Commit f0aaed4

chore!: Rename the attach_admin_policy variable (#72)
Renames the attach_admin_policy variable to dangerously_attach_admin_policy to make it more obvious that this should be used cautiously.
1 parent c997cb9 commit f0aaed4

3 files changed

+25
-25
lines changed


README.md

Lines changed: 18 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -83,24 +83,24 @@ applied, the JWT will contain an updated `iss` claim.
8383

8484
## Inputs
8585

86-
| Name | Description | Type | Default | Required |
87-
| ----------------------------- | --------------------------------------------------------------------------- | -------------- | ---------- | :------: |
88-
| additional_audiences | List of additional OIDC audiences allowed to assume the role. | `list(string)` | `null` | no |
89-
| additional_thumbprints | List of additional thumbprints for the OIDC provider. | `list(string)` | `[]` | no |
90-
| attach_admin_policy | Flag to enable/disable the attachment of the AdministratorAccess policy. | `bool` | `false` | no |
91-
| attach_read_only_policy | Flag to enable/disable the attachment of the ReadOnly policy. | `bool` | `false` | no |
92-
| create_oidc_provider | Flag to enable/disable the creation of the GitHub OIDC provider. | `bool` | `true` | no |
93-
| enabled | Flag to enable/disable the creation of resources. | `bool` | `true` | no |
94-
| enterprise_slug | Enterprise slug for GitHub Enterprise Cloud customers. | `string` | `""` | no |
95-
| force_detach_policies | Flag to force detachment of policies attached to the IAM role. | `bool` | `false` | no |
96-
| github_repositories | List of GitHub organization/repository names authorized to assume the role. | `list(string)` | n/a | yes |
97-
| iam_role_inline_policies | Inline policies map with policy name as key and json as value. | `map(string)` | `{}` | no |
98-
| iam_role_name | Name of the IAM role to be created. This will be assumable by GitHub. | `string` | `"github"` | no |
99-
| iam_role_path | Path under which to create IAM role. | `string` | `"/"` | no |
100-
| iam_role_permissions_boundary | ARN of the permissions boundary to be used by the IAM role. | `string` | `""` | no |
101-
| iam_role_policy_arns | List of IAM policy ARNs to attach to the IAM role. | `list(string)` | `[]` | no |
102-
| max_session_duration | Maximum session duration in seconds. | `number` | `3600` | no |
103-
| tags | Map of tags to be applied to all resources. | `map(string)` | `{}` | no |
86+
| Name | Description | Type | Default | Required |
87+
| ------------------------------- | --------------------------------------------------------------------------- | -------------- | ---------- | :------: |
88+
| additional_audiences | List of additional OIDC audiences allowed to assume the role. | `list(string)` | `null` | no |
89+
| additional_thumbprints | List of additional thumbprints for the OIDC provider. | `list(string)` | `[]` | no |
90+
| attach_read_only_policy | Flag to enable/disable the attachment of the ReadOnly policy. | `bool` | `false` | no |
91+
| create_oidc_provider | Flag to enable/disable the creation of the GitHub OIDC provider. | `bool` | `true` | no |
92+
| dangerously_attach_admin_policy | Flag to enable/disable the attachment of the AdministratorAccess policy. | `bool` | `false` | no |
93+
| enabled | Flag to enable/disable the creation of resources. | `bool` | `true` | no |
94+
| enterprise_slug | Enterprise slug for GitHub Enterprise Cloud customers. | `string` | `""` | no |
95+
| force_detach_policies | Flag to force detachment of policies attached to the IAM role. | `bool` | `false` | no |
96+
| github_repositories | List of GitHub organization/repository names authorized to assume the role. | `list(string)` | n/a | yes |
97+
| iam_role_inline_policies | Inline policies map with policy name as key and json as value. | `map(string)` | `{}` | no |
98+
| iam_role_name | Name of the IAM role to be created. This will be assumable by GitHub. | `string` | `"github"` | no |
99+
| iam_role_path | Path under which to create IAM role. | `string` | `"/"` | no |
100+
| iam_role_permissions_boundary | ARN of the permissions boundary to be used by the IAM role. | `string` | `""` | no |
101+
| iam_role_policy_arns | List of IAM policy ARNs to attach to the IAM role. | `list(string)` | `[]` | no |
102+
| max_session_duration | Maximum session duration in seconds. | `number` | `3600` | no |
103+
| tags | Map of tags to be applied to all resources. | `map(string)` | `{}` | no |
104104

105105
## Outputs
106106
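Review bot: The README gains no migration note even though the commit is marked `chore!` (breaking); the only visible effect in this hunk is that the `attach_admin_policy` row disappears and a `dangerously_attach_admin_policy` row appears further down the alphabetically sorted Inputs table. A reader upgrading the module has to diff the table to discover the rename. Suggest a one-line note near the top of this section, for example: "`attach_admin_policy` was renamed to `dangerously_attach_admin_policy`; callers must update the argument name," and, since the row's description is copied verbatim from the old one, make the table say what the flag actually grants: every workflow in every repository listed in `github_repositories` can assume a role carrying `AdministratorAccess`, so scoped `iam_role_policy_arns`, `iam_role_inline_policies` or an `iam_role_permissions_boundary` should be the default choice.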

main.tf

Lines changed: 1 addition & 1 deletion
@@ -44,7 +44,7 @@ resource "aws_iam_role_policy" "inline_policies" {
4444
}
4545

4646
resource "aws_iam_role_policy_attachment" "admin" {
47-
count = var.enabled && var.attach_admin_policy ? 1 : 0
47+
count = var.enabled && var.dangerously_attach_admin_policy ? 1 : 0
4848

4949
policy_arn = "arn:${local.partition}:iam::aws:policy/AdministratorAccess"
5050
role = aws_iam_role.github[0].id
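Review bot: The gate `count = var.enabled && var.dangerously_attach_admin_policy ? 1 : 0` is logically unchanged and still correct, and the `[0]` index on `aws_iam_role.github` matches a role that is itself created with `count`. One suggestion for this resource: now that the warning lives only in the variable name, add a short comment above `resource "aws_iam_role_policy_attachment" "admin"` noting that the AWS-managed `AdministratorAccess` policy attached here is limited only by the permissions boundary when `iam_role_permissions_boundary` is set (effective permissions are the intersection of the identity policy and the boundary), so the next reader of `main.tf` sees the blast radius without tracing the variable back to `variables.tf`.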

variables.tf

Lines changed: 6 additions & 6 deletions
@@ -29,12 +29,6 @@ variable "additional_thumbprints" {
2929
}
3030
}
3131

32-
variable "attach_admin_policy" {
33-
default = false
34-
description = "Flag to enable/disable the attachment of the AdministratorAccess policy."
35-
type = bool
36-
}
37-
3832
variable "attach_read_only_policy" {
3933
default = false
4034
description = "Flag to enable/disable the attachment of the ReadOnly policy."
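Review bot: Removing `variable "attach_admin_policy"` outright, with no compatibility shim, is the right call for a flag with this blast radius: Terraform has no variable aliasing, so a caller that still passes `attach_admin_policy = true` fails at plan time with an unsupported-argument error instead of silently applying a role whose permissions differ from what the caller intended. That failure mode is the point of the hard break, so spell it out in the release notes next to the `chore!` marker so operators recognise the plan error as expected rather than as a regression.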
@@ -47,6 +41,12 @@ variable "create_oidc_provider" {
4741
type = bool
4842
}
4943

44+
variable "dangerously_attach_admin_policy" {
45+
default = false
46+
description = "Flag to enable/disable the attachment of the AdministratorAccess policy."
47+
type = bool
48+
}
49+
5050
variable "enabled" {
5151
default = true
5252
description = "Flag to enable/disable the creation of resources."
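Review bot: The new `variable "dangerously_attach_admin_policy"` block keeps the old description word for word (`Flag to enable/disable the attachment of the AdministratorAccess policy.`), so the "dangerously" intent is carried by the identifier alone, and the README Inputs table, which mirrors this description verbatim, says nothing about risk. Suggest expanding the description here so the warning reaches every consumer, for example: `Attach the AWS-managed AdministratorAccess policy to the role. This grants full account access to every workflow in github_repositories; use only for break-glass scenarios and combine with iam_role_permissions_boundary.` Keeping `default = false` is correct and should stay.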
