StackGuardian
diff --git a/‎aws_oidc/main.tf
+3-3 b/‎aws_oidc/main.tf
+3-3
diff --git a/‎aws_oidc/variables.tf
-10 b/‎aws_oidc/variables.tf
-10
diff --git a/‎aws_rbac/main.tf
+2-2 b/‎aws_rbac/main.tf
+2-2
diff --git a/‎main.tf
+42-40 b/‎main.tf
+42-40
diff --git a/‎provider.tf
+2 b/‎provider.tf
+2
diff --git a/‎stackguardian_connector_cloud/main.tf
+15-1 b/‎stackguardian_connector_cloud/main.tf
+15-1
diff --git a/‎stackguardian_connector_cloud/provider.tf
-6 b/‎stackguardian_connector_cloud/provider.tf
-6
diff --git a/‎stackguardian_connector_cloud/variables.tf
+19-2 b/‎stackguardian_connector_cloud/variables.tf
+19-2
diff --git a/‎stackguardian_connector_vcs/main.tf
+3-3 b/‎stackguardian_connector_vcs/main.tf
+3-3
diff --git a/‎stackguardian_connector_vcs/outputs.tf
+1-1 b/‎stackguardian_connector_vcs/outputs.tf
+1-1
diff --git a/‎stackguardian_connector_vcs/provider.tf
-6 b/‎stackguardian_connector_vcs/provider.tf
-6
diff --git a/‎stackguardian_connector_vcs/variables.tf
+5-6 b/‎stackguardian_connector_vcs/variables.tf
+5-6
diff --git a/‎stackguardian_role/main.tf
+1-1 b/‎stackguardian_role/main.tf
+1-1
@@ -1,7 +1,7 @@
 # Step 1: Create an OpenID Connect provider in AWS IAM
 resource "aws_iam_openid_connect_provider" "oidc_provider" {
-  url                     = var.url  # OIDC provider URL
-  client_id_list          = [ var.client_id ]            # OIDC client ID or the Audience id
+  url                     = "https://api.app.stackguardian.io"  # OIDC provider URL
+  client_id_list          = [ "https://api.app.stackguardian.io" ]            # OIDC client ID or the Audience id
   thumbprint_list         = []
 }
 
@@ -19,7 +19,7 @@ resource "aws_iam_role" "oidc_role" {
 			"Action": "sts:AssumeRoleWithWebIdentity",
 			"Condition": {
 				"StringEquals": {
-					"api.app.stackguardian.io:aud" = var.url
+					"api.app.stackguardian.io:aud" = "https://api.app.stackguardian.io"
 				},
 				"StringLike": {
             "api.app.stackguardian.io:sub" = "/orgs/${var.org_name}"
 
@@ -3,16 +3,6 @@ variable "region" {
   description = "the region for deploying the resources"
 }
 
-variable "url" {
-  type = string
-  description = "URL of the identity provider"
-}
-
-variable "client_id" {
-  type = string
-  description = "List of client IDs (audiences) that identify the application registered with the OpenID Connect provider" 
-}
-
 variable "role_name" {
   type = string
   description = "name of the aws role thats getting created"
 
@@ -1,5 +1,5 @@
 resource "aws_iam_role" "sg-test-role" {
-  name               = var.role_name
+  name               = var.aws_role_name
   description = "StackGuardianIntegrationRole"
   assume_role_policy = jsonencode({
     Version = "2012-10-17"
@@ -23,7 +23,7 @@ resource "aws_iam_role" "sg-test-role" {
 }
 
 resource "aws_iam_policy_attachment" "sg_role_policy" {
-  name       = "${var.role_name}-policy"
+  name       = "${var.aws_role_name}-policy"
   policy_arn = var.aws_policy
   roles      = [aws_iam_role.sg-test-role.name]
 }
@@ -1,52 +1,36 @@
+locals {
+  cloud_connectors_list = [for con in var.cloud_connectors : con.name]
+}
+
 # ################################
 #  # Stackguardian Workflow Group
 # ################################
 module "stackguardian_workflow_group" {
-  source = "../terraform-stackguardian-modules/stackguardian_workflow_group"
+  for_each = toset(var.workflow_groups)
+  source = "./stackguardian_workflow_group"
   api_key = var.api_key
   org_name = var.org_name
-  workflow_group_name = var.workflow_group_name
-}
-
-# ################################
-#  # Stackguardian aws oidc
-# ################################
-module "aws_oidc" {
-  source = "../terraform-stackguardian-modules/aws_oidc"
-  account_number = var.account_number
-  client_id = var.client_id
-  region = var.region
-  aws_policy = var.aws_policy
-  role_name = var.role_name
-  url = var.url
-  org_name = var.org_name
+  workflow_group_name = each.key
 }
 
