Merge branch 'aws-ia:main' into main

aws-ia · Jun 27, 2023 · dac12d5 · dac12d5
2 parents 8bd4cc4 + 1066050
commit dac12d5
Show file tree

Hide file tree

Showing 5 changed files with 47 additions and 33 deletions.
diff --git a/README.md b/README.md
@@ -29,12 +29,17 @@ module "mwaa" {
   environment_class    = "mw1.medium"
 
   vpc_id                = "<ENTER_VPC_ID>"
-  private_subnet_ids    = ["<ENTER_SIBNET_ID1>","<ENTER_SIBNET_ID2>"]
+  private_subnet_ids    = ["<ENTER_SUBNET_ID1>","<ENTER_SUBNET_ID2>"]
 
   min_workers           = 1
   max_workers           = 25
   webserver_access_mode = "PUBLIC_ONLY" # Default PRIVATE_ONLY for production environments
 
+  input_iam_role_additional_policies = {
+    "additional-policy-1" = "<ENTER_POLICY_ARN1>"
+    "additional-policy-2" = "<ENTER_POLICY_ARN2>"
+  }
+
   logging_configuration = {
     dag_processing_logs = {
       enabled   = true
@@ -86,13 +91,13 @@ Apache-2.0 Licensed. See [LICENSE](https://github.com/aws-ia/terraform-aws-mwaa/
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.20.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.63.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.20.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.63.0 |
 
