Fix formatting and remove unused code

Signed-off-by: Jim Enright <[email protected]>
cloudera-labs · Aug 16, 2024 · 0ac647c · 0ac647c
1 parent 2b5c462
commit 0ac647c
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 118 deletions.
diff --git a/modules/terraform-aws-cred-permissions/main.tf b/modules/terraform-aws-cred-permissions/main.tf
@@ -68,33 +68,3 @@ resource "time_sleep" "iam_propagation" {
   depends_on      = [aws_iam_role.cdp_xaccount_role]
   create_duration = "45s"
 }
-
-
-# # ------- Add missing iam:Tag* permissions to Cross-Account Policy -------
-# # First create the extra policy document
-# data "aws_iam_policy_document" "cdp_extra_xaccount_policy_doc" {
-#   count = var.create_extra_xaccount_policy ? 1 : 0
-
-#   version = "2012-10-17"
-
-#   statement {
-#     sid = "AllowIAMTagRole"
-
-#     actions = ["iam:TagRole"]
-#     effect  = "Allow"
-
-#     resources = [
-#       "*",
-#     ]
-#   }
-# }
-
-# # Then create the inline policy using the document
-# resource "aws_iam_role_policy" "cdp_extra_xaccount_policy" {
-#   count = var.create_extra_xaccount_policy ? 1 : 0
-
-#   name = "${var.env_prefix}-cross-account-extra"
-#   role = aws_iam_role.cdp_xaccount_role.id
-
-#   policy = data.aws_iam_policy_document.cdp_extra_xaccount_policy_doc[0].json
-# }
diff --git a/modules/terraform-aws-permissions/main.tf b/modules/terraform-aws-permissions/main.tf
@@ -1,7 +1,7 @@
 # ------- CDP IDBroker Assume Role policy -------
 resource "aws_iam_policy" "cdp_idbroker_policy" {
-  name = var.idbroker_policy_name
-  # description = "CDP IDBroker Assume Role policy for ${var.env_prefix}"
+  name        = var.idbroker_policy_name
+  description = "CDP IDBroker Assume Role policy"
 
   tags = merge(var.tags, { Name = var.idbroker_policy_name })
 
@@ -10,8 +10,8 @@ resource "aws_iam_policy" "cdp_idbroker_policy" {
 
 # ------- CDP Data Access Policies - Log -------
 resource "aws_iam_policy" "cdp_log_data_access_policy" {
-  name = var.log_data_access_policy_name
-  # description = "CDP Log Location Access policy for ${var.env_prefix}"
+  name        = var.log_data_access_policy_name
+  description = "CDP Log Location Access policy"
 
   tags = merge(var.tags, { Name = var.log_data_access_policy_name })
 
@@ -20,8 +20,8 @@ resource "aws_iam_policy" "cdp_log_data_access_policy" {
 }
 # ------- CDP Data Access Policies - ranger_audit_s3 -------
 resource "aws_iam_policy" "cdp_ranger_audit_s3_data_access_policy" {
-  name = var.ranger_audit_s3_policy_name
-  # description = "CDP Ranger Audit S3 Access policy for ${var.env_prefix}"
+  name        = var.ranger_audit_s3_policy_name
+  description = "CDP Ranger Audit S3 Access policy"
 
   tags = merge(var.tags, { Name = var.ranger_audit_s3_policy_name })
 
@@ -30,8 +30,8 @@ resource "aws_iam_policy" "cdp_ranger_audit_s3_data_access_policy" {
 
 # ------- CDP Data Access Policies - datalake_admin_s3 -------
 resource "aws_iam_policy" "cdp_datalake_admin_s3_data_access_policy" {
-  name = var.datalake_admin_s3_policy_name
-  # description = "CDP Datalake Admin S3 Access policy for ${var.env_prefix}"
+  name        = var.datalake_admin_s3_policy_name
+  description = "CDP Datalake Admin S3 Access policy"
 
   tags = merge(var.tags, { Name = var.datalake_admin_s3_policy_name })
 
