Improve variable description

README.md

@@ -513,7 +513,7 @@ the COOL environment.
 | email\_sending\_domains | The list of domains to send emails from within the assessment environment (e.g. [ "example.com" ]).  Teamserver and Gophish instances will be deployed with each sequential domain in the list, so teamserver0 and gophish0 will get the first domain, teamserver1 and gophish1 will get the second domain, and so on.  If there are more Teamserver or Gophish instances than email-sending domains, the domains in the list will be reused in a wrap-around fashion. For example, if there are three Teamservers and only two email-sending domains, teamserver0 will get the first domain, teamserver1 will get the second domain, and teamserver2 will wrap-around back to using the first domain.  Note that all letters in this variable must be lowercase or else an error will be displayed. | `list(string)` | ```[ "example.com" ]``` | no |
 | findings\_data\_bucket\_name | The name of the AWS S3 bucket where findings data is to be written.  The default value is not a valid string for a bucket name, so findings data cannot be written to any bucket unless a value is specified. | `string` | `""` | no |
 | guac\_connection\_setup\_path | The full path to the dbinit directory where initialization files must be stored in order to work properly. (e.g. "/var/guacamole/dbinit") | `string` | `"/var/guacamole/dbinit"` | no |
-| iam\_users\_allowed\_to\_self\_deploy | A list of IAM usernames corresponding to the IAM users in the Users account who are allowed to self-deploy.  E.g., ["first.last"]. | `list(string)` | `[]` | no |
+| iam\_users\_allowed\_to\_self\_deploy | A list of IAM usernames corresponding to the IAM users in the Users account who are allowed to self-deploy.  E.g., ["first.last"].  Note that these users must already be included in cisagov/cool-assessment-provisioner-iam, presumably with backend\_access equal to false. | `list(string)` | `[]` | no |
 | inbound\_ports\_allowed | An object specifying the ports allowed inbound (from anywhere) to the various instance types (e.g. {"assessorworkbench" : [], "debiandesktop" : [], "egressassess" : [], "gophish" : [], "kali": [{"protocol": "tcp", "from\_port": 443, "to\_port": 443}, {"protocol": "tcp", "from\_port": 9000, "to\_port": 9009}], "nessus" : [], "pentestportal" : [], "samba" : [], "teamserver" : [], "terraformer" : [], "windows" : [], }). | ```object({ assessorworkbench = list(object({ protocol = string, from_port = number, to_port = number })), debiandesktop = list(object({ protocol = string, from_port = number, to_port = number })), egressassess = list(object({ protocol = string, from_port = number, to_port = number })), gophish = list(object({ protocol = string, from_port = number, to_port = number })), kali = list(object({ protocol = string, from_port = number, to_port = number })), nessus = list(object({ protocol = string, from_port = number, to_port = number })), pentestportal = list(object({ protocol = string, from_port = number, to_port = number })), samba = list(object({ protocol = string, from_port = number, to_port = number })), teamserver = list(object({ protocol = string, from_port = number, to_port = number })), terraformer = list(object({ protocol = string, from_port = number, to_port = number })), windows = list(object({ protocol = string, from_port = number, to_port = number })), })``` | ```{ "assessorworkbench": [], "debiandesktop": [], "egressassess": [], "gophish": [], "kali": [], "nessus": [], "pentestportal": [], "samba": [], "teamserver": [], "terraformer": [], "windows": [] }``` | no |
 | nessus\_activation\_codes | The list of Nessus activation codes (e.g. ["AAAA-BBBB-CCCC-DDDD"]). The number of codes in this list should match the number of Nessus instances defined in operations\_instance\_counts. | `list(string)` | `[]` | no |
 | nessus\_web\_server\_port | The port on which the Nessus web server should listen (e.g. 8834). | `number` | `8834` | no |

variables.tf

@@ -159,7 +159,7 @@ variable "guac_connection_setup_path" {
 
 variable "iam_users_allowed_to_self_deploy" {
   default     = []
-  description = "A list of IAM usernames corresponding to the IAM users in the Users account who are allowed to self-deploy.  E.g., [\"first.last\"]."
+  description = "A list of IAM usernames corresponding to the IAM users in the Users account who are allowed to self-deploy.  E.g., [\"first.last\"].  Note that these users must already be included in cisagov/cool-assessment-provisioner-iam, presumably with backend_access equal to false."
   nullable    = false
   type        = list(string)
 }