update argocd code connection module

modules/argocd-codeconnections/README.md

@@ -10,7 +10,7 @@ Call this submodule after creating the EKS cluster with the Argo CD capability.
 module "argocd_connections" {
   source = "../../modules/argocd-codeconnections"
 
-  argocd_capability_role_arn = module.eks.cluster_capability_role_arns["argocd"]
+  argocd_capability_role_name = module.eks.cluster_capability_role_names["argocd"]
 
   connections = [
     { name = "github", provider_type = "GitHub" }
@@ -35,11 +35,13 @@ spec:
 
 Replace `CONNECTION_ID` with `module.argocd_connections.connection_ids["github"]`, and `owner`/`repo` with your Git org and repository name.
 
+This module only grants `UseConnection`/`GetConnection` on connections it creates. Point Argo CD Applications at those connection IDs; if you need another connection, attach IAM elsewhere (e.g. root module `capabilities.argocd.code_connection_arns`) or add a second entry under `connections` here.
+
 ## Inputs
 
 | Name | Description |
 | --- | --- |
-| argocd_capability_role_arn | IAM role ARN of the Argo CD capability (e.g. from `cluster_capability_role_arns["argocd"]`). |
+| argocd_capability_role_name | IAM role name of the Argo CD capability (e.g. `cluster_capability_role_names["argocd"]`). |
 | connections | List of `{ name, provider_type }`. `provider_type`: `GitHub`, `Bitbucket`, or `GitHubEnterpriseServer`. Optional `host_arn` for GitHub Enterprise / GitLab. |
 | tags | Tags for created resources. |
 

modules/argocd-codeconnections/main.tf

@@ -4,12 +4,14 @@
 ################################################################################
 
 locals {
-  # IAM role_policy requires role name; derive from ARN (arn:aws:iam::ACCOUNT:role/NAME)
-  argocd_role_name = try(regex("role/(.+)$", var.argocd_capability_role_arn)[0], null)
+  connections_map = {
+    for c in var.connections :
+    coalesce(try(c.key, null), c.name) => c
+  }
 }
 
 resource "aws_codestarconnections_connection" "this" {
-  for_each = { for i, c in var.connections : c.name => c }
+  for_each = local.connections_map
 
   name          = each.value.name
   provider_type = each.value.provider_type
@@ -33,7 +35,14 @@ data "aws_iam_policy_document" "codeconnections_use" {
 resource "aws_iam_role_policy" "codeconnections" {
   count = var.attach_codeconnections_policy ? 1 : 0
 
-  name   = "argocd-codeconnections-use"
-  role   = local.argocd_role_name
+  name   = var.iam_role_policy_name
+  role   = var.argocd_capability_role_name
   policy = data.aws_iam_policy_document.codeconnections_use.json
+
+  lifecycle {
+    precondition {
+      condition     = length(var.connections) > 0
+      error_message = "Provide at least one entry in `connections` when attach_codeconnections_policy is true."
+    }
+  }
 }

modules/argocd-codeconnections/outputs.tf

@@ -1,3 +1,13 @@
+output "codeconnections_iam_role_name" {
+  description = "IAM role name that receives the CodeConnections inline policy (Argo CD capability role)."
+  value       = var.argocd_capability_role_name
+}
+
+output "codeconnections_iam_policy_name" {
+  description = "Name of the inline IAM policy on the Argo CD capability role (UseConnection + GetConnection)."
+  value       = var.iam_role_policy_name
+}
+
 output "connection_arns" {
   description = "ARNs of the created CodeStar Connections. Use in Argo CD Application repoURL or pass to root module capabilities.argocd.code_connection_arns if not using this submodule's IAM attachment."
   value       = [for c in aws_codestarconnections_connection.this : c.arn]
@@ -9,7 +19,7 @@ locals {
 }
 
 output "connection_ids" {
-  description = "Map of connection name to connection ID (UUID only, for building repo URL). Do not use the full ARN in the URL path."
+  description = "Map of connection key (connections[].key if set, else name) to connection ID (UUID only, for building repo URL). Do not use the full ARN in the URL path."
   value       = local.connection_id_uuid
 }
 
@@ -19,7 +29,7 @@ output "repository_url_template" {
 }
 
 output "repository_url_templates" {
-  description = "Map of connection name to repo URL template using that connection's UUID. Use format replace CONNECTION_ID with the value for the connection you want."
+  description = "Map of connection key (connections[].key if set, else name) to repo URL template using that connection's UUID."
   value = {
     for k, c in aws_codestarconnections_connection.this : k =>
     "https://codeconnections.${data.aws_region.current.id}.amazonaws.com/git-http/${data.aws_caller_identity.current.account_id}/${data.aws_region.current.id}/${local.connection_id_uuid[k]}/OWNER/REPO.git"

modules/argocd-codeconnections/variables.tf

@@ -1,5 +1,5 @@
-variable "argocd_capability_role_arn" {
-  description = "IAM role ARN of the Argo CD EKS Capability (e.g. module.eks.cluster_capability_role_arns[\"argocd\"]). UseConnection and GetConnection policies will be attached to this role."
+variable "argocd_capability_role_name" {
+  description = "IAM role name of the Argo CD EKS capability (e.g. module.eks.cluster_capability_role_names[\"argocd\"])."
   type        = string
 }
 
@@ -10,14 +10,21 @@ variable "attach_codeconnections_policy" {
 }
 
 variable "connections" {
-  description = "List of CodeStar Connections to create. Each connection is created PENDING; complete authentication in the AWS Console (e.g. GitHub OAuth) before use."
+  description = "List of CodeStar Connections to create. Each connection is created PENDING; complete authentication in the AWS Console (e.g. GitHub OAuth) before use. Optional `key` sets Terraform/for_each and output map keys; `name` is the AWS connection name only."
   type = list(object({
-    name          = string
+    key           = optional(string) # Map key for outputs; default is name
+    name          = string           # AWS CodeStar connection name (unrelated to provider_type)
     provider_type = string           # GitHub, Bitbucket, or GitHubEnterpriseServer
     host_arn      = optional(string) # For GitHub Enterprise Server or GitLab Self-Managed
   }))
 }
 
+variable "iam_role_policy_name" {
+  description = "Name of the inline IAM policy on the Argo CD capability role granting codeconnections:UseConnection and GetConnection."
+  type        = string
+  default     = "argocd-codeconnections-use"
+}
+
 variable "tags" {
   description = "Tags to apply to created resources"
   type        = map(string)