 # ################################
 #  # Stackguardian cloud connector
 # ################################
 module "stackguardian_connector_cloud" {
-  source = "../terraform-stackguardian-modules/stackguardian_connector_cloud"
-  cloud_connector_name = var.cloud_connector_name
-  connector_type = var.connector_type
+  for_each = { for c in var.cloud_connectors : c.name => c }
+  source = "./stackguardian_connector_cloud"
+  cloud_connector_name = each.key
+  connector_type = each.value.connector_type
+  role_arn = each.value.role_arn
+  role_external_id = each.value.aws_role_external_id
   api_key = var.api_key
   org_name = var.org_name
-
-  role_arn = module.aws_oidc.oidc_role_arn
-
-  aws_access_key_id = var.aws_access_key_id
-  aws_secret_access_key = var.aws_secret_access_key
-  aws_default_region = var.aws_default_region
-
-  armTenantId = var.armTenantId
-  armSubscriptionId = var.armSubscriptionId
-  armClientId = var.client_id
-  armClientSecret = var.armClientSecret
 }
 
 ################################
  # Stackguardian vcs
 ################################
+/*
 locals {
   # Determine which VCS connector to create based on non-empty credentials
   selected_connector = merge(
@@ -81,26 +65,28 @@ locals {
     } : {}
   )
 }
+*/
+
 
-module "stackguardian_connector_vcs" {
-  source = "../terraform-stackguardian-modules/stackguardian_connector_vcs"
-  stackguardian_connector_vcs_name = var.stackguardian_connector_vcs_name
+module "vcs_connector" {
+  source = "./stackguardian_connector_vcs"
+  vcs_connectors = var.vcs_connectors
   api_key = var.api_key
   org_name = var.org_name
-  stackguardian_connector_kinds      = local.selected_connector
 }
 
+
 ################################
  # Stackguardian role
 ################################
 module "stackguardian_role" {
-  source = "../terraform-stackguardian-modules/stackguardian_role"
+  source = "./stackguardian_role"
   api_key = var.api_key
   org_name = var.org_name
   role_name = var.role_name
-  cloud_connector = var.cloud_connector
-  stackguardian_connector_vcs = var.stackguardian_connector_vcs
-  workflow_group = var.workflow_group
+  cloud_connectors = [for con in var.cloud_connectors : con.name]
+  vcs_connectors = [for vcs in var.vcs_connectors : vcs.name]
+  workflow_groups = var.workflow_groups
   template_list = var.template_list
   #depends_on = [ module.stackguardian_workflow_group, module.stackguardian_connector_cloud, module.stackguardian_connector_vcs ]
 }
@@ -109,10 +95,26 @@ module "stackguardian_role" {
 #  # Stackguardian role assignment
 # ################################
 module "stackguardian_role_assignment" {
-  source = "../terraform-stackguardian-modules/stackguardian_role_assignment"
+  source = "./stackguardian_role_assignment"
   api_key = var.api_key
   org_name = var.org_name
   role_name = var.role_name
   user_or_group = var.user_or_group
   entity_type = var.entity_type
-}
+  depends_on = [ module.stackguardian_role ]
+}
+
+/*
+# ################################
+#  # Create OIDC provider and StackGuardian Role in AWS
+# ################################
+module "aws_oidc" {
+  count = var.account_number != null ? 1 : 0
+  source = "./aws_oidc"
+  account_number = var.account_number
+  region = var.region
+  aws_policy = var.aws_policy
+  role_name = var.role_name
+  org_name = var.org_name
+}
+*/
@@ -19,6 +19,8 @@ provider "stackguardian" {
 }
 
