Correct the ARN string, also fix the tag sets and allow tag filters as per the api (#9)

StephenTan-TW · nitrocode · cloudpossebot · web-flow · commit f5c4c6bb1276 · 2021-11-19T12:27:23.000-06:00
* Use the correct the lookup map object

* Remove list of lists

* Add lookups again

* Fix ARN typo

* Change ec2_tag_set and ec2_tag_filter stuctures

* Fix missing bracket

* Linting

* Auto Format

* The format of the ARNs is not consistent across platforms. Fixed.

* Conform to the Cloud Posse syntax, add some comments and remove commented out crap

* Tidy up variables documentation

* Auto Format

* Update main.tf

Co-authored-by: nitrocode &lt;nitrocode@users.noreply.github.com&gt;

* Update main.tf

Co-authored-by: nitrocode &lt;nitrocode@users.noreply.github.com&gt;

* Allow the correct AWS partition to be selected automagically

* Auto Format

* Adding enabled logic for the aws_partition data

* Update main.tf

Co-authored-by: nitrocode &lt;nitrocode@users.noreply.github.com&gt;
Co-authored-by: cloudpossebot &lt;11232728+cloudpossebot@users.noreply.github.com&gt;
diff --git a/README.md b/README.md
@@ -160,6 +160,7 @@ Available targets:
 | [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
 ## Inputs
 
@@ -177,7 +178,8 @@ Available targets:
 | <a name="input_create_default_sns_topic"></a> [create\_default\_sns\_topic](#input\_create\_default\_sns\_topic) | Whether to create default SNS topic through which notifications are sent. | `bool` | `true` | no |
 | <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
 | <a name="input_deployment_style"></a> [deployment\_style](#input\_deployment\_style) | Configuration of the type of deployment, either in-place or blue/green, <br>you want to run and whether to route deployment traffic behind a load balancer.<br><br>deployment\_option:<br>  Indicates whether to route deployment traffic behind a load balancer. <br>  Possible values: `WITH_TRAFFIC_CONTROL`, `WITHOUT_TRAFFIC_CONTROL`.<br>deployment\_type:<br>  Indicates whether to run an in-place deployment or a blue/green deployment.<br>  Possible values: `IN_PLACE`, `BLUE_GREEN`. | <pre>object({<br>    deployment_option = string<br>    deployment_type   = string<br>  })</pre> | `null` | no |
-| <a name="input_ec2_tag_filter"></a> [ec2\_tag\_filter](#input\_ec2\_tag\_filter) | A list of sets of tag filters. If multiple tag groups are specified, <br>any instance that matches to at least one tag filter of every tag group is selected.<br><br>key:<br>  The key of the tag filter.<br>type:<br>  The type of the tag filter, either `KEY_ONLY`, `VALUE_ONLY`, or `KEY_AND_VALUE`.<br>value:<br>  The value of the tag filter. | <pre>list(object({<br>    key   = string<br>    type  = string<br>    value = string<br>  }))</pre> | `null` | no |
+| <a name="input_ec2_tag_filter"></a> [ec2\_tag\_filter](#input\_ec2\_tag\_filter) | The Amazon EC2 tags on which to filter. The deployment group includes EC2 instances with any of the specified tags.<br>Cannot be used in the same call as ec2TagSet. | <pre>set(object({<br>    key   = string<br>    type  = string<br>    value = string<br>  }))</pre> | `[]` | no |
+| <a name="input_ec2_tag_set"></a> [ec2\_tag\_set](#input\_ec2\_tag\_set) | A list of sets of tag filters. If multiple tag groups are specified,<br>any instance that matches to at least one tag filter of every tag group is selected.<br><br>key:<br>  The key of the tag filter.<br>type:<br>  The type of the tag filter, either `KEY_ONLY`, `VALUE_ONLY`, or `KEY_AND_VALUE`.<br>value:<br>  The value of the tag filter. | <pre>set(object(<br>    {<br>      ec2_tag_filter = set(object(<br>        {<br>          key   = string<br>          type  = string<br>          value = string<br>        }<br>      ))<br>    }<br>  ))</pre> | `[]` | no |
 | <a name="input_ecs_service"></a> [ecs\_service](#input\_ecs\_service) | Configuration block(s) of the ECS services for a deployment group.<br><br>cluster\_name:<br>  The name of the ECS cluster. <br>service\_name:<br>  The name of the ECS service. | <pre>list(object({<br>    cluster_name = string<br>    service_name = string<br>  }))</pre> | `null` | no |
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
@@ -30,6 +30,7 @@
 | [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
 ## Inputs
 
