feat: return resources as outputs instead of specific attributes

Since v0.12 Terraform supports returning resources from child modules.
Originally this module returns various attributes such as an ID, an ARN and a name of the same resource to the parent module.
This commit replace them with the single output directly returning the exact resource.

Author: nozaq

.chglog/CHANGELOG.tpl.md

@@ -39,4 +39,4 @@
 [{{ .Tag.Name }}]: {{ $.Info.RepositoryURL }}/compare/{{ .Tag.Previous.Name }}...{{ .Tag.Name }}
 {{ end -}}
 {{ end -}}
-{{ end -}}
+{{ end -}}

README.md

@@ -135,36 +135,26 @@ This module is composed of several submodules and each of which can be used inde
 
 | Name | Description |
 |------|-------------|
-| alarms\_topic\_arn | The ARN of the SNS topic to which CloudWatch Alarms will be sent. |
-| audit\_bucket\_arn | The ARN of the S3 bucket used for storing audit logs. |
-| audit\_bucket\_id | The ID of the S3 bucket used for storing audit logs. |
-| cloudtrail\_arn | The ARN of the trail for recording events in all regions. |
-| cloudtrail\_id | The ID of the trail for recording events in all regions. |
-| cloudtrail\_kms\_key\_arn | The ARN of the KMS key used for encrypting CloudTrail events. |
-| cloudtrail\_kms\_key\_id | The ID of the KMS key used for encrypting CloudTrail events. |
-| cloudtrail\_log\_delivery\_iam\_role\_arn | The ARN of the IAM role used for delivering CloudTrail events to CloudWatch Logs. |
-| cloudtrail\_log\_delivery\_iam\_role\_name | The name of the IAM role used for delivering CloudTrail events to CloudWatch Logs. |
-| cloudtrail\_log\_group\_arn | The ARN of the CloudWatch Logs log group which stores CloudTrail events. |
-| cloudtrail\_log\_group\_name | The name of the CloudWatch Logs log group which stores CloudTrail events. |
-| config\_configuration\_recorder\_id | The name of the configuration recorder. |
-| config\_iam\_role\_arn | The ARN of the IAM role used for delivering AWS Config records to CloudWatch Logs. |
-| config\_iam\_role\_name | The name of the IAM role used for delivering AWS Config records to CloudWatch Logs. |
-| config\_topic\_arn | The ARN of the SNS topic that AWS Config delivers notifications to. |
-| default\_network\_acl\_id | The ID of the default network ACL. |
-| default\_route\_table\_id | The ID of the default route table. |
-| default\_security\_group\_id | The ID of the default security group. |
-| default\_vpc\_id | The ID of the default VPC. |
-| guardduty\_detector\_id | The ID of the GuardDuty detector. |
-| manager\_iam\_role\_arn | The ARN of the IAM role used for the manager user. |
-| manager\_iam\_role\_name | The name of the IAM role used for the manager user. |
-| master\_iam\_role\_arn | The ARN of the IAM role used for the master user. |
-| master\_iam\_role\_name | The name of the IAM role used for the master user. |
-| support\_iam\_role\_arn | The ARN of the IAM role used for the support user. |
-| support\_iam\_role\_name | The name of the IAM role used for the support user. |
-| vpc\_flow\_logs\_group\_arn | The ARN of the CloudWatch Logs log group which stores VPC Flow Logs. |
-| vpc\_flow\_logs\_group\_name | The name of the CloudWatch Logs log group which stores VPC Flow Logs. |
-| vpc\_flow\_logs\_iam\_role\_arn | The ARN of the IAM role used for delivering VPC Flow Logs to CloudWatch Logs. |
-| vpc\_flow\_logs\_iam\_role\_name | The name of the IAM role used for delivering VPC Flow Logs to CloudWatch Logs. |
+| alarm\_sns\_topic | The SNS topic to which CloudWatch Alarms will be sent. |
+| audit\_bucket\ | The S3 bucket used for storing audit logs. |
+| cloudtrail | The trail for recording events in all regions. |
+| cloudtrail\_kms\_key | The KMS key used for encrypting CloudTrail events. |
+| cloudtrail\_log\_delivery\_iam\_role | The IAM role used for delivering CloudTrail events to CloudWatch Logs. |
+| cloudtrail\_log\_group | The CloudWatch Logs log group which stores CloudTrail events. |
+| config\_configuration\_recorder | The configuration recorder. |
+| config\_iam\_role | The IAM role used for delivering AWS Config records to CloudWatch Logs. |
+| config\_sns\_topic | The SNS topic that AWS Config delivers notifications to. |
+| default\_network\_acl | The default network ACL. |
+| default\_route\_table | The default route table. |
+| default\_security\_group | The default security group. |
+| default\_vpc | The default VPC. |
+| guardduty\_detector| The GuardDuty detector. |
+| manager\_iam\_role | The IAM role used for the manager user. |
+| master\_iam\_role | The IAM role used for the master user. |
+| support\_iam\_role | The ARN of the IAM role used for the support user. |
+| vpc\_flow\_logs\_group | The ARN of the CloudWatch Logs log group which stores VPC Flow Logs. |
+| vpc\_flow\_logs\_group | The CloudWatch Logs log group which stores VPC Flow Logs. |
+| vpc\_flow\_logs\_iam\_role | The IAM role used for delivering VPC Flow Logs to CloudWatch Logs. |
 
