removed cross account requirements

Makefile

@@ -2,34 +2,73 @@
 -include .env
 export
 
+deploy:
+	./scripts/deploy.sh
+
+uninstall:
+	./scripts/uninstall_all_deployments.sh
+
 fmt:
-	terraform fmt --recursive
+	aws-vault exec $$AWS_VAULT_PROFILE -- terraform fmt --recursive
 
 init:
-	terraform init -upgrade -reconfigure \
-	--backend-config="key=terraform.production.state"
+	aws-vault exec $$AWS_VAULT_PROFILE -- terraform init -reconfigure \
+	--backend-config="key=terraform.$$ENV.state"
+
+init-upgrade:
+	aws-vault exec $$AWS_VAULT_PROFILE -- terraform init -upgrade \
+	--backend-config="key=terraform.$$ENV.state"
+
+# How to use
+# IMPORT_ARGUMENT=module.foo.bar some_resource make import
+import:
+	aws-vault exec $$AWS_VAULT_PROFILE -- terraform import $$IMPORT_ARGUMENT
+
+workspace-list:
+	aws-vault exec $$AWS_VAULT_PROFILE -- terraform workspace list
+
+workspace-select:
+	aws-vault exec $$AWS_VAULT_PROFILE -- terraform workspace select $$ENV || \
+	aws-vault exec $$AWS_VAULT_PROFILE -- terraform workspace new $$ENV
 
 validate:
-	terraform validate
+	aws-vault exec $$AWS_VAULT_PROFILE -- terraform validate
+
+plan-out:
+	aws-vault exec $$AWS_VAULT_PROFILE -- terraform plan -no-color > $$ENV.tfplan
 
 plan:
-	terraform plan
+	aws-vault exec $$AWS_VAULT_PROFILE -- terraform plan
+
+refresh:
+	aws-vault exec $$AWS_VAULT_PROFILE -- terraform refresh
+
+output:
+	aws-vault exec $$AWS_VAULT_PROFILE -- terraform output -json
 
 apply:
-	terraform apply
+	aws-vault exec $$AWS_VAULT_PROFILE -- terraform apply
+	./scripts/publish_terraform_outputs.sh
 
-deploy:
-	./scripts/deploy.sh
+state-list:
+	aws-vault exec $$AWS_VAULT_PROFILE -- terraform state list
 
-uninstall:
-	./scripts/uninstall_all_deployments.sh
+show:
+	aws-vault exec $$AWS_VAULT_PROFILE -- terraform show -no-color
 
 destroy:
-	terraform destroy
+	aws-vault exec $$AWS_VAULT_PROFILE -- terraform destroy
+
+clean:
+	rm -rf .terraform/ terraform.tfstate*
+
+tfenv:
+	tfenv use $(cat versions.tf 2> /dev/null | grep required_version | cut -d "\"" -f 2 | cut -d " " -f 2) && tfenv pin
 
 generate_diagrams:
 	docker run -it --rm -v "${PWD}":/app/ -w /app/documentation/diagrams/ mjdk/diagrams scripts/architecture_diagram.py
 	docker run -it --rm -v "${PWD}":/app/ -w /app/documentation/diagrams/ mjdk/diagrams scripts/detailed_eks_diagram.py
 
-.PHONY: init validate plan apply deploy uninstall destroy
-
+.PHONY:
+	fmt init workspace-list workspace-select validate plan-out plan \
+	refresh output apply state-list show destroy clean tfenv

main.tf

@@ -15,24 +15,6 @@ provider "aws" {
   }
 }
 
-provider "aws" {
-  region = var.aws_region
-  alias  = "development"
-
-  assume_role {
-    role_arn = var.assume_role_development
-  }
-}
-
-provider "aws" {
-  region = var.aws_region
-  alias  = "pre_production"
-
-  assume_role {
-    role_arn = var.assume_role_pre_production
-  }
-}
-
 data "aws_availability_zones" "available_zones" {
   count = var.enabled ? 1 : 0
   state = "available"
@@ -90,8 +72,8 @@ module "eks" {
   tags = module.eks_label.tags
 
   providers = {
-    aws                = aws.main
-    aws.development    = aws.development
-    aws.pre_production = aws.pre_production
+    aws = aws.main
+    #    aws.development    = aws.development
+    #    aws.pre_production = aws.pre_production
   }
 }

modules/eks/iam.tf

@@ -433,140 +433,140 @@ data "aws_iam_policy_document" "cloudwatch_exporter_assume_role_policy_other_aws
 
