From 137746d21fad0f2663804daad5e599dd058216f5 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 24 Sep 2024 17:16:23 -0400
Subject: [PATCH] Update role description to mention "read-only" or "read-write"

The phrase that is used depends on the value of the read_only variable.
---
 README.md | 2 +-
 locals.tf | 10 ++++++----
 variables.tf | 4 ++--
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index 65ce7ef..7dc4e92 100644
--- a/README.md
+++ b/README.md
@@ -109,7 +109,7 @@ No modules.
 | entity\_name | The name of the entity that the role is being created for (e.g. "test-user"). | `string` | n/a | yes |
 | iam\_usernames | The list of IAM usernames allowed to assume the role. If not provided, defaults to allowing any user in the specified account(s). Note that including "root" in this list will override any other usernames in the list. | `list(string)` | ```[ "root" ]``` | no |
 | read\_only | A Boolean value indicating whether or not to make the role and policy read-only. If false then the role and policy will allow write permissions. | `bool` | `true` | no |
-| role\_description | The description to associate with the IAM role (as well as the corresponding policy) that allows access to the specified object(s) in the specified S3 buckets. Note that the first "%s" in this value will get replaced with the s3\_bucket variable and the second "%s" will get replaced with the entity\_name variable. If there are less than two instances of "%s" present in this value, no replacements will be made and the value will be used as is. Including more than two instances of "%s" in this value will result in a Terraform error, so don't do that. | `string` | `"Allows access to S3 bucket %s required for %s."` | no |
+| role\_description | The description to associate with the IAM role (as well as the corresponding policy) that allows access to the specified object(s) in the specified S3 buckets. Note that the first "%s" in this value will get replaced with either "read-only" or "read-write" depending on the value of read\_only, the second "%s" will get replaced with the s3\_bucket variable, and the third "%s" will get replaced with the entity\_name variable. If there are less than three instances of "%s" present in this value, no replacements will be made and the value will be used as is. Including more than three instances of "%s" in this value will result in a Terraform error, so don't do that. | `string` | `"Allows %s access to S3 bucket %s required for %s."` | no |
 | role\_name | The name to assign the IAM role (as well as the corresponding policy) that allows access to the specified S3 buckets. Note that the first "%s" in this value will get replaced with the s3\_bucket variable and the third "%s" will get replaced with the entity\_name variable. The second "%s" in this value will get replaced by "ReadOnly" if read\_only is true and "ReadWrite" otherwise. If there are less than three instances of "%s" present in this value then no replacements will be made and the value will be used as is. Including more than three instances of "%s" in this value will result in a Terraform error, so don't do that. If the role name is longer than the current AWS limit of 64 characters (either as-is or after "%s" replacements), the role name will be truncated to the first 64 characters. | `string` | `"%s-%s-%s"` | no |
 | s3\_bucket | The name of the S3 bucket that the created role will be allowed access to (e.g. "my-bucket"). | `string` | n/a | yes |
 | s3\_objects | A list specifying the objects in the S3 bucket that the created role will be allowed to access (e.g. ["my-file", "projects\example\*"]). AWS-supported S3 ARN wildcards (* and ?) can be used, but full regular expressions can not. If not specified, the role will be allowed to access any object in the bucket. | `list(string)` | ```[ "*" ]``` | no |
diff --git a/locals.tf b/locals.tf
index d4daa36..339e8ab 100644
--- a/locals.tf
+++ b/locals.tf
@@ -18,10 +18,12 @@ locals {
 local.object_actions_write,
 )
 
- # If var.role_description contains two instances of "%s", use format()
- # to replace the first "%s" with var.s3_bucket and the second "%s"
- # with var.entity_name, otherwise just use var.role_description as is
- role_description = length(regexall(".*%s.*%s.*", var.role_description)) > 0 ? format(var.role_description, var.s3_bucket, var.entity_name) : var.role_description
+ # If var.role_description contains three instances of "%s", use
+ # format() to replace the first "%s" with "read-only" or
+ # "read-write" depending on the value of var.read_only, the second
+ # "%s" with var.s3_bucket, and the third "%s" with var.entity_name;
+ # otherwise, just use var.role_description as is
+ role_description = length(regexall(".*%s.*%s.*%s.*", var.role_description)) > 0 ? format(var.role_description, var.read_only ? "read-only" : "read-write", var.s3_bucket, var.entity_name) : var.role_description
 
 # If var.role_name contains three instances of "%s", use format() to
 # replace the first "%s" with var.s3_bucket, the second "%s" with
diff --git a/variables.tf b/variables.tf
index 38015bd..01ef904 100644
--- a/variables.tf
+++ b/variables.tf
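Review bot: A caller who customised role_description under the previous two-placeholder contract now silently falls through to the as-is branch of the new `role_description =` line, because the regex `.*%s.*%s.*%s.*` requires three placeholders, so the IAM role and policy description would carry literal `%s` text rather than the bucket and entity names; the commit message does not call this out as a breaking change. If the old form is meant to keep working, add a second tier before the final fallback, e.g. `: length(regexall(".*%s.*%s.*", var.role_description)) > 0 ? format(var.role_description, var.s3_bucket, var.entity_name) : var.role_description`, and extend the comment to say so; otherwise a CHANGELOG entry stating that the template now needs three "%s" placeholders is the minimum. Since the new expression applies the same read_only switch that the role_name logic below uses for "ReadOnly"/"ReadWrite", the comment could also note that the two must agree so the description never contradicts the policy's actual permissions. The enclosing `locals {` block starts and ends outside the hunk.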
@@ -51,8 +51,8 @@ variable "read_only" {
 }
 
 variable "role_description" {
- default = "Allows access to S3 bucket %s required for %s."
- description = "The description to associate with the IAM role (as well as the corresponding policy) that allows access to the specified object(s) in the specified S3 buckets. Note that the first \"%s\" in this value will get replaced with the s3_bucket variable and the second \"%s\" will get replaced with the entity_name variable. If there are less than two instances of \"%s\" present in this value, no replacements will be made and the value will be used as is. Including more than two instances of \"%s\" in this value will result in a Terraform error, so don't do that."
+ default = "Allows %s access to S3 bucket %s required for %s."
+ description = "The description to associate with the IAM role (as well as the corresponding policy) that allows access to the specified object(s) in the specified S3 buckets. Note that the first \"%s\" in this value will get replaced with either \"read-only\" or \"read-write\" depending on the value of read_only, the second \"%s\" will get replaced with the s3_bucket variable, and the third \"%s\" will get replaced with the entity_name variable. If there are less than three instances of \"%s\" present in this value, no replacements will be made and the value will be used as is. Including more than three instances of \"%s\" in this value will result in a Terraform error, so don't do that."
 type = string
 }
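Review bot: The new description promises that more than three "%s" placeholders "will result in a Terraform error", but nothing on the variable enforces it; the error only surfaces from format() at plan time with a generic message, and the description text itself is the only place the limit is stated. A `validation` block inside `variable "role_description"` with `condition = length(regexall("%s", var.role_description)) <= 3` and an `error_message` naming the three-placeholder limit would reject the value at input with a clear message, and it would keep the documented contract and the enforced one in one place. The `variable "role_description"` block is fully inside the hunk, so the validation block fits between the new `description` line and `type = string`.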