roles_policy_properties[count.index]
+  tags                            = var.tags
 }
 
 locals {
-    account_roles_properties = [{
-        # installer
-        role_name = "Installer"
-        role_type = "installer"
-        principal = "RH-Managed-OpenShift-Installer"
-        policy_details = var.account_role_policies["sts_installer_permission_policy"]
+  account_roles_properties = [{
+    # installer
+    role_name      = "Installer"
+    role_type      = "installer"
+    principal      = "RH-Managed-OpenShift-Installer"
+    policy_details = var.account_role_policies["sts_installer_permission_policy"]
     },
     {
-       # support
-       role_name = "Support"
-       role_type = "support"
-       principal = "RH-Technical-Support-Access"
+      # support
+      role_name      = "Support"
+      role_type      = "support"
+      principal      = "RH-Technical-Support-Access"
       policy_details = var.account_role_policies["sts_support_permission_policy"]
-    }]
+  }]
 
-    instance_account_roles_properties = [{
-       # worker
-       role_name = "Worker"
-       role_type = "worker"
-       policy_details = var.account_role_policies["sts_instance_worker_permission_policy"]
+  instance_account_roles_properties = [{
+    # worker
+    role_name      = "Worker"
+    role_type      = "worker"
+    policy_details = var.account_role_policies["sts_instance_worker_permission_policy"]
     },
     {
-       # control plan
-       role_name = "ControlPlane"
-       role_type = "controlplane"
-       policy_details = var.account_role_policies["sts_instance_controlplane_permission_policy"]
-    }]
+      # control plan
+      role_name      = "ControlPlane"
+      role_type      = "controlplane"
+      policy_details = var.account_role_policies["sts_instance_controlplane_permission_policy"]
+  }]
 
