add submodule iam-saml

CHANGELOG.md

@@ -14,3 +14,6 @@
 * v1.3 -- 20210223
   - module: rename access-logging to s3-access-logs
   - module: add s3-flow-logs
+
+* v1.4 -- 20210223
+  - module: add iam-saml

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.3"
+  _module_version = "1.4"
 }

iam-saml/bin/get-saml-metadata.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+if [ -z $AWS_ENVIRONMENT ]
+then
+  AWS_ENVIRONMENT=$1
+fi
+if [ -z $AWS_ENVIRONMENT ]
+then
+  AWS_ENVIRONMENT="east-west"
+fi
+
+if [ -z $URL_PREFIX ]
+then
+  URL_PREFIX="https://id-provider.tco.census.gov/nidp/saml2/metadata?PID="
+fi
+
+if [[ $AWS_ENVIRONMENT == "east-west" ]] || [[ $AWS_ENVIRONMENT == "ew" ]]
+then
+  SELECT="urn:amazon:webservices"
+fi
+if [[ $AWS_ENVIRONMENT == "govcloud" ]]  || [[ $AWS_ENVIRONMENT == "gov" ]]
+then
+  SELECT="urn:amazon:webservices:govcloud"
+fi
+
+if [ -z $SELECT ]
+then
+  echo "* no URL available for AWS_ENVIRONMENT=$AWS_ENVIRONMENT"
+  exit 1
+fi
+
+URL="${URL_PREFIX}${SELECT}"
+#OUTFILE="metadata.xml"
+echo "# environment=$AWS_ENVIRONMENT command=curl -q -k $URL" >&2
+curl -q -k $URL 
+status=$?
+echo $status
+

iam-saml/data.tf

@@ -0,0 +1 @@
+../common/data.tf

iam-saml/defaults.tf

@@ -0,0 +1 @@
+../common/defaults.tf

iam-saml/main.tf

@@ -0,0 +1,93 @@
+/*
+* # aws-inf-setup :: iam-saml
+* 
+* This set up the default SAML provider with the enterprise IDP, id-provider.tco.census.gov.
+* The appropriate metadata and URL are selected from the environment either East/West (ew)
+* or GovCloud (gov).
+*
+* The resulting metadata XML is saved in `setup/metdata.xml`.
+* 
+* # Usage
+* Here is a simple example, the one most commonly expected to be used.
+*
+* ```hcl
+* module "saml" {
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//iam-saml"
+*
+*   # optional
+*   saml_provider_name = "Census_TCO_IDMS"
+* }
+* ```
+*
+* When creating a role to use SAML, you will need the SAML policy document as a reference:
+*
+* ```hcl
+* resource "aws_iam_role" "role" {
+*   name                  = "my-role-name"
+*   description           = "SAML role for my-role-name"
+*   force_detach_policies = false
+*   max_session_duration  = 3600
+*   assume_role_policy    = module.saml.saml_policy_document
+* }
+* ```
+*/
+
+locals {
+  account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+  account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+
+  saml_ew_url  = "https://signin.aws.amazon.com/saml"
+  saml_gov_url = "https://signin.amazonaws-us-gov.com/saml"
+  saml_url     = local.account_environment == "gov" ? local.saml_gov_url : local.saml_ew_url
+
+  base_tags = {
+    "boc:tf_module_version" = local._module_version
+    "boc:created_by"        = "terraform"
+  }
+}
+
+resource "null_resource" "saml_metadata" {
+  provisioner "local-exec" {
+    command = "test -d ${path.root}/setup || mkdir ${path.root}/setup"
+  }
+
+  provisioner "local-exec" {
+    command = "bash ${path.module}/bin/get-saml-metadata.sh > ${path.root}/setup/metadata.xml"
+    environment = {
+      #      AWS_ENVIRONMENT = var.aws_environment
+      AWS_ENVIRONMENT = local.account_environment
+    }
+  }
+}
+
+resource "aws_iam_saml_provider" "saml" {
+  name                   = var.saml_provider_name
+  saml_metadata_document = file("${path.root}/setup/metadata.xml")
+  depends_on             = [null_resource.saml_metadata]
+
+  # when the provider supports tags, enable this section
+  #  tags = merge(
+  #    var.tags,
+  #    local.base_tags,
+  #    map("Name", local.provider_name),
+  #  )
+}
+
+data "aws_iam_policy_document" "saml_assume" {
+  statement {
+    sid     = "SAMLFederationCensusIdP"
+    effect  = "Allow"
+    actions = ["sts:AssumeRoleWithSAML"]
+
+    principals {
+      type        = "Federated"
+      identifiers = [aws_iam_saml_provider.saml.arn]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "SAML:aud"
+      values   = [local.saml_url]
+    }
+  }
+}

iam-saml/outputs.tf

@@ -0,0 +1,9 @@
+output "saml_provider" {
+  description = "SAML Provider ARN"
+  value       = aws_iam_saml_provider.saml.arn
+}
+
+output "saml_assume_policy" {
+  description = "SAML Assume Policy document JSON"
+  value       = data.aws_iam_policy_document.saml_assume.json
+}

iam-saml/policy_data.tf

@@ -0,0 +1,18 @@
+data "aws_iam_policy_document" "saml_assume" {
+  statement {
+    sid     = "SAMLFederationCensusIdP"
+    effect  = "Allow"
+    actions = ["sts:AssumeRoleWithSAML"]
+
+    principals {
+      type        = "Federated"
+      identifiers = [aws_iam_saml_provider.saml.arn]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "SAML:aud"
+      values   = [local.saml_url]
+    }
+  }
+}

iam-saml/prefixes.tf

@@ -0,0 +1 @@
+../common/prefixes.tf

iam-saml/variables.common.tf

@@ -0,0 +1 @@
+../common/variables.common.tf

iam-saml/variables.tf

@@ -0,0 +1,11 @@
+variable "saml_provider_name" {
+  description = "SAML Provider Name"
+  type        = string
+  default     = "Census_TCO_IDMS"
+}
+
+variable "component_tags" {
+  description = "Additional tags for Components (s3, kms, ddb)"
+  type        = map(map(string))
+  default     = { "s3" = {}, "kms" = {}, "ddb" = {} }
+}

iam-saml/version.tf

@@ -0,0 +1 @@
+../common/version.tf