IMPORTANT: To successfully complete this example, you must first deploy the module by following the module workspace example.

Follow the steps below to attach the run task created from the module to a new HCP Terraform workspace. The new workspace will attempt to create multiple invalid IAM resources; the run task integration with IAM Access Analyzer validates them in the post-plan stage.
- Use the provided demo workspace configuration.

  ```shell
  cd examples/demo_workspace
  ```

- Change the org name to your own HCP Terraform org name. Optionally, change the workspace name.

  ```hcl
  terraform {
    cloud {
      # TODO: Change this to your HCP Terraform org name.
      organization = "wellsiau-org"

      # OPTIONAL: Change the workspace name
      workspaces {
        name = "AWS-Runtask-IAM-Access-Analyzer-Demo"
      }
    }
    ...
  }
  ```

- Populate the required variables, replacing the placeholder values below.

  ```shell
  echo 'tfc_org="<enter your org name here>"' >> tf.auto.tfvars
  echo 'aws_region="<enter the AWS region here>"' >> tf.auto.tfvars
  echo 'runtask_id="<enter the Run Task ID output from previous module deployment>"' >> tf.auto.tfvars
  echo 'demo_workspace_name="<enter the same workspace name as in your terraform - cloud block>"' >> tf.auto.tfvars
  ```

- Initialize HCP Terraform.

  ```shell
  terraform init
  ```

- We recommend configuring dynamic credentials to provision to AWS from your HCP Terraform workspace or organization. Follow these instructions to learn more.

- In order to create and configure the run tasks, you also need an HCP Terraform token stored as a variable or variable set in the workspace. Add the `TFE_HOSTNAME` and `TFE_TOKEN` environment variables to the same variable set or directly on the workspace.

- Enable the flag to attach the run task to the demo workspace.

  ```shell
  echo 'flag_attach_runtask="true"' >> tf.auto.tfvars
  terraform apply
  ```

- Navigate back to HCP Terraform, locate the new demo workspace and confirm that the run task is attached to it.

The following steps deploy a simple IAM policy with invalid permissions. This should trigger the run task to report a failure and stop the apply.

- Enable the flag to deploy the invalid IAM policy to the demo workspace.

  ```shell
  echo 'flag_deploy_invalid_resource="true"' >> tf.auto.tfvars
  ```

- Run Terraform apply again.

  ```shell
  terraform apply
  ```

- Terraform apply will fail due to several errors; use the CloudWatch link in the run task output to review them.
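As an added example (not the demo workspace's own code), the flag-gated attachment performed by the steps above can be expressed with the `tfe` provider as follows. The variable names and the `tfe_organization.org`, `tfe_workspace.workspace` and `tfe_workspace_run_task.aws-iam-analyzer-attach` names match the tables below; the `count` guard and the `validation` blocks are assumptions added for illustration, not taken from the demo's source.

```hcl
# Added example: attach the IAM Access Analyzer run task to the demo workspace
# only while flag_attach_runtask is true. Resource/data names follow the tables
# in this README; the validation blocks and count guard are assumptions.

variable "tfc_org"             { type = string }
variable "demo_workspace_name" { type = string }
variable "runtask_id"          { type = string }

variable "flag_attach_runtask" {
  type    = bool
  default = false
}

variable "runtask_enforcement_level" {
  type    = string
  default = "mandatory" # "advisory" would only warn; "mandatory" blocks the run on failure
  validation {
    condition     = contains(["advisory", "mandatory"], var.runtask_enforcement_level)
    error_message = "runtask_enforcement_level must be \"advisory\" or \"mandatory\"."
  }
}

variable "runtask_stage" {
  type    = string
  default = "post_plan" # the analyzer needs the plan output to evaluate the IAM policies
  validation {
    condition     = contains(["pre_plan", "post_plan", "pre_apply"], var.runtask_stage)
    error_message = "runtask_stage must be pre_plan, post_plan or pre_apply."
  }
}

data "tfe_organization" "org" {
  name = var.tfc_org
}

# The demo workspace itself is the one the terraform { cloud { ... } } block targets.
data "tfe_workspace" "workspace" {
  name         = var.demo_workspace_name
  organization = data.tfe_organization.org.name
}

# count = 0 when the flag is false, so flipping the flag back and applying
# detaches the run task again instead of leaving a stale attachment behind.
resource "tfe_workspace_run_task" "aws-iam-analyzer-attach" {
  count             = var.flag_attach_runtask ? 1 : 0
  workspace_id      = data.tfe_workspace.workspace.id
  task_id           = var.runtask_id
  enforcement_level = var.runtask_enforcement_level
  stage             = var.runtask_stage
}
```

With `enforcement_level = "mandatory"` and `stage = "post_plan"`, a failed validation from IAM Access Analyzer stops the run before apply, which is the behaviour the invalid-policy steps above rely on; switching to `"advisory"` would surface the same findings but let the apply proceed.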
## Requirements

| Name | Version |
|---|---|
| terraform | >= 1.0.7 |
| aws | >=5.72.0 |
| tfe | >=0.38.0 |

## Providers

| Name | Version |
|---|---|
| aws | >=5.72.0 |
| tfe | >=0.38.0 |

## Modules

No modules.

## Resources

| Name | Type |
|---|---|
| aws_cloudwatch_log_group.sample_log | resource |
| aws_iam_policy.policy_with_computed_values | resource |
| aws_iam_policy.policy_with_data_source | resource |
| aws_iam_policy.policy_with_eof | resource |
| aws_iam_role.invalid_assume_role | resource |
| aws_iam_role_policy.invalid_iam_role_policy | resource |
| aws_kms_key.invalid_kms_key_policy | resource |
| aws_organizations_policy.invalid_scp_policy | resource |
| tfe_workspace_run_task.aws-iam-analyzer-attach | resource |
| aws_caller_identity.current_account | data source |
| aws_iam_policy_document.invalid_kms_key_policy | data source |
| aws_iam_policy_document.policy_with_data_source | data source |
| aws_partition.current_partition | data source |
| aws_region.current_region | data source |
| tfe_organization.org | data source |
| tfe_workspace.workspace | data source |

## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aws_region | The region from which this module will be executed. | string | n/a | yes |
| demo_workspace_name | The workspace name | string | n/a | yes |
| runtask_id | The run task id of the IAM Access Analyzer run task | string | n/a | yes |
| tfc_org | Terraform Organization name | string | n/a | yes |
| flag_attach_runtask | Switch this flag to true to attach the run task to the workspace | bool | false | no |
| flag_deploy_invalid_resource | Switch this flag to true to deploy sample invalid IAM policy and validate it with Run Task | bool | false | no |
| runtask_enforcement_level | The enforcement level given to the attached run task (optional) | string | "mandatory" | no |
| runtask_stage | The run stage at which the attached run task executes (optional) | string | "post_plan" | no |

## Outputs

No outputs.