-    # TODO: if there is a new policy for a new OCP versions, need to add it here also
-    operator_roles_policy_properties = [{
-        # openshift-machine-api
-        policy_name = substr("${var.account_role_prefix}-openshift-cloud-network-config-controller-cloud-credentials", 0, 64)
-        policy_details = var.operator_role_policies["openshift_cloud_network_config_controller_cloud_credentials_policy"]
-        namespace = "openshift-cloud-network-config-controller"
-        operator_name = "cloud-credentials"
+  # TODO: if there is a new policy for a new OCP versions, need to add it here also
+  operator_roles_policy_properties = [{
+    # openshift-machine-api
+    policy_name    = substr("${var.account_role_prefix}-openshift-cloud-network-config-controller-cloud-credentials", 0, 64)
+    policy_details = var.operator_role_policies["openshift_cloud_network_config_controller_cloud_credentials_policy"]
+    namespace      = "openshift-cloud-network-config-controller"
+    operator_name  = "cloud-credentials"
     },
     {
-        # openshift-cloud-credential-operator
-        policy_name = substr("${var.account_role_prefix}-openshift-machine-api-aws-cloud-credentials", 0, 64)
-        policy_details = var.operator_role_policies["openshift_machine_api_aws_cloud_credentials_policy"]
-        namespace = "openshift-machine-api"
-        operator_name = "aws-cloud-credentials"
+      # openshift-cloud-credential-operator
+      policy_name    = substr("${var.account_role_prefix}-openshift-machine-api-aws-cloud-credentials", 0, 64)
+      policy_details = var.operator_role_policies["openshift_machine_api_aws_cloud_credentials_policy"]
+      namespace      = "openshift-machine-api"
+      operator_name  = "aws-cloud-credentials"
     },
     {
-        # openshift-cloud-network-config-controller
-        policy_name = substr("${var.account_role_prefix}-openshift-cloud-credential-operator-cloud-credential-operator-iam-ro-creds", 0, 64)
-        policy_details = var.operator_role_policies["openshift_cloud_credential_operator_cloud_credential_operator_iam_ro_creds_policy"]
-        namespace = "openshift-cloud-credential-operator"
-        operator_name = "cloud-credential-operator-iam-ro-creds"
+      # openshift-cloud-network-config-controller
+      policy_name    = substr("${var.account_role_prefix}-openshift-cloud-credential-operator-cloud-credential-operator-iam-ro-creds", 0, 64)
+      policy_details = var.operator_role_policies["openshift_cloud_credential_operator_cloud_credential_operator_iam_ro_creds_policy"]
+      namespace      = "openshift-cloud-credential-operator"
+      operator_name  = "cloud-credential-operator-iam-ro-creds"
     },
     {
-        # openshift-image-registry
-        policy_name = substr("${var.account_role_prefix}-openshift-image-registry-installer-cloud-credentials", 0, 64)
-        policy_details = var.operator_role_policies["openshift_image_registry_installer_cloud_credentials_policy"]
-        namespace = "openshift-image-registry"
-        operator_name = "installer-cloud-credentials"
+      # openshift-image-registry
+      policy_name    = substr("${var.account_role_prefix}-openshift-image-registry-installer-cloud-credentials", 0, 64)
+      policy_details = var.operator_role_policies["openshift_image_registry_installer_cloud_credentials_policy"]
+      namespace      = "openshift-image-registry"
+      operator_name  = "installer-cloud-credentials"
     },
     {
-        # openshift-ingress-operator
-        policy_name = substr("${var.account_role_prefix}-openshift-ingress-operator-cloud-credentials", 0, 64)
-        policy_details = var.operator_role_policies["openshift_ingress_operator_cloud_credentials_policy"]
-        namespace = "openshift-ingress-operator"
-        operator_name = "cloud-credentials"
+      # openshift-ingress-operator
+      policy_name    = substr("${var.account_role_prefix}-openshift-ingress-operator-cloud-credentials", 0, 64)
+      policy_details = var.operator_role_policies["openshift_ingress_operator_cloud_credentials_policy"]
+      namespace      = "openshift-ingress-operator"
+      operator_name  = "cloud-credentials"
     },
     {
-        # openshift-cluster-csi-drivers
-        policy_name = substr("${var.account_role_prefix}-openshift-cluster-csi-drivers-ebs-cloud-credentials", 0, 64)
-        policy_details = var.operator_role_policies["openshift_cluster_csi_drivers_ebs_cloud_credentials_policy"]
-        namespace = "openshift-cluster-csi-drivers"
-        operator_name = "ebs-cloud-credentials"
-    }]
+      # openshift-cluster-csi-drivers
+      policy_name    = substr("${var.account_role_prefix}-openshift-cluster-csi-drivers-ebs-cloud-credentials", 0, 64)
+      policy_details = var.operator_role_policies["openshift_cluster_csi_drivers_ebs_cloud_credentials_policy"]
+      namespace      = "openshift-cluster-csi-drivers"
+      operator_name  = "ebs-cloud-credentials"
+  }]
 }
diff --git a/account_roles_creation/operator_role_policy/operator_policy.tf b/account_roles_creation/operator_role_policy/operator_policy.tf
@@ -1,11 +1,11 @@
 resource "aws_iam_policy" "operator-policy" {
-  name        = "${var.operator_role_policy_properties.policy_name}"
+  name   = var.operator_role_policy_properties.policy_name
   policy = var.operator_role_policy_properties.policy_details
 
-  tags = {
-    rosa_openshift_version="${var.rosa_openshift_version}"
-    rosa_role_prefix="${var.account_role_prefix}"
-    operator_namespace="${var.operator_role_policy_properties.namespace}"
-    operator_name="${var.operator_role_policy_properties.operator_name}"
-  }
+  tags = merge(var.tags, {
+    rosa_openshift_version = "${var.rosa_openshift_version}"
+    rosa_role_prefix       = "${var.account_role_prefix}"
+    operator_namespace     = "${var.operator_role_policy_properties.namespace}"
+    operator_name          = "${var.operator_role_policy_properties.operator_name}"
+  })
 }
diff --git a/account_roles_creation/operator_role_policy/variables.tf b/account_roles_creation/operator_role_policy/variables.tf
@@ -1,18 +1,24 @@
-variable account_role_prefix {
-    type = string
+variable "account_role_prefix" {
+  type = string
 }
 
-variable operator_role_policy_properties {
-    description = "Account IAM role properties"
-    type = object({
-            policy_name = string
-            policy_details = string
-            namespace = string
-            operator_name = string
-        })
+variable "operator_role_policy_properties" {
+  description = "Account IAM role properties"
+  type = object({
+    policy_name    = string
+    policy_details = string
+    namespace      = string
+    operator_name  = string
+  })
 }
 
-variable rosa_openshift_version {
-    type = string
-    default = "4.12"
+variable "rosa_openshift_version" {
+  type    = string
+  default = "4.12"
+}
+
+variable "tags" {
+  description = "List of aws resource tags to apply."
+  type        = map(string)
+  default     = null
 }