Update iam modules to allow overiding policy name and a list of roles (#35)

* Allow overriding policy name and add more role to the delegate allowed

* Update examples

* Use the pre-release instead

Author: Bit-Doctor

examples/custom_vpc/main.tf

@@ -14,28 +14,28 @@ provider "aws" {
 }
 
 module "agentless_scanner_role" {
-  source = "git::https://github.com/DataDog/terraform-datadog-agentless-scanner//modules/agentless-scanner-role?ref=0.2.0"
+  source = "git::https://github.com/DataDog/terraform-datadog-agentless-scanner//modules/agentless-scanner-role?ref=0.6.0"
 
   account_roles = [module.delegate_role.role.arn]
 }
 
 module "delegate_role" {
-  source = "git::https://github.com/DataDog/terraform-datadog-agentless-scanner//modules/scanning-delegate-role?ref=0.2.0"
+  source = "git::https://github.com/DataDog/terraform-datadog-agentless-scanner//modules/scanning-delegate-role?ref=0.6.0"
 
-  scanner_role_arn = module.agentless_scanner_role.role.arn
+  scanner_roles = [module.agentless_scanner_role.role.arn]
 }
 
 module "user_data" {
-  source = "git::https://github.com/DataDog/terraform-datadog-agentless-scanner//modules/user_data?ref=0.2.0"
+  source = "git::https://github.com/DataDog/terraform-datadog-agentless-scanner//modules/user_data?ref=0.6.0"
 
   hostname = "agentless-scanning-us-east-1"
   api_key  = var.api_key
 }
 
 module "instance" {
-  source = "git::https://github.com/DataDog/terraform-datadog-agentless-scanner//modules/instance?ref=0.2.0"
+  source = "git::https://github.com/DataDog/terraform-datadog-agentless-scanner//modules/instance?ref=0.6.0"
 
   user_data            = module.user_data.install_sh
   iam_instance_profile = module.agentless_scanner_role.profile.name
   subnet_id            = var.subnet_id
-}
+}

examples/multi_region/main.tf

@@ -20,19 +20,19 @@ provider "aws" {
 }
 
 module "agentless_scanner_role" {
-  source = "git::https://github.com/DataDog/terraform-datadog-agentless-scanner//modules/agentless-scanner-role?ref=0.2.0"
+  source = "git::https://github.com/DataDog/terraform-datadog-agentless-scanner//modules/agentless-scanner-role?ref=0.6.0"
 
   account_roles = [module.delegate_role.role.arn]
 }
 
 module "delegate_role" {
-  source = "git::https://github.com/DataDog/terraform-datadog-agentless-scanner//modules/scanning-delegate-role?ref=0.2.0"
+  source = "git::https://github.com/DataDog/terraform-datadog-agentless-scanner//modules/scanning-delegate-role?ref=0.6.0"
 
-  scanner_role_arn = module.agentless_scanner_role.role.arn
+  scanner_roles = [module.agentless_scanner_role.role.arn]
 }
 
 module "agentless_scanner" {
-  source = "git::https://github.com/DataDog/terraform-datadog-agentless-scanner?ref=0.2.0"
+  source = "git::https://github.com/DataDog/terraform-datadog-agentless-scanner?ref=0.6.0"
   providers = {
     aws = aws.us
   }
@@ -42,11 +42,11 @@ module "agentless_scanner" {
 }
 
 module "agentless_scanner" {
-  source = "git::https://github.com/DataDog/terraform-datadog-agentless-scanner?ref=0.2.0"
+  source = "git::https://github.com/DataDog/terraform-datadog-agentless-scanner?ref=0.6.0"
   providers = {
     aws = aws.eu
   }
 
   api_key               = var.api_key
   instance_profile_name = module.agentless_scanner_role.instance_profile.name
-}
+}

examples/single_region/main.tf

@@ -14,19 +14,19 @@ provider "aws" {
 }
 
 module "scanner_role" {
-  source = "git::https://github.com/DataDog/terraform-datadog-agentless-scanner//modules/agentless-scanner-role?ref=0.2.0"
+  source = "git::https://github.com/DataDog/terraform-datadog-agentless-scanner//modules/agentless-scanner-role?ref=0.6.0"
 
   account_roles = [module.delegate_role.role.arn]
 }
 
 module "delegate_role" {
-  source = "git::https://github.com/DataDog/terraform-datadog-agentless-scanner//modules/scanning-delegate-role?ref=0.2.0"
+  source = "git::https://github.com/DataDog/terraform-datadog-agentless-scanner//modules/scanning-delegate-role?ref=0.6.0"
 