 ## Modules
 
@@ -134,7 +139,7 @@ No modules.
 | <a name="input_environment_class"></a> [environment\_class](#input\_environment\_class) | (Optional) Environment class for the cluster. Possible options are mw1.small, mw1.medium, mw1.large.<br>Will be set by default to mw1.small. Please check the AWS Pricing for more information about the environment classes. | `string` | `"mw1.small"` | no |
 | <a name="input_execution_role_arn"></a> [execution\_role\_arn](#input\_execution\_role\_arn) | (Required) The Amazon Resource Name (ARN) of the task execution role that the Amazon MWAA and its environment can assume<br>Mandatory if `create_iam_role=false` | `string` | `null` | no |
 | <a name="input_force_detach_policies"></a> [force\_detach\_policies](#input\_force\_detach\_policies) | IAM role Force detach policies | `bool` | `false` | no |
-| <a name="input_iam_role_additional_policies"></a> [iam\_role\_additional\_policies](#input\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `list(string)` | `[]` | no |
+| <a name="input_iam_role_additional_policies"></a> [iam\_role\_additional\_policies](#input\_iam\_role\_additional\_policies) | A map of additional policy ARNs to be added to the IAM role, with an arbitary key name | `map(string)` | `{}` | no |
 | <a name="input_iam_role_name"></a> [iam\_role\_name](#input\_iam\_role\_name) | IAM Role Name to be created if execution\_role\_arn is null | `string` | `null` | no |
 | <a name="input_iam_role_path"></a> [iam\_role\_path](#input\_iam\_role\_path) | IAM role path | `string` | `"/"` | no |
 | <a name="input_iam_role_permissions_boundary"></a> [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | IAM role Permission boundary | `string` | `null` | no |
@@ -146,13 +151,15 @@ No modules.
 | <a name="input_plugins_s3_object_version"></a> [plugins\_s3\_object\_version](#input\_plugins\_s3\_object\_version) | (Optional) The plugins.zip file version you want to use. | `string` | `null` | no |
 | <a name="input_plugins_s3_path"></a> [plugins\_s3\_path](#input\_plugins\_s3\_path) | (Optional) The relative path to the plugins.zip file on your Amazon S3 storage bucket. For example, plugins.zip. If a relative path is provided in the request, then plugins\_s3\_object\_version is required. | `string` | `null` | no |
 | <a name="input_private_subnet_ids"></a> [private\_subnet\_ids](#input\_private\_subnet\_ids) | (Required) The private subnet IDs in which the environment should be created.<br>MWAA requires two subnets. | `list(string)` | n/a | yes |
-| <a name="input_requirements_s3_object_version"></a> [requirements\_s3\_object\_version](#input\_requirements\_s3\_object\_version) | Optional) The requirements.txt file version you want to use. | `string` | `null` | no |
+| <a name="input_requirements_s3_object_version"></a> [requirements\_s3\_object\_version](#input\_requirements\_s3\_object\_version) | (Optional) The requirements.txt file version you want to use. | `string` | `null` | no |
 | <a name="input_requirements_s3_path"></a> [requirements\_s3\_path](#input\_requirements\_s3\_path) | (Optional) The relative path to the requirements.txt file on your Amazon S3 storage bucket. For example, requirements.txt. If a relative path is provided in the request, then requirements\_s3\_object\_version is required. | `string` | `null` | no |
 | <a name="input_schedulers"></a> [schedulers](#input\_schedulers) | (Optional) The number of schedulers that you want to run in your environment. | `string` | `null` | no |
 | <a name="input_security_group_ids"></a> [security\_group\_ids](#input\_security\_group\_ids) | Security group IDs for MWAA | `list(string)` | `[]` | no |
 | <a name="input_source_bucket_arn"></a> [source\_bucket\_arn](#input\_source\_bucket\_arn) | (Required) The Amazon Resource Name (ARN) of your Amazon S3 storage bucket. For example, arn:aws:s3:::airflow-mybucketname | `string` | `null` | no |
 | <a name="input_source_bucket_name"></a> [source\_bucket\_name](#input\_source\_bucket\_name) | New bucket will be created with the given name for MWAA when create\_s3\_bucket=true | `string` | `null` | no |
 | <a name="input_source_cidr"></a> [source\_cidr](#input\_source\_cidr) | (Required) Source CIDR block which will be allowed on MWAA SG to access Airflow UI<br>Used only if `create_security_group=true` | `list(string)` | `[]` | no |
+| <a name="input_startup_script_s3_object_version"></a> [startup\_script\_s3\_object\_version](#input\_startup\_script\_s3\_object\_version) | (Optional) The version of the startup shell script you want to use. You must specify the version ID that Amazon S3 assigns to the file every time you update the script. | `string` | `null` | no |
+| <a name="input_startup_script_s3_path"></a> [startup\_script\_s3\_path](#input\_startup\_script\_s3\_path) | (Optional) The relative path to the script hosted in your bucket. The script runs as your environment starts before starting the Apache Airflow process. Use this script to install dependencies, modify configuration options, and set environment variables. | `string` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A map of resource tags to associate with the resource | `map(string)` | `{}` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | (Required) VPC ID to deploy the MWAA Environment.<br>Mandatory if `create_security_group=true` | `string` | `""` | no |
 | <a name="input_webserver_access_mode"></a> [webserver\_access\_mode](#input\_webserver\_access\_mode) | (Optional) Specifies whether the webserver should be accessible over the internet or via your specified VPC. Possible options: PRIVATE\_ONLY (default) and PUBLIC\_ONLY | `string` | `"PRIVATE_ONLY"` | no |

diff --git a/locals.tf b/locals.tf
@@ -1,7 +1,7 @@
 locals {
   execution_role_arn = var.create_iam_role ? aws_iam_role.mwaa[0].arn : var.execution_role_arn
 
-  security_group_ids = var.create_security_group ? [aws_security_group.mwaa[0].id] : var.security_group_ids
+  security_group_ids = var.create_security_group ? concat([aws_security_group.mwaa[0].id], var.security_group_ids) : var.security_group_ids
 
   source_bucket_arn = var.create_s3_bucket ? aws_s3_bucket.mwaa[0].arn : var.source_bucket_arn
 
@@ -11,5 +11,5 @@ locals {
 
   airflow_configuration_options = merge(local.default_airflow_configuration_options, var.airflow_configuration_options)
 
-  iam_role_additional_policies = { for k, v in toset(concat([var.iam_role_additional_policies])) : k => v if var.execution_role_arn != null }
+  iam_role_additional_policies = { for k, v in var.iam_role_additional_policies : k => v if var.create_iam_role }
 }
diff --git a/main.tf b/main.tf
@@ -9,14 +9,16 @@ resource "aws_mwaa_environment" "mwaa" {
   max_workers       = var.max_workers
   kms_key           = var.kms_key
 
