Merge pull request #2 from cloudtruth/feature/standardize_naming

Standardized resource naming, updated descriptions and README

README.md

@@ -6,7 +6,7 @@ given resources within your aws account
 ## Usage
 
 ```hcl
-module "grant-cloudtruth-access" {
+module "grant_cloudtruth_access" {
   source = "github.com/cloudtruth/terraform-cloudtruth-access"
 
   role_name = "name-the-role-as-desired-matches-that-on-cloudtruth-integration-page"
@@ -15,6 +15,8 @@ module "grant-cloudtruth-access" {
 }
 ```
 
+**IMPORTANT:** We do not pin modules to versions in our examples because of the difficulty of keeping the versions in the documentation in sync with the latest released versions. We highly recommend that you pin the version to the exact version you are using so that your infrastructure remains stable.
+
 ## Requirements
 
 | Name | Version |
@@ -36,12 +38,12 @@ module "grant-cloudtruth-access" {
 | role\_name | The role within your AWS account that cloudtruth will assume to perform its actions | `any` | n/a | yes |
 | s3\_policy | A custom policy to use for s3 instead of the one this module would define | `string` | `""` | no |
 | s3\_resources | The s3 resources to explicitly grant access to, defaults to all, and listing<br>all buckets is always allowed (for bucket chooser in UI) even if access<br>isn't granted here | `list(string)` | <pre>[<br>  "*"<br>]</pre> | no |
-| services\_enabled | The AWS services to grant cloudtruth access to, allowed values are s3, ssm, secrets | `list(string)` | n/a | yes |
-| services\_write\_enabled | The AWS services to grant cloudtruth write access to, allowed values are s3, ssm, secrets | `list(string)` | `[]` | no |
+| services\_enabled | The AWS services to grant cloudtruth access to, allowed values are s3, ssm, secretsmanager | `list(string)` | n/a | yes |
+| services\_write\_enabled | The AWS services to grant cloudtruth write access to, allowed values are s3, ssm, secretsmanager | `list(string)` | `[]` | no |
 | ssm\_policy | A custom policy to use for ssm instead of the one this module would define | `string` | `""` | no |
 | ssm\_resources | The ssm resources to explicitly grant access to, defaults to all, and listing<br>all is always allowed (for chooser in UI) even if access<br>isn't granted here | `list(string)` | <pre>[<br>  "*"<br>]</pre> | no |
-| secrets\_policy | A custom policy to use for secrets manager instead of the one this module would define | `string` | `""` | no |
-| secrets\_resources | The secrets manager resources to explicitly grant access to, defaults to all, and listing<br>all is always allowed (for chooser in UI) even if access<br>isn't granted here | `list(string)` | <pre>[<br>  "*"<br>]</pre> | no |
+| secretsmanager\_policy | A custom policy to use for secrets manager instead of the one this module would define | `string` | `""` | no |
+| secretsmanager\_resources | The secrets manager resources to explicitly grant access to, defaults to all, and listing<br>all is always allowed (for chooser in UI) even if access<br>isn't granted here | `list(string)` | <pre>[<br>  "*"<br>]</pre> | no |
 
 ## Outputs
 

main.tf

@@ -25,7 +25,7 @@ data "aws_iam_policy_document" "assume_role" {
   }
 }
 
-resource "aws_iam_role" "cloudtruth-access" {
+resource "aws_iam_role" "cloudtruth_access" {
   description = "The role that cloudtruth will assume in order to access your AWS account"
   name        = var.role_name
 
@@ -54,7 +54,7 @@ data "aws_iam_policy_document" "s3" {
 
 // This policy allows cloudtruth to write to your S3 buckets
 //
-data "aws_iam_policy_document" "s3-write" {
+data "aws_iam_policy_document" "s3_write" {
 
   statement {
     sid       = "BucketWrite"
@@ -94,7 +94,7 @@ data "aws_iam_policy_document" "ssm" {
 
 //  This policy allows cloudtruth to write to your AWS SSM Parameter Store
 //
-data "aws_iam_policy_document" "ssm-write" {
+data "aws_iam_policy_document" "ssm_write" {
 
   statement {
     sid = "TagAccess"
@@ -120,9 +120,9 @@ data "aws_iam_policy_document" "ssm-write" {
 