 [CIS Amazon Web Services Foundations]: https://www.cisecurity.org/benchmark/amazon_web_services/
 [Providers within Modules - Terraform Docs]: https://www.terraform.io/docs/modules/usage.html#providers-within-modules

config_baselines.tf

@@ -28,7 +28,7 @@ POLICY
 data "aws_iam_policy_document" "recoder_publish_policy" {
   statement {
     actions = ["s3:PutObject"]
-    resources = ["${module.audit_log_bucket.this_bucket_arn}/config/AWSLogs/${var.aws_account_id}/*"]
+    resources = ["${module.audit_log_bucket.this_bucket.arn}/config/AWSLogs/${var.aws_account_id}/*"]
 
     condition {
       test = "StringLike"
@@ -39,29 +39,29 @@ data "aws_iam_policy_document" "recoder_publish_policy" {
 
   statement {
     actions = ["s3:GetBucketAcl"]
-    resources = [module.audit_log_bucket.this_bucket_arn]
+    resources = [module.audit_log_bucket.this_bucket.arn]
   }
 
   statement {
     actions = ["sns:Publish"]
 
     resources = [
-      module.config_baseline_ap-northeast-1.config_topic_arn,
-      module.config_baseline_ap-northeast-2.config_topic_arn,
-      module.config_baseline_ap-south-1.config_topic_arn,
-      module.config_baseline_ap-southeast-1.config_topic_arn,
-      module.config_baseline_ap-southeast-2.config_topic_arn,
-      module.config_baseline_ca-central-1.config_topic_arn,
-      module.config_baseline_eu-central-1.config_topic_arn,
-      module.config_baseline_eu-north-1.config_topic_arn,
-      module.config_baseline_eu-west-1.config_topic_arn,
-      module.config_baseline_eu-west-2.config_topic_arn,
-      module.config_baseline_eu-west-3.config_topic_arn,
-      module.config_baseline_sa-east-1.config_topic_arn,
-      module.config_baseline_us-east-1.config_topic_arn,
-      module.config_baseline_us-east-2.config_topic_arn,
-      module.config_baseline_us-west-1.config_topic_arn,
-      module.config_baseline_us-west-2.config_topic_arn,
+      module.config_baseline_ap-northeast-1.config_sns_topic.arn,
+      module.config_baseline_ap-northeast-2.config_sns_topic.arn,
+      module.config_baseline_ap-south-1.config_sns_topic.arn,
+      module.config_baseline_ap-southeast-1.config_sns_topic.arn,
+      module.config_baseline_ap-southeast-2.config_sns_topic.arn,
+      module.config_baseline_ca-central-1.config_sns_topic.arn,
+      module.config_baseline_eu-central-1.config_sns_topic.arn,
+      module.config_baseline_eu-north-1.config_sns_topic.arn,
+      module.config_baseline_eu-west-1.config_sns_topic.arn,
+      module.config_baseline_eu-west-2.config_sns_topic.arn,
+      module.config_baseline_eu-west-3.config_sns_topic.arn,
+      module.config_baseline_sa-east-1.config_sns_topic.arn,
+      module.config_baseline_us-east-1.config_sns_topic.arn,
+      module.config_baseline_us-east-2.config_sns_topic.arn,
+      module.config_baseline_us-west-1.config_sns_topic.arn,
+      module.config_baseline_us-west-2.config_sns_topic.arn,
     ]
   }
 }
@@ -85,7 +85,7 @@ resource "aws_iam_role_policy_attachment" "recoder_read_policy" {
 module "config_baseline_ap-northeast-1" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket_id
+  s3_bucket_name = module.audit_log_bucket.this_bucket.id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -98,7 +98,7 @@ module "config_baseline_ap-northeast-1" {
 module "config_baseline_ap-northeast-2" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket_id
+  s3_bucket_name = module.audit_log_bucket.this_bucket.id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -111,7 +111,7 @@ module "config_baseline_ap-northeast-2" {
 module "config_baseline_ap-south-1" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket_id