-  dag_s3_path                    = var.dag_s3_path
-  plugins_s3_object_version      = var.plugins_s3_object_version
-  plugins_s3_path                = var.plugins_s3_path
-  requirements_s3_path           = var.requirements_s3_path
-  requirements_s3_object_version = var.requirements_s3_object_version
-  schedulers                     = var.schedulers
-  execution_role_arn             = local.execution_role_arn
-  airflow_configuration_options  = local.airflow_configuration_options
+  dag_s3_path                      = var.dag_s3_path
+  plugins_s3_object_version        = var.plugins_s3_object_version
+  plugins_s3_path                  = var.plugins_s3_path
+  requirements_s3_path             = var.requirements_s3_path
+  requirements_s3_object_version   = var.requirements_s3_object_version
+  startup_script_s3_path           = var.startup_script_s3_path
+  startup_script_s3_object_version = var.startup_script_s3_object_version
+  schedulers                       = var.schedulers
+  execution_role_arn               = local.execution_role_arn
+  airflow_configuration_options    = local.airflow_configuration_options
 
   source_bucket_arn               = local.source_bucket_arn
   webserver_access_mode           = var.webserver_access_mode
@@ -91,7 +93,7 @@ resource "aws_iam_role_policy" "mwaa" {
 
 resource "aws_iam_role_policy_attachment" "mwaa" {
   for_each   = local.iam_role_additional_policies
-  policy_arn = each.key
+  policy_arn = each.value
   role       = aws_iam_role.mwaa[0].id
 }
 
@@ -106,13 +108,6 @@ resource "aws_s3_bucket" "mwaa" {
   tags          = var.tags
 }
 
-resource "aws_s3_bucket_acl" "mwaa" {
-  count = var.create_s3_bucket ? 1 : 0
-
-  bucket = aws_s3_bucket.mwaa[0].id
-  acl    = "private"
-}
-
 #tfsec:ignore:aws-s3-encryption-customer-key
 resource "aws_s3_bucket_server_side_encryption_configuration" "mwaa" {
   count = var.create_s3_bucket ? 1 : 0

diff --git a/variables.tf b/variables.tf
@@ -79,7 +79,7 @@ variable "min_workers" {
 }
 
 variable "plugins_s3_object_version" {
-  description = " (Optional) The plugins.zip file version you want to use."
+  description = "(Optional) The plugins.zip file version you want to use."
   type        = string
   default     = null
 }
@@ -90,12 +90,30 @@ variable "plugins_s3_path" {
   default     = null
 }
 
+variable "requirements_s3_object_version" {
+  description = "(Optional) The requirements.txt file version you want to use."
+  type        = string
+  default     = null
+}
+
 variable "requirements_s3_path" {
   description = "(Optional) The relative path to the requirements.txt file on your Amazon S3 storage bucket. For example, requirements.txt. If a relative path is provided in the request, then requirements_s3_object_version is required."
   type        = string
   default     = null
 }
 
+variable "startup_script_s3_object_version" {
+  description = "(Optional) The version of the startup shell script you want to use. You must specify the version ID that Amazon S3 assigns to the file every time you update the script."
+  type        = string
+  default     = null
+}
+
+variable "startup_script_s3_path" {
+  description = "(Optional) The relative path to the script hosted in your bucket. The script runs as your environment starts before starting the Apache Airflow process. Use this script to install dependencies, modify configuration options, and set environment variables."
+  type        = string
+  default     = null
+}
+
 variable "schedulers" {
   description = "(Optional) The number of schedulers that you want to run in your environment."
   type        = string
@@ -153,8 +171,8 @@ variable "force_detach_policies" {
 
 variable "iam_role_additional_policies" {
   description = "Additional policies to be added to the IAM role"
-  type        = list(string)
-  default     = []
+  type        = map(string)
+  default     = {}
 }
 
 variable "iam_role_path" {
@@ -226,9 +244,3 @@ variable "source_cidr" {
   type        = list(string)
   default     = []
 }
-
-variable "requirements_s3_object_version" {
-  description = "Optional) The requirements.txt file version you want to use."
-  type        = string
-  default     = null
-}
diff --git a/versions.tf b/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.20.0"
+      version = ">= 4.63.0"
     }
   }
 }