Allow using existing IAM identity during bootstrap

2025-12-10 14:57:49 +08:00 · 2025-12-10 14:57:49 +08:00 · ba458e93da
commit ba458e93da
parent a614b8ab2a
4 changed files with 59 additions and 8 deletions
--- a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/locals.tf
+++ b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/locals.tf
@ -7,6 +7,9 @@ locals {
  config_terraform_user   = coalesce(var.terraform_user_name, local.bootstrap.iam.terraform_user_name)
  environment             = coalesce(try(local.bootstrap.environment, null), try(local.bootstrap.iam.environment, null), "bootstrap")
  extra_tags              = try(local.bootstrap.tags, {})
+
+  role_name          = coalesce(var.existing_role_name, local.config_role_name)
+  terraform_user_name = coalesce(var.existing_user_name, local.config_terraform_user)
 }

 locals {
--- a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/main.tf
+++ b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/main.tf
@ -2,7 +2,9 @@
 # IAM Role: Terraform Deploy Role
 # ----------------------------------------
 resource "aws_iam_role" "terraform_deploy_role" {
-  name = local.config_role_name
+  count = var.create_role ? 1 : 0
+
+  name = local.role_name

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
@ -28,7 +30,9 @@ resource "aws_iam_role" "terraform_deploy_role" {
 # 可选：当前阶段保持你原来的 Admin full access
 # （未来你可以把它缩到最小权限）
 resource "aws_iam_role_policy_attachment" "attach_admin" {
-  role       = aws_iam_role.terraform_deploy_role.name
+  count = var.create_role ? 1 : 0
+
+  role       = aws_iam_role.terraform_deploy_role[0].name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
 }

@ -36,15 +40,19 @@ resource "aws_iam_role_policy_attachment" "attach_admin" {
 # IAM User for Terraform (AK/SK)
 # ----------------------------------------
 resource "aws_iam_user" "terraform_user" {
-  name = local.config_terraform_user
+  count = var.create_user ? 1 : 0
+
+  name = local.terraform_user_name
 }

 #
 # IAM User Policy: 最小权限
 # ----------------------------------------
 resource "aws_iam_user_policy" "terraform_user_policy" {
-  name = "${local.config_terraform_user}-iac-policy"
-  user = aws_iam_user.terraform_user.name
+  count = var.create_user ? 1 : 0
+
+  name = "${local.terraform_user_name}-iac-policy"
+  user = aws_iam_user.terraform_user[0].name

  policy = jsonencode({
    Version = "2012-10-17",
@ -55,7 +63,7 @@ resource "aws_iam_user_policy" "terraform_user_policy" {
        Action = [
          "sts:AssumeRole"
        ],
-        Resource = aws_iam_role.terraform_deploy_role.arn
+        Resource = var.create_role ? aws_iam_role.terraform_deploy_role[0].arn : var.existing_role_arn
      },

      # S3: Terraform state bucket
--- a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/outputs.tf
+++ b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/outputs.tf
@ -1,9 +1,9 @@
 output "iam_role_arn" {
-  value       = aws_iam_role.terraform_deploy_role.arn
+  value       = var.create_role ? aws_iam_role.terraform_deploy_role[0].arn : var.existing_role_arn
  description = "The ARN of the role assumed by Terraform"
 }

 output "terraform_user_name" {
-  value       = aws_iam_user.terraform_user.name
+  value       = var.create_user ? aws_iam_user.terraform_user[0].name : local.terraform_user_name
  description = "Terraform IAM User"
 }
--- a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/variables.tf
+++ b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/variables.tf
@ -10,14 +10,54 @@ variable "account_name" {
  default     = null
 }

+variable "create_role" {
+  description = "Whether to create the Terraform deploy IAM role"
+  type        = bool
+  default     = true
+}
+
+variable "existing_role_name" {
+  description = "Existing IAM role name to reference when create_role is false"
+  type        = string
+  default     = null
+}
+
+variable "existing_role_arn" {
+  description = "Existing IAM role ARN to reference when create_role is false"
+  type        = string
+  default     = null
+}
+
 variable "role_name" {
  type        = string
  description = "IAM role name to create (e.g., TerraformDeployRole-Dev)"
  default     = null
 }

+variable "create_user" {
+  description = "Whether to create the IAM user for Terraform"
+  type        = bool
+  default     = true
+}
+
+variable "existing_user_name" {
+  description = "Existing IAM username to reference when create_user is false"
+  type        = string
+  default     = null
+}
+
 variable "terraform_user_name" {
  type        = string
  description = "IAM username for Terraform IAC runner"
  default     = null
 }
+
+validation "require_existing_role_arn_when_not_creating" {
+  condition     = var.create_role || (var.existing_role_arn != null && var.existing_role_name != null)
+  error_message = "existing_role_name and existing_role_arn must be provided when create_role is false."
+}
+
+validation "require_existing_user_name_when_not_creating" {
+  condition     = var.create_user || var.existing_user_name != null
+  error_message = "existing_user_name must be provided when create_user is false."
+}