Groundwork new workflows (#232)

Author: max-lobur

README.md

@@ -409,7 +409,6 @@ Available targets:
 | <a name="input_spot_max_price"></a> [spot\_max\_price](#input\_spot\_max\_price) | The maximum price per unit hour, in US$, that you're willing to pay for a Spot Instance. This option is relevant only when enable\_spot\_instances is true. Valid values are between 0.001 and 20.0 | `number` | `-1` | no |
 | <a name="input_ssh_listener_enabled"></a> [ssh\_listener\_enabled](#input\_ssh\_listener\_enabled) | Enable SSH port | `bool` | `false` | no |
 | <a name="input_ssh_listener_port"></a> [ssh\_listener\_port](#input\_ssh\_listener\_port) | SSH port | `number` | `22` | no |
-| <a name="input_ssh_source_restriction"></a> [ssh\_source\_restriction](#input\_ssh\_source\_restriction) | Used to lock down SSH access to the EC2 instances | `string` | `"0.0.0.0/0"` | no |
 | <a name="input_stage"></a> [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).<br>Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
 | <a name="input_tenant"></a> [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |

docs/terraform.md

@@ -164,7 +164,6 @@
 | <a name="input_spot_max_price"></a> [spot\_max\_price](#input\_spot\_max\_price) | The maximum price per unit hour, in US$, that you're willing to pay for a Spot Instance. This option is relevant only when enable\_spot\_instances is true. Valid values are between 0.001 and 20.0 | `number` | `-1` | no |
 | <a name="input_ssh_listener_enabled"></a> [ssh\_listener\_enabled](#input\_ssh\_listener\_enabled) | Enable SSH port | `bool` | `false` | no |
 | <a name="input_ssh_listener_port"></a> [ssh\_listener\_port](#input\_ssh\_listener\_port) | SSH port | `number` | `22` | no |
-| <a name="input_ssh_source_restriction"></a> [ssh\_source\_restriction](#input\_ssh\_source\_restriction) | Used to lock down SSH access to the EC2 instances | `string` | `"0.0.0.0/0"` | no |
 | <a name="input_stage"></a> [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).<br>Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
 | <a name="input_tenant"></a> [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |

examples/shared-alb/variables.tf

@@ -29,12 +29,6 @@ variable "loadbalancer_is_shared" {
   description = "Flag to create a shared application loadbalancer. Only when loadbalancer_type = \"application\" https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environments-cfg-alb-shared.html"
 }
 
-variable "shared_loadbalancer_arn" {
-  type        = string
-  default     = ""
-  description = "ARN of the shared application load balancer. Only when loadbalancer_type = \"application\"."
-}
-
 variable "dns_zone_id" {
   type        = string
   description = "Route53 parent zone ID. The module will create sub-domain DNS record in the parent zone for the EB environment"

main.tf

@@ -1,6 +1,6 @@
 locals {
   enabled   = module.this.enabled
-  partition = join("", data.aws_partition.current.*.partition)
+  partition = join("", data.aws_partition.current[*].partition)
 }
 
 data "aws_partition" "current" {
@@ -31,21 +31,21 @@ resource "aws_iam_role" "service" {
   count = local.enabled ? 1 : 0
 
   name               = "${module.this.id}-eb-service"
-  assume_role_policy = join("", data.aws_iam_policy_document.service.*.json)
+  assume_role_policy = join("", data.aws_iam_policy_document.service[*].json)
   tags               = module.this.tags
 }
 
 resource "aws_iam_role_policy_attachment" "enhanced_health" {
   count = local.enabled && var.enhanced_reporting_enabled ? 1 : 0
 
-  role       = join("", aws_iam_role.service.*.name)
+  role       = join("", aws_iam_role.service[*].name)
   policy_arn = "arn:${local.partition}:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth"
 }
 
 resource "aws_iam_role_policy_attachment" "service" {
   count = local.enabled ? 1 : 0
 
-  role       = join("", aws_iam_role.service.*.name)
+  role       = join("", aws_iam_role.service[*].name)
   policy_arn = var.prefer_legacy_service_policy ? "arn:${local.partition}:iam::aws:policy/service-role/AWSElasticBeanstalkService" : "arn:${local.partition}:iam::aws:policy/AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy"
 }
 
