From 2f70344c8d32cb6335a19a3fd348a843d8ec86fd Mon Sep 17 00:00:00 2001 From: badra001 Date: Sat, 30 Sep 2023 08:37:32 -0400 Subject: [PATCH] - terraform-state - add `sso_permissionset_names` for use of assume role by SSO roles --- CHANGELOG.md | 4 ++++ common/version.tf | 2 +- terraform-state/README.md | 7 +++++++ terraform-state/main.tf | 9 +++++++++ terraform-state/policy.tf | 2 +- terraform-state/role.tf | 25 ++++++++++++++++++++----- terraform-state/variables.tf | 12 ++++++++++++ 7 files changed, 54 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6f1386a..1c08ee8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -196,3 +196,7 @@ * 1.16.6 -- 2023-01-03 - iam-general-policies - add ipr_vpc_endpoints to enable S3 interface endpoints + +* 1.16.7 -- 2023-09-30 + - terraform-state + - add `sso_permissionset_names` for use of assume role by SSO roles diff --git a/common/version.tf b/common/version.tf index 5c4c7bb..43bc769 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "1.16.6" + _module_version = "1.16.7" } diff --git a/terraform-state/README.md b/terraform-state/README.md index 8efda6e..4f41e3d 100644 --- a/terraform-state/README.md +++ b/terraform-state/README.md @@ -36,6 +36,7 @@ module "tfstate_full" { tfstate_bucket = "inf-tfstate-123456789012" tfstate_bucket_prefix = "inf-tfstate" tfstate_key_suffix = "terraform.tfstate" + ## sso_permissionset_names = [ "inf-terraform" ] # this is generally not needed and not recommended component_tags = { @@ -46,6 +47,8 @@ module "tfstate_full" { } } ``` +## sso\_permissionset\_names +This is a list of SSO Permission set names, which turn into a role name, for which to allow an assume role into the `inf-terraform` role. ## Requirements 
@@ -94,7 +97,9 @@ No modules. | [aws_iam_policy_document.tfstate_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.tfstate_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.tfstate_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_kms_key.kms_dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source | ## Inputs @@ -102,10 +107,12 @@ No modules. |------|-------------|------|---------|:--------:| | [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | | [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | +| [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documetnation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `false` | no | | [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` |
{
"ddb": {},
"kms": {},
"s3": {}
}
| no | | [kms\_tfstate\_key](#input\_kms\_tfstate\_key) | Terraform remote state KMS key alias | `string` | `"k-kms-inf-tfstate"` | no | | [name](#input\_name) | Name suffix to use for policies, roles and groups (default: inf-terraform) | `string` | `"inf-terraform"` | no | | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [sso\_permissionset\_names](#input\_sso\_permissionset\_names) | List of SSO Permissionset Names (aka, SSO roles) to allow to assume the role | `list(string)` |
[
"inf-terraform"
]
| no | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | | [tfstate\_bucket](#input\_tfstate\_bucket) | Terraform remote state S3 bucket | `string` | `""` | no | | [tfstate\_bucket\_prefix](#input\_tfstate\_bucket\_prefix) | Terraform remote state S3 bucket prefix, prepended to the AWS account ID to make the bucket name. | `string` | `"inf-tfstate"` | no | diff --git a/terraform-state/main.tf b/terraform-state/main.tf index cc8c9ca..250b106 100644 --- a/terraform-state/main.tf +++ b/terraform-state/main.tf @@ -37,6 +37,7 @@ * tfstate_bucket = "inf-tfstate-123456789012" * tfstate_bucket_prefix = "inf-tfstate" * tfstate_key_suffix = "terraform.tfstate" +* ## sso_permissionset_names = [ "inf-terraform" ] * * # this is generally not needed and not recommended * component_tags = { @@ -47,6 +48,9 @@ * } * } * ``` +* ## sso_permissionset_names +* This is a list of SSO Permission set names, which turn into a role name, for which to allow an assume role into the `inf-terraform` role. +* */ locals { @@ -64,6 +68,10 @@ locals { } } +# this pre-loads the key so that it is ready when the DDB table create happens +data "aws_kms_key" "kms_dynamodb" { + key_id = "alias/aws/dynamodb" +} #--- # dynamodb table @@ -146,6 +154,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" { kms_master_key_id = aws_kms_key.tfstate_key.arn sse_algorithm = "aws:kms" } + bucket_key_enabled = var.bucket_key_enabled } } diff --git a/terraform-state/policy.tf b/terraform-state/policy.tf index 29c5487..7458a45 100644 --- a/terraform-state/policy.tf +++ b/terraform-state/policy.tf 
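Review bot: The new `bucket_key_enabled = var.bucket_key_enabled` line in `aws_s3_bucket_server_side_encryption_configuration.tfstate` carries no comment on what it changes on the KMS side: with S3 Bucket Keys on, S3 derives per-object keys from a bucket-level data key and the encryption context sent to KMS becomes the bucket ARN rather than the object ARN, so a `kms:EncryptionContext:aws:s3:arn` condition written against object ARNs in the tfstate key policy (not visible in this patch) would stop matching, and KMS CloudTrail events per object become far fewer. Suggest `# Bucket Keys change the KMS encryption context to the bucket ARN; check the tfstate key policy before enabling` next to the new line. Separately, the comment on `data "aws_kms_key" "kms_dynamodb"` says it pre-loads the key for the DynamoDB table create, but a data source only orders anything if the table references it or lists it in `depends_on`, and no such reference appears in this patch, so the comment may overstate what it does. The enclosing resource block starts outside the hunk.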
@@ -25,7 +25,7 @@ resource "aws_iam_policy" "tfstate_write" { } resource "aws_iam_policy" "allow_assume_role" { - name = format("%v-%v", var.name, "allow-assume") + name = format("%v%v-%v", lookup(local._prefixes, "policy", ""), var.name, "allow-assume") path = "/" description = "Assume role for Terraform activity" policy = data.aws_iam_policy_document.allow_assume_role.json diff --git a/terraform-state/role.tf b/terraform-state/role.tf index 137f9a9..50b9cb5 100644 --- a/terraform-state/role.tf +++ b/terraform-state/role.tf @@ -3,9 +3,12 @@ locals { role_description = format("Role to be assumed Terraform execution %v", var.name) role_managed_policies_names = ["AdministratorAccess"] role_managed_policies = [for k, p in data.aws_iam_policy.role_managed_policies : p.arn] + sso_role_arn_formats = [ + format("arn:%v:iam::%v:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_%%v_*", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id), + format("arn:%v:iam::%v:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_%%v_*", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id), + ] } - data "aws_iam_policy" "role_managed_policies" { for_each = toset(local.role_managed_policies_names) name = each.key @@ -51,10 +54,22 @@ data "aws_iam_policy_document" "allow_sts" { effect = "Allow" actions = ["sts:AssumeRole"] principals { - type = "AWS" - identifiers = [ - format(local.iam_arn, "root"), - ] + type = "AWS" + identifiers = [format(local.iam_arn, "root")] + } + } + statement { + sid = "AllowSTSAssumeFromSSO" + effect = "Allow" + actions = ["sts:AssumeRole"] + principals { + type = "AWS" + identifiers = [format(local.iam_arn, "root")] + } + condition { + test = "ArnLike" + variable = "aws:PrincipalArn" + values = flatten([for p in var.sso_permissionset_names : [for f in local.sso_role_arn_formats : format(f, p)]]) } } } diff --git a/terraform-state/variables.tf b/terraform-state/variables.tf index aaa5218..7c24353 100644 
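Review bot: Prefixing `name` on `aws_iam_policy.allow_assume_role` with `lookup(local._prefixes, "policy", "")` changes the policy name for any caller with a non-empty policy prefix, and `name` forces replacement on that resource, so the policy and every attachment holding its ARN are likely destroyed and recreated on the next apply; principals relying on it would lose `sts:AssumeRole` for the duration, and anything outside Terraform that pinned the old ARN breaks. The 1.16.7 CHANGELOG entry records only `sso_permissionset_names`, so this rename and the new `bucket_key_enabled` input are invisible to consumers upgrading; add a changelog line for each and consider `lifecycle { create_before_destroy = true }` on the policy so the new name exists before the old one is removed. The rest of the resource is outside the hunk.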
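Review bot: The new `AllowSTSAssumeFromSSO` statement in `data.aws_iam_policy_document.allow_sts` does not restrict anything, because the statement above it still trusts `format(local.iam_arn, "root")` with no condition: the account root principal already covers every IAM role in the account, `AWSReservedSSO_*` roles included, so the `aws:PrincipalArn` condition is redundant and the permission set list grants nothing that was not already granted. If the intent is that only the named permission sets may assume the role, the unconditional statement needs its own condition (for example an `ArnNotLike` on `aws:PrincipalArn` for the `role/aws-reserved/sso.amazonaws.com/*` paths), or the permission set's own policy must be the control, and whichever it is should be stated in a comment on the statement. Also, when `sso_permissionset_names` is empty the `values` list is empty, and I believe IAM rejects a condition with no values as MalformedPolicyDocument; wrapping the statement in `dynamic "statement" { for_each = length(var.sso_permissionset_names) > 0 ? [1] : []` with a `content { … }` block avoids emitting it at all. Both the `locals` block and the `allow_sts` document start outside their hunks.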
--- a/terraform-state/variables.tf
+++ b/terraform-state/variables.tf
@@ -54,3 +54,15 @@ variable "name" {
 type = string
 default = "inf-terraform"
 }
+
+variable "bucket_key_enabled" {
+ description = "Enable or disable the use of S3 Bucket Keys (see AWS documetnation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html)."
+ type = bool
+ default = false
+}
+
+variable "sso_permissionset_names" {
+ description = "List of SSO Permissionset Names (aka, SSO roles) to allow to assume the role"
+ type = list(string)
+ default = ["inf-terraform"]
+}
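Review bot: The default of `sso_permissionset_names` is `["inf-terraform"]`, while the README text in this same patch describes the input as "generally not needed and not recommended"; an opt-in trust expansion should default to `[]` so that consumers who never set it get no SSO statement, keeping the example line commented out as it is now. With the default as written, every consumer of the module receives the extra trust statement on upgrade to 1.16.7 without choosing it. Minor: `documetnation` in the `bucket_key_enabled` description is a typo, and it surfaces in the generated README table.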