@@ -42,8 +42,8 @@ resource "aws_iam_policy" "cdp_datalake_admin_s3_data_access_policy" {
 # ------- CDP Data Access Policies - bucket_access -------
 # Policy for Data bucket
 resource "aws_iam_policy" "cdp_data_bucket_data_access_policy" {
-  name = var.data_bucket_access_policy_name
-  # description = "CDP Data Bucket S3 Access policy for ${var.env_prefix}"
+  name        = var.data_bucket_access_policy_name
+  description = "CDP Data Bucket S3 Access policy"
 
   tags = merge(var.tags, { Name = var.data_bucket_access_policy_name })
 
@@ -52,31 +52,17 @@ resource "aws_iam_policy" "cdp_data_bucket_data_access_policy" {
 
 # Policy for Log bucket...Only required if log bucket different from data bucket
 resource "aws_iam_policy" "cdp_log_bucket_data_access_policy" {
-
-  # count = ((
-  #   var.log_storage_bucket != var.data_storage_bucket) ?
-  #   1 : 0
-  # )
-
-  name = var.log_bucket_access_policy_name
-  # description = "CDP Log Bucket S3 Access policy for ${var.env_prefix}"
+  name        = var.log_bucket_access_policy_name
+  description = "CDP Log Bucket S3 Access policy"
 
   tags = merge(var.tags, { Name = var.log_bucket_access_policy_name })
 
   policy = local.log_bucket_access_policy_doc
 }
 # Policy for backup bucket...requied only if different from backup and log bucket
 resource "aws_iam_policy" "cdp_backup_bucket_data_access_policy" {
-
-  # count = ((
-  #   var.backup_storage_bucket != var.data_storage_bucket
-  #   ||
-  #   var.backup_storage_bucket != var.log_storage_bucket) ?
-  #   1 : 0
-  # )
-
-  name = var.backup_bucket_access_policy_name
-  # description = "CDP Backup Bucket S3 Access policy for ${var.env_prefix}"
+  name        = var.backup_bucket_access_policy_name
+  description = "CDP Backup Bucket S3 Access policy"
 
   tags = merge(var.tags, { Name = var.backup_bucket_access_policy_name })
 
@@ -85,8 +71,8 @@ resource "aws_iam_policy" "cdp_backup_bucket_data_access_policy" {
 
 # ------- CDP Data Access Policies - datalake_backup_policy -------
 resource "aws_iam_policy" "cdp_datalake_backup_policy" {
-  name = var.datalake_backup_policy_name
-  # description = "CDP Datalake Backup policy for ${var.env_prefix}"
+  name        = var.datalake_backup_policy_name
+  description = "CDP Datalake Backup policy"
 
   tags = merge(var.tags, { Name = var.datalake_backup_policy_name })
 
@@ -95,8 +81,8 @@ resource "aws_iam_policy" "cdp_datalake_backup_policy" {
 
 # ------- CDP Data Access Policies - datalake_restore_policy -------
 resource "aws_iam_policy" "cdp_datalake_restore_policy" {
-  name = var.datalake_restore_policy_name
-  # description = "CDP Datalake Restore policy for ${var.env_prefix}"
+  name        = var.datalake_restore_policy_name
+  description = "CDP Datalake Restore policy"
 
   tags = merge(var.tags, { Name = var.datalake_restore_policy_name })
 
@@ -121,8 +107,8 @@ data "aws_iam_policy_document" "cdp_idbroker_role_policy_doc" {
 
 # Create the IAM role that uses the above assume_role_policy document
 resource "aws_iam_role" "cdp_idbroker_role" {
-  name = var.idbroker_role_name
-  # description = "CDP IDBroker role for ${var.env_prefix}"
+  name        = var.idbroker_role_name
+  description = "CDP IDBroker role"
 
   assume_role_policy = data.aws_iam_policy_document.cdp_idbroker_role_policy_doc.json
 
@@ -143,7 +129,6 @@ resource "aws_iam_role_policy_attachment" "cdp_idbroker_role_attach1" {
 
 # Attach AWS Log Location Policy to the Role
 resource "aws_iam_role_policy_attachment" "cdp_idbroker_role_attach2" {
-
   role       = aws_iam_role.cdp_idbroker_role.name
   policy_arn = aws_iam_policy.cdp_log_data_access_policy.arn
 }
@@ -166,8 +151,8 @@ data "aws_iam_policy_document" "cdp_log_role_policy_doc" {
 
