Update outputs for recent changes

Also update the terraform-docs output in README.md in accordance with recent changes.
cisagov · Oct 8, 2024 · ea86a0a · ea86a0a
1 parent 8237dc3
commit ea86a0a
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -62,12 +62,20 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_iam_group.assessment_provisioners](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group) | resource |
-| [aws_iam_group_policy_attachment.assessment_provisioners](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
-| [aws_iam_policy.provision_assessment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_group.assessment_provisioners_no_backend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group) | resource |
+| [aws_iam_group_policy_attachment.assessment_provisioners_backend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
+| [aws_iam_group_policy_attachment.assessment_provisioners_base](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
+| [aws_iam_group_policy_attachment.assessment_provisioners_no_backend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
+| [aws_iam_group_policy_attachment.assessment_provisioners_no_backend_base](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
+| [aws_iam_policy.provision_assessment_backend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.provision_assessment_base](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.provision_assessment_no_backend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_user_group_membership.assessment_provisioners](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_group_membership) | resource |
 | [aws_caller_identity.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_caller_identity.users](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_iam_policy_document.provision_assessment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.provision_assessment_backend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.provision_assessment_base](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.provision_assessment_no_backend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_organizations_organization.cool](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
 | [terraform_remote_state.dns_certboto](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source |
 | [terraform_remote_state.images_parameterstore-production](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source |
@@ -83,20 +91,28 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | assessment\_provisioners\_group\_name | The name of the IAM group whose members are allowed to provision assessment environments. | `string` | `"assessment_provisioners"` | no |
+| assessment\_provisioners\_no\_backend\_group\_name | The name of the IAM group whose members are allowed to provision assessment environments but do not have general access to the Terraform backend. | `string` | `"assessment_provisioners_no_backend"` | no |
 | aws\_region | The AWS region to deploy into (e.g. us-east-1). | `string` | `"us-east-1"` | no |
-| provision\_assessment\_policy\_description | The description to associate with the IAM policy in the Users account that allows the assessment provisioner group to assume all roles needed in order to provision assessment environments. | `string` | `"Allows the assessment provisioner group to assume all roles needed in order to provision assessment environments."` | no |
-| provision\_assessment\_policy\_name | The name of the IAM policy in the Users account that allows the assessment provisioner group to assume all roles needed in order to provision assessment environments. | `string` | `"AssumeProvisionAssessment"` | no |
+| provision\_assessment\_backend\_policy\_description | The description to associate with the IAM policy in the Users account that allows assumption of all non-assessment roles needed in order to provision assessment environments. | `string` | `"Allows assumption of all non-assessment roles needed in order to provision assessment environments."` | no |
+| provision\_assessment\_backend\_policy\_name | The name of the IAM policy in the Users account that allows assumption of all non-assessment roles needed in order to provision assessment environments. | `string` | `"AssumeProvisionAssessmentBackend"` | no |
+| provision\_assessment\_base\_policy\_description | The description to associate with the IAM policy in the Users account that allows assumption of all assessment roles needed in order to provision assessment environments. | `string` | `"Allows assumption of all assessment roles needed in order to provision assessment environments."` | no |
+| provision\_assessment\_base\_policy\_name | The name of the IAM policy in the Users account that allows the assessment provisioner group to assume all assessment roles needed in order to provision assessment environments. | `string` | `"AssumeProvisionAssessment"` | no |
+| provision\_assessment\_no\_backend\_policy\_description | The description to associate with the IAM policy in the Users account that allows assumption of all non-assessment roles needed in order to provision assessment environments, with the exception of Terraform backend access. | `string` | `"Allows assumption of all non-assessment roles needed in order to provision assessment environments, with the exception of backend access."` | no |
+| provision\_assessment\_no\_backend\_policy\_name | The name of the IAM policy in the Users account that allows assumption of all non-assessment roles needed in order to provision assessment environments, with the exception of Terraform backend access. | `string` | `"AssumeProvisionAssessmentNoBackend"` | no |
 | provision\_assessment\_role\_name | The name of the IAM role in assessment accounts that includes all permissions necessary to provision the assessment environment in that account.  If this role does not exist in an account, an assessment environment cannot be provisioned in that account. | `string` | `"ProvisionAccount"` | no |
 | startstopssmsession\_role\_name | The name of the IAM role in assessment accounts that includes all permissions necessary to start and stop an SSM session in that account. | `string` | `"StartStopSSMSession"` | no |
 | tags | Tags to apply to all AWS resources created. | `map(string)` | `{}` | no |
-| users | A list containing the usernames of users that exist in the Users account who are allowed to provision assessment environments.  Example: [ "firstname1.lastname1", "firstname2.lastname2" ]. | `list(string)` | n/a | yes |
+| users | A list of maps, each containing a "name" and a "backend\_access" key.  The "name" value contains the name of a user that exists in the Users account who is to be allowed to provision assessment environments.  The "backend\_access" value contains a boolean value indicating whether or not the user should have general Terraform backend access.  Example: [ { name: "firstname1.lastname1", backend\_access: true }, {name: "firstname2.lastname2", backend\_access: false } ]. | `list(object({name=string, backend_access=bool}))` | n/a | yes |
 
 ## Outputs ##
 
 | Name | Description |
 |------|-------------|
+| assessment\_provisioners\_backend\_policy | The IAM policy in the Users account that allows assumption of all non-assessment roles needed in order to provision assessment environments. |
+| assessment\_provisioners\_base\_policy | The IAM policy in the Users account that allows assumption of all assessment roles needed in order to provision assessment environments. |
 | assessment\_provisioners\_group | The IAM group whose members are allowed to provision assessment environments. |
-| assessment\_provisioners\_policy | The IAM policy in the Users account that allows the assessment provisioners group to assume the provisioning role in assessment accounts. |
+| assessment\_provisioners\_no\_backend\_group | The IAM group whose members are allowed to provision assessment environments but do not have general access to the Terraform backend. |
+| assessment\_provisioners\_no\_backend\_policy | The IAM policy in the Users account that allows assumption of all non-assessment roles needed in order to provision assessment environments, with the exception of Terraform backend access. |
 <!-- END_TF_DOCS -->
 
 ## Notes ##

diff --git a/outputs.tf b/outputs.tf
@@ -3,7 +3,22 @@ output "assessment_provisioners_group" {
   value       = aws_iam_group.assessment_provisioners
 }
 
-output "assessment_provisioners_policy" {
-  description = "The IAM policy in the Users account that allows the assessment provisioners group to assume the provisioning role in assessment accounts."
-  value       = aws_iam_policy.provision_assessment
+output "assessment_provisioners_no_backend_group" {
+  description = "The IAM group whose members are allowed to provision assessment environments but do not have general access to the Terraform backend."
+  value       = aws_iam_group.assessment_provisioners_no_backend
+}
+
+output "assessment_provisioners_backend_policy" {
+  description = "The IAM policy in the Users account that allows assumption of all non-assessment roles needed in order to provision assessment environments."
+  value       = aws_iam_policy.provision_assessment_backend
+}
+
+output "assessment_provisioners_base_policy" {
+  description = "The IAM policy in the Users account that allows assumption of all assessment roles needed in order to provision assessment environments."
+  value       = aws_iam_policy.provision_assessment_base
+}
+
+output "assessment_provisioners_no_backend_policy" {
+  description = "The IAM policy in the Users account that allows assumption of all non-assessment roles needed in order to provision assessment environments, with the exception of Terraform backend access."
+  value       = aws_iam_policy.provision_assessment_no_backend
 }