Updates for Terraform 0.13 - Remove module-wide create/enable variable

.bumpversion.cfg

@@ -1,7 +1,6 @@
 [bumpversion]
-current_version = 1.0.3
+current_version = 2.0.0
 commit = True
 message = Bumps version to {new_version}
 tag = False
 tag_name = {new_version}
-

.gitignore

@@ -17,3 +17,6 @@ tardigrade-ci/
 
 # eclint
 .git/
+
+# terratest
+tests/go.*

README.md

@@ -1,40 +1,31 @@
 # terraform-aws-tardigrade-config-aggregator
 
-Terraform module to either create an AWS Config configuration aggregator, authorize a configuration aggregator in
-another account to collect your data, or both. By default, the module is set to create an AWS Config configuration
-aggregator. If you would like to authorize another account to collect your data then you will need to toggle the
-`create_config_authorization` flag.
-
+Terraform module to either create an AWS Config aggregator, authorize a configuration aggregator to
+collect your data, or both.
 
 <!-- BEGIN TFDOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| terraform | >= 0.12 |
+| terraform | >= 0.13 |
 
 ## Providers
 
-| Name | Version |
-|------|---------|
-| aws | n/a |
+No provider.
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| aggregator\_name | Name to use for the aggregator; required when `create_config_authorization` is `true` | `string` | `""` | no |
-| aggregator\_source\_account\_ids | List of source account IDs for the config aggregator; required when `create_config_aggregator` is `true` | `list(string)` | `[]` | no |
-| authorized\_aggregator\_account\_id | Account ID where the authorized aggregator exists; required when `create_config_authorization` is `true` | `string` | `""` | no |
-| authorized\_aggregator\_region | Region where the authorized aggregator exists; required when `create_config_authorization` is `true` | `string` | `""` | no |
-| create\_config\_aggregator | Toggle that controls creation/management of a config aggregator | `bool` | `true` | no |
-| create\_config\_authorization | Toggle that controls creation/management of a config authorization | `bool` | `false` | no |
+| aggregator | Object specifying the configuration of a Config Aggregator | <pre>object({<br>    name = string<br>    tags = map(string)<br>    account_aggregation_source = object({<br>      account_ids = list(string)<br>      all_regions = bool<br>      regions     = list(string)<br>    })<br>    organization_aggregation_source = object({<br>      all_regions = bool<br>      regions     = list(string)<br>      role_arn    = string<br>    })<br>  })</pre> | `null` | no |
+| authorization | Object specifying the configuration of a Config Aggregator Authorization | <pre>object({<br>    account_id = string<br>    region     = string<br>    tags       = map(string)<br>  })</pre> | `null` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| config\_aggregator\_arn | The Amazon Resource Name (ARN) of the config aggregator |
-| config\_authorization\_arn | The Amazon Resource Name (ARN) of the config authorization |
+| aggregator | Object containing the Config Aggregator attributes |
+| authorization | Object containing the Config Aggregator Authorization attributes |
 
 <!-- END TFDOCS -->

main.tf

@@ -1,21 +1,18 @@
-provider "aws" {
-}
-
-resource "aws_config_configuration_aggregator" "this" {
-  count = var.create_config_aggregator ? 1 : 0
+module aggregator {
+  source = "./modules/aggregator"
+  count  = var.aggregator != null ? 1 : 0
 
-  name = var.aggregator_name
-
-  account_aggregation_source {
-    account_ids = var.aggregator_source_account_ids
-    all_regions = "true"
-  }
+  name                            = var.aggregator.name
+  account_aggregation_source      = var.aggregator.account_aggregation_source
+  organization_aggregation_source = var.aggregator.organization_aggregation_source
+  tags                            = var.aggregator.tags
 }
 
-resource "aws_config_aggregate_authorization" "this" {
-  count = var.create_config_authorization ? 1 : 0
+module authorization {
+  source = "./modules/authorization"
+  count  = var.authorization != null ? 1 : 0
 
-  account_id = var.authorized_aggregator_account_id
-  region     = var.authorized_aggregator_region
+  account_id = var.authorization.account_id
+  region     = var.authorization.region
+  tags       = var.authorization.tags
 }
-

modules/aggregator/README.md

@@ -0,0 +1,32 @@
+# terraform-aws-tardigrade-config-aggregator/aggregator
+
+Terraform module to create an AWS Config Aggregator.
+
+
+<!-- BEGIN TFDOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| name | Name to use for the Config Aggregator | `string` | n/a | yes |
+| account\_aggregation\_source | Object of account sources to aggregate | <pre>object({<br>    account_ids = list(string)<br>    all_regions = bool<br>    regions     = list(string)<br>  })</pre> | `null` | no |
+| organization\_aggregation\_source | Object with the AWS Organization configuration for the Config Aggregator | <pre>object({<br>    all_regions = bool<br>    regions     = list(string)<br>    role_arn    = string<br>  })</pre> | `null` | no |
+| tags | Map of tags to apply to the Config Aggregator | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| aggregator | Object with the Config Aggregator attributes |
+
+<!-- END TFDOCS -->