@@ -47,7 +48,8 @@
 | <a name="input_create_default_sns_topic"></a> [create\_default\_sns\_topic](#input\_create\_default\_sns\_topic) | Whether to create default SNS topic through which notifications are sent. | `bool` | `true` | no |
 | <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
 | <a name="input_deployment_style"></a> [deployment\_style](#input\_deployment\_style) | Configuration of the type of deployment, either in-place or blue/green, <br>you want to run and whether to route deployment traffic behind a load balancer.<br><br>deployment\_option:<br>  Indicates whether to route deployment traffic behind a load balancer. <br>  Possible values: `WITH_TRAFFIC_CONTROL`, `WITHOUT_TRAFFIC_CONTROL`.<br>deployment\_type:<br>  Indicates whether to run an in-place deployment or a blue/green deployment.<br>  Possible values: `IN_PLACE`, `BLUE_GREEN`. | <pre>object({<br>    deployment_option = string<br>    deployment_type   = string<br>  })</pre> | `null` | no |
-| <a name="input_ec2_tag_filter"></a> [ec2\_tag\_filter](#input\_ec2\_tag\_filter) | A list of sets of tag filters. If multiple tag groups are specified, <br>any instance that matches to at least one tag filter of every tag group is selected.<br><br>key:<br>  The key of the tag filter.<br>type:<br>  The type of the tag filter, either `KEY_ONLY`, `VALUE_ONLY`, or `KEY_AND_VALUE`.<br>value:<br>  The value of the tag filter. | <pre>list(object({<br>    key   = string<br>    type  = string<br>    value = string<br>  }))</pre> | `null` | no |
+| <a name="input_ec2_tag_filter"></a> [ec2\_tag\_filter](#input\_ec2\_tag\_filter) | The Amazon EC2 tags on which to filter. The deployment group includes EC2 instances with any of the specified tags.<br>Cannot be used in the same call as ec2TagSet. | <pre>set(object({<br>    key   = string<br>    type  = string<br>    value = string<br>  }))</pre> | `[]` | no |
+| <a name="input_ec2_tag_set"></a> [ec2\_tag\_set](#input\_ec2\_tag\_set) | A list of sets of tag filters. If multiple tag groups are specified,<br>any instance that matches to at least one tag filter of every tag group is selected.<br><br>key:<br>  The key of the tag filter.<br>type:<br>  The type of the tag filter, either `KEY_ONLY`, `VALUE_ONLY`, or `KEY_AND_VALUE`.<br>value:<br>  The value of the tag filter. | <pre>set(object(<br>    {<br>      ec2_tag_filter = set(object(<br>        {<br>          key   = string<br>          type  = string<br>          value = string<br>        }<br>      ))<br>    }<br>  ))</pre> | `[]` | no |
 | <a name="input_ecs_service"></a> [ecs\_service](#input\_ecs\_service) | Configuration block(s) of the ECS services for a deployment group.<br><br>cluster\_name:<br>  The name of the ECS cluster. <br>service\_name:<br>  The name of the ECS service. | <pre>list(object({<br>    cluster_name = string<br>    service_name = string<br>  }))</pre> | `null` | no |
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
diff --git a/main.tf b/main.tf
@@ -14,10 +14,10 @@ locals {
   default_service_role_enabled        = local.enabled && var.create_default_service_role
   default_service_role_count          = local.default_service_role_enabled ? 1 : 0
   service_role_arn                    = local.default_service_role_enabled ? join("", aws_iam_role.default.*.arn) : var.service_role_arn
-  default_policy_name = {
-    Server = "AWSCodeDeployRole"
-    Lambda = "AWSCodeDeployRoleForLambda"
-    ECS    = "AWSCodeDeployRoleForECS"
+  default_policy_arn = {
+    Server = "arn:${join("", data.aws_partition.current.*.partition)}:iam::aws:policy/service-role/AWSCodeDeployRole"
+    Lambda = "arn:${join("", data.aws_partition.current.*.partition)}:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda"
+    ECS    = "arn:${join("", data.aws_partition.current.*.partition)}:iam::aws:policy/AWSCodeDeployRoleForECS"
   }
 }
 