-  scanner_role_arn = module.scanner_role.role.arn
+  scanner_role = [module.scanner_role.role.arn]
 }
 
 module "agentless_scanner" {
-  source = "git::https://github.com/DataDog/terraform-datadog-agentless-scanner?ref=0.2.0"
+  source = "git::https://github.com/DataDog/terraform-datadog-agentless-scanner?ref=0.6.0"
 
   api_key               = var.api_key
   instance_profile_name = module.scanner_role.instance_profile.name

modules/agentless-scanner-role/README.md

@@ -36,6 +36,8 @@ No modules.
 | <a name="input_account_roles"></a> [account\_roles](#input\_account\_roles) | List of cross accounts roles ARN that the Datadog agentless scanner can assume | `list(string)` | `[]` | no |
 | <a name="input_api_key_secret_arn"></a> [api\_key\_secret\_arn](#input\_api\_key\_secret\_arn) | ARN of the secret holding the Datadog API key | `string` | `null` | no |
 | <a name="input_enable_ssm"></a> [enable\_ssm](#input\_enable\_ssm) | Whether to enable AWS SSM to facilitate executing troubleshooting commands on the instance | `bool` | `false` | no |
+| <a name="input_iam_policy_name"></a> [iam\_policy\_name](#input\_iam\_policy\_name) | Name to use on IAM policy created | `string` | `"DatadogAgentlessScannerAgentPolicy"` | no |
+| <a name="input_iam_policy_path"></a> [iam\_policy\_path](#input\_iam\_policy\_path) | IAM policy path | `string` | `null` | no |
 | <a name="input_iam_role_name"></a> [iam\_role\_name](#input\_iam\_role\_name) | Name to use on IAM role created | `string` | `"DatadogAgentlessScannerAgentRole"` | no |
 | <a name="input_iam_role_path"></a> [iam\_role\_path](#input\_iam\_role\_path) | IAM role path | `string` | `null` | no |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | ARN of the KMS key encrypting the secret | `string` | `null` | no |

modules/agentless-scanner-role/main.tf

@@ -68,7 +68,8 @@ data "aws_iam_policy_document" "scanner_policy_document" {
 }
 
 resource "aws_iam_policy" "scanner_policy" {
-  name   = "DatadogAgentlessScannerAgentPolicy"
+  name   = var.iam_policy_name
+  path   = var.iam_policy_path
   policy = data.aws_iam_policy_document.scanner_policy_document.json
 }
 

modules/agentless-scanner-role/variables.tf

@@ -4,12 +4,24 @@ variable "iam_role_name" {
   default     = "DatadogAgentlessScannerAgentRole"
 }
 
+variable "iam_policy_name" {
+  description = "Name to use on IAM policy created"
+  type        = string
+  default     = "DatadogAgentlessScannerAgentPolicy"
+}
+
 variable "iam_role_path" {
   description = "IAM role path"
   type        = string
   default     = null
 }
 
+variable "iam_policy_path" {
+  description = "IAM policy path"
+  type        = string
+  default     = null
+}
+
 variable "account_roles" {
   description = "List of cross accounts roles ARN that the Datadog agentless scanner can assume"
   type        = list(string)

modules/scanning-delegate-role/README.md

@@ -35,7 +35,7 @@ No modules.
 | <a name="input_iam_policy_path"></a> [iam\_policy\_path](#input\_iam\_policy\_path) | IAM policy path | `string` | `null` | no |
 | <a name="input_iam_role_name"></a> [iam\_role\_name](#input\_iam\_role\_name) | Name to use on IAM role created | `string` | `"DatadogAgentlessScannerDelegateRole"` | no |
 | <a name="input_iam_role_path"></a> [iam\_role\_path](#input\_iam\_role\_path) | IAM role path | `string` | `null` | no |
-| <a name="input_scanner_role_arn"></a> [scanner\_role\_arn](#input\_scanner\_role\_arn) | ARN of the role allowed to assume this role | `string` | n/a | yes |
+| <a name="input_scanner_roles"></a> [scanner\_roles](#input\_scanner\_roles) | List of roles ARN allowed to assume this role | `list(string)` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of additional tags to add to the IAM role/profile created | `map(string)` | `{}` | no |
 
 ## Outputs

modules/scanning-delegate-role/main.tf

@@ -228,7 +228,7 @@ data "aws_iam_policy_document" "assume_role_policy" {
 
     principals {
       type        = "AWS"
-      identifiers = [var.scanner_role_arn]
+      identifiers = var.scanner_roles
     }
   }
 }

modules/scanning-delegate-role/variables.tf

@@ -22,13 +22,13 @@ variable "iam_policy_path" {
   default     = null
 }
 
-variable "scanner_role_arn" {
-  description = "ARN of the role allowed to assume this role"
-  type        = string
+variable "scanner_roles" {
+  description = "List of roles ARN allowed to assume this role"
+  type        = list(string)
 }
 
 variable "tags" {
   description = "A map of additional tags to add to the IAM role/profile created"
   type        = map(string)
   default     = {}
-}
+}