 # Create the IAM role that uses the above assume_role_policy document
 resource "aws_iam_role" "cdp_log_role" {
-  name = var.log_role_name
-  # description = "CDP Log role for ${var.env_prefix}"
+  name        = var.log_role_name
+  description = "CDP Log role"
 
   assume_role_policy = data.aws_iam_policy_document.cdp_log_role_policy_doc.json
 
@@ -182,7 +167,6 @@ resource "aws_iam_instance_profile" "cdp_log_role_instance_profile" {
 
 # Attach AWS Log Location Policy to the Role
 resource "aws_iam_role_policy_attachment" "cdp_log_role_attach1" {
-
   role       = aws_iam_role.cdp_log_role.name
   policy_arn = aws_iam_policy.cdp_log_data_access_policy.arn
 }
@@ -196,7 +180,6 @@ resource "aws_iam_role_policy_attachment" "cdp_log_role_attach2" {
 
 # Attach AWS Datalake Backup Policy to the Role
 resource "aws_iam_role_policy_attachment" "cdp_log_role_attach3" {
-
   role       = aws_iam_role.cdp_log_role.name
   policy_arn = aws_iam_policy.cdp_datalake_backup_policy.arn
 }
@@ -219,8 +202,8 @@ data "aws_iam_policy_document" "cdp_datalake_admin_role_policy_doc" {
 
 # Create the IAM role that uses the above assume_role_policy document
 resource "aws_iam_role" "cdp_datalake_admin_role" {
-  name = var.datalake_admin_role_name
-  # description = "CDP Datalake Admin role for ${var.env_prefix}"
+  name        = var.datalake_admin_role_name
+  description = "CDP Datalake Admin role"
 
   assume_role_policy = data.aws_iam_policy_document.cdp_datalake_admin_role_policy_doc.json
 
@@ -235,57 +218,37 @@ resource "aws_iam_instance_profile" "cdp_datalake_admin_role_instance_profile" {
 
 # Attach AWS Datalake Admin S3 Policy to the Role
 resource "aws_iam_role_policy_attachment" "cdp_datalake_admin_role_attach1" {
-
   role       = aws_iam_role.cdp_datalake_admin_role.name
   policy_arn = aws_iam_policy.cdp_datalake_admin_s3_data_access_policy.arn
 }
 
 # Attach AWS Bucket Access Policy to the Role
 # ..data bucket policy
 resource "aws_iam_role_policy_attachment" "cdp_datalake_admin_role_attach2" {
-
   role       = aws_iam_role.cdp_datalake_admin_role.name
   policy_arn = aws_iam_policy.cdp_data_bucket_data_access_policy.arn
 }
 
 # ..log bucket policy, if required
 resource "aws_iam_role_policy_attachment" "cdp_datalake_admin_role_attach3" {
-
-  # count = ((
-  #   var.log_storage_bucket != var.data_storage_bucket) ?
-  #   1 : 0
-  # )
-
-  role = aws_iam_role.cdp_datalake_admin_role.name
-  # policy_arn = aws_iam_policy.cdp_log_bucket_data_access_policy[0].arn
+  role       = aws_iam_role.cdp_datalake_admin_role.name
   policy_arn = aws_iam_policy.cdp_log_bucket_data_access_policy.arn
 }
 
 # ..backup bucket policy, if required
 resource "aws_iam_role_policy_attachment" "cdp_datalake_admin_role_attach4" {
-
-  # count = ((
-  #   var.backup_storage_bucket != var.data_storage_bucket
-  #   ||
-  #   var.backup_storage_bucket != var.log_storage_bucket) ?
-  #   1 : 0
-  # )
-
-  role = aws_iam_role.cdp_datalake_admin_role.name
-  # policy_arn = aws_iam_policy.cdp_backup_bucket_data_access_policy[0].arn
+  role       = aws_iam_role.cdp_datalake_admin_role.name
   policy_arn = aws_iam_policy.cdp_backup_bucket_data_access_policy.arn
 }
 
 # Attach AWS Datalake Backup Policy to the Role
 resource "aws_iam_role_policy_attachment" "cdp_datalake_admin_role_attach5" {
-
   role       = aws_iam_role.cdp_datalake_admin_role.name
   policy_arn = aws_iam_policy.cdp_datalake_backup_policy.arn
 }
 
 # Attach AWS Datalake Restore Policy to the Role
 resource "aws_iam_role_policy_attachment" "cdp_datalake_admin_role_attach6" {
-
   role       = aws_iam_role.cdp_datalake_admin_role.name
   policy_arn = aws_iam_policy.cdp_datalake_restore_policy.arn
 }
@@ -309,8 +272,8 @@ data "aws_iam_policy_document" "cdp_ranger_audit_role_policy_doc" {
 
 # Create the IAM role that uses the above assume_role_policy document
 resource "aws_iam_role" "cdp_ranger_audit_role" {
-  name = var.ranger_audit_role_name
-  # description = "CDP Ranger Audit role for ${var.env_prefix}"
+  name        = var.ranger_audit_role_name
+  description = "CDP Ranger Audit role"
 
   assume_role_policy = data.aws_iam_policy_document.cdp_ranger_audit_role_policy_doc.json
 
@@ -325,58 +288,37 @@ resource "aws_iam_instance_profile" "cdp_ranger_audit_role_instance_profile" {
 
 # Attach AWS Ranger Audit S3 Policy to the Role
 resource "aws_iam_role_policy_attachment" "cdp_ranger_audit_role_attach1" {
-
   role       = aws_iam_role.cdp_ranger_audit_role.name
   policy_arn = aws_iam_policy.cdp_ranger_audit_s3_data_access_policy.arn
 }
 
 # Attach AWS Bucket Access Policies to the Role
 # ..data bucket policy
 resource "aws_iam_role_policy_attachment" "cdp_ranger_audit_role_attach2" {
-
   role       = aws_iam_role.cdp_ranger_audit_role.name
   policy_arn = aws_iam_policy.cdp_data_bucket_data_access_policy.arn
 }
 
 # ..log bucket policy, if required
 resource "aws_iam_role_policy_attachment" "cdp_ranger_audit_role_attach3" {
-
-  # count = ((
-  #   var.log_storage_bucket != var.data_storage_bucket) ?
-  #   1 : 0
-  # )
-
-  role = aws_iam_role.cdp_ranger_audit_role.name
-  # policy_arn = aws_iam_policy.cdp_log_bucket_data_access_policy[0].arn
+  role       = aws_iam_role.cdp_ranger_audit_role.name
   policy_arn = aws_iam_policy.cdp_log_bucket_data_access_policy.arn
 }
 
 # ..backup bucket policy, if required
 resource "aws_iam_role_policy_attachment" "cdp_ranger_audit_role_attach4" {
-
-  # count = ((
-  #   var.backup_storage_bucket != var.data_storage_bucket
-  #   ||
-  #   var.backup_storage_bucket != var.log_storage_bucket) ?
-  #   1 : 0
-  # )
-
-  role = aws_iam_role.cdp_ranger_audit_role.name
-  # policy_arn = aws_iam_policy.cdp_backup_bucket_data_access_policy[0].arn
+  role       = aws_iam_role.cdp_ranger_audit_role.name
   policy_arn = aws_iam_policy.cdp_backup_bucket_data_access_policy.arn
 }
 
 # Attach AWS Datalake Backup Policy to the Role
 resource "aws_iam_role_policy_attachment" "cdp_ranger_audit_role_attach5" {
-
   role       = aws_iam_role.cdp_ranger_audit_role.name
   policy_arn = aws_iam_policy.cdp_datalake_backup_policy.arn
 }
 
 # Attach AWS Datalake Restore Policy to the Role
 resource "aws_iam_role_policy_attachment" "cdp_ranger_audit_role_attach6" {
-
   role       = aws_iam_role.cdp_ranger_audit_role.name
   policy_arn = aws_iam_policy.cdp_datalake_restore_policy.arn
 }
-