@@ -35,6 +35,10 @@ data "aws_iam_policy_document" "assume_role" {
   }
 }
 
+data "aws_partition" "current" {
+  count = local.default_service_role_count
+}
+
 resource "aws_iam_role" "default" {
   count              = local.default_service_role_count
   name               = module.this.id
@@ -44,7 +48,7 @@ resource "aws_iam_role" "default" {
 
 resource "aws_iam_role_policy_attachment" "default" {
   count      = local.default_service_role_count
-  policy_arn = format("arn:aws:iam::aws:policy/%s", lookup(local.default_policy_name, var.compute_platform))
+  policy_arn = format("%s", lookup(local.default_policy_arn, var.compute_platform))
   role       = join("", aws_iam_role.default.*.name)
 }
 
@@ -171,14 +175,30 @@ resource "aws_codedeploy_deployment_group" "default" {
     }
   }
 
+  # Note that you cannot have both ec_tag_filter and ec2_tag_set vars set!
+  # See https://docs.aws.amazon.com/cli/latest/reference/deploy/create-deployment-group.html for details
+  dynamic "ec2_tag_filter" {
+    for_each = length(var.ec2_tag_filter) > 0 ? [] : var.ec2_tag_filter
+    content {
+      key   = ec2_tag_filter.value["key"]
+      type  = ec2_tag_filter.value["type"]
+      value = ec2_tag_filter.value["value"]
+    }
+  }
+
+  # Note that you cannot have both ec_tag_filter and ec2_tag_set vars set!
+  # See https://docs.aws.amazon.com/cli/latest/reference/deploy/create-deployment-group.html for details
   dynamic "ec2_tag_set" {
-    for_each = var.ec2_tag_filter == null ? [] : var.ec2_tag_filter
+    for_each = length(var.ec2_tag_set) > 0 ? [] : var.ec2_tag_set
 
     content {
-      ec2_tag_filter {
-        key   = lookup(ec2_tag_set.value, "key", null)
-        type  = lookup(ec2_tag_set.value, "type", null)
-        value = lookup(ec2_tag_set.value, "value", null)
+      dynamic "ec2_tag_filter" {
+        for_each = ec2_tag_set.value.ec2_tag_filter
+        content {
+          key   = ec2_tag_filter.value["key"]
+          type  = ec2_tag_filter.value["type"]
+          value = ec2_tag_filter.value["value"]
+        }
       }
     }
   }
diff --git a/variables.tf b/variables.tf
@@ -118,14 +118,33 @@ variable "deployment_style" {
 }
 
 variable "ec2_tag_filter" {
-  type = list(object({
+  type = set(object({
     key   = string
     type  = string
     value = string
   }))
-  default     = null
+  default     = []
+  description = <<-DOC
+    The Amazon EC2 tags on which to filter. The deployment group includes EC2 instances with any of the specified tags.
+    Cannot be used in the same call as ec2TagSet.
+  DOC
+}
+
+variable "ec2_tag_set" {
+  type = set(object(
+    {
+      ec2_tag_filter = set(object(
+        {
+          key   = string
+          type  = string
+          value = string
+        }
+      ))
+    }
+  ))
+  default     = []
   description = <<-DOC
-    A list of sets of tag filters. If multiple tag groups are specified, 
+    A list of sets of tag filters. If multiple tag groups are specified,
     any instance that matches to at least one tag filter of every tag group is selected.
 
     key:
