diff --git a/examples/s3/README.md b/examples/s3/README.md new file mode 100644 index 0000000..10af062 --- /dev/null +++ b/examples/s3/README.md 
@@ -0,0 +1,73 @@ +# AWS S3 + +This example configures an S3 bucket resource definition, with two different access policies: + +* `basic-admin` (full access) +* `basic-read-only` (read-only access) + +Those resources can be used in your score file like: + +```yaml +resources: + ... + s3: + type: s3 + class: basic-admin +``` + +The workload service account will automatically be assigned the necessary AWS IAM Role with the selected IAM Policy. + + +## Requirements + +| Name | Version | +|------|---------| +| terraform | >= 1.3.0 | +| humanitec | ~> 0 | + +## Providers + +| Name | Version | +|------|---------| +| humanitec | ~> 0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| iam\_policy\_s3\_admin | ../../humanitec-resource-defs/iam-policy/s3 | n/a | +| iam\_policy\_s3\_read\_only | ../../humanitec-resource-defs/iam-policy/s3 | n/a | +| iam\_role\_service\_account | ../../humanitec-resource-defs/iam-role/service-account | n/a | +| k8s\_service\_account | ../../humanitec-resource-defs/k8s/service-account | n/a | +| s3\_basic | ../../humanitec-resource-defs/s3/basic | n/a | +| s3\_basic\_admin | ../../humanitec-resource-defs/s3/passthrough | n/a | +| s3\_basic\_read\_only | ../../humanitec-resource-defs/s3/passthrough | n/a | +| workload | ../../humanitec-resource-defs/workload/service-account | n/a | + +## Resources + +| Name | Type | +|------|------| +| [humanitec_application.example](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource | +| [humanitec_resource_definition_criteria.iam_policy_s3_admin](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | +| [humanitec_resource_definition_criteria.iam_policy_s3_read_only](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | +| 
[humanitec_resource_definition_criteria.iam_role_service_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | +| [humanitec_resource_definition_criteria.k8s_service_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | +| [humanitec_resource_definition_criteria.s3_basic](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | +| [humanitec_resource_definition_criteria.s3_basic_admin](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | +| [humanitec_resource_definition_criteria.s3_basic_read_only](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | +| [humanitec_resource_definition_criteria.workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| access\_key | AWS Access Key | `string` | n/a | yes | +| oidc\_provider | IAM OIDC Provider in the format "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE" | `string` | n/a | yes | +| oidc\_provider\_arn | IAM OIDC Provider ARN in the format "arn:aws:iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE" | `string` | n/a | yes | +| region | AWS Region | `string` | n/a | yes | +| secret\_key | AWS Secret Key | `string` | n/a | yes | +| name | Name of the example application | `string` | `"s3-test"` | no | +| resource\_packs\_aws\_rev | AWS Resource Pack git branch | `string` | `"refs/heads/main"` | no | +| resource\_packs\_aws\_url | AWS Resource Pack git url | `string` | 
`"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no | + diff --git a/examples/s3/main.tf b/examples/s3/main.tf new file mode 100644 index 0000000..ac323f1 --- /dev/null +++ b/examples/s3/main.tf 
@@ -0,0 +1,174 @@ +locals { + res_def_prefix = "${var.name}-" +} + +resource "humanitec_application" "example" { + id = var.name + name = var.name +} + +# S3 bucket + +locals { + # Classes used to build the resource definition graph + s3_basic_class = "basic" + s3_admin_policy_class = "s3-basic-admin" + s3_read_only_policy_class = "s3-basic-read-only" + + # Classes that developers can select from + s3_basic_admin_class = "basic-admin" + s3_basic_read_only_class = "basic-read-only" +} + +# Define s3 bucket basic "flavour" as base + +module "s3_basic" { + source = "../../humanitec-resource-defs/s3/basic" + + resource_packs_aws_url = var.resource_packs_aws_url + resource_packs_aws_rev = var.resource_packs_aws_rev + + access_key = var.access_key + secret_key = var.secret_key + region = var.region + + prefix = local.res_def_prefix +} + +resource "humanitec_resource_definition_criteria" "s3_basic" { + resource_definition_id = module.s3_basic.id + app_id = humanitec_application.example.id + class = local.s3_basic_class +} + +# Add different access policy to s3 basic bucket + +# Admin + +## Policy +module "iam_policy_s3_admin" { + source = "../../humanitec-resource-defs/iam-policy/s3" + + resource_packs_aws_url = var.resource_packs_aws_url + resource_packs_aws_rev = var.resource_packs_aws_rev + + access_key = var.access_key + secret_key = var.secret_key + region = var.region + + policy = "admin" + + prefix = local.res_def_prefix + + s3_resource_class = local.s3_basic_class +} + +resource "humanitec_resource_definition_criteria" "iam_policy_s3_admin" { + resource_definition_id = module.iam_policy_s3_admin.id + app_id = humanitec_application.example.id + class = local.s3_admin_policy_class +} + +## Exposed passthrough resource definition +module "s3_basic_admin" { + source = "../../humanitec-resource-defs/s3/passthrough" + + prefix = local.res_def_prefix + + s3_resource_class = local.s3_basic_class + policy_resource_class = local.s3_admin_policy_class +} + +resource 
"humanitec_resource_definition_criteria" "s3_basic_admin" { + resource_definition_id = module.s3_basic_admin.id + app_id = humanitec_application.example.id + class = local.s3_basic_admin_class +} + + +# Read-only + +## Policy +module "iam_policy_s3_read_only" { + source = "../../humanitec-resource-defs/iam-policy/s3" + + resource_packs_aws_url = var.resource_packs_aws_url + resource_packs_aws_rev = var.resource_packs_aws_rev + + access_key = var.access_key + secret_key = var.secret_key + region = var.region + + policy = "read-only" + + prefix = local.res_def_prefix + + s3_resource_class = local.s3_basic_class +} + +resource "humanitec_resource_definition_criteria" "iam_policy_s3_read_only" { + resource_definition_id = module.iam_policy_s3_read_only.id + app_id = humanitec_application.example.id + class = local.s3_read_only_policy_class +} + +## Exposed passthrough resource definition +module "s3_basic_read_only" { + source = "../../humanitec-resource-defs/s3/passthrough" + + prefix = local.res_def_prefix + + s3_resource_class = local.s3_basic_class + policy_resource_class = local.s3_read_only_policy_class +} + +resource "humanitec_resource_definition_criteria" "s3_basic_read_only" { + resource_definition_id = module.s3_basic_read_only.id + app_id = humanitec_application.example.id + class = local.s3_basic_read_only_class +} + + +# Required resources for workload identity + +module "k8s_service_account" { + source = "../../humanitec-resource-defs/k8s/service-account" + + prefix = local.res_def_prefix +} + +resource "humanitec_resource_definition_criteria" "k8s_service_account" { + resource_definition_id = module.k8s_service_account.id + app_id = humanitec_application.example.id +} + +module "iam_role_service_account" { + source = "../../humanitec-resource-defs/iam-role/service-account" + + resource_packs_aws_url = var.resource_packs_aws_url + resource_packs_aws_rev = var.resource_packs_aws_rev + + access_key = var.access_key + secret_key = var.secret_key + region = 
var.region + + oidc_provider = var.oidc_provider + oidc_provider_arn = var.oidc_provider_arn + prefix = local.res_def_prefix +} + +resource "humanitec_resource_definition_criteria" "iam_role_service_account" { + resource_definition_id = module.iam_role_service_account.id + app_id = humanitec_application.example.id +} + +module "workload" { + source = "../../humanitec-resource-defs/workload/service-account" + + prefix = local.res_def_prefix +} + +resource "humanitec_resource_definition_criteria" "workload" { + resource_definition_id = module.workload.id + app_id = humanitec_application.example.id +} diff --git a/examples/s3/providers.tf b/examples/s3/providers.tf new file mode 100644 index 0000000..2f2107a --- /dev/null +++ b/examples/s3/providers.tf @@ -0,0 +1,13 @@ +terraform { + required_providers { + humanitec = { + source = "humanitec/humanitec" + version = "~> 0" + } + } + + required_version = ">= 1.3.0" +} + + +provider "humanitec" {} diff --git a/examples/s3/terraform.tfvars.example b/examples/s3/terraform.tfvars.example new file mode 100644 index 0000000..a13a9b6 --- /dev/null +++ b/examples/s3/terraform.tfvars.example @@ -0,0 +1,24 @@ + +# AWS Access Key +access_key = "" + +# Name of the example application +name = "s3-test" + +# IAM OIDC Provider in the format "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE" +oidc_provider = "" + +# IAM OIDC Provider ARN in the format "arn:aws:iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE" +oidc_provider_arn = "" + +# AWS Region +region = "" + +# AWS Resource Pack git branch +resource_packs_aws_rev = "refs/heads/main" + +# AWS Resource Pack git url +resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git" + +# AWS Secret Key +secret_key = "" \ No newline at end of file diff --git a/examples/s3/variables.tf b/examples/s3/variables.tf new file mode 100644 index 0000000..c388e6a --- /dev/null 
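Review bot: The `locals` comment in examples/s3/main.tf separates "classes used to build the resource definition graph" (`basic`, `s3-basic-admin`, `s3-basic-read-only`) from "classes that developers can select from", but the criteria for `s3_basic` and both `iam_policy_s3_*` definitions are registered against the same `app_id` with no further restriction, so as far as this hunk shows a score file can request `class: basic` and receive the bare bucket with no IAM policy attached. If that is intended, the comment should say so, e.g. `# Note: these classes are still matchable from a score file; they are "internal" by convention only.`; if not, the criteria may need narrowing. The graph resolution itself (passthrough definitions pointing at `s3_basic_class` and the policy classes) reads correctly.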
+++ b/examples/s3/variables.tf
@@ -0,0 +1,42 @@
+variable "access_key" {
+ description = "AWS Access Key"
+ type = string
+}
+
+variable "secret_key" {
+ description = "AWS Secret Key"
+ type = string
+}
+
+variable "region" {
+ description = "AWS Region"
+ type = string
+}
+
+variable "oidc_provider" {
+ description = "IAM OIDC Provider in the format \"oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE\""
+ type = string
+}
+
+variable "oidc_provider_arn" {
+ description = "IAM OIDC Provider ARN in the format \"arn:aws:iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE\""
+ type = string
+}
+
+variable "resource_packs_aws_url" {
+ description = "AWS Resource Pack git url"
+ type = string
+ default = "https://github.com/humanitec-architecture/resource-packs-aws.git"
+}
+
+variable "resource_packs_aws_rev" {
+ description = "AWS Resource Pack git branch"
+ type = string
+ default = "refs/heads/main"
+}
+
+variable "name" {
+ description = "Name of the example application"
+ type = string
+ default = "s3-test"
+}
diff --git a/examples/sqs/README.md b/examples/sqs/README.md
index 6c866a5..9e88ed7 100644
--- a/examples/sqs/README.md
+++ b/examples/sqs/README.md
@@ -16,11 +16,9 @@
 | Name | Source | Version |
 |------|--------|---------|
-| iam\_policy\_s3\_admin | ../../humanitec-resource-defs/iam-policy/s3-admin | n/a |
 | iam\_policy\_sqs\_admin | ../../humanitec-resource-defs/iam-policy/sqs-admin | n/a |
 | iam\_role\_service\_account | ../../humanitec-resource-defs/iam-role/service-account | n/a |
 | k8s\_service\_account | ../../humanitec-resource-defs/k8s/service-account | n/a |
-| s3\_basic | ../../humanitec-resource-defs/s3/basic | n/a |
 | sqs\_basic | ../../humanitec-resource-defs/sqs/basic | n/a |
 | workload | ../../humanitec-resource-defs/workload/service-account | n/a |
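Review bot: `variable "access_key"` and `variable "secret_key"` in examples/s3/variables.tf are declared without `sensitive = true`, so the values, and the `secrets_string` attributes derived from them in the resource definitions, can appear unredacted in plan/apply output and in any CI log that captures it; the same omission is in the new humanitec-resource-defs/iam-policy/s3/variables.tf hunk later in this diff. providers.tf pins `required_version = ">= 1.3.0"`, so the attribute is available; add `sensitive = true` to both blocks. Forwarding the credentials through `secrets_string` on the driver side is already the right split, the flag only closes the Terraform-side exposure.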
@@ -29,11 +27,9 @@ | Name | Type | |------|------| | [humanitec_application.example](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource | -| [humanitec_resource_definition_criteria.iam_policy_s3_admin](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | | [humanitec_resource_definition_criteria.iam_policy_sqs_admin](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | | [humanitec_resource_definition_criteria.iam_role_service_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | | [humanitec_resource_definition_criteria.k8s_service_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | -| [humanitec_resource_definition_criteria.s3_basic](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | | [humanitec_resource_definition_criteria.sqs_basic](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | | [humanitec_resource_definition_criteria.workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | @@ -47,5 +43,6 @@ | secret\_key | n/a | `string` | n/a | yes | | name | n/a | `string` | `"item-list"` | no | | region | n/a | `string` | `"eu-central-1"` | no | -| resource\_packs\_aws\_rev | n/a | `string` | `"refs/heads/main"` | no | +| resource\_packs\_aws\_rev | AWS Resource Pack git branch | `string` | `"refs/heads/main"` | no | +| resource\_packs\_aws\_url | AWS Resource Pack git url | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no | \ No newline at end of file 
diff --git a/examples/sqs/main.tf b/examples/sqs/main.tf index 15f07c5..1334d16 100644 --- a/examples/sqs/main.tf +++ b/examples/sqs/main.tf @@ -10,9 +10,16 @@ variable "region" { default = "eu-central-1" } +variable "resource_packs_aws_url" { + description = "AWS Resource Pack git url" + type = string + default = "https://github.com/humanitec-architecture/resource-packs-aws.git" +} + variable "resource_packs_aws_rev" { - type = string - default = "refs/heads/main" + description = "AWS Resource Pack git branch" + type = string + default = "refs/heads/main" } variable "oidc_provider" { @@ -48,49 +55,6 @@ resource "humanitec_resource_definition_criteria" "k8s_service_account" { app_id = humanitec_application.example.id } -# S3 bucket - -locals { - s3_class = "default" - s3_admin_policy_class = "s3-admin" -} - -module "s3_basic" { - source = "../../humanitec-resource-defs/s3/basic" - - access_key = var.access_key - secret_key = var.secret_key - resource_packs_aws_rev = var.resource_packs_aws_rev - region = var.region - policy_classes = [local.s3_admin_policy_class] - - prefix = local.res_def_prefix -} - -resource "humanitec_resource_definition_criteria" "s3_basic" { - resource_definition_id = module.s3_basic.id - app_id = humanitec_application.example.id - class = local.s3_class -} - -module "iam_policy_s3_admin" { - source = "../../humanitec-resource-defs/iam-policy/s3-admin" - - access_key = var.access_key - secret_key = var.secret_key - resource_packs_aws_rev = var.resource_packs_aws_rev - region = var.region - - prefix = local.res_def_prefix - s3_resource_definition_class = local.s3_class -} - -resource "humanitec_resource_definition_criteria" "iam_policy_s3_admin" { - resource_definition_id = module.iam_policy_s3_admin.id - app_id = humanitec_application.example.id - class = local.s3_admin_policy_class -} - # SQS queue locals { 
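Review bot: `variable "resource_packs_aws_url"` and `variable "resource_packs_aws_rev"` in examples/sqs/main.tf default to a git URL plus `refs/heads/main`, so the Terraform module the Humanitec driver executes is whatever that branch holds at provisioning time rather than a fixed revision; the same defaults are in examples/s3/variables.tf, and the url variable is added to the ecr-create-repository, sqs-admin and iam-role/service-account variables.tf hunks further down. Since the commit turns the formerly hard-coded url into an input, the description is the place to state how it is meant to be used, e.g. `description = "AWS Resource Pack git ref; pin to a tag or commit SHA rather than a branch for reproducible provisioning"`. Whether a branch default is acceptable for the examples is a project decision; for the resource-def modules, which leave `resource_packs_aws_rev` without a default, the hint still helps whoever fills in terraform.tfvars.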
@@ -137,15 +101,16 @@ resource "humanitec_resource_definition_criteria" "iam_policy_sqs_admin" { module "iam_role_service_account" { source = "../../humanitec-resource-defs/iam-role/service-account" - access_key = var.access_key - secret_key = var.secret_key + resource_packs_aws_url = var.resource_packs_aws_url resource_packs_aws_rev = var.resource_packs_aws_rev - region = var.region + + access_key = var.access_key + secret_key = var.secret_key + region = var.region oidc_provider = var.oidc_provider oidc_provider_arn = var.oidc_provider_arn prefix = local.res_def_prefix - policy_classes = [] } resource "humanitec_resource_definition_criteria" "iam_role_service_account" { diff --git a/examples/sqs/terraform.tfvars.example b/examples/sqs/terraform.tfvars.example index 05ea2d4..19346db 100644 --- a/examples/sqs/terraform.tfvars.example +++ b/examples/sqs/terraform.tfvars.example @@ -1,7 +1,13 @@ -access_key = "" -name = "item-list" -oidc_provider = "" -oidc_provider_arn = "" -region = "eu-central-1" +access_key = "" +name = "item-list" +oidc_provider = "" +oidc_provider_arn = "" +region = "eu-central-1" + +# AWS Resource Pack git branch resource_packs_aws_rev = "refs/heads/main" -secret_key = "" \ No newline at end of file + +# AWS Resource Pack git url +resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git" + +secret_key = "" \ No newline at end of file diff --git a/humanitec-resource-defs/iam-policy/ecr-create-repository/README.md b/humanitec-resource-defs/iam-policy/ecr-create-repository/README.md index 8c014e6..25112e6 100644 --- a/humanitec-resource-defs/iam-policy/ecr-create-repository/README.md +++ b/humanitec-resource-defs/iam-policy/ecr-create-repository/README.md 
@@ -25,8 +25,9 @@ | access\_key | n/a | `string` | n/a | yes | | prefix | n/a | `string` | n/a | yes | | region | n/a | `string` | n/a | yes | -| resource\_packs\_aws\_rev | n/a | `string` | n/a | yes | +| resource\_packs\_aws\_rev | AWS Resource Pack git branch | `string` | n/a | yes | | secret\_key | n/a | `string` | n/a | yes | +| resource\_packs\_aws\_url | AWS Resource Pack git url | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no | ## Outputs diff --git a/humanitec-resource-defs/iam-policy/ecr-create-repository/main.tf b/humanitec-resource-defs/iam-policy/ecr-create-repository/main.tf index 9bfc4f3..5ab4cdb 100644 --- a/humanitec-resource-defs/iam-policy/ecr-create-repository/main.tf +++ b/humanitec-resource-defs/iam-policy/ecr-create-repository/main.tf @@ -16,7 +16,7 @@ resource "humanitec_resource_definition" "main" { source = { path = "modules/iam-policy/ecr-create-repository" rev = var.resource_packs_aws_rev - url = "https://github.com/humanitec-architecture/resource-packs-aws.git" + url = var.resource_packs_aws_url } variables = { diff --git a/humanitec-resource-defs/iam-policy/ecr-create-repository/terraform.tfvars.example b/humanitec-resource-defs/iam-policy/ecr-create-repository/terraform.tfvars.example index 5206eeb..b52a6af 100644 --- a/humanitec-resource-defs/iam-policy/ecr-create-repository/terraform.tfvars.example +++ b/humanitec-resource-defs/iam-policy/ecr-create-repository/terraform.tfvars.example @@ -1,5 +1,11 @@ -access_key = "" -prefix = "" -region = "" +access_key = "" +prefix = "" +region = "" + +# AWS Resource Pack git branch resource_packs_aws_rev = "" -secret_key = "" \ No newline at end of file + +# AWS Resource Pack git url +resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git" + +secret_key = "" \ No newline at end of file 
diff --git a/humanitec-resource-defs/iam-policy/ecr-create-repository/variables.tf b/humanitec-resource-defs/iam-policy/ecr-create-repository/variables.tf index 2399540..f5b3698 100644 --- a/humanitec-resource-defs/iam-policy/ecr-create-repository/variables.tf +++ b/humanitec-resource-defs/iam-policy/ecr-create-repository/variables.tf @@ -2,8 +2,15 @@ variable "prefix" { type = string } +variable "resource_packs_aws_url" { + description = "AWS Resource Pack git url" + type = string + default = "https://github.com/humanitec-architecture/resource-packs-aws.git" +} + variable "resource_packs_aws_rev" { - type = string + description = "AWS Resource Pack git branch" + type = string } variable "access_key" { diff --git a/humanitec-resource-defs/iam-policy/s3-admin/main.tf b/humanitec-resource-defs/iam-policy/s3-admin/main.tf deleted file mode 100644 index 7fae256..0000000 --- a/humanitec-resource-defs/iam-policy/s3-admin/main.tf +++ /dev/null @@ -1,33 +0,0 @@ -resource "humanitec_resource_definition" "main" { - driver_type = "humanitec/terraform" - id = "${var.prefix}iam-policy-s3-admin" - name = "${var.prefix}iam-policy-s3-admin" - type = "aws-policy" - - driver_inputs = { - secrets_string = jsonencode({ - variables = { - access_key = var.access_key - secret_key = var.secret_key - } - }) - - values_string = jsonencode({ - source = { - path = "modules/iam-policy/s3-admin" - rev = var.resource_packs_aws_rev - url = "https://github.com/humanitec-architecture/resource-packs-aws.git" - } - - variables = { - region = var.region, - prefix = "${var.prefix}$${context.res.id}" - s3_bucket_arn = "$${resources['s3.${var.s3_resource_definition_class}'].outputs.arn}" - - res_id = "$${context.res.id}" - app_id = "$${context.app.id}" - env_id = "$${context.env.id}" - } - }) - } -} diff --git a/humanitec-resource-defs/iam-policy/s3-admin/terraform.tfvars.example b/humanitec-resource-defs/iam-policy/s3-admin/terraform.tfvars.example deleted file mode 100644 index 60ed9a8..0000000 
--- a/humanitec-resource-defs/iam-policy/s3-admin/terraform.tfvars.example +++ /dev/null @@ -1,6 +0,0 @@ -access_key = "" -prefix = "" -region = "" -resource_packs_aws_rev = "" -s3_resource_definition_class = "" -secret_key = "" \ No newline at end of file diff --git a/humanitec-resource-defs/iam-policy/s3/README.md b/humanitec-resource-defs/iam-policy/s3/README.md new file mode 100644 index 0000000..9bb719e --- /dev/null +++ b/humanitec-resource-defs/iam-policy/s3/README.md @@ -0,0 +1,39 @@ + +## Requirements + +| Name | Version | +|------|---------| +| terraform | >= 1.3.0 | +| humanitec | ~> 0 | + +## Providers + +| Name | Version | +|------|---------| +| humanitec | ~> 0 | + +## Resources + +| Name | Type | +|------|------| +| [humanitec_resource_definition.main](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| access\_key | n/a | `string` | n/a | yes | +| policy | Name of the exposed policy | `string` | n/a | yes | +| prefix | n/a | `string` | n/a | yes | +| region | n/a | `string` | n/a | yes | +| resource\_packs\_aws\_rev | AWS Resource Pack git branch | `string` | n/a | yes | +| s3\_resource\_class | n/a | `string` | n/a | yes | +| secret\_key | n/a | `string` | n/a | yes | +| resource\_packs\_aws\_url | AWS Resource Pack git url | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| id | n/a | + \ No newline at end of file diff --git a/humanitec-resource-defs/iam-policy/s3/main.tf b/humanitec-resource-defs/iam-policy/s3/main.tf new file mode 100644 index 0000000..beec8f2 --- /dev/null +++ b/humanitec-resource-defs/iam-policy/s3/main.tf 
@@ -0,0 +1,37 @@
+resource "humanitec_resource_definition" "main" {
+ driver_type = "humanitec/terraform"
+ id = "${var.prefix}iam-policy-s3-${var.policy}"
+ name = "${var.prefix}iam-policy-s3-${var.policy}"
+ type = "aws-policy"
+
+ driver_inputs = {
+ secrets_string = jsonencode({
+ variables = {
+ access_key = var.access_key
+ secret_key = var.secret_key
+ }
+ })
+
+ values_string = jsonencode({
+ source = {
+ path = "modules/iam-policy/s3-${var.policy}"
+ rev = var.resource_packs_aws_rev
+ url = var.resource_packs_aws_url
+ }
+
+ variables = {
+ region = var.region,
+ prefix = "${var.prefix}$${context.res.id}"
+
+ res_id = "$${context.res.id}"
+ app_id = "$${context.app.id}"
+ env_id = "$${context.env.id}"
+ s3_bucket_arn = "$${resources['s3.${var.s3_resource_class}'].outputs.arn}"
+ }
+ })
+ }
+}
+
+variable "s3_resource_class" {
+ type = string
+}
diff --git a/humanitec-resource-defs/iam-policy/s3-admin/outputs.tf b/humanitec-resource-defs/iam-policy/s3/outputs.tf
similarity index 100%
rename from humanitec-resource-defs/iam-policy/s3-admin/outputs.tf
rename to humanitec-resource-defs/iam-policy/s3/outputs.tf
diff --git a/humanitec-resource-defs/iam-policy/s3-admin/providers.tf b/humanitec-resource-defs/iam-policy/s3/providers.tf
similarity index 100%
rename from humanitec-resource-defs/iam-policy/s3-admin/providers.tf
rename to humanitec-resource-defs/iam-policy/s3/providers.tf
diff --git a/humanitec-resource-defs/iam-policy/s3/terraform.tfvars.example b/humanitec-resource-defs/iam-policy/s3/terraform.tfvars.example
new file mode 100644
index 0000000..2d1910e
--- /dev/null
+++ b/humanitec-resource-defs/iam-policy/s3/terraform.tfvars.example
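Review bot: `variable "s3_resource_class"` is declared at the bottom of humanitec-resource-defs/iam-policy/s3/main.tf while every other input of this module lives in variables.tf (next hunk), so it is easy to miss and its README entry carries no description; move it to variables.tf with `description = "Class of the s3 resource definition whose bucket ARN this policy is scoped to"`. It is also spliced into the single-quoted lookup `resources['s3.${var.s3_resource_class}']` inside a JSON-encoded string, so a value containing a quote or bracket yields a malformed placeholder instead of an error; a `validation` block restricting it to `^[a-z0-9-]+$` would surface that at plan time. The rest of the definition keeps the same `secrets_string`/`values_string` shape as the deleted s3-admin module, with `${var.policy}` selecting the module path.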
@@ -0,0 +1,16 @@
+access_key = ""
+
+# Name of the exposed policy
+policy = ""
+
+prefix = ""
+region = ""
+
+# AWS Resource Pack git branch
+resource_packs_aws_rev = ""
+
+# AWS Resource Pack git url
+resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git"
+
+s3_resource_class = ""
+secret_key = ""
\ No newline at end of file
diff --git a/humanitec-resource-defs/iam-policy/s3/variables.tf b/humanitec-resource-defs/iam-policy/s3/variables.tf
new file mode 100644
index 0000000..7999dc8
--- /dev/null
+++ b/humanitec-resource-defs/iam-policy/s3/variables.tf
@@ -0,0 +1,31 @@
+variable "prefix" {
+ type = string
+}
+
+variable "resource_packs_aws_url" {
+ description = "AWS Resource Pack git url"
+ type = string
+ default = "https://github.com/humanitec-architecture/resource-packs-aws.git"
+}
+
+variable "resource_packs_aws_rev" {
+ description = "AWS Resource Pack git branch"
+ type = string
+}
+
+variable "access_key" {
+ type = string
+}
+
+variable "secret_key" {
+ type = string
+}
+
+variable "region" {
+ type = string
+}
+
+variable "policy" {
+ description = "Name of the exposed policy"
+ type = string
+}
diff --git a/humanitec-resource-defs/iam-policy/sqs-admin/README.md b/humanitec-resource-defs/iam-policy/sqs-admin/README.md
index 084c9a4..bffbb27 100644
--- a/humanitec-resource-defs/iam-policy/sqs-admin/README.md
+++ b/humanitec-resource-defs/iam-policy/sqs-admin/README.md
@@ -25,9 +25,10 @@
 | access\_key | n/a | `string` | n/a | yes |
 | prefix | n/a | `string` | n/a | yes |
 | region | n/a | `string` | n/a | yes |
-| resource\_packs\_aws\_rev | n/a | `string` | n/a | yes |
+| resource\_packs\_aws\_rev | AWS Resource Pack git branch | `string` | n/a | yes |
 | secret\_key | n/a | `string` | n/a | yes |
 | sqs\_resource\_definition\_class | n/a | `string` | n/a | yes |
+| resource\_packs\_aws\_url | AWS Resource Pack git url | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no |
 ## Outputs
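Review bot: `variable "policy"` in humanitec-resource-defs/iam-policy/s3/variables.tf is interpolated by main.tf into both the resource definition id and the module `path` (`modules/iam-policy/s3-${var.policy}`), yet it accepts any string, so a value with a slash, quote or space produces a definition that only fails once the driver tries to fetch the module. A `validation` block turns that into a plan-time error. As far as this diff shows only `admin` and `read-only` are consumed (examples/s3/main.tf), so a `contains([...])` list would also work if the upstream pack has no other policies; the pattern form below avoids hard-coding that. The description should also name the mapping it drives.

```hcl
variable "policy" {
  description = "Name of the exposed policy; selects modules/iam-policy/s3-<policy> in the resource pack"
  type        = string

  validation {
    condition     = can(regex("^[a-z0-9-]+$", var.policy))
    error_message = "policy must contain only lowercase letters, digits and hyphens."
  }
}
```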
diff --git a/humanitec-resource-defs/iam-policy/sqs-admin/main.tf b/humanitec-resource-defs/iam-policy/sqs-admin/main.tf index cd5a519..cc4635b 100644 --- a/humanitec-resource-defs/iam-policy/sqs-admin/main.tf +++ b/humanitec-resource-defs/iam-policy/sqs-admin/main.tf @@ -16,7 +16,7 @@ resource "humanitec_resource_definition" "main" { source = { path = "modules/iam-policy/sqs-admin" rev = var.resource_packs_aws_rev - url = "https://github.com/humanitec-architecture/resource-packs-aws.git" + url = var.resource_packs_aws_url } variables = { diff --git a/humanitec-resource-defs/iam-policy/sqs-admin/terraform.tfvars.example b/humanitec-resource-defs/iam-policy/sqs-admin/terraform.tfvars.example index fe1b427..09c2ef6 100644 --- a/humanitec-resource-defs/iam-policy/sqs-admin/terraform.tfvars.example +++ b/humanitec-resource-defs/iam-policy/sqs-admin/terraform.tfvars.example @@ -1,6 +1,12 @@ -access_key = "" -prefix = "" -region = "" -resource_packs_aws_rev = "" +access_key = "" +prefix = "" +region = "" + +# AWS Resource Pack git branch +resource_packs_aws_rev = "" + +# AWS Resource Pack git url +resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git" + secret_key = "" sqs_resource_definition_class = "" \ No newline at end of file diff --git a/humanitec-resource-defs/iam-policy/sqs-admin/variables.tf b/humanitec-resource-defs/iam-policy/sqs-admin/variables.tf index b55a237..7c05e9c 100644 --- a/humanitec-resource-defs/iam-policy/sqs-admin/variables.tf +++ b/humanitec-resource-defs/iam-policy/sqs-admin/variables.tf @@ -2,8 +2,15 @@ variable "prefix" { type = string } +variable "resource_packs_aws_url" { + description = "AWS Resource Pack git url" + type = string + default = "https://github.com/humanitec-architecture/resource-packs-aws.git" +} + variable "resource_packs_aws_rev" { - type = string + description = "AWS Resource Pack git branch" + type = string } variable "access_key" { 
diff --git a/humanitec-resource-defs/iam-role/service-account/README.md b/humanitec-resource-defs/iam-role/service-account/README.md index fb710ef..ce2d238 100644 --- a/humanitec-resource-defs/iam-role/service-account/README.md +++ b/humanitec-resource-defs/iam-role/service-account/README.md @@ -25,11 +25,11 @@ | access\_key | n/a | `string` | n/a | yes | | oidc\_provider | n/a | `string` | n/a | yes | | oidc\_provider\_arn | n/a | `string` | n/a | yes | -| policy\_classes | n/a | `list(string)` | n/a | yes | | prefix | n/a | `string` | n/a | yes | | region | n/a | `string` | n/a | yes | -| resource\_packs\_aws\_rev | n/a | `string` | n/a | yes | +| resource\_packs\_aws\_rev | AWS Resource Pack git branch | `string` | n/a | yes | | secret\_key | n/a | `string` | n/a | yes | +| resource\_packs\_aws\_url | AWS Resource Pack git url | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no | ## Outputs diff --git a/humanitec-resource-defs/iam-role/service-account/main.tf b/humanitec-resource-defs/iam-role/service-account/main.tf index 92ecc81..8e01f62 100644 --- a/humanitec-resource-defs/iam-role/service-account/main.tf +++ b/humanitec-resource-defs/iam-role/service-account/main.tf @@ -4,13 +4,6 @@ resource "humanitec_resource_definition" "main" { name = "${var.prefix}aws-workload-role" type = "aws-role" - provision = { - for s in var.policy_classes : "aws-policy.${s}" => { - match_dependents = true - is_dependent = false - } - } - driver_inputs = { secrets_string = jsonencode({ variables = { @@ -23,7 +16,7 @@ resource "humanitec_resource_definition" "main" { source = { path = "modules/iam-role/service-account" rev = var.resource_packs_aws_rev - url = "https://github.com/humanitec-architecture/resource-packs-aws.git" + url = var.resource_packs_aws_url } variables = { 
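Review bot: Dropping the `provision` block in humanitec-resource-defs/iam-role/service-account/main.tf removes the only place where this role definition said which `aws-policy` classes are provisioned with it, and the new code gives a reader no pointer to where that binding now lives (presumably the `s3/passthrough` module that examples/s3/main.tf references, which is not in this diff). A one-line comment above `driver_inputs` would keep the contract discoverable, e.g. `# Policy attachment is no longer declared here; passthrough resource definitions bind aws-policy classes to the consuming resource.` The enclosing `humanitec_resource_definition.main` starts before the first hunk and continues after the second. The matching removal of `policy_classes` from examples/sqs/main.tf and from this module's variables.tf is consistent with the change.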
diff --git a/humanitec-resource-defs/iam-role/service-account/terraform.tfvars.example b/humanitec-resource-defs/iam-role/service-account/terraform.tfvars.example index d3b19d6..47db3bc 100644 --- a/humanitec-resource-defs/iam-role/service-account/terraform.tfvars.example +++ b/humanitec-resource-defs/iam-role/service-account/terraform.tfvars.example @@ -1,8 +1,13 @@ -access_key = "" -oidc_provider = "" -oidc_provider_arn = "" -policy_classes = "" -prefix = "" -region = "" +access_key = "" +oidc_provider = "" +oidc_provider_arn = "" +prefix = "" +region = "" + +# AWS Resource Pack git branch resource_packs_aws_rev = "" -secret_key = "" \ No newline at end of file + +# AWS Resource Pack git url +resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git" + +secret_key = "" \ No newline at end of file diff --git a/humanitec-resource-defs/iam-role/service-account/variables.tf b/humanitec-resource-defs/iam-role/service-account/variables.tf index ec26ba0..22b84f1 100644 --- a/humanitec-resource-defs/iam-role/service-account/variables.tf +++ b/humanitec-resource-defs/iam-role/service-account/variables.tf @@ -2,10 +2,16 @@ variable "prefix" { type = string } -variable "resource_packs_aws_rev" { - type = string +variable "resource_packs_aws_url" { + description = "AWS Resource Pack git url" + type = string + default = "https://github.com/humanitec-architecture/resource-packs-aws.git" } +variable "resource_packs_aws_rev" { + description = "AWS Resource Pack git branch" + type = string +} variable "access_key" { type = string @@ -26,7 +32,3 @@ variable "oidc_provider" { variable "oidc_provider_arn" { type = string } - -variable "policy_classes" { - type = list(string) -} diff --git a/humanitec-resource-defs/k8s/service-account/main.tf b/humanitec-resource-defs/k8s/service-account/main.tf index 98b0aa9..4552067 100644 --- a/humanitec-resource-defs/k8s/service-account/main.tf +++ b/humanitec-resource-defs/k8s/service-account/main.tf 
@@ -23,7 +23,9 @@ serviceaccount.yaml: metadata: name: $${resources.aws-role.outputs.k8s_service_account_name} annotations: + {{- if "$${resources.aws-role.outputs.role_arn}}" }} eks.amazonaws.com/role-arn: $${resources.aws-role.outputs.role_arn} + {{- end }} context: {{trimPrefix "modules." "$${context.res.id}"}} res: $${context.res.id} app: $${context.app.id} diff --git a/humanitec-resource-defs/rds/aurora/README.md b/humanitec-resource-defs/rds/aurora/README.md index 0514d5d..90bf3cc 100644 --- a/humanitec-resource-defs/rds/aurora/README.md +++ b/humanitec-resource-defs/rds/aurora/README.md @@ -30,6 +30,7 @@ | name | n/a | `string` | n/a | yes | | prefix | n/a | `string` | n/a | yes | | region | n/a | `string` | n/a | yes | +| resource\_packs\_aws\_rev | AWS Resource Pack git branch | `string` | n/a | yes | | secret\_key | n/a | `string` | n/a | yes | | subnets | n/a | `set(string)` | n/a | yes | | vpc | n/a | `string` | n/a | yes | @@ -47,8 +48,7 @@ | engine\_version | n/a | `string` | `"14.7"` | no | | group\_family | n/a | `string` | `"aurora-postgresql14"` | no | | instances | n/a | `map(any)` |
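Review bot: The placeholder in the new guard, `{{- if "$${resources.aws-role.outputs.role_arn}}" }}`, carries one more closing brace than the `eks.amazonaws.com/role-arn: $${resources.aws-role.outputs.role_arn}` line it wraps, so after substitution the literal looks to become `<arn>}` — or just `}` when no role was created — and a non-empty string literal is truthy, which would render the annotation even with an empty ARN. If that extra brace is not deliberate, `{{- if "$${resources.aws-role.outputs.role_arn}" }}` restores the empty-string check that the `role_arn` output in modules/iam-role/service-account/outputs.tf is designed for. The surrounding template starts outside the hunk.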
{
"1": {
"db_parameter_group_name": "default.aurora-postgresql14",
"instance_class": "db.r5.2xlarge",
"publicly_accessible": true
},
"2": {
"identifier": "static-member-1",
"instance_class": "db.r5.2xlarge"
}
}
| no | -| resource\_packs\_aws\_rev | n/a | `string` | `"ref/heads/main"` | no | -| resource\_packs\_aws\_url | n/a | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no | +| resource\_packs\_aws\_url | AWS Resource Pack git url | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no | | security\_group\_rules | n/a | `any` | `{}` | no | | skip\_final\_snapshot | n/a | `bool` | `true` | no | | storage\_encrypted | n/a | `bool` | `true` | no | diff --git a/humanitec-resource-defs/rds/aurora/terraform.tfvars.example b/humanitec-resource-defs/rds/aurora/terraform.tfvars.example index ef00e98..2a23fe1 100644 --- a/humanitec-resource-defs/rds/aurora/terraform.tfvars.example +++ b/humanitec-resource-defs/rds/aurora/terraform.tfvars.example @@ -25,18 +25,23 @@ instances = { "instance_class": "db.r5.2xlarge" } } -master_password = "" -master_username = "" -name = "" -prefix = "" -region = "" -resource_packs_aws_rev = "ref/heads/main" +master_password = "" +master_username = "" +name = "" +prefix = "" +region = "" + +# AWS Resource Pack git branch +resource_packs_aws_rev = "" + +# AWS Resource Pack git url resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git" -secret_key = "" -security_group_rules = {} -skip_final_snapshot = true -storage_encrypted = true -storage_type = "aurora" -subnets = "" -type = "postgres" -vpc = "" \ No newline at end of file + +secret_key = "" +security_group_rules = {} +skip_final_snapshot = true +storage_encrypted = true +storage_type = "aurora" +subnets = "" +type = "postgres" +vpc = "" \ No newline at end of file diff --git a/humanitec-resource-defs/rds/aurora/variables.tf b/humanitec-resource-defs/rds/aurora/variables.tf index c6a1800..22d5faa 100644 --- a/humanitec-resource-defs/rds/aurora/variables.tf +++ b/humanitec-resource-defs/rds/aurora/variables.tf 
@@ -2,14 +2,15 @@ variable "prefix" { type = string } -variable "resource_packs_aws_rev" { - type = string - default = "ref/heads/main" +variable "resource_packs_aws_url" { + description = "AWS Resource Pack git url" + type = string + default = "https://github.com/humanitec-architecture/resource-packs-aws.git" } -variable "resource_packs_aws_url" { - type = string - default = "https://github.com/humanitec-architecture/resource-packs-aws.git" +variable "resource_packs_aws_rev" { + description = "AWS Resource Pack git branch" + type = string } variable "access_key" { diff --git a/humanitec-resource-defs/rds/basic/README.md b/humanitec-resource-defs/rds/basic/README.md index 70e8f1b..1679912 100644 --- a/humanitec-resource-defs/rds/basic/README.md +++ b/humanitec-resource-defs/rds/basic/README.md @@ -29,6 +29,7 @@ | password | n/a | `string` | n/a | yes | | prefix | n/a | `string` | n/a | yes | | region | n/a | `string` | n/a | yes | +| resource\_packs\_aws\_rev | AWS Resource Pack git branch | `string` | n/a | yes | | secret\_key | n/a | `string` | n/a | yes | | subnet\_ids | n/a | `set(string)` | n/a | yes | | username | n/a | `string` | n/a | yes | @@ -57,8 +58,7 @@ | performance\_insights\_enabled | n/a | `bool` | `true` | no | | performance\_insights\_retention\_period | n/a | `number` | `7` | no | | port | n/a | `number` | `5432` | no | -| resource\_packs\_aws\_rev | n/a | `string` | `"ref/heads/main"` | no | -| resource\_packs\_aws\_url | n/a | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no | +| resource\_packs\_aws\_url | AWS Resource Pack git url | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no | | skip\_final\_snapshot | n/a | `bool` | `true` | no | | type | n/a | `string` | `"postgres"` | no | diff --git a/humanitec-resource-defs/rds/basic/terraform.tfvars.example b/humanitec-resource-defs/rds/basic/terraform.tfvars.example index fbc8f40..b5db5c4 100644 
--- a/humanitec-resource-defs/rds/basic/terraform.tfvars.example +++ b/humanitec-resource-defs/rds/basic/terraform.tfvars.example @@ -29,11 +29,16 @@ performance_insights_retention_period = 7 port = 5432 prefix = "" region = "" -resource_packs_aws_rev = "ref/heads/main" -resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git" -secret_key = "" -skip_final_snapshot = true -subnet_ids = "" -type = "postgres" -username = "" -vpc_security_group_ids = "" \ No newline at end of file + +# AWS Resource Pack git branch +resource_packs_aws_rev = "" + +# AWS Resource Pack git url +resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git" + +secret_key = "" +skip_final_snapshot = true +subnet_ids = "" +type = "postgres" +username = "" +vpc_security_group_ids = "" \ No newline at end of file diff --git a/humanitec-resource-defs/rds/basic/variables.tf b/humanitec-resource-defs/rds/basic/variables.tf index a2a5ba2..1b728d9 100644 --- a/humanitec-resource-defs/rds/basic/variables.tf +++ b/humanitec-resource-defs/rds/basic/variables.tf @@ -2,14 +2,15 @@ variable "prefix" { type = string } -variable "resource_packs_aws_rev" { - type = string - default = "ref/heads/main" +variable "resource_packs_aws_url" { + description = "AWS Resource Pack git url" + type = string + default = "https://github.com/humanitec-architecture/resource-packs-aws.git" } -variable "resource_packs_aws_url" { - type = string - default = "https://github.com/humanitec-architecture/resource-packs-aws.git" +variable "resource_packs_aws_rev" { + description = "AWS Resource Pack git branch" + type = string } variable "region" { @@ -182,4 +183,4 @@ variable "monitoring_role_description" { variable "parameters" { type = set(any) default = [] -} \ No newline at end of file +} diff --git a/humanitec-resource-defs/redis/basic/README.md b/humanitec-resource-defs/redis/basic/README.md index 4c831cb..aa6dbe2 100644 
--- a/humanitec-resource-defs/redis/basic/README.md +++ b/humanitec-resource-defs/redis/basic/README.md @@ -25,13 +25,13 @@ | access\_key | AWS Access Key | `string` | n/a | yes | | prefix | Prefix for all resources | `string` | n/a | yes | | region | AWS Region | `string` | n/a | yes | +| resource\_packs\_aws\_rev | AWS Resource Pack git branch | `string` | n/a | yes | | secret\_key | AWS Secret Key | `string` | n/a | yes | | security\_group\_ids | List of AWS security group IDs to use for the AWS ElastiCache cluster | `set(string)` | n/a | yes | | subnet\_group\_name | Name of the AWS ElastiCache subnet group to use | `string` | n/a | yes | | node\_type | AWS ElastiCache node type | `string` | `"cache.t4g.micro"` | no | | num\_cache\_clusters | Number of AWS ElastiCache clusters | `number` | `1` | no | | parameter\_group\_name | AWS ElastiCache parameter group name | `string` | `"default.redis7.cluster.on"` | no | -| resource\_packs\_aws\_rev | AWS Resource Pack git branch | `string` | `"refs/heads/main"` | no | | resource\_packs\_aws\_url | AWS Resource Pack git url | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no | ## Outputs diff --git a/humanitec-resource-defs/redis/basic/terraform.tfvars.example b/humanitec-resource-defs/redis/basic/terraform.tfvars.example index 6c210f8..e849f4d 100644 --- a/humanitec-resource-defs/redis/basic/terraform.tfvars.example +++ b/humanitec-resource-defs/redis/basic/terraform.tfvars.example @@ -18,7 +18,7 @@ prefix = "" region = "" # AWS Resource Pack git branch -resource_packs_aws_rev = "refs/heads/main" +resource_packs_aws_rev = "" # AWS Resource Pack git url resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git" diff --git a/humanitec-resource-defs/redis/basic/variables.tf b/humanitec-resource-defs/redis/basic/variables.tf index 8b59aae..55f20d8 100644 --- a/humanitec-resource-defs/redis/basic/variables.tf 
+++ b/humanitec-resource-defs/redis/basic/variables.tf @@ -12,7 +12,6 @@ variable "resource_packs_aws_url" { variable "resource_packs_aws_rev" { description = "AWS Resource Pack git branch" type = string - default = "refs/heads/main" } variable "access_key" { diff --git a/humanitec-resource-defs/s3/basic/README.md b/humanitec-resource-defs/s3/basic/README.md index f182ef4..25112e6 100644 --- a/humanitec-resource-defs/s3/basic/README.md +++ b/humanitec-resource-defs/s3/basic/README.md @@ -23,11 +23,11 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | access\_key | n/a | `string` | n/a | yes | -| policy\_classes | n/a | `list(string)` | n/a | yes | | prefix | n/a | `string` | n/a | yes | | region | n/a | `string` | n/a | yes | -| resource\_packs\_aws\_rev | n/a | `string` | n/a | yes | +| resource\_packs\_aws\_rev | AWS Resource Pack git branch | `string` | n/a | yes | | secret\_key | n/a | `string` | n/a | yes | +| resource\_packs\_aws\_url | AWS Resource Pack git url | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no | ## Outputs diff --git a/humanitec-resource-defs/s3/basic/main.tf b/humanitec-resource-defs/s3/basic/main.tf index dcb697f..8dab176 100644 --- a/humanitec-resource-defs/s3/basic/main.tf +++ b/humanitec-resource-defs/s3/basic/main.tf @@ -4,13 +4,6 @@ resource "humanitec_resource_definition" "main" { name = "${var.prefix}s3-basic" type = "s3" - provision = { - for s in var.policy_classes : "aws-policy.${s}" => { - match_dependents = true - is_dependent = false - } - } - driver_inputs = { secrets_string = jsonencode({ variables = { @@ -23,7 +16,7 @@ resource "humanitec_resource_definition" "main" { source = { path = "modules/s3/basic" rev = var.resource_packs_aws_rev - url = "https://github.com/humanitec-architecture/resource-packs-aws.git" + url = var.resource_packs_aws_url } variables = { 
diff --git a/humanitec-resource-defs/s3/basic/terraform.tfvars.example b/humanitec-resource-defs/s3/basic/terraform.tfvars.example index 29b3cfe..b52a6af 100644 --- a/humanitec-resource-defs/s3/basic/terraform.tfvars.example +++ b/humanitec-resource-defs/s3/basic/terraform.tfvars.example @@ -1,6 +1,11 @@ -access_key = "" -policy_classes = "" -prefix = "" -region = "" +access_key = "" +prefix = "" +region = "" + +# AWS Resource Pack git branch resource_packs_aws_rev = "" -secret_key = "" \ No newline at end of file + +# AWS Resource Pack git url +resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git" + +secret_key = "" \ No newline at end of file diff --git a/humanitec-resource-defs/s3/basic/variables.tf b/humanitec-resource-defs/s3/basic/variables.tf index 117ecc4..f5b3698 100644 --- a/humanitec-resource-defs/s3/basic/variables.tf +++ b/humanitec-resource-defs/s3/basic/variables.tf @@ -2,8 +2,15 @@ variable "prefix" { type = string } +variable "resource_packs_aws_url" { + description = "AWS Resource Pack git url" + type = string + default = "https://github.com/humanitec-architecture/resource-packs-aws.git" +} + variable "resource_packs_aws_rev" { - type = string + description = "AWS Resource Pack git branch" + type = string } variable "access_key" { @@ -17,7 +24,3 @@ variable "secret_key" { variable "region" { type = string } - -variable "policy_classes" { - type = list(string) -} diff --git a/humanitec-resource-defs/iam-policy/s3-admin/README.md b/humanitec-resource-defs/s3/passthrough/README.md similarity index 71% rename from humanitec-resource-defs/iam-policy/s3-admin/README.md rename to humanitec-resource-defs/s3/passthrough/README.md index 838fbe2..21a4f67 100644 --- a/humanitec-resource-defs/iam-policy/s3-admin/README.md +++ b/humanitec-resource-defs/s3/passthrough/README.md 
@@ -22,12 +22,9 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| access\_key | n/a | `string` | n/a | yes | +| policy\_resource\_class | n/a | `string` | n/a | yes | | prefix | n/a | `string` | n/a | yes | -| region | n/a | `string` | n/a | yes | -| resource\_packs\_aws\_rev | n/a | `string` | n/a | yes | -| s3\_resource\_definition\_class | n/a | `string` | n/a | yes | -| secret\_key | n/a | `string` | n/a | yes | +| s3\_resource\_class | n/a | `string` | n/a | yes | ## Outputs diff --git a/humanitec-resource-defs/s3/passthrough/main.tf b/humanitec-resource-defs/s3/passthrough/main.tf new file mode 100644 index 0000000..26624a1 --- /dev/null +++ b/humanitec-resource-defs/s3/passthrough/main.tf 
@@ -0,0 +1,25 @@ +resource "humanitec_resource_definition" "main" { + driver_type = "humanitec/template" + id = "${var.prefix}s3-${var.s3_resource_class}-${var.policy_resource_class}" + name = "${var.prefix}s3-${var.s3_resource_class}-${var.policy_resource_class}" + type = "s3" + + driver_inputs = { + values_string = jsonencode({ + templates = { + outputs = < +## Requirements + +| Name | Version | +|------|---------| +| terraform | >= 1.3.0 | +| aws | ~> 5.0 | + +## Providers + +| Name | Version | +|------|---------| +| aws | ~> 5.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_policy.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy_document.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| access\_key | n/a | `string` | n/a | yes | +| app\_id | n/a | `string` | n/a | yes | +| env\_id | n/a | `string` | n/a | yes | +| prefix | n/a | `string` | n/a | yes | +| region | n/a | `string` | n/a | yes | +| res\_id | n/a | `string` | n/a | yes | +| s3\_bucket\_arn | n/a | `string` | n/a | yes | +| secret\_key | n/a | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| arn | n/a | + \ No newline at end of file diff --git a/modules/iam-policy/s3-read-only/main.tf b/modules/iam-policy/s3-read-only/main.tf new file mode 100644 index 0000000..feb7e9d --- /dev/null +++ b/modules/iam-policy/s3-read-only/main.tf 
@@ -0,0 +1,28 @@
+data "aws_iam_policy_document" "main" {
+ statement {
+ actions = [
+ "s3:ListBucket",
+ ]
+
+ resources = [
+ var.s3_bucket_arn,
+ ]
+ }
+
+ statement {
+ actions = [
+ "s3:Get*",
+ ]
+
+ resources = [
+ "${var.s3_bucket_arn}/*"
+ ]
+ }
+}
+
+
+resource "aws_iam_policy" "main" {
+ name = "${var.prefix}s3-read-only"
+ description = "Allows read-only access to S3 buckets"
+ policy = data.aws_iam_policy_document.main.json
+}
diff --git a/modules/iam-policy/s3-read-only/outputs.tf b/modules/iam-policy/s3-read-only/outputs.tf
new file mode 100644
index 0000000..bbea1ea
--- /dev/null
+++ b/modules/iam-policy/s3-read-only/outputs.tf
@@ -0,0 +1,3 @@
+output "arn" {
+ value = aws_iam_policy.main.arn
+}
diff --git a/modules/iam-policy/s3-read-only/providers.tf b/modules/iam-policy/s3-read-only/providers.tf
new file mode 100644
index 0000000..54e12d3
--- /dev/null
+++ b/modules/iam-policy/s3-read-only/providers.tf
@@ -0,0 +1,27 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+
+ required_version = ">= 1.3.0"
+}
+
+provider "aws" {
+ # Injected via the humanitec-terraform-driver
+ access_key = var.access_key
+ secret_key = var.secret_key
+ region = var.region
+
+ # TODO
+ default_tags {
+ tags = {
+ "managed-by" = "humanitec"
+ "hum-app-id" = var.app_id
+ "hum-env-id" = var.env_id
+ "hum-res-id" = var.res_id
+ }
+ }
+}
diff --git a/modules/iam-policy/s3-read-only/terraform.tfvars.example b/modules/iam-policy/s3-read-only/terraform.tfvars.example
new file mode 100644
index 0000000..78c933b
--- /dev/null
+++ b/modules/iam-policy/s3-read-only/terraform.tfvars.example
@@ -0,0 +1,8 @@
+access_key = ""
+app_id = ""
+env_id = ""
+prefix = ""
+region = ""
+res_id = ""
+s3_bucket_arn = ""
+secret_key = ""
\ No newline at end of file
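Review bot: `name = "${var.prefix}s3-read-only"` is a fixed IAM policy name, while providers.tf tags the policy with `hum-app-id`/`hum-env-id`/`hum-res-id`, which suggests one policy per resource; customer-managed policy names are unique per account, so a second instantiation with the same prefix would fail on create. The sibling role module already uses `name_prefix = var.prefix`; the same form here, `name_prefix = "${var.prefix}s3-read-only-"`, avoids the collision. Separately, `"s3:Get*"` on `${var.s3_bucket_arn}/*` is wider than the read path needs (it also grants object ACL and tagging reads); listing `s3:GetObject` and `s3:GetObjectVersion` explicitly keeps the policy auditable and matches its `read-only` description.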
diff --git a/humanitec-resource-defs/iam-policy/s3-admin/variables.tf b/modules/iam-policy/s3-read-only/variables.tf similarity index 61% rename from humanitec-resource-defs/iam-policy/s3-admin/variables.tf rename to modules/iam-policy/s3-read-only/variables.tf index 1c68d38..e79fc84 100644 --- a/humanitec-resource-defs/iam-policy/s3-admin/variables.tf +++ b/modules/iam-policy/s3-read-only/variables.tf @@ -2,7 +2,7 @@ variable "prefix" { type = string } -variable "resource_packs_aws_rev" { +variable "region" { type = string } @@ -14,10 +14,18 @@ variable "secret_key" { type = string } -variable "region" { +variable "s3_bucket_arn" { + type = string +} + +variable "app_id" { + type = string +} + +variable "env_id" { type = string } -variable "s3_resource_definition_class" { +variable "res_id" { type = string } diff --git a/modules/iam-role/service-account/README.md b/modules/iam-role/service-account/README.md index be308ff..7b05ccf 100644 --- a/modules/iam-role/service-account/README.md +++ b/modules/iam-role/service-account/README.md @@ -18,6 +18,7 @@ |------|------| | [aws_iam_role.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs diff --git a/modules/iam-role/service-account/main.tf b/modules/iam-role/service-account/main.tf index 1c734a8..0facb36 100644 --- a/modules/iam-role/service-account/main.tf +++ b/modules/iam-role/service-account/main.tf 
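Review bot: `variable "secret_key"` (and presumably `access_key`, declared above this hunk) is a plain `type = string` with no `sensitive = true`, so the credential that providers.tf forwards to the AWS provider is echoed in plan/apply diffs and error output. Adding `sensitive = true` to both declarations keeps it out of CLI output; it does not remove it from state, which still needs its own protection. The variables file continues outside the hunk.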
@@ -2,32 +2,46 @@ locals {
 k8s_service_account_name = "${var.app_id}-${var.env_id}-${trimprefix(var.res_id, "modules.")}"
 }
-resource "aws_iam_role" "main" {
- name_prefix = var.prefix
- // below uses StringLike to allow wildcards for multiple service accounts within the same namespace for workloads
- assume_role_policy = jsonencode({
- "Version" : "2012-10-17",
- "Statement" : [
- {
- "Effect" : "Allow",
- "Principal" : {
- "Federated" : var.oidc_provider_arn,
- },
- "Action" : "sts:AssumeRoleWithWebIdentity",
- "Condition" : {
- "StringLike" : {
- "${var.oidc_provider}:sub" : "system:serviceaccount:${var.namespace}:${local.k8s_service_account_name}",
- "${var.oidc_provider}:aud" : "sts.amazonaws.com"
- }
- }
- }
- ]
+data "aws_iam_policy_document" "assume_role_policy" {
+ version = "2012-10-17"
+
+ statement {
+ actions = ["sts:AssumeRoleWithWebIdentity"]
+
+ principals {
+ type = "Federated"
+ identifiers = [var.oidc_provider_arn]
 }
- )
+
+ condition {
+ test = "StringEquals"
+ variable = "${var.oidc_provider}:sub"
+
+ values = [
+ "system:serviceaccount:${var.namespace}:${local.k8s_service_account_name}",
+ ]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "${var.oidc_provider}:aud"
+
+ values = [
+ "sts.amazonaws.com",
+ ]
+ }
+ }
+}
+
+resource "aws_iam_role" "main" {
+ count = length(var.policy_arns) > 0 ? 1 : 0
+
+ name_prefix = var.prefix
+ assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
 }
 resource "aws_iam_role_policy_attachment" "policies" {
 for_each = var.policy_arns
- role = aws_iam_role.main.name
+ role = aws_iam_role.main[0].name
 policy_arn = each.value
 }
diff --git a/modules/iam-role/service-account/outputs.tf b/modules/iam-role/service-account/outputs.tf
index 7e0810c..9515f56 100644
--- a/modules/iam-role/service-account/outputs.tf
+++ b/modules/iam-role/service-account/outputs.tf
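Review bot: The move from `StringLike` to `StringEquals` on the `:sub` and `:aud` conditions narrows the trust policy to exactly one namespace/service-account, but the only comment explaining the condition was dropped with the old block; add `# StringEquals: only this exact service account may assume the role (no wildcard matching)` above the first `condition`. Also, `count = length(var.policy_arns) > 0 ? 1 : 0` means a role with no policies is never created, and the attachment's `aws_iam_role.main[0].name` is safe only because `for_each = var.policy_arns` yields no instances in that same case; a one-line comment on the `count` line naming that coupling would spare the next reader from tracing it. The `locals` block at the top of the hunk starts outside it.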
@@ -1,5 +1,5 @@
 output "role_arn" {
- value = aws_iam_role.main.arn
+ value = length(var.policy_arns) > 0 ? aws_iam_role.main[0].arn : ""
 }
 output "k8s_service_account_name" {
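Review bot: `role_arn` deliberately yields `""` rather than `null` when the role is skipped, and the k8s service-account template in humanitec-resource-defs/k8s/service-account/main.tf gates the `eks.amazonaws.com/role-arn` annotation on that value being empty, so the sentinel is load-bearing and should be documented: `# "" (not null) when no policies are attached; the k8s service-account template tests this for emptiness`. `one(aws_iam_role.main[*].arn)` would be shorter but returns null, which may not substitute into the template the same way, so the explicit ternary is the safer form.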