+  s3_bucket_name = module.audit_log_bucket.this_bucket.id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -124,7 +124,7 @@ module "config_baseline_ap-south-1" {
 module "config_baseline_ap-southeast-1" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket_id
+  s3_bucket_name = module.audit_log_bucket.this_bucket.id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -137,7 +137,7 @@ module "config_baseline_ap-southeast-1" {
 module "config_baseline_ap-southeast-2" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket_id
+  s3_bucket_name = module.audit_log_bucket.this_bucket.id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -150,7 +150,7 @@ module "config_baseline_ap-southeast-2" {
 module "config_baseline_ca-central-1" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket_id
+  s3_bucket_name = module.audit_log_bucket.this_bucket.id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -163,7 +163,7 @@ module "config_baseline_ca-central-1" {
 module "config_baseline_eu-central-1" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket_id
+  s3_bucket_name = module.audit_log_bucket.this_bucket.id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -176,7 +176,7 @@ module "config_baseline_eu-central-1" {
 module "config_baseline_eu-north-1" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket_id
+  s3_bucket_name = module.audit_log_bucket.this_bucket.id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -189,7 +189,7 @@ module "config_baseline_eu-north-1" {
 module "config_baseline_eu-west-1" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket_id
+  s3_bucket_name = module.audit_log_bucket.this_bucket.id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -202,7 +202,7 @@ module "config_baseline_eu-west-1" {
 module "config_baseline_eu-west-2" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket_id
+  s3_bucket_name = module.audit_log_bucket.this_bucket.id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -215,7 +215,7 @@ module "config_baseline_eu-west-2" {
 module "config_baseline_eu-west-3" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket_id
+  s3_bucket_name = module.audit_log_bucket.this_bucket.id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -228,7 +228,7 @@ module "config_baseline_eu-west-3" {
 module "config_baseline_sa-east-1" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket_id
+  s3_bucket_name = module.audit_log_bucket.this_bucket.id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -241,7 +241,7 @@ module "config_baseline_sa-east-1" {
 module "config_baseline_us-east-1" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket_id
+  s3_bucket_name = module.audit_log_bucket.this_bucket.id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -254,7 +254,7 @@ module "config_baseline_us-east-1" {
 module "config_baseline_us-east-2" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket_id
+  s3_bucket_name = module.audit_log_bucket.this_bucket.id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -267,7 +267,7 @@ module "config_baseline_us-east-2" {
 module "config_baseline_us-west-1" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket_id
+  s3_bucket_name = module.audit_log_bucket.this_bucket.id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -280,7 +280,7 @@ module "config_baseline_us-west-1" {
 module "config_baseline_us-west-2" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket_id
+  s3_bucket_name = module.audit_log_bucket.this_bucket.id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name

main.tf

@@ -15,7 +15,7 @@ module "audit_log_bucket" {
 }
 
 resource "aws_s3_bucket_policy" "audit_log_bucket_policy" {
-  bucket = module.audit_log_bucket.this_bucket_id
+  bucket = module.audit_log_bucket.this_bucket.id
 
