chore! Make all IAM variable names consistent (#81)

unfunco · web-flow · commit 2916e5c85072 · 2025-08-16T09:55:03.000+01:00
diff --git a/README.md b/README.md
@@ -81,34 +81,38 @@ applied, the JWT will contain an updated `iss` claim.
 
 ## Inputs
 
-| Name                            | Description                                                                  | Type           | Default           | Required |
-| ------------------------------- | ---------------------------------------------------------------------------- | -------------- | ----------------- | :------: |
-| additional_audiences            | Additional OIDC audiences allowed to assume the role.                        | `list(string)` | `null`            |    no    |
-| additional_thumbprints          | Additional thumbprints for the OIDC provider.                                | `list(string)` | `[]`              |    no    |
-| attach_read_only_policy         | Enable/disable the attachment of the ReadOnly policy.                        | `bool`         | `false`           |    no    |
-| create                          | Enable/disable the creation of all resources.                                | `bool`         | `true`            |    no    |
-| create_iam_role                 | Enable/disable creation of the IAM role.                                     | `bool`         | `true`            |    no    |
-| create_oidc_provider            | Enable/disable the creation of the GitHub OIDC provider.                     | `bool`         | `true`            |    no    |
-| dangerously_attach_admin_policy | Enable/disable the attachment of the AdministratorAccess policy.             | `bool`         | `false`           |    no    |
-| enterprise_slug                 | Enterprise slug for GitHub Enterprise Cloud customers.                       | `string`       | `""`              |    no    |
-| force_detach_policies           | Force detachment of policies attached to the IAM role.                       | `bool`         | `false`           |    no    |
-| github_repositories             | GitHub organization/repository names authorized to assume the role.          | `list(string)` | n/a               |   yes    |
-| iam_role_inline_policies        | Inline policies map with policy name as key and json as value.               | `map(string)`  | `{}`              |    no    |
-| iam_role_name                   | The name of the IAM role to be created and made assumable by GitHub Actions. | `string`       | `"GitHubActions"` |    no    |
-| iam_role_path                   | The path under which to create IAM role.                                     | `string`       | `"/"`             |    no    |
-| iam_role_permissions_boundary   | The ARN of the permissions boundary to be used by the IAM role.              | `string`       | `""`              |    no    |
-| iam_role_policy_arns            | IAM policy ARNs to attach to the IAM role.                                   | `list(string)` | `[]`              |    no    |
-| max_session_duration            | The maximum session duration in seconds.                                     | `number`       | `3600`            |    no    |
-| tags                            | Tags to be applied to all applicable resources.                              | `map(string)`  | `{}`              |    no    |
+| Name                            | Description                                                                  | Type           | Default                                  | Required |
+| ------------------------------- | ---------------------------------------------------------------------------- | -------------- | ---------------------------------------- | :------: |
+| additional_audiences            | Additional OIDC audiences allowed to assume the role.                        | `list(string)` | `null`                                   |    no    |
+| additional_thumbprints          | Additional thumbprints for the OIDC provider.                                | `list(string)` | `[]`                                     |    no    |
+| attach_read_only_policy         | Enable/disable the attachment of the ReadOnly policy.                        | `bool`         | `false`                                  |    no    |
+| create                          | Enable/disable the creation of all resources.                                | `bool`         | `true`                                   |    no    |
+| create_iam_role                 | Enable/disable creation of the IAM role.                                     | `bool`         | `true`                                   |    no    |
+| create_oidc_provider            | Enable/disable the creation of the GitHub OIDC provider.                     | `bool`         | `true`                                   |    no    |
+| dangerously_attach_admin_policy | Enable/disable the attachment of the AdministratorAccess policy.             | `bool`         | `false`                                  |    no    |
+| enterprise_slug                 | Enterprise slug for GitHub Enterprise Cloud customers.                       | `string`       | `""`                                     |    no    |
+| github_repositories             | GitHub organization/repository names authorized to assume the role.          | `list(string)` | n/a                                      |   yes    |
+| iam_role_description            | Description of the IAM role to be created.                                   | `string`       | `"Assumed by the GitHub OIDC provider."` |    no    |
+| iam_role_force_detach_policies  | Force detachment of policies attached to the IAM role.                       | `bool`         | `false`                                  |    no    |
+| iam_role_inline_policies        | Inline policies map with policy name as key and json as value.               | `map(string)`  | `{}`                                     |    no    |
+| iam_role_max_session_duration   | The maximum session duration in seconds.                                     | `number`       | `3600`                                   |    no    |
+| iam_role_name                   | The name of the IAM role to be created and made assumable by GitHub Actions. | `string`       | `"GitHubActions"`                        |    no    |
+| iam_role_path                   | The path under which to create IAM role.                                     | `string`       | `"/"`                                    |    no    |
+| iam_role_permissions_boundary   | The ARN of the permissions boundary to be used by the IAM role.              | `string`       | `""`                                     |    no    |
+| iam_role_policy_arns            | IAM policy ARNs to attach to the IAM role.                                   | `list(string)` | `[]`                                     |    no    |
+| iam_role_tags                   | Additional tags to be applied to the IAM role.                               | `map(string)`  | `{}`                                     |    no    |
+| oidc_provider_tags              | Tags to be applied to the OIDC provider.                                     | `map(string)`  | `{}`                                     |    no    |
+| tags                            | Tags to be applied to all applicable resources.                              | `map(string)`  | `{}`                                     |    no    |
 
 ## Outputs
 
-| Name              | Description                   |
-| ----------------- | ----------------------------- |
-| iam_role_arn      | The ARN of the IAM role.      |
-| iam_role_name     | The name of the IAM role.     |
-| oidc_provider_arn | The ARN of the OIDC provider. |
-| oidc_provider_url | The URL of the OIDC provider. |
+| Name                        | Description                                                             |
+| --------------------------- | ----------------------------------------------------------------------- |
+| assume_role_policy_document | The assume role policy document that can be attached to your IAM roles. |
+| iam_role_arn                | The ARN of the IAM role.                                                |
+| iam_role_name               | The name of the IAM role.                                               |
+| oidc_provider_arn           | The ARN of the OIDC provider.                                           |
+| oidc_provider_url           | The URL of the OIDC provider.                                           |
 
 <!-- END_TF_DOCS -->
 
diff --git a/data.tf b/data.tf
@@ -1,10 +1,12 @@
 // SPDX-FileCopyrightText: 2024 Daniel Morris <daniel@honestempire.com>
 // SPDX-License-Identifier: MIT
 
-data "aws_partition" "this" {}
+data "aws_partition" "this" {
+  count = var.create ? 1 : 0
+}
 
 data "aws_iam_policy_document" "assume_role" {
-  count = local.create_oidc_provider ? 1 : 0
+  count = var.create ? 1 : 0
 
   version = "2012-10-17"
 
@@ -24,9 +26,9 @@ data "aws_iam_policy_document" "assume_role" {
     condition {
       test = "StringEquals"
       values = var.additional_audiences != null ? concat(
-        [local.audience],
+        format("sts.%v", data.aws_partition.this[0].dns_suffix),
         var.additional_audiences,
-      ) : [local.audience]
+      ) : format("sts.%v", data.aws_partition.this[0].dns_suffix)
       variable = "token.actions.githubusercontent.com:aud"
     }
 
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -14,13 +14,13 @@ module "aws_oidc_github" {
   create_oidc_provider            = var.create_oidc_provider
   dangerously_attach_admin_policy = var.dangerously_attach_admin_policy
   enterprise_slug                 = var.enterprise_slug
-  force_detach_policies           = var.force_detach_policies
+  iam_role_force_detach_policies  = var.force_detach_policies
   iam_role_name                   = var.iam_role_name
   iam_role_path                   = var.iam_role_path
   iam_role_permissions_boundary   = var.iam_role_permissions_boundary
   iam_role_policy_arns            = var.iam_role_policy_arns
   github_repositories             = var.github_repositories
-  max_session_duration            = var.max_session_duration
+  iam_role_max_session_duration   = var.max_session_duration
   tags                            = var.tags
 
   iam_role_inline_policies = {
diff --git a/main.tf b/main.tf
@@ -8,15 +8,10 @@ locals {
   attach_read_only_policy         = local.create_iam_role && var.attach_read_only_policy
   dangerously_attach_admin_policy = local.create_iam_role && var.dangerously_attach_admin_policy
 
-  audience = format("sts.%v", local.dns_suffix)
-
   github_organizations = toset([
     for repo in var.github_repositories : split("/", repo)[0]
   ])
 
-  dns_suffix = data.aws_partition.this.dns_suffix
-  partition  = data.aws_partition.this.partition
-
   oidc_provider_arn = (
     var.create_oidc_provider ?
     aws_iam_openid_connect_provider.github[0].arn :
@@ -28,13 +23,13 @@ resource "aws_iam_role" "github" {
   count = local.create_iam_role ? 1 : 0
 
   assume_role_policy    = data.aws_iam_policy_document.assume_role[0].json
-  description           = "Assumed by the GitHub OIDC provider."
-  force_detach_policies = var.force_detach_policies
-  max_session_duration  = var.max_session_duration
+  description           = var.iam_role_description
+  force_detach_policies = var.iam_role_force_detach_policies
+  max_session_duration  = var.iam_role_max_session_duration
   name                  = var.iam_role_name
   path                  = var.iam_role_path
   permissions_boundary  = var.iam_role_permissions_boundary
-  tags                  = var.tags
+  tags                  = merge(var.tags, var.iam_role_tags)
 }
 
 resource "aws_iam_role_policy" "inline_policies" {
@@ -48,14 +43,14 @@ resource "aws_iam_role_policy" "inline_policies" {
 resource "aws_iam_role_policy_attachment" "admin" {
   count = local.create_iam_role && var.dangerously_attach_admin_policy ? 1 : 0
 