 # IAM role for Cloudwatch Exporter in development aws account
 
-resource "aws_iam_role" "cloudwatch_exporter_development" {
-  count              = terraform.workspace == "development" ? 0 : 1
-  assume_role_policy = data.aws_iam_policy_document.cloudwatch_exporter_assume_role_policy_other_aws_accounts.json
-  name               = "${var.prefix}-CloudwatchExporter"
-
-  tags = var.tags
-
-  provider = aws.development
-}
-
-resource "aws_iam_policy" "cloudwatch_exporter_iam_policy_development" {
-  count       = terraform.workspace == "development" ? 0 : 1
-  name        = "${var.prefix}-CloudwatchExporterIAMPolicy"
-  path        = "/"
-  description = "IAM role policy for Cloudwatch Exporter in EKS Cluster for ${var.prefix}"
-
-  policy = data.template_file.cloudwatch_exporter_iam_policy.rendered
-
-  tags = var.tags
-
-  provider = aws.development
-}
-
-resource "aws_iam_role_policy_attachment" "cloudwatch_exporter_IAMPolicy_development" {
-  count      = terraform.workspace == "development" ? 0 : 1
-  policy_arn = aws_iam_policy.cloudwatch_exporter_iam_policy_development[0].arn
-  role       = aws_iam_role.cloudwatch_exporter_development[0].name
-
-  provider = aws.development
-}
-
-resource "aws_iam_policy" "development_cloudwatch_exporter_role_allow_assume_policy" {
-  count       = terraform.workspace == "development" ? 0 : 1
-  name        = "development_cloudwatch_exporter_role_allow_assume_policy"
-  path        = "/"
-  description = "Policy that allows cloudwatch exporter in EKS Cluster for ${var.prefix} to assume role in development AWS account"
-
-  policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-      {
-          "Sid": "Statement",
-          "Effect": "Allow",
-          "Action": "sts:AssumeRole",
-          "Resource": [
-            "${aws_iam_role.cloudwatch_exporter_development[0].arn}"
-          ]
-      }
-  ]
-}
-POLICY
-
-  depends_on = [
-    aws_iam_role.cloudwatch_exporter_development
-  ]
-}
-
-resource "aws_iam_role_policy_attachment" "development_cloudwatch_exporter_allow_assume_IAMPolicy" {
-  count      = terraform.workspace == "development" ? 0 : 1
-  policy_arn = aws_iam_policy.development_cloudwatch_exporter_role_allow_assume_policy[0].arn
-  role       = aws_iam_role.cloudwatch_exporter.name
-
-  depends_on = [
-    aws_iam_policy.development_cloudwatch_exporter_role_allow_assume_policy
-  ]
-}
+#resource "aws_iam_role" "cloudwatch_exporter_development" {
+#  count              = terraform.workspace == "development" ? 0 : 1
+#  assume_role_policy = data.aws_iam_policy_document.cloudwatch_exporter_assume_role_policy_other_aws_accounts.json
+#  name               = "${var.prefix}-CloudwatchExporter"
+#
+#  tags = var.tags
+#
+#  provider = aws.development
+#}
+
+#resource "aws_iam_policy" "cloudwatch_exporter_iam_policy_development" {
+#  count       = terraform.workspace == "development" ? 0 : 1
+#  name        = "${var.prefix}-CloudwatchExporterIAMPolicy"
+#  path        = "/"
+#  description = "IAM role policy for Cloudwatch Exporter in EKS Cluster for ${var.prefix}"
+#
+#  policy = data.template_file.cloudwatch_exporter_iam_policy.rendered
+#
+#  tags = var.tags
+#
+#  provider = aws.development
+#}
+
+#resource "aws_iam_role_policy_attachment" "cloudwatch_exporter_IAMPolicy_development" {
+#  count      = terraform.workspace == "development" ? 0 : 1
+#  policy_arn = aws_iam_policy.cloudwatch_exporter_iam_policy_development[0].arn
+#  role       = aws_iam_role.cloudwatch_exporter_development[0].name
+#
+#  provider = aws.development
+#}
+
+#resource "aws_iam_policy" "development_cloudwatch_exporter_role_allow_assume_policy" {
+#  count       = terraform.workspace == "development" ? 0 : 1
+#  name        = "development_cloudwatch_exporter_role_allow_assume_policy"
+#  path        = "/"
+#  description = "Policy that allows cloudwatch exporter in EKS Cluster for ${var.prefix} to assume role in development AWS account"
+#
+#  policy = <<POLICY
+#{
+#  "Version": "2012-10-17",
+#  "Statement": [
+#      {
+#          "Sid": "Statement",
+#          "Effect": "Allow",
+#          "Action": "sts:AssumeRole",
+#          "Resource": [
+#            "${aws_iam_role.cloudwatch_exporter_development[0].arn}"
+#          ]
+#      }
+#  ]
+#}
+#POLICY
+#
+#  depends_on = [
+#    aws_iam_role.cloudwatch_exporter_development
+#  ]
+#}
+
+#resource "aws_iam_role_policy_attachment" "development_cloudwatch_exporter_allow_assume_IAMPolicy" {
+#  count      = terraform.workspace == "development" ? 0 : 1
+#  policy_arn = aws_iam_policy.development_cloudwatch_exporter_role_allow_assume_policy[0].arn
+#  role       = aws_iam_role.cloudwatch_exporter.name
+#
+#  depends_on = [
+#    aws_iam_policy.development_cloudwatch_exporter_role_allow_assume_policy
+#  ]
+#}
 