@@ -89,44 +89,44 @@ data "aws_iam_policy_document" "ec2" {
 resource "aws_iam_role_policy_attachment" "elastic_beanstalk_multi_container_docker" {
   count = local.enabled ? 1 : 0
 
-  role       = join("", aws_iam_role.ec2.*.name)
+  role       = join("", aws_iam_role.ec2[*].name)
   policy_arn = "arn:${local.partition}:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker"
 }
 
 resource "aws_iam_role" "ec2" {
   count = local.enabled ? 1 : 0
 
   name               = "${module.this.id}-eb-ec2"
-  assume_role_policy = join("", data.aws_iam_policy_document.ec2.*.json)
+  assume_role_policy = join("", data.aws_iam_policy_document.ec2[*].json)
   tags               = module.this.tags
 }
 
 resource "aws_iam_role_policy" "default" {
   count = local.enabled ? 1 : 0
 
   name   = "${module.this.id}-eb-default"
-  role   = join("", aws_iam_role.ec2.*.id)
-  policy = join("", data.aws_iam_policy_document.extended.*.json)
+  role   = join("", aws_iam_role.ec2[*].id)
+  policy = join("", data.aws_iam_policy_document.extended[*].json)
 }
 
 resource "aws_iam_role_policy_attachment" "web_tier" {
   count = local.enabled ? 1 : 0
 
-  role       = join("", aws_iam_role.ec2.*.name)
+  role       = join("", aws_iam_role.ec2[*].name)
   policy_arn = "arn:${local.partition}:iam::aws:policy/AWSElasticBeanstalkWebTier"
 }
 
 resource "aws_iam_role_policy_attachment" "worker_tier" {
   count = local.enabled ? 1 : 0
 
-  role       = join("", aws_iam_role.ec2.*.name)
+  role       = join("", aws_iam_role.ec2[*].name)
   policy_arn = "arn:${local.partition}:iam::aws:policy/AWSElasticBeanstalkWorkerTier"
 }
 
 resource "aws_iam_role_policy_attachment" "ssm_ec2" {
   count = local.enabled ? 1 : 0
 
-  role       = join("", aws_iam_role.ec2.*.name)
+  role       = join("", aws_iam_role.ec2[*].name)
   policy_arn = var.prefer_legacy_ssm_policy ? "arn:${local.partition}:iam::aws:policy/service-role/AmazonEC2RoleforSSM" : "arn:${local.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
 
   lifecycle {
@@ -137,7 +137,7 @@ resource "aws_iam_role_policy_attachment" "ssm_ec2" {
 resource "aws_iam_role_policy_attachment" "ssm_automation" {
   count = local.enabled ? 1 : 0
 
-  role       = join("", aws_iam_role.ec2.*.name)
+  role       = join("", aws_iam_role.ec2[*].name)
   policy_arn = "arn:${local.partition}:iam::aws:policy/service-role/AmazonSSMAutomationRole"
 
   lifecycle {
@@ -150,15 +150,15 @@ resource "aws_iam_role_policy_attachment" "ssm_automation" {
 resource "aws_iam_role_policy_attachment" "ecr_readonly" {
   count = local.enabled ? 1 : 0
 
-  role       = join("", aws_iam_role.ec2.*.name)
+  role       = join("", aws_iam_role.ec2[*].name)
   policy_arn = "arn:${local.partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
 }
 
 resource "aws_ssm_activation" "ec2" {
   count = local.enabled ? 1 : 0
 
   name               = module.this.id
-  iam_role           = join("", aws_iam_role.ec2.*.id)
+  iam_role           = join("", aws_iam_role.ec2[*].id)
   registration_limit = var.autoscale_max
   tags               = module.this.tags
   depends_on         = [aws_elastic_beanstalk_environment.default]
@@ -289,8 +289,8 @@ data "aws_iam_policy_document" "default" {
     ]
 
     resources = [
-      join("", aws_iam_role.ec2.*.arn),
-      join("", aws_iam_role.service.*.arn)
+      join("", aws_iam_role.ec2[*].arn),
+      join("", aws_iam_role.service[*].arn)
     ]
 
     effect = "Allow"
@@ -346,15 +346,15 @@ data "aws_iam_policy_document" "default" {
 data "aws_iam_policy_document" "extended" {
   count = local.enabled ? 1 : 0
 
