initial

.gitignore

@@ -0,0 +1,13 @@
+#  Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# .tfvars files
+*.tfvars
+
+.terraform/*
+logs
+common/README.md

.pre-commit-config.yaml

@@ -0,0 +1,17 @@
+repos:
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.31.0
+  hooks:
+#    - id: terraform_validate
+    - id: terraform_fmt
+    - id: terraform_docs_replace
+      args: ['table']
+      exclude: common/*.tf
+      exclude: version.tf
+
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v3.1.0
+  hooks:
+    - id: check-symlinks
+    - id: detect-aws-credentials
+    - id: detect-private-key

CHANGELOG.md

@@ -0,0 +1,4 @@
+# Versions
+
+* v1.0.0 -- 20210301
+  - initial creation

data.tf

@@ -0,0 +1,23 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_arn" "current" {
+  arn = data.aws_caller_identity.current.arn
+}
+
+data "aws_region" "current" {}
+
+# output "caller_account_id" {
+#   value = data.aws_caller_identity.current.account_id
+# }
+#
+# output "account_caller_arn" {
+#   value = data.aws_caller_identity.current.arn
+# }
+#
+# output "account_caller_arn_partition" {
+#   value = data.aws_arn.current.partition
+# }
+#
+# output "account_region"name" {
+#   value = data.aws_region.current.name
+# }

locals.tf

@@ -0,0 +1,32 @@
+locals {
+  policies = {
+    "ced-edde" = [
+      aws_iam_policy.policy_app.arn,
+    ]
+  }
+  policies_flat  = { for e in keys(local.policies) : e => flatten(local.policies[e]) }
+  policies_count = { for e in keys(local.policies) : e => length(local.policies_flat[e]) }
+
+  # for automatic ldap creation of group
+  bocappdata_auth = var.aws_environment == "govcloud" ? "Cloud_AWSGovCloud_Auth" : "Cloud_AWS_Auth"
+  bocappdata_fullauth = {
+    "ced-edde" = format("gov.census.tco:%s=%s,%s", local.bocappdata_auth, aws_iam_role.role_app.arn, data.terraform_remote_state.common.outputs.inf_saml_provider)
+  }
+  region = var.region
+  #  ldap_init = { for e in keys(local.policies) : lookup(var.ldap_init,e,e) => true }
+
+  ldap_exists = {
+    "ced-edde" = fileexists("setup/${aws_iam_role.role_app.name}.ldif")
+  }
+}
+
+#---
+# application stuff
+#---
+locals {
+  app_name        = "ced-edde"
+  role_name       = format("r-%v", local.app_name)
+  policy_name     = format("p-%v", local.app_name)
+  ec2_role_name   = format("r-ec2-%v", local.app_name)
+  ec2_policy_name = format("p-ec2-%v-%v", local.app_name, "transcribe")
+}