   policy = <<END_OF_POLICY
 {
@@ -26,14 +26,14 @@ resource "aws_s3_bucket_policy" "audit_log_bucket_policy" {
       "Effect": "Allow",
       "Principal": {"Service": "config.amazonaws.com"},
       "Action": "s3:GetBucketAcl",
-      "Resource": "${module.audit_log_bucket.this_bucket_arn}"
+      "Resource": "${module.audit_log_bucket.this_bucket.arn}"
     },
     {
       "Sid": " AWSCloudTrailWriteForConfig",
       "Effect": "Allow",
       "Principal": {"Service": "config.amazonaws.com"},
       "Action": "s3:PutObject",
-      "Resource": "${module.audit_log_bucket.this_bucket_arn}/config/AWSLogs/${var.aws_account_id}/Config/*",
+      "Resource": "${module.audit_log_bucket.this_bucket.arn}/config/AWSLogs/${var.aws_account_id}/Config/*",
       "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
     },
     {
@@ -43,7 +43,7 @@ resource "aws_s3_bucket_policy" "audit_log_bucket_policy" {
             "Service": "cloudtrail.amazonaws.com"
         },
         "Action": "s3:GetBucketAcl",
-        "Resource": "${module.audit_log_bucket.this_bucket_arn}"
+        "Resource": "${module.audit_log_bucket.this_bucket.arn}"
     },
     {
         "Sid": "AWSCloudTrailWriteForCloudTrail",
@@ -52,7 +52,7 @@ resource "aws_s3_bucket_policy" "audit_log_bucket_policy" {
             "Service": "cloudtrail.amazonaws.com"
         },
         "Action": "s3:PutObject",
-        "Resource": "${module.audit_log_bucket.this_bucket_arn}/cloudtrail/AWSLogs/${var.aws_account_id}/*",
+        "Resource": "${module.audit_log_bucket.this_bucket.arn}/cloudtrail/AWSLogs/${var.aws_account_id}/*",
         "Condition": {
             "StringEquals": {
                 "s3:x-amz-acl": "bucket-owner-full-control"
@@ -104,7 +104,7 @@ module "cloudtrail_baseline" {
   iam_role_policy_name = var.cloudtrail_iam_role_policy_name
   key_deletion_window_in_days = var.cloudtrail_key_deletion_window_in_days
   region = var.region
-  s3_bucket_name = module.audit_log_bucket.this_bucket_id
+  s3_bucket_name = module.audit_log_bucket.this_bucket.id
   s3_key_prefix = var.cloudtrail_s3_key_prefix
 }
 
@@ -116,7 +116,7 @@ module "alarm_baseline" {
   source = "./modules/alarm-baseline"
 
   alarm_namespace = var.alarm_namespace
-  cloudtrail_log_group_name = module.cloudtrail_baseline.log_group_name
+  cloudtrail_log_group_name = module.cloudtrail_baseline.log_group.name
   sns_topic_name = var.alarm_sns_topic_name
 }
 

modules/alarm-baseline/README.md

@@ -14,4 +14,4 @@ Set up CloudWatch alarms to notify you when critical changes happen in your AWS
 
 | Name | Description |
 |------|-------------|
-| alarm_topic_arn | The ARN of the SNS topic to which CloudWatch Alarms will be sent. |
+| alarm_sns_topic | The SNS topic to which CloudWatch Alarms will be sent. |

modules/alarm-baseline/outputs.tf

@@ -1,4 +1,4 @@
-output "alarm_topic_arn" {
-  description = "The ARN of the SNS topic to which CloudWatch Alarms will be sent."
-  value       = aws_sns_topic.alarms.arn
+output "alarm_sns_topic" {
+  description = "The SNS topic to which CloudWatch Alarms will be sent."
+  value       = aws_sns_topic.alarms
 }

modules/cloudtrail-baseline/README.md

@@ -21,12 +21,8 @@ Enable CloudTrail in all regions and deliver events to CloudWatch Logs. CloudTra
 
 | Name | Description |
 |------|-------------|
-| cloudtrail_arn | The ARN of the trail for recording events in all regions. |
-| cloudtrail_id | The ID of the trail for recording events in all regions. |
-| kms_key_arn | The ARN of the KMS key used for encrypting CloudTrail events. |
-| kms_key_id | The ID of the KMS key used for encrypting CloudTrail events. |
-| log_delivery_iam_role_arn | The ARN of the IAM role used for delivering CloudTrail events to CloudWatch Logs. |
-| log_delivery_iam_role_name | The name of the IAM role used for delivering CloudTrail events to CloudWatch Logs. |
-| log_group_arn | The ARN of the CloudWatch Logs log group which stores CloudTrail events. |
-| log_group_name | The name of the CloudWatch Logs log group which stores CloudTrail events. |
+| cloudtrail | The trail for recording events in all regions. |
+| kms_key | The KMS key used for encrypting CloudTrail events. |
+| log_delivery_iam_role | The IAM role used for delivering CloudTrail events to CloudWatch Logs. |
+| log_group | The CloudWatch Logs log group which stores CloudTrail events. |