modules/aggregator/main.tf

@@ -0,0 +1,22 @@
+resource aws_config_configuration_aggregator this {
+  name = var.name
+  tags = merge({ Name = var.name }, var.tags)
+
+  dynamic account_aggregation_source {
+    for_each = var.account_aggregation_source != null ? [var.account_aggregation_source] : []
+    content {
+      account_ids = account_aggregation_source.value.account_ids
+      all_regions = account_aggregation_source.value.all_regions
+      regions     = account_aggregation_source.value.regions
+    }
+  }
+
+  dynamic organization_aggregation_source {
+    for_each = var.organization_aggregation_source != null ? [var.organization_aggregation_source] : []
+    content {
+      all_regions = organization_aggregation_source.value.all_regions
+      regions     = organization_aggregation_source.value.regions
+      role_arn    = organization_aggregation_source.value.role_arn
+    }
+  }
+}

modules/aggregator/outputs.tf

@@ -0,0 +1,16 @@
+output aggregator {
+  description = "Object with the Config Aggregator attributes"
+  # account source region is null on initial apply when all_regions is true.
+  # this can cause a diff on second apply when the entire resource is output
+  # in the caller config, as the api updates `null` => `[]`. workaround is to
+  # explicitly set regions to an empty list.
+  value = merge(
+    aws_config_configuration_aggregator.this,
+    var.account_aggregation_source != null && var.account_aggregation_source.regions == null ? {
+      account_aggregation_source = [merge(
+        aws_config_configuration_aggregator.this.account_aggregation_source[0],
+        { regions = [] },
+      )]
+    } : {},
+  )
+}

modules/aggregator/variables.tf

@@ -0,0 +1,30 @@
+variable name {
+  description = "Name to use for the Config Aggregator"
+  type        = string
+}
+
+variable account_aggregation_source {
+  description = "Object of account sources to aggregate"
+  type = object({
+    account_ids = list(string)
+    all_regions = bool
+    regions     = list(string)
+  })
+  default = null
+}
+
+variable organization_aggregation_source {
+  description = "Object with the AWS Organization configuration for the Config Aggregator"
+  type = object({
+    all_regions = bool
+    regions     = list(string)
+    role_arn    = string
+  })
+  default = null
+}
+
+variable tags {
+  description = "Map of tags to apply to the Config Aggregator"
+  type        = map(string)
+  default     = {}
+}

modules/authorization/README.md

@@ -0,0 +1,31 @@
+# terraform-aws-tardigrade-config-aggregator/authorization
+
+Terraform module to create an AWS Config Aggregator Authorization.
+
+
+<!-- BEGIN TFDOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| account\_id | Account ID where the authorized aggregator exists | `string` | n/a | yes |
+| region | Region where the aggregator exists | `string` | n/a | yes |
+| tags | Map of tags to apply to the Config Aggregator Authorization | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| authorization | Object with the Config Aggregate Authorization attributes |
+
+<!-- END TFDOCS -->

modules/authorization/main.tf

@@ -0,0 +1,5 @@
+resource aws_config_aggregate_authorization this {
+  account_id = var.account_id
+  region     = var.region
+  tags       = merge({ Name = "${var.account_id}:${var.region}" }, var.tags)
+}

modules/authorization/outputs.tf

@@ -0,0 +1,4 @@
+output authorization {
+  description = "Object with the Config Aggregate Authorization attributes"
+  value       = aws_config_aggregate_authorization.this
+}

modules/authorization/variables.tf

@@ -0,0 +1,15 @@
+variable account_id {
+  description = "Account ID where the authorized aggregator exists"
+  type        = string
+}
+
+variable region {
+  description = "Region where the aggregator exists"
+  type        = string
+}
+
+variable tags {
+  description = "Map of tags to apply to the Config Aggregator Authorization"
+  type        = map(string)
+  default     = {}
+}

outputs.tf

@@ -1,10 +1,9 @@
-output "config_authorization_arn" {
-  description = "The Amazon Resource Name (ARN) of the config authorization"
-  value       = join("", aws_config_aggregate_authorization.this.*.arn)
+output aggregator {
+  description = "Object containing the Config Aggregator attributes"
+  value       = var.aggregator != null ? module.aggregator[0].aggregator : null
 }
 
-output "config_aggregator_arn" {
-  description = "The Amazon Resource Name (ARN) of the config aggregator"
-  value       = join("", aws_config_configuration_aggregator.this.*.arn)
+output authorization {
+  description = "Object containing the Config Aggregator Authorization attributes"
+  value       = var.authorization != null ? module.authorization[0].authorization : null
 }
-

tests/config_aggregator/main.tf

@@ -0,0 +1,31 @@
+provider aws {
+  region = "us-east-1"
+}
+
+module config_aggregator {
+  source = "../../"
+
+  aggregator = {
+    name = "tardigrade-config-aggregator-${random_string.this.result}"
+    tags = {}
+    account_aggregation_source = {
+      account_ids = [data.aws_caller_identity.current.account_id]
+      all_regions = true
+      regions     = null
+    }
+    organization_aggregation_source = null
+  }
+}
+
+resource random_string this {
+  length  = 6
+  number  = false
+  special = false
+  upper   = false
+}
+
+data aws_caller_identity current {}
+
+output config_aggregator {
+  value = module.config_aggregator
+}

tests/config_authorization/main.tf

@@ -0,0 +1,27 @@
+provider aws {
+  region = "us-east-1"
+}
+
+module config_authorization {
+  source = "../../"
+
+  authorization = {
+    name       = "tardigrade-config-auth-${random_string.this.result}"
+    account_id = data.aws_caller_identity.current.account_id
+    region     = "us-east-1"
+    tags       = {}
+  }
+}
+
+resource random_string this {
+  length  = 6
+  number  = false
+  special = false
+  upper   = false
+}
+
+data aws_caller_identity current {}
+
+output config_authorization {
+  value = module.config_authorization
+}