feat: reducing the need for data lookup which go insane on changes

gambol99 · gambol99 · commit 09f40ed843ee · 2024-10-10T17:37:55.000+01:00
diff --git a/modules/role/README.md b/modules/role/README.md
@@ -133,6 +133,7 @@ No modules.
 | <a name="input_name"></a> [name](#input\_name) | Name of the role to create | `string` | n/a | yes |
 | <a name="input_repository"></a> [repository](#input\_repository) | List of repositories to be allowed in the OIDC federation mapping | `string` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply resoures created by this module | `map(string)` | n/a | yes |
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | The AWS account ID to create the role in | `string` | `null` | no |
 | <a name="input_additional_audiences"></a> [additional\_audiences](#input\_additional\_audiences) | Additional audiences to be allowed in the OIDC federation mapping | `list(string)` | `[]` | no |
 | <a name="input_common_provider"></a> [common\_provider](#input\_common\_provider) | The name of a common OIDC provider to be used as the trust for the role | `string` | `"github"` | no |
 | <a name="input_custom_provider"></a> [custom\_provider](#input\_custom\_provider) | An object representing an `aws_iam_openid_connect_provider` resource | <pre>object({<br/>    url                    = string<br/>    audiences              = list(string)<br/>    subject_reader_mapping = string<br/>    subject_branch_mapping = string<br/>    subject_env_mapping    = string<br/>    subject_tag_mapping    = string<br/>  })</pre> | `null` | no |
diff --git a/modules/role/checks.tf b/modules/role/checks.tf
@@ -31,17 +31,3 @@ check "protected_by_config" {
     error_message = "'protected_by.tag' must not be an empty string"
   }
 }
-
-check "permission_boundary" {
-  # Either permission_boundary or permission_boundary_arn must be specified
-  assert {
-    condition     = !(var.permission_boundary == null && var.permission_boundary_arn == null)
-    error_message = "Either 'permission_boundary' or 'permission_boundary_arn' must be specified"
-  }
-
-  # Both permission_boundary and permission_boundary_arn cannot be specified 
-  assert {
-    condition     = !(var.permission_boundary != null && var.permission_boundary_arn != null)
-    error_message = "Only one of 'permission_boundary' or 'permission_boundary_arn' may be specified"
-  }
-}
diff --git a/modules/role/locals.tf b/modules/role/locals.tf
@@ -6,8 +6,8 @@ locals {
 }
 
 locals {
-  # The current account ID 
-  account_id = data.aws_caller_identity.current.account_id
+  # The current account ID, if not provided
+  account_id = var.account_id != null ? var.account_id : data.aws_caller_identity.current.account_id
   ## The common OIDC providers to use 
   common_providers = {
     github = {
diff --git a/modules/role/variables.tf b/modules/role/variables.tf
@@ -3,6 +3,12 @@ variable "name" {
   description = "Name of the role to create"
 }
 
+variable "account_id" {
+  type        = string
+  description = "The AWS account ID to create the role in"
+  default     = null
+}
+
 variable "workspace_name" {
   description = "The name of the workspace."
   type        = string