-  policy_arn = "arn:${local.partition}:iam::aws:policy/AdministratorAccess"
+  policy_arn = "arn:${data.aws_partition.this[0].partition}:iam::aws:policy/AdministratorAccess"
   role       = aws_iam_role.github[0].id
 }
 
 resource "aws_iam_role_policy_attachment" "read_only" {
   count = local.create_iam_role && var.attach_read_only_policy ? 1 : 0
 
-  policy_arn = "arn:${local.partition}:iam::aws:policy/ReadOnlyAccess"
+  policy_arn = "arn:${data.aws_partition.this[0].partition}:iam::aws:policy/ReadOnlyAccess"
   role       = aws_iam_role.github[0].id
 }
 
@@ -65,7 +60,7 @@ resource "aws_iam_role_policy_attachment" "custom" {
   role = aws_iam_role.github[0].id
   policy_arn = format(
     "arn:%v:iam::aws:policy/AdministratorAccess",
-    local.partition,
+    data.aws_partition.this[0].partition,
   )
 }
 
@@ -74,10 +69,10 @@ resource "aws_iam_openid_connect_provider" "github" {
 
   client_id_list = concat(
     [for org in local.github_organizations : format("https://github.com/%v", org)],
-    [local.audience],
+    format("sts.%v", data.aws_partition.this[0].dns_suffix),
   )
 
-  tags = var.tags
+  tags = merge(var.tags, var.oidc_provider_tags)
 
   thumbprint_list = toset(
     concat(
diff --git a/outputs.tf b/outputs.tf
@@ -1,22 +1,27 @@
 // SPDX-FileCopyrightText: 2024 Daniel Morris <daniel@honestempire.com>
 // SPDX-License-Identifier: MIT
 
+output "assume_role_policy_document" {
+  description = "The assume role policy document that can be attached to your IAM roles."
+  value       = local.create_oidc_provider ? data.aws_iam_policy_document.assume_role[0] : ""
+}
+
 output "iam_role_arn" {
   description = "The ARN of the IAM role."
-  value       = var.create && var.create_iam_role ? aws_iam_role.github[0].arn : ""
+  value       = local.create_iam_role ? aws_iam_role.github[0].arn : ""
 }
 
 output "iam_role_name" {
   description = "The name of the IAM role."
-  value       = var.create && var.create_iam_role ? aws_iam_role.github[0].name : ""
+  value       = local.create_iam_role ? aws_iam_role.github[0].name : ""
 }
 
 output "oidc_provider_arn" {
   description = "The ARN of the OIDC provider."
-  value       = var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn
+  value       = local.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn
 }
 
 output "oidc_provider_url" {
   description = "The URL of the OIDC provider."
-  value       = var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].url : data.aws_iam_openid_connect_provider.github[0].url
+  value       = local.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].url : data.aws_iam_openid_connect_provider.github[0].url
 }
diff --git a/variables.tf b/variables.tf
@@ -54,12 +54,6 @@ variable "enterprise_slug" {
   type        = string
 }
 
-variable "force_detach_policies" {
-  default     = false
-  description = "Force detachment of policies attached to the IAM role."
-  type        = bool
-}
-
 variable "github_repositories" {
   description = "GitHub organization/repository names authorized to assume the role."
   type        = list(string)
@@ -75,6 +69,29 @@ variable "github_repositories" {
   }
 }
 
+variable "iam_role_description" {
+  default     = "Assumed by the GitHub OIDC provider."
+  description = "Description of the IAM role to be created."
+  type        = string
+}
+
+variable "iam_role_force_detach_policies" {
+  default     = false
+  description = "Force detachment of policies attached to the IAM role."
+  type        = bool
+}
+
+variable "iam_role_max_session_duration" {
+  default     = 3600
+  description = "The maximum session duration in seconds."
+  type        = number
+
+  validation {
+    condition     = var.iam_role_max_session_duration >= 3600 && var.iam_role_max_session_duration <= 43200
+    error_message = "The maximum session duration must be between 3600 and 43200 seconds."
+  }
+}
+
 variable "iam_role_name" {
   default     = "GitHubActions"
   description = "The name of the IAM role to be created and made assumable by GitHub Actions."
@@ -105,15 +122,16 @@ variable "iam_role_inline_policies" {
   type        = map(string)
 }
 
-variable "max_session_duration" {
-  default     = 3600
-  description = "The maximum session duration in seconds."
-  type        = number
+variable "iam_role_tags" {
+  default     = {}
+  description = "Additional tags to be applied to the IAM role."
+  type        = map(string)
+}
 
-  validation {
-    condition     = var.max_session_duration >= 3600 && var.max_session_duration <= 43200
-    error_message = "The maximum session duration must be between 3600 and 43200 seconds."
-  }
+variable "oidc_provider_tags" {
+  default     = {}
+  description = "Tags to be applied to the OIDC provider."
+  type        = map(string)
 }
 
 variable "tags" {