 # IAM role for Cloudwatch Exporter in pre-production AWS account
 
-resource "aws_iam_role" "cloudwatch_exporter_pre_production" {
-  count              = terraform.workspace == "pre-production" ? 0 : 1
-  assume_role_policy = data.aws_iam_policy_document.cloudwatch_exporter_assume_role_policy_other_aws_accounts.json
-  name               = "${var.prefix}-CloudwatchExporter"
-
-  tags = var.tags
-
-  provider = aws.pre_production
-}
-
-resource "aws_iam_policy" "cloudwatch_exporter_iam_policy_pre_production" {
-  count       = terraform.workspace == "pre-production" ? 0 : 1
-  name        = "${var.prefix}-CloudwatchExporterIAMPolicy"
-  path        = "/"
-  description = "IAM role policy for Cloudwatch Exporter in EKS Cluster for ${var.prefix}"
-
-  policy = data.template_file.cloudwatch_exporter_iam_policy.rendered
-
-  tags = var.tags
-
-  provider = aws.pre_production
-}
-
-resource "aws_iam_role_policy_attachment" "cloudwatch_exporter_IAMPolicy_pre_production" {
-  count      = terraform.workspace == "pre-production" ? 0 : 1
-  policy_arn = aws_iam_policy.cloudwatch_exporter_iam_policy_pre_production[0].arn
-  role       = aws_iam_role.cloudwatch_exporter_pre_production[0].name
-
-  provider = aws.pre_production
-}
-
-resource "aws_iam_policy" "pre_production_cloudwatch_exporter_role_allow_assume_policy" {
-  count       = terraform.workspace == "pre-production" ? 0 : 1
-  name        = "pre_production_cloudwatch_exporter_role_allow_assume_policy"
-  path        = "/"
-  description = "Policy that allows cloudwatch exporter in EKS Cluster for ${var.prefix} to assume role in pre-production AWS account"
-
-  policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-      {
-          "Sid": "Statement",
-          "Effect": "Allow",
-          "Action": "sts:AssumeRole",
-          "Resource": [
-            "${aws_iam_role.cloudwatch_exporter_pre_production[0].arn}"
-          ]
-      }
-  ]
-}
-POLICY
-
-  depends_on = [
-    aws_iam_role.cloudwatch_exporter_pre_production
-  ]
-}
-
-resource "aws_iam_role_policy_attachment" "pre_production_cloudwatch_exporter_allow_assume_IAMPolicy" {
-  count      = terraform.workspace == "pre-production" ? 0 : 1
-  policy_arn = aws_iam_policy.pre_production_cloudwatch_exporter_role_allow_assume_policy[0].arn
-  role       = aws_iam_role.cloudwatch_exporter.name
-
-  depends_on = [
-    aws_iam_policy.pre_production_cloudwatch_exporter_role_allow_assume_policy
-  ]
-}
