feat: review improvements
jaygridley committed Dec 20, 2024
1 parent 4fd3e08 commit 5a3dd5a
Showing 16 changed files with 29 additions and 220 deletions.
2 changes: 1 addition & 1 deletion .tool-versions
Expand Up @@ -4,4 +4,4 @@ tflint 0.50.3
checkov 3.2.37
awscli 2.15.29
pre-commit 3.6.2
python 3.9.16
python 3.13.1
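Review bot: the jump from Python 3.9.16 to 3.13.1 in this hunk is four minor releases, and the other tools pinned in this file (pre-commit 3.6.2, checkov 3.2.37) were chosen against 3.9; confirm that the pre-commit hooks still install and run under 3.13 before merging, and consider stating in the commit message why the interpreter was bumped, since `feat: review improvements` does not explain it.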
12 changes: 6 additions & 6 deletions README.md
Expand Up @@ -58,7 +58,7 @@ See [basic example](examples/basic) for further information.
|------|------|
| [utils_deep_merge_yaml.values](https://registry.terraform.io/providers/cloudposse/utils/latest/docs/data-sources/deep_merge_yaml) | data source |
> [!IMPORTANT]
> Variables defined in [variables-addon.tf](variables-addon.tf) defaults to `null` to have them overridable by the addon configuration defined though the [`local.addon.*`](main.tf) local variable with some default values defined in [addon.tf](addon.tf).
> Variables defined in [variables-addon[-irsa|oidc].tf](variables-addon.tf) defaults to `null` to have them overridable by the addon configuration defined though the [`local.addon[_irsa|oidc].*`](main.tf) local variable with the default values defined in [addon[-irsa|oidc].tf](addon.tf).
## Inputs

| Name | Description | Type |
Expand All @@ -72,12 +72,12 @@ See [basic example](examples/basic) for further information.
| <a name="input_argo_helm_wait_node_selector"></a> [argo\_helm\_wait\_node\_selector](#input\_argo\_helm\_wait\_node\_selector) | Node selector for ArgoCD Application Helm release wait job. Defaults to `{}`. | `map(string)` |
| <a name="input_argo_helm_wait_timeout"></a> [argo\_helm\_wait\_timeout](#input\_argo\_helm\_wait\_timeout) | Timeout for ArgoCD Application Helm release wait job. Defaults to `10m`. | `string` |
| <a name="input_argo_helm_wait_tolerations"></a> [argo\_helm\_wait\_tolerations](#input\_argo\_helm\_wait\_tolerations) | Tolerations for ArgoCD Application Helm release wait job. Defaults to `[]`. | `list(any)` |
| <a name="input_argo_info"></a> [argo\_info](#input\_argo\_info) | ArgoCD Application manifest info parameter. Defaults to `[{'name': 'terraform', 'value': 'true'}]`. | `list(any)` |
| <a name="input_argo_kubernetes_manifest_computed_fields"></a> [argo\_kubernetes\_manifest\_computed\_fields](#input\_argo\_kubernetes\_manifest\_computed\_fields) | List of paths of fields to be handled as "computed". The user-configured value for the field will be overridden by any different value returned by the API after apply. Defaults to `['metadata.labels', 'metadata.annotations', 'metadata.finalizers']`. | `list(string)` |
| <a name="input_argo_info"></a> [argo\_info](#input\_argo\_info) | ArgoCD Application manifest info parameter. Defaults to `[{"name": "terraform", "value": "true"}]`. | `list(any)` |
| <a name="input_argo_kubernetes_manifest_computed_fields"></a> [argo\_kubernetes\_manifest\_computed\_fields](#input\_argo\_kubernetes\_manifest\_computed\_fields) | List of paths of fields to be handled as "computed". The user-configured value for the field will be overridden by any different value returned by the API after apply. Defaults to `["metadata.labels", "metadata.annotations", "metadata.finalizers"]`. | `list(string)` |
| <a name="input_argo_kubernetes_manifest_field_manager_force_conflicts"></a> [argo\_kubernetes\_manifest\_field\_manager\_force\_conflicts](#input\_argo\_kubernetes\_manifest\_field\_manager\_force\_conflicts) | Forcibly override any field manager conflicts when applying the kubernetes manifest resource. Defaults to `false`. | `bool` |
| <a name="input_argo_kubernetes_manifest_field_manager_name"></a> [argo\_kubernetes\_manifest\_field\_manager\_name](#input\_argo\_kubernetes\_manifest\_field\_manager\_name) | The name of the field manager to use when applying the Kubernetes manifest resource. Defaults to `Terraform`. | `string` |
| <a name="input_argo_kubernetes_manifest_wait_fields"></a> [argo\_kubernetes\_manifest\_wait\_fields](#input\_argo\_kubernetes\_manifest\_wait\_fields) | A map of fields and a corresponding regular expression with a pattern to wait for. The provider will wait until the field matches the regular expression. Use * for any value. Defaults to `{}`. | `map(string)` |
| <a name="input_argo_metadata"></a> [argo\_metadata](#input\_argo\_metadata) | ArgoCD Application metadata configuration. Override or create additional metadata parameters. Defaults to `{'finalizers': ['resources-finalizer.argocd.argoproj.io']}`. | `any` |
| <a name="input_argo_metadata"></a> [argo\_metadata](#input\_argo\_metadata) | ArgoCD Application metadata configuration. Override or create additional metadata parameters. Defaults to `{"finalizers": ["resources-finalizer.argocd.argoproj.io"]}`. | `any` |
| <a name="input_argo_namespace"></a> [argo\_namespace](#input\_argo\_namespace) | Namespace to deploy ArgoCD Application CRD to. Defaults to `argo`. | `string` |
| <a name="input_argo_project"></a> [argo\_project](#input\_argo\_project) | ArgoCD Application project. Defaults to `default`. | `string` |
| <a name="input_argo_spec"></a> [argo\_spec](#input\_argo\_spec) | ArgoCD Application spec configuration. Override or create additional spec parameters. Defaults to `{}`. | `any` |
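Review bot: the rewritten IMPORTANT note still carries two wording errors from the old line: `defaults to` should be `default to` (the subject is plural) and `defined though` should be `defined through`. The bracket shorthand `variables-addon[-irsa|oidc].tf` is also rendered as a single link to `variables-addon.tf`, so readers cannot reach the IRSA and OIDC variants; one link per file (the base file plus its `-irsa` and `-oidc` variants, and likewise for `addon[-irsa|oidc].tf`) would be clearer. The switch from single to double quotes in the `argo_info`, `argo_kubernetes_manifest_computed_fields` and `argo_metadata` defaults is correct, since those values are JSON-style literals.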
Expand Down Expand Up @@ -124,7 +124,7 @@ See [basic example](examples/basic) for further information.
| <a name="input_irsa_assume_role_enabled"></a> [irsa\_assume\_role\_enabled](#input\_irsa\_assume\_role\_enabled) | Whether IRSA is allowed to assume role defined by `irsa_assume_role_arn`. Mutually exclusive with `irsa_policy_enabled`. Defaults to `false`. | `bool` |
| <a name="input_irsa_assume_role_policy_condition_test"></a> [irsa\_assume\_role\_policy\_condition\_test](#input\_irsa\_assume\_role\_policy\_condition\_test) | Specifies the condition test to use for the assume role trust policy. Defaults to `StringEquals`. | `string` |
| <a name="input_irsa_assume_role_policy_condition_values"></a> [irsa\_assume\_role\_policy\_condition\_values](#input\_irsa\_assume\_role\_policy\_condition\_values) | Specifies the values for the assume role trust policy condition. Each entry in this list must follow the required format `system:serviceaccount:$service_account_namespace:$service_account_name`. If this variable is left as the default, `local.irsa_assume_role_policy_condition_values_default` is used instead, which is a list containing a single value. Note that if this list is defined, the `service_account_name` and `service_account_namespace` variables are ignored. Defaults to `[]`. | `list(string)` |
| <a name="input_irsa_permissions_boundary"></a> [irsa\_permissions\_boundary](#input\_irsa\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IRSA role. | `string` |
| <a name="input_irsa_permissions_boundary"></a> [irsa\_permissions\_boundary](#input\_irsa\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IRSA role. Defaults to `null`. | `string` |
| <a name="input_irsa_policy"></a> [irsa\_policy](#input\_irsa\_policy) | Policy to be attached to the IRSA role. Applied only if `irsa_policy_enabled` is `true`. Defaults to `""`. | `string` |
| <a name="input_irsa_policy_enabled"></a> [irsa\_policy\_enabled](#input\_irsa\_policy\_enabled) | Whether to create IAM policy specified by `irsa_policy`. Mutually exclusive with `irsa_assume_role_enabled`. Defaults to `false`. | `bool` |
| <a name="input_irsa_role_create"></a> [irsa\_role\_create](#input\_irsa\_role\_create) | Whether to create IRSA role and annotate Service Account. Defaults to `true`. | `bool` |
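Review bot: documenting `irsa_permissions_boundary` as defaulting to `null` is consistent with the IMPORTANT note above, but the description should also say what that means operationally: with no boundary ARN the IRSA role is created without a permissions boundary, so nothing caps the policy attached via `irsa_policy`. A short clause to that effect helps callers decide whether to set it.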
Expand All @@ -142,7 +142,7 @@ See [basic example](examples/basic) for further information.
| <a name="input_oidc_openid_client_ids"></a> [oidc\_openid\_client\_ids](#input\_oidc\_openid\_client\_ids) | List of OpenID Connect client IDs that are allowed to assume the OIDC provider. Defaults to `[]`. | `list(string)` |
| <a name="input_oidc_openid_provider_url"></a> [oidc\_openid\_provider\_url](#input\_oidc\_openid\_provider\_url) | OIDC provider URL. Defaults to `""`. | `string` |
| <a name="input_oidc_openid_thumbprints"></a> [oidc\_openid\_thumbprints](#input\_oidc\_openid\_thumbprints) | List of thumbprints of the OIDC provider's server certificate. Defaults to `[]`. | `list(string)` |
| <a name="input_oidc_permissions_boundary"></a> [oidc\_permissions\_boundary](#input\_oidc\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the OIDC role. | `string` |
| <a name="input_oidc_permissions_boundary"></a> [oidc\_permissions\_boundary](#input\_oidc\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the OIDC role. Defaults to `null`. | `string` |
| <a name="input_oidc_policy"></a> [oidc\_policy](#input\_oidc\_policy) | Policy to be attached to the OIDC role. Applied only if `oidc_policy_enabled` is `true`. Defaults to `""`. | `string` |
| <a name="input_oidc_policy_enabled"></a> [oidc\_policy\_enabled](#input\_oidc\_policy\_enabled) | Whether to create IAM policy specified by `oidc_policy`. Mutually exclusive with `oidc_assume_role_enabled`. Defaults to `false`. | `bool` |
| <a name="input_oidc_provider_create"></a> [oidc\_provider\_create](#input\_oidc\_provider\_create) | Whether to create OIDC provider. Set to `false` if you want to disable default OIDC provider when `var.oidc_custom_provider_arn` is set. Defaults to `true`. | `bool` |
2 changes: 1 addition & 1 deletion addon-oidc.tf
Expand Up @@ -23,7 +23,7 @@ module "addon-oidc" {
oidc_openid_thumbprints = var.oidc_openid_thumbprints != null ? var.oidc_openid_thumbprints : try(each.value.oidc_openid_thumbprints, [])
oidc_assume_role_policy_condition_variable = var.oidc_assume_role_policy_condition_variable != null ? var.oidc_assume_role_policy_condition_variable : try(each.value.oidc_assume_role_policy_condition_variable, "")
oidc_assume_role_policy_condition_values = var.oidc_assume_role_policy_condition_values != null ? var.oidc_assume_role_policy_condition_values : try(each.value.oidc_assume_role_policy_condition_values, [])
oidc_assume_role_policy_condition_test = var.oidc_assume_role_policy_condition_test != null ? var.oidc_assume_role_policy_condition_test : try(each.value.oidc_assume_role_policy_condition_test, "StringLike")
oidc_assume_role_policy_condition_test = var.oidc_assume_role_policy_condition_test != null ? var.oidc_assume_role_policy_condition_test : try(each.value.oidc_assume_role_policy_condition_test, "StringEquals")
oidc_custom_provider_arn = var.oidc_custom_provider_arn != null ? var.oidc_custom_provider_arn : try(each.value.oidc_custom_provider_arn, "")

oidc_tags = var.oidc_tags != null ? var.oidc_tags : try(each.value.oidc_tags, tomap({}))
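Review bot: changing the fallback for `oidc_assume_role_policy_condition_test` from `StringLike` to `StringEquals` is a behaviour change, not a review tidy-up, and the commit message does not mention it. `StringEquals` is the safer default, because the trust policy condition then refuses wildcard matching and an entry in `oidc_assume_role_policy_condition_values` can no longer widen who may assume the role by accident; but callers who relied on `*` patterns under `StringLike` will find their trust policies no longer match after upgrading. Please call this out in the changelog, and check that the README row for `oidc_assume_role_policy_condition_test` (it sits outside the README hunks shown here) now states `StringEquals`, matching the `irsa_assume_role_policy_condition_test` row in the README hunk above.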
84 changes: 0 additions & 84 deletions modules/addon-irsa/context.tf

This file was deleted.

3 changes: 1 addition & 2 deletions modules/addon-irsa/iam.tf
@@ -1,7 +1,6 @@
locals {
irsa_role_create = var.enabled && var.rbac_create && var.service_account_create && var.irsa_role_create
irsa_role_name_prefix = coalesce(var.irsa_role_name_prefix, "${module.label.id}-irsa")
irsa_role_name = trim("${local.irsa_role_name_prefix}-${var.irsa_role_name}", "-")
irsa_role_name = trim("${var.irsa_role_name_prefix}-${var.irsa_role_name}", "-")
irsa_policy_enabled = var.irsa_policy_enabled && length(var.irsa_policy) > 0
irsa_assume_role_enabled = var.irsa_assume_role_enabled && length(var.irsa_assume_role_arns) > 0
irsa_assume_role_policy_condition_values_default = length(var.service_account_namespace) > 0 && length(var.service_account_name) > 0 ? [
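Review bot: dropping the `coalesce(var.irsa_role_name_prefix, "${module.label.id}-irsa")` fallback removes the only code that guaranteed a non-empty role name. `irsa_role_name_prefix` and `irsa_role_name` both default to `""` (see the variables.tf hunk below), so with the defaults `local.irsa_role_name` becomes `trim("-", "-")`, i.e. an empty string, and nothing in the module now checks for that. Either add a `validation` block on the two variables or have the root module always pass a computed prefix; in both cases the descriptions should say where the name comes from now that the label-based default is gone.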
12 changes: 0 additions & 12 deletions modules/addon-irsa/label.tf

This file was deleted.

6 changes: 3 additions & 3 deletions modules/addon-irsa/variables.tf
Expand Up @@ -47,13 +47,13 @@ variable "irsa_role_create" {
variable "irsa_role_name_prefix" {
type = string
default = ""
description = "IRSA role name prefix. Defaults to addon IRSA component name (if provided) with `irsa` suffix."
description = "IRSA role name prefix."
}

variable "irsa_role_name" {
type = string
default = ""
description = "IRSA role name. The value is prefixed by `var.irsa_role_name_prefix`. Defaults to the addon Helm chart name."
description = "IRSA role name. The value is prefixed by `irsa_role_name_prefix`."
}

variable "irsa_policy_enabled" {
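Review bot: the new `irsa_role_name_prefix` description drops the sentence that explained the default, but the default (`""`) still stands, so the description should say what an empty prefix yields now that the label-based fallback in iam.tf is gone. The same applies to `irsa_role_name`, whose description no longer tells the caller that an empty value is allowed or what it produces; and since the README table for these inputs is generated from these descriptions, regenerate it in the same commit.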
Expand All @@ -65,7 +65,7 @@ variable "irsa_policy_enabled" {
variable "irsa_policy" {
type = string
default = ""
description = "Policy to be attached to the IRSA role. Applied only if `irsa_policy_enabled` is `true`."
description = "AWS IAM policy JSON document to be attached to the IRSA role. Applied only if `irsa_policy_enabled` is `true`."
}

variable "irsa_assume_role_enabled" {
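Review bot: the `irsa_policy` description now reads `AWS IAM policy JSON document`, which is a useful clarification, but the README row for `irsa_policy` in this same commit still reads `Policy to be attached to the IRSA role`; the table looks generated (terraform-docs style anchors), so re-run the generator so the two stay in sync.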
84 changes: 0 additions & 84 deletions modules/addon-oidc/context.tf

This file was deleted.

3 changes: 1 addition & 2 deletions modules/addon-oidc/iam.tf
@@ -1,8 +1,7 @@
locals {
oidc_provider_create = var.enabled && var.oidc_provider_create
oidc_role_create = var.enabled && var.oidc_role_create
oidc_role_name_prefix = coalesce(var.oidc_role_name_prefix, "${module.label.id}-oidc")
oidc_role_name = trim("${local.oidc_role_name_prefix}-${var.oidc_role_name}", "-")
oidc_role_name = trim("${var.oidc_role_name_prefix}-${var.oidc_role_name}", "-")
oidc_policy_enabled = var.oidc_policy_enabled && length(var.oidc_policy) > 0
oidc_assume_role_enabled = var.oidc_assume_role_enabled && length(var.oidc_assume_role_arns) > 0
}
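Review bot: this hunk has the same empty-name gap as the IRSA module: with `coalesce(var.oidc_role_name_prefix, "${module.label.id}-oidc")` gone, `local.oidc_role_name` is `trim("${var.oidc_role_name_prefix}-${var.oidc_role_name}", "-")`, which is `""` when both inputs are empty, and no validation catches it. The diff shown here also does not include `modules/addon-oidc/variables.tf`, so confirm that its `oidc_role_name_prefix` and `oidc_role_name` descriptions received the same update as the IRSA ones above.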
12 changes: 0 additions & 12 deletions modules/addon-oidc/label.tf

This file was deleted.

0 comments on commit 5a3dd5a

Please sign in to comment.