main.tf

@@ -0,0 +1,119 @@
+/*
+* # About aws-iam-role
+* 
+* # Usage
+* 
+* ```hcl
+* module "myrole" {
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.gi"
+* 
+*   role_name                  = "my-role"
+*   saml_provider_arn          = "aws:aws-us-gov:iam:1234567890:saml/X"
+*   enable_ldap_creation       = true
+*   assume_policy_document     = data.terraform_remote_state.common.outputs.saml_assume_json
+*   ec2_assume_policy_document = "X"
+*   attached_policies          = ["arn1", "arn2"]
+*   ldap_user                  = "cn=myuser,ou=Application,o=U.S. Census Bureau,c=US"
+*   ldap_password              = "password1234$$"
+* 
+*   # optional
+*   ec2_role_name         = "my-role-other"
+*   enable_instance_role  = false
+*   ec2_attached_policies = []
+*   ldap_host             = "ldap.e.tco.census.gov"
+*   ldap_port             = 389
+* }
+* ```
+*/
+
+locals {
+  account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+  region              = data.aws_region.current.name
+  account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+
+  _ec2_role_name   = var.ec2_role_name != "" ? var.ec2_role_name : var.role_name
+  role_name        = format("%v%v", lookup(local._prefixes, "role", ""), var.role_name)
+  saml_string      = var.saml_provider_arn != "" ? "SAML" : ""
+  role_description = format("%vRole for %v", local.saml_string, var.role_name)
+  policy_name      = format("%v%v", lookup(local._prefixes, "policy", ""), var.role_name)
+  ec2_role_name    = format("%v-ec2-%v", lookup(local._prefixes, "role", ""), local._ec2_role_name)
+  ec2_policy_name  = format("%v-ec2-%v", lookup(local._prefixes, "policy", ""), local._ec2_role_name)
+
+  ldap_exists         = fileexists("${path.root}/setup/${aws_iam_role.role_app.name}.ldif")
+  bocappdata_auth     = local.account_environment == "gov" ? "Cloud_AWSGovCloud_Auth" : "Cloud_AWS_Auth"
+  bocappdata_fullauth = format("gov.census.tco:%v=%v,%v", local.bocappdata_auth, aws_iam_role.role.arn, var.saml_provider_arn)
+
+  enable_ldap = var.enable_ldap_creation && var.ldap_user != "" && var.ldap_password != "" && var.saml_provider_arn != ""
+
+  base_tags = {
+    "boc:tf_module_version" = local._module_version
+    "boc:created_by"        = "terraform"
+  }
+}
+
+resource "aws_iam_role" "role" {
+  name                  = local.role_name
+  description           = local.role_description
+  force_detach_policies = false
+  max_session_duration  = 3600
+  #  assume_role_policy    = data.terraform_remote_state.common.outputs.inf_saml_assume_policy_document
+  assume_role_policy = var.assume_policy_document
+
+  tags = merge(
+    var.tags,
+    local.base_tags,
+    lookup(var.component_tags, "role", {}),
+    map("Name", local.role_name)
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "role" {
+  for_each   = toset(var.attached_policies)
+  role       = aws_iam_role.role.name
+  policy_arn = each.value
+}
+
+data "template_file" "role" {
+  template = file("${path.module}/templates/iam-role-ldif.${local.account_environment}.tpl")
+  vars = {
+    role_name         = aws_iam_role.role.name
+    role_arn          = aws_iam_role.role.arn
+    account_id        = local.account_id
+    saml_provider_arn = var.saml_provider_arn
+    aws_environment   = local.account_environment
+  }
+}
+
+resource "null_resource" "role_ldif" {
+  count = local.enable_ldap ? 1 : 0
+  provisioner "local-exec" {
+    command = "test -d ${path.root}/setup || mkdir ${path.root}/setup"
+  }
+  provisioner "local-exec" {
+    command = "echo '${data.template_file.role.rendered}' > ${path.root}/setup/${aws_iam_role.role.name}.ldif"
+  }
+  provisioner "local-exec" {
+    command = "echo 'Once complete, execute tf-apply again to create LDAP group'"
+  }
+}
+
+resource "ldap_object" "role" {
+  count    = local.ldap_exists && local.enable_ldap ? 1 : 0
+  provider = ldap
+  dn       = format("cn=%s,ou=%s,ou=AWS,ou=Cloud,ou=Application,o=U.S. Census Bureau,c=US", aws_iam_role.role.name, local.account_id)
+  object_classes = [
+    "top",
+    "bocGroup",
+    "groupOfNames",
+  ]
+  attributes = [
+    { description = format("%s account=%s type=%s", aws_iam_role.role.name, local.account_id, local.account_environment) },
+    { cn = aws_iam_role.role.name },
+    { bocApplicationData = format("gov.census.tco:CPASS_FullPath=Cloud %s %s", local.account_environment, local.account_id) },
+    { bocApplicationData = "gov.census.tco:CPASS_APP=CloudServices" },
+    { bocApplicationData = local.bocappdata_fullauth },
+  ]
+  lifecycle {
+    ignore_changes = [object_classes, attributes]
+  }
+}

