update

CHANGELOG.md

@@ -17,3 +17,6 @@
 
 * v1.4 -- 20210223
   - module: add iam-saml
+
+* v1.5 -- 20210226
+  - module: add iam-general-policies

README.md

@@ -3,7 +3,7 @@
 This contains a bunch of submodules used for setting up an AWS account, to the standard configurations we use
 at Census.
 
-## Submodules
+## Submodules :: Infrastructure
 
 ### [terraform-state](terraform-state)
 
@@ -23,9 +23,27 @@ in the bucket names: `inf-logs-{account_id}-{region}`.
 This sets up the S3 bucket used for VPC flow logs.  One is needed per region, and the region and account are included
 in the bucket names: `inf-flowlogs-{account_id}-{region}`. 
 
-### splunk-user
 ### object-logging
 ### cloudtrail
 ### config
 ### gpg-key
 
+## Submodules :: Common
+
+### [iam-saml](iam-saml)
+
+This sets up the IAM SAML Provider with id-provider.tco.census.gov.  It figures out gov or ew, and imports the
+appropriate metadata accordingy, saving it in `setup/metdata.xml`.  When creating a SAML role, you need to use
+the output `module.name.saml_provider_document`.
+
+### iam-general-policies
+
+This creates the proper settings for the account (password policy, etc).  It also creates a handful of general purpose
+IAM policies.
+
+### iam-cloud-admin
+
+### [splunk-user](https://github.e.it.census.gov/terraform-modules/aws-splunk-configuration/tree/master/user)
+
+See [terraform-modules/aws-splunk-configuration//user](https://github.e.it.census.gov/terraform-modules/aws-splunk-configuration/tree/master/user)
+for the details on the splunk user module.

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.4"
+  _module_version = "1.5"
 }

iam-saml/main.tf

@@ -36,11 +36,10 @@ locals {
   account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
   account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
 
-  saml_ew_url               = "https://signin.aws.amazon.com/saml"
-  saml_gov_url              = "https://signin.amazonaws-us-gov.com/saml"
-  saml_url                  = local.account_environment == "gov" ? local.saml_gov_url : local.saml_ew_url
-  saml_metadata_file        = file("${path.root}/setup/metadata.xml")
-  saml_metadata_file_exists = fileexists(local.saml_metadata_file)
+  saml_ew_url        = "https://signin.aws.amazon.com/saml"
+  saml_gov_url       = "https://signin.amazonaws-us-gov.com/saml"
+  saml_url           = local.account_environment == "gov" ? local.saml_gov_url : local.saml_ew_url
+  saml_metadata_file = "${path.root}/setup/metadata.xml"
 
   base_tags = {
     "boc:tf_module_version" = local._module_version
@@ -63,9 +62,8 @@ resource "null_resource" "saml_metadata" {
 }
 
 resource "aws_iam_saml_provider" "saml" {
-  count                  = local.saml_metadata_file_exists ? 1 : 0
   name                   = var.saml_provider_name
-  saml_metadata_document = local.saml_metadata_file_exists ? local.saml_metadata_file : ""
+  saml_metadata_document = fileexists(local.saml_metadata_file) ? file(local.saml_metadata_file) : ""
   depends_on             = [null_resource.saml_metadata]
 
   # when the provider supports tags, enable this section

iam-saml/outputs.tf

@@ -1,7 +1,6 @@
-
 output "saml_provider" {
   description = "SAML Provider ARN"
-  value       = aws_iam_saml_provider.saml[0].arn
+  value       = aws_iam_saml_provider.saml.arn
 }
 
 output "saml_assume_policy" {