 # AWS provider configuration
+/*
 provider "aws" {
   region = var.region
 }
+*/
@@ -16,11 +16,25 @@ resource "stackguardian_connector" "sg_aws_static_connector" {
 resource "stackguardian_connector" "sg_aws_oidc_connector" {
   count = (var.connector_type == "AWS_OIDC") ? 1 : 0
   resource_name = var.cloud_connector_name
-  description = "Onboarding example of terraform-provider-stackguardian for AWSConnectorCloud"
+  description = "Onboarding an AWS Role with OIDC"
+  settings = {
+    kind = var.connector_type,
+    config = [{
+        role_arn = var.role_arn
+      }]
+  }
+}
+
+resource "stackguardian_connector" "sg_aws_rbac_connector" {
+  count = (var.connector_type == "AWS_RBAC") ? 1 : 0
+  resource_name = var.cloud_connector_name
+  description = "Onboarding an AWS Role with RBAC"
   settings = {
     kind = var.connector_type,
     config = [{
         role_arn = var.role_arn
+        external_id = var.role_external_id
+        duration_seconds = 3600
       }]
   }
 }
 
@@ -5,10 +5,4 @@ terraform {
       version = "1.1.0-rc5"
     }
   }
-}
-
-provider "stackguardian" {
-  api_key = var.api_key
-  org_name = var.org_name
-  api_uri = "https://api.app.stackguardian.io"
 }
@@ -26,16 +26,19 @@ variable "cloud_connector_name" {
 variable "aws_access_key_id" {
   type = string
   description = "your AWS acoount access key"
+   default = null
 }
 
 variable "aws_secret_access_key" {
   type = string
   description = "your AWS account secret access key"
+   default = null
 }
 
 variable "aws_default_region" {
   type = string
   description = "any default region you want to set, for all your deployments"
+   default = null
 }
 
 ################
@@ -45,27 +48,41 @@ variable "aws_default_region" {
 variable "armTenantId" {
   type = string
   description = "your azure account tenant id"
+   default = null
+
 }
 
 variable "armSubscriptionId" {
   type = string
   description = "your azure subscription id"
+  default = null
+  
 }
 
 variable "armClientId" {
   type = string
   description = "your azure client id"
+   default = null
+
 }
 
 variable "armClientSecret" {
   type = string
   description = "your azure client secret"
+ default = null
 }
 
 ################
-# aws_oidc 
+# AWS_OIDC Credentials + AWS_RBAC Credentials
 ################
 variable "role_arn" {
   type = string
   description = "arn of the aws oidc role"
-}
+}
+
+###### for AWS_RBAC the externalID is also needed
+variable "role_external_id" {
+  type = string
+  description = "external id of the aws rbac role"
+  #default = "<org_name>:<random_string>"
+}
@@ -11,7 +11,7 @@
 
 resource "stackguardian_connector" "sg_vcs_connector" {
     for_each = {
-    for key, value in var.stackguardian_connector_kinds : 
+    for key, value in var.vcs_connectors : 
     key => value if (
       # Check if any credentials are provided for gitlab, github or bitbucket
       (
@@ -22,8 +22,8 @@ resource "stackguardian_connector" "sg_vcs_connector" {
     )
   }
 
-  resource_name = var.stackguardian_connector_vcs_name
-  description   = "Onboarding example of terraform-provider-stackguardian for ConnectorVcs"
+  resource_name = each.value.name
+  description   = "Onboarding VCS connector"
 
   settings = {
     kind   = each.value.kind
 
@@ -1,4 +1,4 @@
 output "connector_vcs" {
   description = "Created VCS connector"
-  value       = var.stackguardian_connector_vcs_name
+  value       = [for con in var.vcs_connectors : con.name]
 }
@@ -5,10 +5,4 @@ terraform {
       version = "1.1.0-rc5"
     }
   }
-}
-
-provider "stackguardian" {
-  api_key = var.api_key
-  org_name = var.org_name
-  api_uri = "https://api.app.stackguardian.io"
 }
@@ -1,7 +1,3 @@
-variable "stackguardian_connector_vcs_name" {
-  type = string
-  description = "name of the connector"
-}
 variable "api_key" {
   type = string
   description = "API key to authenticate to StackGuardian"
@@ -11,12 +7,13 @@ variable "org_name" {
   description = "Organisation name in StackGuardian platform"
 }
 
