Merge pull request #13 from joe-niland/feat/data-resources-dependent-on-session-logging-enabled

Gowiem · web-flow · commit 7d5f78c16c86 · 2022-09-13T20:00:55.000-04:00
diff --git a/main.tf b/main.tf
@@ -56,19 +56,21 @@ data "aws_iam_policy_document" "default" {
 }
 
 data "aws_s3_bucket" "logs_bucket" {
+  count  = var.session_logging_enabled ? 1 : 0
   bucket = try(coalesce(var.session_logging_bucket_name, module.logs_bucket.bucket_id), "")
 }
 
 # https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-create-iam-instance-profile.html#create-iam-instance-profile-ssn-logging
 data "aws_iam_policy_document" "session_logging" {
+  count = var.session_logging_enabled ? 1 : 0
 
   statement {
     sid    = "SSMAgentSessionAllowS3Logging"
     effect = "Allow"
     actions = [
       "s3:PutObject"
     ]
-    resources = ["${data.aws_s3_bucket.logs_bucket.arn}/*"]
+    resources = ["${join("", data.aws_s3_bucket.logs_bucket.*.arn)}/*"]
   }
 
   statement {
@@ -119,7 +121,7 @@ resource "aws_iam_role_policy" "session_logging" {
 
   name   = "${module.role_label.id}-session-logging"
   role   = aws_iam_role.default.name
-  policy = data.aws_iam_policy_document.session_logging.json
+  policy = join("", data.aws_iam_policy_document.session_logging.*.json)
 }
 
 resource "aws_iam_instance_profile" "default" {
diff --git a/outputs.tf b/outputs.tf
@@ -24,11 +24,11 @@ output "role_id" {
 }
 
 output "session_logging_bucket_id" {
-  value       = var.session_logging_enabled && var.session_logging_bucket_name == "" ? data.aws_s3_bucket.logs_bucket.id : ""
+  value       = var.session_logging_enabled && var.session_logging_bucket_name == "" ? join("", data.aws_s3_bucket.logs_bucket.*.id) : ""
   description = "The ID of the SSM Agent Session Logging S3 Bucket."
 }
 
 output "session_logging_bucket_arn" {
-  value       = var.session_logging_enabled && var.session_logging_bucket_name == "" ? data.aws_s3_bucket.logs_bucket.arn : ""
+  value       = var.session_logging_enabled && var.session_logging_bucket_name == "" ? join("", data.aws_s3_bucket.logs_bucket.*.arn) : ""
   description = "The ARN of the SSM Agent Session Logging S3 Bucket."
 }

Original file line number	Diff line number	Diff line change
`@@ -56,19 +56,21 @@ data "aws_iam_policy_document" "default" {`
`56`	`56`	`}`
`57`	`57`
`58`	`58`	`data "aws_s3_bucket" "logs_bucket" {`
	`59`	`+ count = var.session_logging_enabled ? 1 : 0`
`59`	`60`	`bucket = try(coalesce(var.session_logging_bucket_name, module.logs_bucket.bucket_id), "")`
`60`	`61`	`}`
`61`	`62`
`62`	`63`	`# https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-create-iam-instance-profile.html#create-iam-instance-profile-ssn-logging`
`63`	`64`	`data "aws_iam_policy_document" "session_logging" {`
	`65`	`+ count = var.session_logging_enabled ? 1 : 0`
`64`	`66`
`65`	`67`	`statement {`
`66`	`68`	`sid = "SSMAgentSessionAllowS3Logging"`
`67`	`69`	`effect = "Allow"`
`68`	`70`	`actions = [`
`69`	`71`	`"s3:PutObject"`
`70`	`72`	`]`
`71`		`- resources = ["${data.aws_s3_bucket.logs_bucket.arn}/*"]`
	`73`	`+ resources = ["${join("", data.aws_s3_bucket.logs_bucket..arn)}/"]`
`72`	`74`	`}`
`73`	`75`
`74`	`76`	`statement {`
`@@ -119,7 +121,7 @@ resource "aws_iam_role_policy" "session_logging" {`
`119`	`121`
`120`	`122`	`name = "${module.role_label.id}-session-logging"`
`121`	`123`	`role = aws_iam_role.default.name`
`122`		`- policy = data.aws_iam_policy_document.session_logging.json`
	`124`	`+ policy = join("", data.aws_iam_policy_document.session_logging.*.json)`
`123`	`125`	`}`
`124`	`126`
`125`	`127`	`resource "aws_iam_instance_profile" "default" {`
Original file line number	Diff line number	Diff line change
`@@ -24,11 +24,11 @@ output "role_id" {`
`24`	`24`	`}`
`25`	`25`
`26`	`26`	`output "session_logging_bucket_id" {`
`27`		`- value = var.session_logging_enabled && var.session_logging_bucket_name == "" ? data.aws_s3_bucket.logs_bucket.id : ""`
	`27`	`+ value = var.session_logging_enabled && var.session_logging_bucket_name == "" ? join("", data.aws_s3_bucket.logs_bucket.*.id) : ""`
`28`	`28`	`description = "The ID of the SSM Agent Session Logging S3 Bucket."`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	`output "session_logging_bucket_arn" {`
`32`		`- value = var.session_logging_enabled && var.session_logging_bucket_name == "" ? data.aws_s3_bucket.logs_bucket.arn : ""`
	`32`	`+ value = var.session_logging_enabled && var.session_logging_bucket_name == "" ? join("", data.aws_s3_bucket.logs_bucket.*.arn) : ""`
`33`	`33`	`description = "The ARN of the SSM Agent Session Logging S3 Bucket."`
`34`	`34`	`}`