diff --git a/CHANGELOG.md b/CHANGELOG.md index e59245c..1dbc789 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,3 +2,8 @@ * v1.0.0 -- 20210301 - initial creation + +* v1.0.1 -- 20210301 + - add docs + - comment out ec2* role stuff + - add check for ldap provider diff --git a/README.md b/README.md index fcdb730..f809e12 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,21 @@ # About aws-iam-role +This module will create an IAM role. Its primary purpose is for a SAML-enbled role, and to create the +necessary LDAP object in eBOCAS, provided credentials and the provider exists (it checks for this). +The [ldap-provider](https://github.e.it.census.gov/terraform/support/tree/master/providers/terraform-provider-ldap) binary is +expected to be in your `$PATH`. + +There are some quirks to the `ldap-provider` (we use [this](https://github.com/Pryz/terraform-provider-ldap) one), where if any +details change in the DN or the DN cannot be constructed due to missing data, a *tcp connection closed* message occurs. + +Because of this quirk, this is a two-step apply. The first step creates the IAM role and creates an LDIF file in +`setup/{role-name}.ldif`. It uses the presence of this file to create the LDAP object in the second step. Example: + +```shell +terraform apply -target=module.myrole +terraform apply -target=module.myrole +``` + # Usage ```hcl @@ -15,10 +31,6 @@ module "myrole" { ldap_password = "password1234$$" # optional - ec2_role_name = "my-role-other" - enable_instance_role = false - ec2_assume_policy_document = "X" - ec2_attached_policies = [] ldap_host = "ldap.e.tco.census.gov" ldap_port = 389 } @@ -33,6 +45,7 @@ No requirements. | Name | Version | |------|---------| | aws | n/a | +| external | n/a | | ldap | n/a | | null | n/a | | template | n/a | 
@@ -51,6 +64,7 @@ No Modules. | [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | | [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | | [aws_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | +| [external_external](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | | [ldap_object](https://registry.terraform.io/providers/hashicorp/ldap/latest/docs/resources/object) | | [null_resource](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | | [template_file](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | @@ -64,10 +78,6 @@ No Modules. | assume\_policy\_document | JSON policy document for role to assume (i.e., the SAML assume document) | `string` | `""` | no | | attached\_policies | List of IAM Policy ARNs to attach to this role | `list(string)` | `[]` | no | | component\_tags | Additional tags for Components (role, policy) | `map(map(string))` |
{
"policy": {},
"role": {}
} | no |
-| ec2\_assume\_policy\_document | JSON policy document for EC2 instance role (default is sts:AssumeRole for ec2 service) | `string` | `""` | no |
-| ec2\_attached\_policies | List of IAM Policy ARNs to attach to this EC2 instance role | `list(string)` | `[]` | no |
-| ec2\_role\_name | EC2 instace Role/application name without prefix | `string` | `""` | no |
-| enable\_instance\_role | Flag to enable the creation of a partner EC2 instance role with specific policies and optionally a different name | `bool` | `false` | no |
| enable\_ldap\_creation | Flag to enable/disable LDAP object creation for role group (for SAML only). Also requires LDAP credentials. | `bool` | `false` | no |
| ldap\_host | LDAP Hostname (default is for eBOCAS) | `string` | `"ldap.e.tco.census.gov"` | no |
| ldap\_password | LDAP password for ldap\_user for writing data into eDirectory or Active Directory | `string` | `""` | no |
@@ -80,3 +90,6 @@ No Modules.
## Outputs
+| Name | Description |
+|------|-------------|
+| role\_arn | Created role ARN |
diff --git a/main.tf b/main.tf
index 36d84d0..cf10f7e 100644
--- a/main.tf
+++ b/main.tf
@@ -1,6 +1,22 @@
/*
* # About aws-iam-role
+*
+* This module will create an IAM role. Its primary purpose is for a SAML-enbled role, and to create the
+* necessary LDAP object in eBOCAS, provided credentials and the provider exists (it checks for this).
+* The [ldap-provider](https://github.e.it.census.gov/terraform/support/tree/master/providers/terraform-provider-ldap) binary is
+* expected to be in your `$PATH`.
*
+* There are some quirks to the `ldap-provider` (we use [this](https://github.com/Pryz/terraform-provider-ldap) one), where if any
+* details change in the DN or the DN cannot be constructed due to missing data, a *tcp connection closed* message occurs.
+*
+* Because of this quirk, this is a two-step apply. The first step creates the IAM role and creates an LDIF file in
+* `setup/{role-name}.ldif`. It uses the presence of this file to create the LDAP object in the second step. Example:
+*
+* ```shell
+* terraform apply -target=module.myrole
+* terraform apply -target=module.myrole
+* ```
+*
* # Usage
*
* ```hcl
@@ -16,34 +32,36 @@
* ldap_password = "password1234$$"
*
* # optional
-* ec2_role_name = "my-role-other"
-* enable_instance_role = false
-* ec2_assume_policy_document = "X"
-* ec2_attached_policies = []
* ldap_host = "ldap.e.tco.census.gov"
* ldap_port = 389
* }
* ```
*/
+#* ec2_role_name = "my-role-other"
+#* enable_instance_role = false
+#* ec2_assume_policy_document = "X"
+#* ec2_attached_policies = []
+
locals {
account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
region = data.aws_region.current.name
account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
- _ec2_role_name = var.ec2_role_name != "" ? var.ec2_role_name : var.role_name
+ # _ec2_role_name = var.ec2_role_name != "" ? var.ec2_role_name : var.role_name
role_name = format("%v%v", lookup(local._prefixes, "role", ""), var.role_name)
saml_string = var.saml_provider_arn != "" ? "SAML " : ""
role_description = format("%vRole for %v", local.saml_string, var.role_name)
policy_name = format("%v%v", lookup(local._prefixes, "policy", ""), var.role_name)
- ec2_role_name = format("%v-ec2-%v", lookup(local._prefixes, "role", ""), local._ec2_role_name)
- ec2_policy_name = format("%v-ec2-%v", lookup(local._prefixes, "policy", ""), local._ec2_role_name)
+ # ec2_role_name = format("%v-ec2-%v", lookup(local._prefixes, "role", ""), local._ec2_role_name)
+ # ec2_policy_name = format("%v-ec2-%v", lookup(local._prefixes, "policy", ""), local._ec2_role_name)
ldap_exists = fileexists("${path.root}/setup/${aws_iam_role.role.name}.ldif")
bocappdata_auth = local.account_environment == "gov" ? "Cloud_AWSGovCloud_Auth" : "Cloud_AWS_Auth"
bocappdata_fullauth = format("gov.census.tco:%v=%v,%v", local.bocappdata_auth, aws_iam_role.role.arn, var.saml_provider_arn)
- enable_ldap = var.enable_ldap_creation && var.ldap_user != "" && var.ldap_password != "" && var.saml_provider_arn != ""
+ ldap_provider_exists = data.external.ldap_provider_bin.result.status == 0 ? true : false
+ enable_ldap = var.enable_ldap_creation && var.ldap_user != "" && var.ldap_password != "" && var.saml_provider_arn != "" && local.ldap_provider_exists
base_tags = {
"boc:tf_module_version" = local._module_version
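Review bot: The new `ldap_provider_exists` local compares `data.external.ldap_provider_bin.result.status` with the number `0`, but the `external` data source (defined in the last hunk of this file) only returns string values and Terraform's `==` does not convert between string and number, so as far as I can tell the condition is always false and `enable_ldap` can never become true. Comparing against a string, `ldap_provider_exists = lookup(data.external.ldap_provider_bin.result, "status", "1") == "0"`, fixes the type mismatch, drops the redundant `? true : false`, and the `lookup` default keeps the plan from erroring should `find_binary.sh` ever omit the key. The commented-out `_ec2_role_name`, `ec2_role_name` and `ec2_policy_name` lines, and the `#*` lines left dangling after the header comment, are dead code that version control already preserves; removing them would keep `locals` readable. The `locals` block continues past the end of this hunk.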
@@ -117,3 +135,12 @@ resource "ldap_object" "role" {
ignore_changes = [object_classes, attributes]
}
}
+
+# data.external.ldap_provider_bin.result.path
+# data.external.ldap_provider_bin.result.status
+data "external" "ldap_provider_bin" {
+ program = ["bash", "${path.root}/bin/find_binary.sh"]
+ query = {
+ "program" = "terraform-provider-ldap"
+ }
+}
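Review bot: The `external` data source runs `${path.root}/bin/find_binary.sh` on every plan and refresh, and the script is not part of this commit, so its output contract is only hinted at by the two bare comment lines above the block; a comment stating it explicitly, such as `# find_binary.sh must print a JSON object with string keys "path" and "status"; status is "0" only when the queried program was found on $PATH`, would let the next maintainer check the script against its consumer in `locals`. `path.root` resolves to the root module's directory, not this module's, so if the script ships with this module, `path.module` is presumably the intended base; if it is expected to come from the calling configuration, that requirement belongs in the README alongside the `$PATH` note.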
diff --git a/variables.tf b/variables.tf
index eb2d218..144aab7 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,25 +1,8 @@
-#---
-# application stuff
-#---
-#locals {
-# app_name = "ced-edde"
-# role_name = format("r-%v", local.app_name)
-# policy_name = format("p-%v", local.app_name)
-# ec2_role_name = format("r-ec2-%v", local.app_name)
-# ec2_policy_name = format("p-ec2-%v-%v", local.app_name, "transcribe")
-#}
-
variable "role_name" {
description = "Role/application name without prefix"
type = string
}
-variable "ec2_role_name" {
- description = "EC2 instace Role/application name without prefix"
- type = string
- default = ""
-}
-
variable "saml_provider_arn" {
description = "ARN of SAML Provider"
type = string
@@ -32,36 +15,18 @@ variable "enable_ldap_creation" {
default = false
}
-variable "enable_instance_role" {
- description = "Flag to enable the creation of a partner EC2 instance role with specific policies and optionally a different name"
- type = bool
- default = false
-}
-
variable "assume_policy_document" {
description = "JSON policy document for role to assume (i.e., the SAML assume document)"
type = string
default = ""
}
-variable "ec2_assume_policy_document" {
- description = "JSON policy document for EC2 instance role (default is sts:AssumeRole for ec2 service)"
- type = string
- default = ""
-}
-
variable "attached_policies" {
description = "List of IAM Policy ARNs to attach to this role"
type = list(string)
default = []
}
-variable "ec2_attached_policies" {
- description = "List of IAM Policy ARNs to attach to this EC2 instance role"
- type = list(string)
- default = []
-}
-
#---
# ldap
#---
@@ -95,3 +60,31 @@ variable "component_tags" {
default = { "role" = {}, "policy" = {} }
}
+
+## #---
+## # instance role
+## #---
+## variable "ec2_role_name" {
+## description = "EC2 instace Role/application name without prefix"
+## type = string
+## default = ""
+## }
+##
+## variable "enable_instance_role" {
+## description = "Flag to enable the creation of a partner EC2 instance role with specific policies and optionally a different name"
+## type = bool
+## default = false
+## }
+##
+## variable "ec2_assume_policy_document" {
+## description = "JSON policy document for EC2 instance role (default is sts:AssumeRole for ec2 service)"
+## type = string
+## default = ""
+## }
+##
+## variable "ec2_attached_policies" {
+## description = "List of IAM Policy ARNs to attach to this EC2 instance role"
+## type = list(string)
+## default = []
+## }
+##
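Review bot: The four `ec2_*` inputs (`ec2_role_name`, `enable_instance_role`, `ec2_assume_policy_document`, `ec2_attached_policies`) are removed from the module interface while `_module_version` goes only from 1.0.0 to 1.0.1; any caller that still passes them will fail at plan with an unsupported-argument error, which is a breaking change that a patch bump and the changelog entry "comment out ec2* role stuff" do not signal. Bumping the minor or major version and listing the removed inputs by name in the changelog would make the break visible to consumers. The `##`-commented variable blocks appended here duplicate definitions that git history already holds; if the intent is to restore them later, a single line such as `# ec2_* instance-role inputs removed in 1.0.1; previous definitions are in git history` says the same thing without leaving dead code in the file.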
diff --git a/version.tf b/version.tf
index fa2705b..374ba43 100644
--- a/version.tf
+++ b/version.tf
@@ -1,3 +1,3 @@
locals {
- _module_version = "1.0.0"
+ _module_version = "1.0.1"
}