From 54716377dfa50be19ed5c2ac7a464c42edaa50d0 Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 26 Feb 2021 15:31:55 -0500
Subject: [PATCH] update

---
 CHANGELOG.md | 3 +++
 README.md | 22 ++++++++++++++++++++--
 common/version.tf | 2 +-
 iam-saml/main.tf | 12 +++++------
 iam-saml/outputs.tf | 3 +-
 5 files changed, 30 insertions(+), 12 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index cfff987..7c2ddb1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,3 +17,6 @@
 * v1.4 -- 20210223
 - module: add iam-saml
+
+* v1.5 -- 20210226
+ - module: add iam-general-policies
diff --git a/README.md b/README.md
index b1700fe..2269d1a 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
 This contains a bunch of submodules used for setting up an AWS account, to the standard configurations we use at Census.
-## Submodules
+## Submodules :: Infrastructure
 ### [terraform-state](terraform-state)
@@ -23,9 +23,27 @@ in the bucket names: `inf-logs-{account_id}-{region}`.
 This sets up the S3 bucket used for VPC flow logs. One is needed per region, and the region and account are included in the bucket names: `inf-flowlogs-{account_id}-{region}`.
-### splunk-user
 ### object-logging
 ### cloudtrail
 ### config
 ### gpg-key
+## Submodules :: Common
+
+### [iam-saml](iam-saml)
+
+This sets up the IAM SAML Provider with id-provider.tco.census.gov. It figures out gov or ew, and imports the
+appropriate metadata accordingy, saving it in `setup/metdata.xml`. When creating a SAML role, you need to use
+the output `module.name.saml_provider_document`.
+
+### iam-general-policies
+
+This creates the proper settings for the account (password policy, etc). It also creates a handful of general purpose
+IAM policies.
+
+### iam-cloud-admin
+
+### [splunk-user](https://github.e.it.census.gov/terraform-modules/aws-splunk-configuration/tree/master/user)
+
+See [terraform-modules/aws-splunk-configuration//user](https://github.e.it.census.gov/terraform-modules/aws-splunk-configuration/tree/master/user)
+for the details on the splunk user module.
diff --git a/common/version.tf b/common/version.tf
index eadf0b6..6830365 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "1.4"
+ _module_version = "1.5"
 }
diff --git a/iam-saml/main.tf b/iam-saml/main.tf
index 7f5bf73..e4ed5e6 100644
--- a/iam-saml/main.tf
+++ b/iam-saml/main.tf
@@ -36,11 +36,10 @@ locals {
 account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
 account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
- saml_ew_url = "https://signin.aws.amazon.com/saml"
- saml_gov_url = "https://signin.amazonaws-us-gov.com/saml"
- saml_url = local.account_environment == "gov" ? local.saml_gov_url : local.saml_ew_url
- saml_metadata_file = file("${path.root}/setup/metadata.xml")
- saml_metadata_file_exists = fileexists(local.saml_metadata_file)
+ saml_ew_url = "https://signin.aws.amazon.com/saml"
+ saml_gov_url = "https://signin.amazonaws-us-gov.com/saml"
+ saml_url = local.account_environment == "gov" ? local.saml_gov_url : local.saml_ew_url
+ saml_metadata_file = "${path.root}/setup/metadata.xml"
 base_tags = {
 "boc:tf_module_version" = local._module_version
@@ -63,9 +62,8 @@ resource "null_resource" "saml_metadata" {
 }
 resource "aws_iam_saml_provider" "saml" {
- count = local.saml_metadata_file_exists ? 1 : 0
 name = var.saml_provider_name
- saml_metadata_document = local.saml_metadata_file_exists ? local.saml_metadata_file : ""
+ saml_metadata_document = fileexists(local.saml_metadata_file) ? file(local.saml_metadata_file) : ""
 depends_on = [null_resource.saml_metadata]
 # when the provider supports tags, enable this section
diff --git a/iam-saml/outputs.tf b/iam-saml/outputs.tf
index 0f42cda..0ec4f5e 100644
--- a/iam-saml/outputs.tf
+++ b/iam-saml/outputs.tf
@@ -1,7 +1,6 @@
-
 output "saml_provider" {
 description = "SAML Provider ARN"
- value = aws_iam_saml_provider.saml[0].arn
+ value = aws_iam_saml_provider.saml.arn
 }
 output "saml_assume_policy" {
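Review bot: With `count` removed from `aws_iam_saml_provider.saml`, the `""` fallback on `saml_metadata_document` now creates the provider with an empty document whenever `setup/metadata.xml` is absent at plan time, instead of skipping the resource as before; the IAM API is expected to reject an empty SAML metadata document, so the failure surfaces at apply as an API error rather than as a clear plan-time message. `fileexists()` and `file()` are evaluated during plan, so if `null_resource.saml_metadata` (its body is outside the hunk) is what writes the file, the `depends_on` does not make the document available on a first run either. Because this document is the trust anchor for federated sign-in, a missing file is better reported than papered over: `saml_metadata_document = fileexists(local.saml_metadata_file) ? file(local.saml_metadata_file) : null` should make Terraform refuse the plan with a missing-required-argument error, and a comment on that line should state when the file is expected to exist. The `saml_metadata_file` local in this file's first hunk carries the same plan-time caveat; its `locals` block starts outside the hunk.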