feat: switching to using prefixes

gambol99 · gambol99 · commit 2ca2206f1407 · 2025-02-12T19:01:46.000Z
diff --git a/cloudwatch.tf b/cloudwatch.tf
@@ -1,11 +1,11 @@
 
-## Provision a events IAM role, this is used within the cloudwatch trigger, 
+## Provision a events IAM role, this is used within the cloudwatch trigger,
 ## permitting the event to trigger the ECS task
 
 ## Provision the ECS events IAM role, which is used to trigger the ECS task
 resource "aws_iam_role" "cloudwatch" {
-  name = var.cloudwatch_event_role_name
-  tags = var.tags
+  name_prefix = var.cloudwatch_event_role_name_prefix
+  tags        = var.tags
 
   assume_role_policy = jsonencode({
     Version = "2012-10-17",
@@ -21,13 +21,13 @@ resource "aws_iam_role" "cloudwatch" {
   })
 }
 
-## Attach the ECS events policy to the role 
+## Attach the ECS events policy to the role
 resource "aws_iam_role_policy_attachment" "cloudwatch" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceEventsRole"
   role       = aws_iam_role.cloudwatch.name
 }
 
-## Provision a CloudWatch Log Group for the task to use 
+## Provision a CloudWatch Log Group for the task to use
 # trivy:ignore:AVD-AWS-0017
 resource "aws_cloudwatch_log_group" "tasks" {
   for_each = var.tasks
@@ -38,8 +38,8 @@ resource "aws_cloudwatch_log_group" "tasks" {
   tags              = var.tags
 }
 
-## Provision the cloudwatch event rule to trigger the task - we need to provision  
-## an event rule per task 
+## Provision the cloudwatch event rule to trigger the task - we need to provision
+## an event rule per task
 resource "aws_cloudwatch_event_rule" "tasks" {
   for_each = var.tasks
 
@@ -49,7 +49,7 @@ resource "aws_cloudwatch_event_rule" "tasks" {
   tags                = var.tags
 }
 
-## Provision the cloudwatch event target to run the task 
+## Provision the cloudwatch event target to run the task
 resource "aws_cloudwatch_event_target" "tasks" {
   for_each = var.tasks
 
diff --git a/ecs.tf b/ecs.tf
@@ -1,5 +1,5 @@
 
-## Provision the ECS Cluster used to run the task 
+## Provision the ECS Cluster used to run the task
 # tfsec:ignore:aws-ecs-enable-container-insight
 resource "aws_ecs_cluster" "current" {
   name = var.ecs_cluster_name
@@ -11,13 +11,13 @@ resource "aws_ecs_cluster" "current" {
   }
 }
 
-## Provision the ECS execution IAM role; this is used by the task to execute within 
+## Provision the ECS execution IAM role; this is used by the task to execute within
 ## the ECS cluster
 resource "aws_iam_role" "execution" {
   for_each = var.tasks
 
   description = format("Used by the ECS task to execute within the ECS cluster by the nuke service: '%s'", each.key)
-  name        = format("%s%s", var.iam_execution_role_prefix, each.key)
+  name_prefix = format("%s%s", var.iam_execution_role_prefix, each.key)
   tags        = var.tags
 
   assume_role_policy = jsonencode({
@@ -34,12 +34,12 @@ resource "aws_iam_role" "execution" {
   })
 }
 
-## Provision a role for the task to use, this is used to perform actions and remove 
+## Provision a role for the task to use, this is used to perform actions and remove
 resource "aws_iam_role" "task" {
   for_each = var.tasks
 
   description          = format("Permissions for the ECS nuke task: '%s' to run under", each.key)
-  name                 = format("%s%s", var.iam_task_role_prefix, each.key)
+  name_prefix          = format("%s%s", var.iam_task_role_prefix, each.key)
   permissions_boundary = each.value.permission_boundary_arn
   tags                 = var.tags
 
@@ -57,7 +57,7 @@ resource "aws_iam_role" "task" {
   })
 }
 
-## Attach any managed polices to the task role - i.e the permissions which the task can 
+## Attach any managed polices to the task role - i.e the permissions which the task can
 ## perform within the AWS account/s
 resource "aws_iam_role_policy_attachment" "task_permissions_arns" {
   for_each = local.task_permissions_arns
@@ -66,7 +66,7 @@ resource "aws_iam_role_policy_attachment" "task_permissions_arns" {
   policy_arn = each.value.permission_arn
 }
 
-## Allow any additional permissions to be attached to the task role - these are inline 
+## Allow any additional permissions to be attached to the task role - these are inline
 ## policies applied to the task
 resource "aws_iam_role_policy" "task_additional_permissions" {
   for_each = local.task_additional_permissions
@@ -84,7 +84,7 @@ resource "aws_iam_role_policy_attachment" "execution" {
   role       = aws_iam_role.execution[each.key].name
 }
 
-## Allow the ECS task access to the ECR repository to pull the image 
+## Allow the ECS task access to the ECR repository to pull the image
 resource "aws_iam_role_policy" "execution_ecr" {
   for_each = var.tasks
 
@@ -104,7 +104,7 @@ resource "aws_iam_role_policy" "execution_ecr" {
   })
 }
 
-## Allow the ECS task to retrieve the secret from the secrets manager 
+## Allow the ECS task to retrieve the secret from the secrets manager
 resource "aws_iam_role_policy" "execution_secrets" {
   for_each = var.tasks
 
@@ -126,8 +126,8 @@ resource "aws_iam_role_policy" "execution_secrets" {
   })
 }
 
-## Provision the task definition for the nuke (aws-nuke) to remove all the resources, 
-## Also, we mount the secret from secrets manager to the task 
+## Provision the task definition for the nuke (aws-nuke) to remove all the resources,
+## Also, we mount the secret from secrets manager to the task
 resource "aws_ecs_task_definition" "tasks" {
   for_each = var.tasks
 
diff --git a/variables.tf b/variables.tf
@@ -21,10 +21,10 @@ variable "ecs_cluster_name" {
   default     = "nuke"
 }
 
-variable "cloudwatch_event_role_name" {
+variable "cloudwatch_event_role_name_prefix" {
   description = "The name of the role to use for the cloudwatch event rule"
   type        = string
-  default     = "nuke-cloudwatch"
+  default     = "nuke-cloudwatch-"
 }
 
 variable "cloudwatch_event_rule_prefix" {
@@ -53,13 +53,13 @@ variable "tasks" {
     schedule                = string
   }))
 
-  ## The tast must have a configuration 
+  ## The tast must have a configuration
   validation {
     condition     = alltrue([for task in keys(var.tasks) : contains(keys(var.tasks[task]), "configuration")])
     error_message = "The task must have a configuration"
   }
 
-  ## The task configuration must not be empty 
+  ## The task configuration must not be empty
   validation {
     condition     = alltrue([for task in keys(var.tasks) : length(var.tasks[task].configuration) > 0])
     error_message = "The task configuration must not be empty"
@@ -71,7 +71,7 @@ variable "tasks" {
     error_message = "The task key must be all lowercase and contain only alphanumeric characters"
   }
 
-  ## The task name cannot be longer than 32 
+  ## The task name cannot be longer than 32
   validation {
     condition     = alltrue([for task in keys(var.tasks) : length(task) <= 32])
     error_message = "The task name cannot be longer than 32 characters"
