From 23689dcf281a48118ac2ac2acbd882090748b096 Mon Sep 17 00:00:00 2001
From: Mohammad Alhussan
Date: Wed, 2 Jul 2025 11:51:03 +0200
Subject: [PATCH] chore: add meshstack_access_role_name parameter

This was only possible when using submodules directly, we now also provide it to top-level module consumers
---
 README.md | 1 +
 main.tf | 1 +
 variables.tf | 6 ++++++
 3 files changed, 8 insertions(+)

diff --git a/README.md b/README.md
index 0d6f20d..cda8e85 100644
--- a/README.md
+++ b/README.md
@@ -207,6 +207,7 @@ Before opening a Pull Request, please do the following:
 | [landing\_zone\_ou\_arns](#input\_landing\_zone\_ou\_arns) | Organizational Unit ARNs that are used in Landing Zones. We recommend to explicitly list the OU ARNs that meshStack should manage. | `list(string)` |
[
"arn:aws:organizations::*:ou/o-*/ou-*"
]
| no |
 | [management\_account\_service\_role\_name](#input\_management\_account\_service\_role\_name) | Name of the custom role in the management account. See https://docs.meshcloud.io/docs/meshstack.how-to.integrate-meshplatform-aws-manually.html#set-up-aws-account-2-management | `string` | `"MeshfedServiceRole"` | no |
 | [meshcloud\_account\_service\_user\_name](#input\_meshcloud\_account\_service\_user\_name) | Name of the meshfed-service user. This user is responsible for replication. | `string` | `"meshfed-service-user"` | no |
+| [meshstack\_access\_role\_name](#input\_meshstack\_access\_role\_name) | Name of the account access role used by meshfed-service. This should be the same as 'Account Access Role' in AWS Platform Config in meshStack | `string` | `"MeshstackAccountAccessRole"` | no |
 | [replicator\_privileged\_external\_id](#input\_replicator\_privileged\_external\_id) | Set this variable to a random UUID version 4. The external id is a secondary key to make an AssumeRole API call. | `string` | n/a | yes |
 | [support\_root\_account\_via\_aws\_sso](#input\_support\_root\_account\_via\_aws\_sso) | Set to true to allow meshStack to manage the Organization's AWS Root account's access via AWS SSO. | `bool` | `false` | no |
 | [workload\_identity\_federation](#input\_workload\_identity\_federation) | Set these options to add a trusted identity provider from meshStack to allow workload identity federation for authentication which can be used instead of access keys. |
object({
issuer = string,
audience = string,
thumbprint = string,
replicator_subject = string,
kraken_subject = string
})
| `null` | no |
diff --git a/main.tf b/main.tf
index ead89bc..28708e6 100644
--- a/main.tf
+++ b/main.tf
@@ -76,6 +76,7 @@ module "management_account_replicator_access" {
 control_tower_portfolio_id = var.control_tower_portfolio_id
 meshcloud_account_service_user_name = var.meshcloud_account_service_user_name
 management_account_service_role_name = var.management_account_service_role_name
+ meshstack_access_role_name = var.meshstack_access_role_name
 landing_zone_ou_arns = var.landing_zone_ou_arns
 can_close_accounts_in_resource_org_paths = var.can_close_accounts_in_resource_org_paths
diff --git a/variables.tf b/variables.tf
index e9a8d01..18a801d 100644
--- a/variables.tf
+++ b/variables.tf
@@ -69,6 +69,12 @@ variable "automation_account_service_role_name" {
 description = "Name of the custom role in the automation account. See https://docs.meshcloud.io/docs/meshstack.how-to.integrate-meshplatform-aws-manually.html#set-up-aws-account-3-automation"
 }
 
+variable "meshstack_access_role_name" {
+ type = string
+ default = "MeshstackAccountAccessRole"
+ description = "Name of the account access role used by meshfed-service. This should be the same as 'Account Access Role' in AWS Platform Config in meshStack"
+}
+
 variable "cost_explorer_management_account_service_role_name" {
 type = string
 default = "MeshCostExplorerServiceRole"
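Review bot: The new `variable "meshstack_access_role_name"` block in variables.tf accepts any string, although the value is presumably interpolated into the IAM role ARN the replicator is allowed to assume in managed accounts (the submodule doing that is outside this diff), so a wildcard or malformed name would only surface at apply time or, worse, widen the assume-role resource without an error. A `validation` block restricting the value to the IAM role-name character set (1-64 characters from letters, digits and `+=,.@_-`) fails fast at plan time and rules out `*`. The README row added in the first hunk repeats the description verbatim, so if the description is adjusted the generated table needs regenerating as well.
```hcl
variable "meshstack_access_role_name" {
  # … unchanged: type, default, description …

  validation {
    # IAM role names are 1-64 characters from letters, digits and +=,.@_- ; this also rejects wildcards.
    condition     = can(regex("^[A-Za-z0-9+=,.@_-]{1,64}$", var.meshstack_access_role_name))
    error_message = "meshstack_access_role_name must be a valid IAM role name (1-64 characters: letters, digits, +=,.@_-)."
  }
}
```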