 }
 
-//  This policy allows cloudtruth to list and read your AWS Secret Store
+//  This policy allows cloudtruth to list and read your AWS Secrets Manager Store
 //
-data "aws_iam_policy_document" "secrets" {
+data "aws_iam_policy_document" "secretsmanager" {
 
   statement {
     sid = "ListSecrets"
@@ -140,14 +140,14 @@ data "aws_iam_policy_document" "secrets" {
       "secretsmanager:DescribeSecret"
     ]
     effect    = "Allow"
-    resources = var.secrets_resources
+    resources = var.secretsmanager_resources
   }
 
 }
 
-//  This policy allows cloudtruth to write to your AWS Secret Store
+//  This policy allows cloudtruth to write to your AWS Secret Manager Store
 //
-data "aws_iam_policy_document" "secrets-write" {
+data "aws_iam_policy_document" "secretsmanager_write" {
 
   statement {
     sid = "SecretWrite"
@@ -158,36 +158,36 @@ data "aws_iam_policy_document" "secrets-write" {
       "secretsmanager:UpdateSecret"
     ]
     effect    = "Allow"
-    resources = var.secrets_resources
+    resources = var.secretsmanager_resources
   }
 
 }
 
 locals {
   policy_lookup = {
-    s3  = var.s3_policy != "" ? var.s3_policy : data.aws_iam_policy_document.s3.json
-    ssm = var.ssm_policy != "" ? var.ssm_policy : data.aws_iam_policy_document.ssm.json
-    secrets = var.secrets_policy != "" ? var.secrets_policy : data.aws_iam_policy_document.secrets.json
+    s3             = var.s3_policy != "" ? var.s3_policy : data.aws_iam_policy_document.s3.json
+    ssm            = var.ssm_policy != "" ? var.ssm_policy : data.aws_iam_policy_document.ssm.json
+    secretsmanager = var.secretsmanager_policy != "" ? var.secretsmanager_policy : data.aws_iam_policy_document.secretsmanager.json
   }
   write_policy_lookup = {
-    s3  = data.aws_iam_policy_document.s3-write.json
-    ssm = data.aws_iam_policy_document.ssm-write.json
-    secrets = data.aws_iam_policy_document.secrets-write.json
+    s3             = data.aws_iam_policy_document.s3_write.json
+    ssm            = data.aws_iam_policy_document.ssm_write.json
+    secretsmanager = data.aws_iam_policy_document.secretsmanager_write.json
   }
 }
 
-resource "aws_iam_role_policy" "cloudtruth-policies" {
+resource "aws_iam_role_policy" "cloudtruth_policies" {
   for_each = toset(var.services_enabled)
 
   name   = "allow-cloudtruth-access-to-${each.key}"
-  role   = aws_iam_role.cloudtruth-access.id
+  role   = aws_iam_role.cloudtruth_access.id
   policy = local.policy_lookup[each.key]
 }
 
-resource "aws_iam_role_policy" "cloudtruth-write-policies" {
+resource "aws_iam_role_policy" "cloudtruth_write_policies" {
   for_each = toset(var.services_write_enabled)
 
   name   = "allow-cloudtruth-write-to-${each.key}"
-  role   = aws_iam_role.cloudtruth-access.id
+  role   = aws_iam_role.cloudtruth_access.id
   policy = local.write_policy_lookup[each.key]
 }

outputs.tf

@@ -0,0 +1 @@
+

variables.tf

@@ -14,17 +14,17 @@ variable "account_ids" {
 
 variable "services_enabled" {
   description = <<-EOD
-    The AWS services to grant cloudtruth access to, allowed values are s3, ssm, secrets
+    The AWS services to grant cloudtruth access to, allowed values are s3, ssm, secretsmanager
   EOD
   type        = list(string)
 }
 
 variable "services_write_enabled" {
   description = <<-EOD
-    The AWS services to grant cloudtruth write access to, allowed values are s3, ssm, secrets
+    The AWS services to grant cloudtruth write access to, allowed values are s3, ssm, secretsmanager
   EOD
   type        = list(string)
-  default = []
+  default     = []
 }
 
 variable "s3_resources" {
@@ -59,7 +59,7 @@ variable "ssm_policy" {
   default     = ""
 }
 
-variable "secrets_resources" {
+variable "secretsmanager_resources" {
   description = <<-EOD
     The secrets manager resources to explicitly grant access to, defaults to all, and listing
     is always allowed (for chooser in UI) even if access isn't granted here
@@ -68,7 +68,7 @@ variable "secrets_resources" {
   default     = ["*"]
 }
 
-variable "secrets_policy" {
+variable "secretsmanager_policy" {
   description = <<-EOD
     A custom poilicy to use for secrets manager instead of the one this module would define
   EOD