+#resource "aws_iam_role" "cloudwatch_exporter_pre_production" {
+#  count              = terraform.workspace == "pre-production" ? 0 : 1
+#  assume_role_policy = data.aws_iam_policy_document.cloudwatch_exporter_assume_role_policy_other_aws_accounts.json
+#  name               = "${var.prefix}-CloudwatchExporter"
+#
+#  tags = var.tags
+#
+#  provider = aws.pre_production
+#}
+
+#resource "aws_iam_policy" "cloudwatch_exporter_iam_policy_pre_production" {
+#  count       = terraform.workspace == "pre-production" ? 0 : 1
+#  name        = "${var.prefix}-CloudwatchExporterIAMPolicy"
+#  path        = "/"
+#  description = "IAM role policy for Cloudwatch Exporter in EKS Cluster for ${var.prefix}"
+#
+#  policy = data.template_file.cloudwatch_exporter_iam_policy.rendered
+#
+#  tags = var.tags
+#
+#  provider = aws.pre_production
+#}
+
+#resource "aws_iam_role_policy_attachment" "cloudwatch_exporter_IAMPolicy_pre_production" {
+#  count      = terraform.workspace == "pre-production" ? 0 : 1
+#  policy_arn = aws_iam_policy.cloudwatch_exporter_iam_policy_pre_production[0].arn
+#  role       = aws_iam_role.cloudwatch_exporter_pre_production[0].name
+#
+#  provider = aws.pre_production
+#}
+
+#resource "aws_iam_policy" "pre_production_cloudwatch_exporter_role_allow_assume_policy" {
+#  count       = terraform.workspace == "pre-production" ? 0 : 1
+#  name        = "pre_production_cloudwatch_exporter_role_allow_assume_policy"
+#  path        = "/"
+#  description = "Policy that allows cloudwatch exporter in EKS Cluster for ${var.prefix} to assume role in pre-production AWS account"
+#
+#  policy = <<POLICY
+#{
+#  "Version": "2012-10-17",
+#  "Statement": [
+#      {
+#          "Sid": "Statement",
+#          "Effect": "Allow",
+#          "Action": "sts:AssumeRole",
+#          "Resource": [
+#            "${aws_iam_role.cloudwatch_exporter_pre_production[0].arn}"
+#          ]
+#      }
+#  ]
+#}
+#POLICY
+#
+#  depends_on = [
+#    aws_iam_role.cloudwatch_exporter_pre_production
+#  ]
+#}
+
+#resource "aws_iam_role_policy_attachment" "pre_production_cloudwatch_exporter_allow_assume_IAMPolicy" {
+#  count      = terraform.workspace == "pre-production" ? 0 : 1
+#  policy_arn = aws_iam_policy.pre_production_cloudwatch_exporter_role_allow_assume_policy[0].arn
+#  role       = aws_iam_role.cloudwatch_exporter.name
+#
+#  depends_on = [
+#    aws_iam_policy.pre_production_cloudwatch_exporter_role_allow_assume_policy
+#  ]
+#}