Commit e1e3001

Fix the replacement trigger for the connector deployment (#104)
Several updates in this PR:
- I was testing the `global_managed_policies` parameter and thus I added an "advanced" example to the `elastio-connector` module deployment
- Also fixed the `triggers_replace` for the connector module to trigger the regional deployment if the account-level CFN stack changed
1 parent 61ee4f7 commit e1e3001

7 files changed

+102
-3
lines changed
connector/terraform/README.md

Lines changed: 1 addition & 1 deletion
@@ -115,7 +115,7 @@ No resources.
115115
| <a name="input_elastio_pat"></a> [elastio_pat](#input_elastio_pat) | Personal Access Token generated by the Elastio Portal | `string` | n/a | yes |
116116
| <a name="input_elastio_tenant"></a> [elastio_tenant](#input_elastio_tenant) | Name of your Elastio tenant. For example `mycompany.app.elastio.com` | `string` | n/a | yes |
117117
| <a name="input_encrypt_with_cmk"></a> [encrypt_with_cmk](#input_encrypt_with_cmk) | Provision additional customer-managed KMS keys to encrypt<br/> Lambda environment variables, DynamoDB tables, S3. Note that<br/> by default data is encrypted with AWS-managed keys.<br/><br/> Enable this option only if your compliance requirements mandate the usage of CMKs.<br/><br/> If this option is disabled Elastio creates only 1 CMK per region where<br/> the Elastio Connector stack is deployed. If this option is enabled then<br/> Elastio creates 1 KMS key per AWS account and 2 KMS keys per every AWS<br/> region where Elastio is deployed in your AWS account.<br/><br/> If you have `elastio_nat_provision_stack` enabled as well, then 1 more KMS key<br/> will be created as part of that stack as well (for a total of 3 KMS keys per region). | `bool` | `null` | no |
118-
| <a name="input_global_managed_policies"></a> [global_managed_policies](#input_global_managed_policies) | List of IAM managed policies ARNs to attach to all Elastio IAM roles | `list(string)` | `null` | no |
118+
| <a name="input_global_managed_policies"></a> [global_managed_policies](#input_global_managed_policies) | List of IAM managed policies ARNs to attach to all Elastio IAM roles | `set(string)` | `null` | no |
119119
| <a name="input_global_permission_boundary"></a> [global_permission_boundary](#input_global_permission_boundary) | The ARN of the IAM managed policy to use as a permission boundary for all Elastio IAM roles | `string` | `null` | no |
120120
| <a name="input_iam_resource_names_prefix"></a> [iam_resource_names_prefix](#input_iam_resource_names_prefix) | Add a custom prefix to names of all IAM resources deployed by this stack.<br/> The sum of the length of the prefix and suffix must not exceed 14 characters. | `string` | `null` | no |
121121
| <a name="input_iam_resource_names_static"></a> [iam_resource_names_static](#input_iam_resource_names_static) | If enabled, the stack will use static resource names without random characters in them.<br/><br/> This parameter is set to `true` by default, and it shouldn't be changed. The older<br/> versions of Elastio stack used random names generated by Cloudformation for IAM<br/> resources, which is inconvenient to work with. New deployments that use the terraform<br/> automation should have this set to `true` for easier management of IAM resources. | `bool` | `true` | no |
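Review bot: The `list(string)` to `set(string)` change on the `global_managed_policies` row is a consumer-visible interface change that the row does not explain. Terraform converts a list passed by a caller into a set automatically, so existing callers keep working, but duplicates collapse and ordering is no longer preserved. Say so in the description, or in the release notes for this module, so consumers do not have to infer it from the type column.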

connector/terraform/examples/advanced/.terraform.lock.hcl

Lines changed: 45 additions & 0 deletions
Some generated files are not rendered by default.
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
module "elastio_connectors" {
2+
source = "../../"
3+
4+
elastio_tenant = var.elastio_tenant
5+
elastio_pat = var.elastio_pat
6+
7+
elastio_cloud_connectors = [
8+
{
9+
region = "us-east-1"
10+
},
11+
{
12+
region = "us-east-2",
13+
}
14+
]
15+
16+
global_managed_policies = var.global_managed_policies
17+
}
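Review bot: Style point on line 12: `region = "us-east-2",` carries a trailing comma while the `us-east-1` entry on line 9 does not. Both parse, but drop the comma so the two objects are formatted the same way. Since this example exists to exercise `global_managed_policies`, a comment above line 16 describing the value it expects would also help readers who copy it.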
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
variable "elastio_pat" {
2+
description = "Personal Access Token generated by the Elastio Portal"
3+
sensitive = true
4+
type = string
5+
nullable = false
6+
}
7+
8+
variable "elastio_tenant" {
9+
description = "Name of your Elastio tenant. For example `mycompany.app.elastio.com`"
10+
type = string
11+
nullable = false
12+
}
13+
14+
variable "global_managed_policies" {
15+
description = "List of IAM managed policies ARNs to attach to all Elastio IAM roles"
16+
type = set(string)
17+
default = null
18+
}
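Review bot: The description on line 15 still says "List of IAM managed policies ARNs" while line 16 declares `type = set(string)`. Reword it to match the type (for example "Set of IAM managed policy ARNs ..."), and keep the wording in sync with the root module's variable so the two do not drift.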
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
terraform {
2+
required_version = "~> 1.0"
3+
}
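Review bot: `required_version = "~> 1.0"` on line 2 admits Terraform 1.0 through 1.3, but the module this example calls uses the `terraform_data` resource (see `modules/region/main.tf` in this commit), which is only available from Terraform 1.4. Tighten the constraint to `>= 1.4` (or `~> 1.4`) so an older CLI fails at the version check with a clear message rather than on an unknown resource type.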

connector/terraform/modules/region/main.tf

Lines changed: 1 addition & 1 deletion
@@ -18,7 +18,7 @@ resource "terraform_data" "elastio_cloud_connector" {
1818
input = local.connector_config
1919
triggers_replace = {
2020
connector = local.connector_config,
21-
account_stack = var.connector_account_stack.name,
21+
account_stack = var.connector_account_stack,
2222
}
2323

2424
provisioner "local-exec" {
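Review bot: Passing the whole `var.connector_account_stack` object as the `account_stack` trigger on line 21 means any attribute difference on that object replaces the `terraform_data` resource and re-runs the `local-exec` provisioner, not only the changes that matter to the regional deployment. Confirm the object has no attributes that change on every apply or that are unknown until apply, and consider listing only the fields that should force a redeploy, if the object exposes them separately. A short comment above `triggers_replace` explaining why the full object is used would help the next reader.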

connector/terraform/variables.tf

Lines changed: 17 additions & 1 deletion
@@ -122,14 +122,30 @@ variable "lambda_tracing" {
122122

123123
variable "global_managed_policies" {
124124
description = "List of IAM managed policies ARNs to attach to all Elastio IAM roles"
125-
type = list(string)
125+
type = set(string)
126126
default = null
127+
128+
validation {
129+
condition = alltrue([
130+
for policy in coalesce(var.global_managed_policies, []) :
131+
can(regex("^arn:[^:]*:iam::[0-9]+:policy/.+$", policy))
132+
])
133+
error_message = "global_managed_policies must be a list of ARNs"
134+
}
127135
}
128136

129137
variable "global_permission_boundary" {
130138
description = "The ARN of the IAM managed policy to use as a permission boundary for all Elastio IAM roles"
131139
type = string
132140
default = null
141+
142+
validation {
143+
condition = (
144+
var.global_permission_boundary == null ||
145+
can(regex("^arn:[^:]*:iam::[0-9]+:policy/.+$", var.global_permission_boundary))
146+
)
147+
error_message = "global_permission_boundary must be an ARN"
148+
}
133149
}
134150

135151
variable "iam_resource_names_prefix" {
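Review bot: The pattern `^arn:[^:]*:iam::[0-9]+:policy/.+$` on lines 131 and 145 requires a numeric account ID, so AWS-managed policies, whose ARNs have the form `arn:aws:iam::aws:policy/<name>`, are rejected for both `global_managed_policies` and `global_permission_boundary`. If AWS-managed policies are meant to be accepted, allow `aws` in the account field, e.g. `(aws|[0-9]{12})`. The `[^:]*` partition segment also accepts an empty string (`arn::iam::...`); `[^:]+` would be tighter. The `error_message` on line 133 says "a list of ARNs" although the type is now `set(string)`, and both messages would be more useful if they named the expected shape (an IAM managed policy ARN).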