-  source_json               = join("", data.aws_iam_policy_document.default.*.json)
+  source_json               = join("", data.aws_iam_policy_document.default[*].json)
   override_policy_documents = [var.extended_ec2_policy_document]
 }
 
 resource "aws_iam_instance_profile" "ec2" {
   count = local.enabled ? 1 : 0
 
   name = "${module.this.id}-eb-ec2"
-  role = join("", aws_iam_role.ec2.*.name)
+  role = join("", aws_iam_role.ec2[*].name)
   tags = module.this.tags
 }
 
@@ -469,7 +469,7 @@ locals {
     {
       namespace = "aws:elbv2:loadbalancer"
       name      = "AccessLogsS3Bucket"
-      value     = !var.loadbalancer_is_shared ? join("", sort(aws_s3_bucket.elb_logs.*.id)) : ""
+      value     = !var.loadbalancer_is_shared ? join("", sort(aws_s3_bucket.elb_logs[*].id)) : ""
     },
     {
       namespace = "aws:elbv2:loadbalancer"
@@ -650,7 +650,7 @@ resource "aws_elastic_beanstalk_environment" "default" {
   setting {
     namespace = "aws:autoscaling:launchconfiguration"
     name      = "IamInstanceProfile"
-    value     = join("", aws_iam_instance_profile.ec2.*.name)
+    value     = join("", aws_iam_instance_profile.ec2[*].name)
     resource  = ""
   }
 
@@ -671,7 +671,7 @@ resource "aws_elastic_beanstalk_environment" "default" {
   setting {
     namespace = "aws:elasticbeanstalk:environment"
     name      = "ServiceRole"
-    value     = join("", aws_iam_role.service.*.name)
+    value     = join("", aws_iam_role.service[*].name)
     resource  = ""
   }
 
@@ -1111,7 +1111,7 @@ data "aws_iam_policy_document" "elb_logs" {
 
     principals {
       type        = "AWS"
-      identifiers = [join("", data.aws_elb_service_account.main.*.arn)]
+      identifiers = [join("", data.aws_elb_service_account.main[*].arn)]
     }
 
     effect = "Allow"
@@ -1130,7 +1130,7 @@ resource "aws_s3_bucket" "elb_logs" {
   bucket        = "${module.this.id}-eb-loadbalancer-logs"
   acl           = "private"
   force_destroy = var.force_destroy
-  policy        = join("", data.aws_iam_policy_document.elb_logs.*.json)
+  policy        = join("", data.aws_iam_policy_document.elb_logs[*].json)
   tags          = module.this.tags
 
   dynamic "server_side_encryption_configuration" {
@@ -1166,20 +1166,20 @@ module "dns_hostname" {
 
   dns_name = var.dns_subdomain != "" ? var.dns_subdomain : module.this.name
   zone_id  = var.dns_zone_id
-  records  = [join("", aws_elastic_beanstalk_environment.default.*.cname)]
+  records  = [join("", aws_elastic_beanstalk_environment.default[*].cname)]
 
   context = module.this.context
 }
 
 data "aws_lb_listener" "http" {
   count             = local.enabled && var.loadbalancer_redirect_http_to_https ? 1 : 0
-  load_balancer_arn = var.loadbalancer_is_shared ? var.shared_loadbalancer_arn : one(aws_elastic_beanstalk_environment.default.0.load_balancers)
+  load_balancer_arn = var.loadbalancer_is_shared ? var.shared_loadbalancer_arn : one(aws_elastic_beanstalk_environment.default[0].load_balancers)
   port              = var.application_port
 }
 
 resource "aws_lb_listener_rule" "redirect_http_to_https" {
   count        = local.enabled && var.loadbalancer_redirect_http_to_https ? 1 : 0
-  listener_arn = one(data.aws_lb_listener.http.*.arn)
+  listener_arn = one(data.aws_lb_listener.http[*].arn)
   priority     = var.loadbalancer_redirect_http_to_https_priority
 
   condition {

outputs.tf

@@ -4,12 +4,12 @@ output "hostname" {
 }
 
 output "id" {
-  value       = join("", aws_elastic_beanstalk_environment.default.*.id)
+  value       = join("", aws_elastic_beanstalk_environment.default[*].id)
   description = "ID of the Elastic Beanstalk environment"
 }
 
 output "name" {
-  value       = join("", aws_elastic_beanstalk_environment.default.*.name)
+  value       = join("", aws_elastic_beanstalk_environment.default[*].name)
   description = "Name of the Elastic Beanstalk environment"
 }
 
