From 13faceabae3c815c598bbb32d567a5255cb13103 Mon Sep 17 00:00:00 2001 From: badra001 Date: Mon, 8 May 2023 07:45:10 -0400 Subject: [PATCH] - terraform-organzation-info-role - new role to allow remote account to read org data for sharing purposes --- CHANGELOG.md | 3 + common/version.tf | 2 +- terraform-organzation-info-role/README.md | 61 ++++++++++++ terraform-organzation-info-role/data.tf | 1 + terraform-organzation-info-role/defaults.tf | 1 + terraform-organzation-info-role/main.tf | 93 +++++++++++++++++++ .../module_name.tf | 3 + terraform-organzation-info-role/prefixes.tf | 1 + .../variables.common.tf | 1 + terraform-organzation-info-role/variables.tf | 11 +++ terraform-organzation-info-role/version.tf | 1 + terraform-organzation-info-role/versions.tf | 9 ++ 12 files changed, 186 insertions(+), 1 deletion(-) create mode 100644 terraform-organzation-info-role/README.md create mode 120000 terraform-organzation-info-role/data.tf create mode 120000 terraform-organzation-info-role/defaults.tf create mode 100644 terraform-organzation-info-role/main.tf create mode 100644 terraform-organzation-info-role/module_name.tf create mode 120000 terraform-organzation-info-role/prefixes.tf create mode 120000 terraform-organzation-info-role/variables.common.tf create mode 100644 terraform-organzation-info-role/variables.tf create mode 120000 terraform-organzation-info-role/version.tf create mode 100644 terraform-organzation-info-role/versions.tf diff --git a/CHANGELOG.md b/CHANGELOG.md index 2788b01..dd0c854 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -261,3 +261,6 @@ - cloudforms_ami - This will lead to a change in the distributed INF.service.cloudforms.tf, as well as an upgrade/import operation each account +* 2.4.1 -- 2023-05-08 + - terraform-organzation-info-role + - new role to allow remote account to read org data for sharing purposes diff --git a/common/version.tf b/common/version.tf index f403a49..183f689 100644 --- a/common/version.tf +++ b/common/version.tf 
@@ -1,3 +1,3 @@
 locals {
- _module_version = "2.4.0"
+ _module_version = "2.4.1"
 }
diff --git a/terraform-organzation-info-role/README.md b/terraform-organzation-info-role/README.md
new file mode 100644
index 0000000..dc8ca42
--- /dev/null
+++ b/terraform-organzation-info-role/README.md
@@ -0,0 +1,61 @@
+# About aws-info-setup :: terraform-organization-info-role
+
+Role to be assumed from terraform in a remote account (or local account) to grab organization information
+used for sharing resources across the organization.
+
+# Usage
+```hcl
+module "tf_org_role" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//terraform-organization-info-role?ref=tf-upgrade"
+
+ tags = merge(
+ local.common_tags,
+ var.application_tags,
+ )
+}
+```
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0.0 |
+| [aws](#requirement\_aws) | >= 4.0.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 4.0.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_role.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [role\_description](#input\_role\_description) | IAM Role description | `string` | `"INF Terraform Role for Organization Information"` | no |
+| [role\_name](#input\_role\_name) | IAM Role name (without prefix) | `string` | `"inf-terraform-organization-info"` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+
+## Outputs
+
+No outputs.
diff --git a/terraform-organzation-info-role/data.tf b/terraform-organzation-info-role/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/terraform-organzation-info-role/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/terraform-organzation-info-role/defaults.tf b/terraform-organzation-info-role/defaults.tf
new file mode 120000
index 0000000..a5556ac
--- /dev/null
+++ b/terraform-organzation-info-role/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
diff --git a/terraform-organzation-info-role/main.tf b/terraform-organzation-info-role/main.tf
new file mode 100644
index 0000000..c171e06
--- /dev/null
+++ b/terraform-organzation-info-role/main.tf
@@ -0,0 +1,93 @@
+/*
+* # About aws-info-setup :: terraform-organization-info-role
+*
+* Role to be assumed from terraform in a remote account (or local account) to grab organization information
+* used for sharing resources across the organization.
+*
+* # Usage
+* ```hcl
+* module "tf_org_role" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//terraform-organization-info-role?ref=tf-upgrade"
+*
+* tags = merge(
+* local.common_tags,
+* var.application_tags,
+* )
+* }
+* ```
+*/
+
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+ region = data.aws_region.current.name
+ region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
+
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:tf_module_name" = lookup(local._module_names, local._module_name, local._module_names["_main_"])
+ "boc:created_by" = "terraform"
+ }
+
+ role_name = format("%v%v", lookup(local._prefixes, "role", ""), var.role_name)
+ role_description = var.role_description == "" ? format("Role for %v", var.role_name) : var.role_description
+}
+
+data "aws_organizations_organization" "org" {}
+
+# allow assume role from org
+data "aws_iam_policy_document" "assume_role" {
+ statement {
+ sid = "STSAssumeRole"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ condition {
+ test = "StringEquals"
+ variable = "aws:PrincipalOrgID"
+ values = [data.aws_organizations_organization.org.id]
+ }
+ }
+}
+
+data "aws_iam_policy_document" "policy" {
+ statement {
+ sid = "TFRemoteOrganizationActions"
+ effect = "Allow"
+ actions = [
+ "organization:Describe*",
+ "organization:List*",
+ "ssm:DescribeParameters",
+ "ssm:GetParameter*",
+ ]
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_role" "role" {
+ name = local.role_name
+ description = local.role_description
+ force_detach_policies = local._defaults["role"]["force_detach_policies"]
+ max_session_duration = local._defaults["role"]["max_session_duration"]
+ assume_role_policy = data.aws_iam_policy_document.assume_role.json
+
+ inline_policy {
+ name = "remote-org-info"
+ policy = data.aws_iam_policy_document.policy.json
+ }
+
+ lifecycle {
+ ignore_changes = [tags["boc:tf_module_version"]]
+ }
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ # lookup(var.component_tags, "role", {}),
+ { Name = local.role_name },
+ )
+}
+
diff --git a/terraform-organzation-info-role/module_name.tf b/terraform-organzation-info-role/module_name.tf
new file mode 100644
index 0000000..bf4cb61
--- /dev/null
+++ b/terraform-organzation-info-role/module_name.tf
@@ -0,0 +1,3 @@
+locals {
+ _module_name = "aws-inf-setup/terraform-organization-info-role"
+}
diff --git a/terraform-organzation-info-role/prefixes.tf b/terraform-organzation-info-role/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/terraform-organzation-info-role/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
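Review bot: The inline policy's `"organization:Describe*"` and `"organization:List*"` use a service prefix that does not exist in IAM — the AWS Organizations prefix is `organizations` (plural, matching the `aws_organizations_organization` data source used a few lines above) — so as written the role grants no organization read access and the module's stated purpose is unmet. The same statement grants `"ssm:GetParameter*"` on `resources = ["*"]`, and because the trust policy accepts any `AWS` principal that satisfies the `aws:PrincipalOrgID` condition, every identity in every organization account can read every parameter in this account rather than only the data meant for sharing; move the parameter read into its own statement scoped to the path that holds the shared data, keeping `"*"` only for `ssm:DescribeParameters`, which does not support resource-level permissions. If only a known Terraform role is expected to assume this, an additional `aws:PrincipalArn` condition on the trust policy would narrow it further. Separately, the header comment's `source` path ends in `terraform-organization-info-role` while the directory this commit creates is `terraform-organzation-info-role`, so the documented usage will not resolve.
```hcl
# … unchanged: header comment, locals, aws_organizations_organization, assume_role document …

data "aws_iam_policy_document" "policy" {
  statement {
    sid    = "TFRemoteOrganizationActions"
    effect = "Allow"
    actions = [
      # IAM service prefix for AWS Organizations is "organizations" (plural);
      # "organization:*" matches no action.
      "organizations:Describe*",
      "organizations:List*",
      # DescribeParameters does not support resource-level permissions, so it
      # stays on "*"; parameter reads are scoped in the statement below.
      "ssm:DescribeParameters",
    ]
    resources = ["*"]
  }

  statement {
    sid     = "TFRemoteSharedParameters"
    effect  = "Allow"
    actions = ["ssm:GetParameter*"]
    # Only the path holding the data meant for sharing, not every parameter in
    # the account. <SHARED_PARAMETER_PATH> is a placeholder for that path.
    resources = [
      "arn:${data.aws_arn.current.partition}:ssm:*:${local.account_id}:parameter/<SHARED_PARAMETER_PATH>/*",
    ]
  }
}

# … unchanged: aws_iam_role.role …
```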
diff --git a/terraform-organzation-info-role/variables.common.tf b/terraform-organzation-info-role/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/terraform-organzation-info-role/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/terraform-organzation-info-role/variables.tf b/terraform-organzation-info-role/variables.tf
new file mode 100644
index 0000000..0472e38
--- /dev/null
+++ b/terraform-organzation-info-role/variables.tf
@@ -0,0 +1,11 @@
+variable "role_name" {
+ description = "IAM Role name (without prefix)"
+ type = string
+ default = "inf-terraform-organization-info"
+}
+
+variable "role_description" {
+ description = "IAM Role description"
+ type = string
+ default = "INF Terraform Role for Organization Information"
+}
diff --git a/terraform-organzation-info-role/version.tf b/terraform-organzation-info-role/version.tf
new file mode 120000
index 0000000..b83c5b7
--- /dev/null
+++ b/terraform-organzation-info-role/version.tf
@@ -0,0 +1 @@
+../common/version.tf
\ No newline at end of file
diff --git a/terraform-organzation-info-role/versions.tf b/terraform-organzation-info-role/versions.tf
new file mode 100644
index 0000000..2aa1770
--- /dev/null
+++ b/terraform-organzation-info-role/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.0.0"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.0.0"
+ }
+ }
+}