policies.tf

@@ -0,0 +1,15 @@
+#----
+# STS: ec2 assume
+#---
+data "aws_iam_policy_document" "ec2_assume" {
+  statement {
+    sid     = "AWSEC2AssumeRole"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+  }
+}

prefixes.tf

@@ -0,0 +1,12 @@
+locals {
+  _prefixes = {
+    "efs"            = "v-efs-"
+    "s3"             = "v-s3-"
+    "ebs"            = "v-ebs-"
+    "kms"            = "k-kms-"
+    "role"           = "r-"
+    "policy"         = "p-"
+    "security-group" = ""
+    #    "security-group" = "sg-"
+  }
+}

provider.ldap.tf

@@ -0,0 +1,7 @@
+provider "ldap" {
+  ldap_host     = var.ldap_host
+  ldap_port     = var.ldap_port
+  use_tls       = true
+  bind_user     = var.ldap_user
+  bind_password = var.ldap_password
+}

templates/iam-role-ldif.east-west.tpl

@@ -0,0 +1,13 @@
+# fields: role_name role_arn account_id saml_provider_arn aws_environment
+
+# ${role_name}, ${account_id}, AWS, Cloud, Application, U.S. Census Bureau, US
+dn: cn=${role_name},ou=${account_id},ou=AWS,ou=Cloud,ou=Application,o=U.S. Census Bureau,c=US
+description: ${role_name} ( ${account_id} )
+cn: ${role_name}
+bocApplicationData: gov.census.tco:CPASS_FullPath=Cloud ${aws_environment} ${account_id}
+bocApplicationData: gov.census.tco:CPASS_APP=CloudServices
+bocApplicationData: gov.census.tco:Cloud_AWS_Auth=${role_arn},${saml_provider_arn}
+#bocApplicationData: gov.census.tco:Cloud_AWSGovCloud_Auth=${role_arn},${saml_provider_arn}
+objectClass: groupOfNames
+objectClass: bocGroup
+objectClass: Top

templates/iam-role-ldif.ew.tpl

@@ -0,0 +1 @@
+iam-role-ldif.east-west.tpl

templates/iam-role-ldif.gov.tpl

@@ -0,0 +1 @@
+iam-role-ldif.govcloud.tpl

templates/iam-role-ldif.govcloud.tpl

@@ -0,0 +1,13 @@
+# fields: role_name role_arn account_id saml_provider_arn aws_environment
+
+# ${role_name}, ${account_id}, AWS, Cloud, Application, U.S. Census Bureau, US
+dn: cn=${role_name},ou=${account_id},ou=AWS,ou=Cloud,ou=Application,o=U.S. Census Bureau,c=US
+description: ${role_name} ( ${account_id} )
+cn: ${role_name}
+bocApplicationData: gov.census.tco:CPASS_FullPath=Cloud ${aws_environment} ${account_id}
+bocApplicationData: gov.census.tco:CPASS_APP=CloudServices
+#bocApplicationData: gov.census.tco:Cloud_AWS_Auth=${role_arn},${saml_provider_arn}
+bocApplicationData: gov.census.tco:Cloud_AWSGovCloud_Auth=${role_arn},${saml_provider_arn}
+objectClass: groupOfNames
+objectClass: bocGroup
+objectClass: Top

variables.common.tf

@@ -0,0 +1,26 @@
+#---
+# account info
+#---
+variable "account_id" {
+  description = "AWS Account ID (default will pull from current user)"
+  type        = string
+  default     = ""
+}
+
+variable "account_alias" {
+  description = "AWS Account Alias"
+  type        = string
+  default     = ""
+}
+
+variable "override_prefixes" {
+  description = "Override built-in prefixes by component (role, policy). This should be used primarily for common infrastructure things"
+  type        = map(string)
+  default     = {}
+}
+
+variable "tags" {
+  description = "AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data_safeguard field for such things."
+  type        = map(string)
+  default     = {}
+}