@@ -34,61 +34,61 @@ output "elb_zone_id" {
 }
 
 output "ec2_instance_profile_role_name" {
-  value       = join("", aws_iam_role.ec2.*.name)
+  value       = join("", aws_iam_role.ec2[*].name)
   description = "Instance IAM role name"
 }
 
 output "tier" {
-  value       = join("", aws_elastic_beanstalk_environment.default.*.tier)
+  value       = join("", aws_elastic_beanstalk_environment.default[*].tier)
   description = "The environment tier"
 }
 
 output "application" {
-  value       = join("", aws_elastic_beanstalk_environment.default.*.application)
+  value       = join("", aws_elastic_beanstalk_environment.default[*].application)
   description = "The Elastic Beanstalk Application for this environment"
 }
 
 output "setting" {
-  value       = try(aws_elastic_beanstalk_environment.default.0.setting, [])
+  value       = try(aws_elastic_beanstalk_environment.default[0].setting, [])
   description = "Settings specifically set for this environment"
 }
 
 output "all_settings" {
-  value       = try(aws_elastic_beanstalk_environment.default.0.all_settings, [])
+  value       = try(aws_elastic_beanstalk_environment.default[0].all_settings, [])
   description = "List of all option settings configured in the environment. These are a combination of default settings and their overrides from setting in the configuration"
 }
 
 output "endpoint" {
-  value       = join("", aws_elastic_beanstalk_environment.default.*.cname)
+  value       = join("", aws_elastic_beanstalk_environment.default[*].cname)
   description = "Fully qualified DNS name for the environment"
 }
 
 output "autoscaling_groups" {
-  value       = try(aws_elastic_beanstalk_environment.default.0.autoscaling_groups, [])
+  value       = try(aws_elastic_beanstalk_environment.default[0].autoscaling_groups, [])
   description = "The autoscaling groups used by this environment"
 }
 
 output "instances" {
-  value       = try(aws_elastic_beanstalk_environment.default.*.instances, [])
+  value       = try(aws_elastic_beanstalk_environment.default[*].instances, [])
   description = "Instances used by this environment"
 }
 
 output "launch_configurations" {
-  value       = try(aws_elastic_beanstalk_environment.default.*.launch_configurations, [])
+  value       = try(aws_elastic_beanstalk_environment.default[*].launch_configurations, [])
   description = "Launch configurations in use by this environment"
 }
 
 output "load_balancers" {
-  value       = try(aws_elastic_beanstalk_environment.default.0.load_balancers, [])
+  value       = try(aws_elastic_beanstalk_environment.default[0].load_balancers, [])
   description = "Elastic Load Balancers in use by this environment"
 }
 
 output "queues" {
-  value       = try(aws_elastic_beanstalk_environment.default.*.queues, [])
+  value       = try(aws_elastic_beanstalk_environment.default[*].queues, [])
   description = "SQS queues in use by this environment"
 }
 
 output "triggers" {
-  value       = try(aws_elastic_beanstalk_environment.default.*.triggers, [])
+  value       = try(aws_elastic_beanstalk_environment.default[*].triggers, [])
   description = "Autoscaling triggers in use by this environment"
 }

variables.tf

@@ -371,12 +371,6 @@ variable "elb_scheme" {
   description = "Specify `internal` if you want to create an internal load balancer in your Amazon VPC so that your Elastic Beanstalk application cannot be accessed from outside your Amazon VPC"
 }
 
-variable "ssh_source_restriction" {
-  type        = string
-  default     = "0.0.0.0/0"
-  description = "Used to lock down SSH access to the EC2 instances"
-}
-
 variable "ssh_listener_enabled" {
   type        = bool
   default     = false