-variable "stackguardian_connector_kinds" {
-  description = "A map of connector kinds and their respective configurations"
+variable "vcs_connectors" {
+  description = "A map of connectors and their respective configurations"
   type = map(any)
   default = {
     vcs_gitlab = {
       kind   = "GITLAB_COM"
+      name   = "gitlab-connector"
       config = [{
         gitlab_creds = {
             gitlabCreds =  "gitlabuser:gitlab_pat",
@@ -26,6 +23,7 @@ variable "stackguardian_connector_kinds" {
       }]
     },
     vcs_github = {
+      name   = "github-connector"
       kind   = "GITHUB_COM"
       config = [{
         github_creds = {
@@ -35,6 +33,7 @@ variable "stackguardian_connector_kinds" {
       }]
     },
     vcs_bitbucket = {
+      name   = "bitbucket-connector"
       kind   = "BITBUCKET_ORG"
       config = [{
         bitbucket_creds = {
 
@@ -3,7 +3,7 @@ resource "stackguardian_role" "role" {
   resource_name = var.role_name
   description   = "Onboarding example of terraform-provider-stackguardian for Role Developer"
   tags = [
-    "demo-org"
+    var.org_name
   ]
     allowed_permissions = local.team_onboarding_permissions
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`resource "aws_iam_role" "sg-test-role" {`
`2`		`- name = var.role_name`
	`2`	`+ name = var.aws_role_name`
`3`	`3`	`description = "StackGuardianIntegrationRole"`
`4`	`4`	`assume_role_policy = jsonencode({`
`5`	`5`	`Version = "2012-10-17"`
`@@ -23,7 +23,7 @@ resource "aws_iam_role" "sg-test-role" {`
`23`	`23`	`}`
`24`	`24`
`25`	`25`	`resource "aws_iam_policy_attachment" "sg_role_policy" {`
`26`		`- name = "${var.role_name}-policy"`
	`26`	`+ name = "${var.aws_role_name}-policy"`
`27`	`27`	`policy_arn = var.aws_policy`
`28`	`28`	`roles = [aws_iam_role.sg-test-role.name]`
`29`	`29`	`}`
Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,8 @@ provider "stackguardian" {`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`# AWS provider configuration`
	`22`	`+/*`
`22`	`23`	`provider "aws" {`
`23`	`24`	`region = var.region`
`24`	`25`	`}`
	`26`	`+*/`
Original file line number	Diff line number	Diff line change
`@@ -5,10 +5,4 @@ terraform {`
`5`	`5`	`version = "1.1.0-rc5"`
`6`	`6`	`}`
`7`	`7`	`}`
`8`		`-}`
`9`		`-`
`10`		`-provider "stackguardian" {`
`11`		`- api_key = var.api_key`
`12`		`- org_name = var.org_name`
`13`		`- api_uri = "https://api.app.stackguardian.io"`
`14`	`8`	`}`
Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@`
`11`	`11`
`12`	`12`	`resource "stackguardian_connector" "sg_vcs_connector" {`
`13`	`13`	`for_each = {`
`14`		`- for key, value in var.stackguardian_connector_kinds :`
	`14`	`+ for key, value in var.vcs_connectors :`
`15`	`15`	`key => value if (`
`16`	`16`	`# Check if any credentials are provided for gitlab, github or bitbucket`
`17`	`17`	`(`
`@@ -22,8 +22,8 @@ resource "stackguardian_connector" "sg_vcs_connector" {`
`22`	`22`	`)`
`23`	`23`	`}`
`24`	`24`
`25`		`- resource_name = var.stackguardian_connector_vcs_name`
`26`		`- description = "Onboarding example of terraform-provider-stackguardian for ConnectorVcs"`
	`25`	`+ resource_name = each.value.name`
	`26`	`+ description = "Onboarding VCS connector"`
`27`	`27`
`28`	`28`	`settings = {`
`29`	`29`	`kind = each.value.kind`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`	`1`	`output "connector_vcs" {`
`2`	`2`	`description = "Created VCS connector"`
`3`		`- value = var.stackguardian_connector_vcs_name`
	`3`	`+ value = [for con in var.vcs_connectors : con.name]`
`4`	`4`	`}`
Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@ resource "stackguardian_role" "role" {`
`3`	`3`	`resource_name = var.role_name`
`4`	`4`	`description = "Onboarding example of terraform-provider-stackguardian for Role Developer"`
`5`	`5`	`tags = [`
`6`		`- "demo-org"`
	`6`	`+ var.org_name`
`7`	`7`	`]`
`8`	`8`	`allowed_permissions = local.team_onboarding_permissions`
`9`	`9`