fix(aws): configure an External ID in IAM Role

[ghost]

Lacework's AWS Config Integration requires two things, a Role ARN and
its External ID, such ID is missing.

This PR is adding the External ID inside the IAM Role we create.

If you are wondering what is this External ID thing, look at these AWS docs.

Ticket

https://lacework.atlassian.net/browse/ALLY-23

Signed-off-by: Salim Afiune Maya [email protected]

[scottford-lw]

@afiunelw should we be providing a default value for this, or force the user to make this decision each time? Do we know what happens if a person uses the same value for external_id each time?

[ghost]

I'm guessing it would be a good idea to force the user, I am really not so sure about it, that is why I wanted to talk with Brian. I will change it to be required.

[scottford-lw]

Same thing @afiunelw , should we be providing a default value?

[ghost]

I didn't change this variable, I can change it though to be required.

[scottford-lw]

@afiunelw Do we want to consider an update to output.tf to print out the external_id?

https://github.com/lacework/terraform-provisioning/blob/afiune/aws/iam_role/external_id/aws/output.tf

[ghost]

I don't think we should output a variable that the user inputs.

[scottford-lw]

I am looking at this from the perspective of executing the automation for many accounts in a pipeline. Yes, you know what the external ID that you input, but that external_id is going to be tied to a bunch of resources that you don't know until you converge. Spitting out the external_id with the resources it is attached to might be useful.

[ghost]

My perspective is that, when we finish this Terraform integration, the user inputs an External ID that we will use to configure the AIM Role and the AWS Config Integration in Lacework, so I don't feel it is useful but we can add it for a few until lacework/terraform-provider-lacework#11 is working.