From 3dd3f5d0c81b2e51049d1618beef43ee85e59721 Mon Sep 17 00:00:00 2001
From: badra001
Date: Wed, 24 Feb 2021 11:59:16 -0500
Subject: [PATCH 1/6] fix
---
 iam-saml/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/iam-saml/main.tf b/iam-saml/main.tf
index 7f5bf73..7562ba5 100644
--- a/iam-saml/main.tf
+++ b/iam-saml/main.tf
@@ -39,7 +39,7 @@ locals {
 saml_ew_url = "https://signin.aws.amazon.com/saml"
 saml_gov_url = "https://signin.amazonaws-us-gov.com/saml"
 saml_url = local.account_environment == "gov" ? local.saml_gov_url : local.saml_ew_url
- saml_metadata_file = file("${path.root}/setup/metadata.xml")
+ saml_metadata_file = "${path.root}/setup/metadata.xml"
 saml_metadata_file_exists = fileexists(local.saml_metadata_file)
 
 base_tags = {
@@ -65,7 +65,7 @@ resource "null_resource" "saml_metadata" {
 resource "aws_iam_saml_provider" "saml" {
 count = local.saml_metadata_file_exists ? 1 : 0
 name = var.saml_provider_name
- saml_metadata_document = local.saml_metadata_file_exists ? local.saml_metadata_file : ""
+ saml_metadata_document = local.saml_metadata_file_exists ? file(local.saml_metadata_file) : ""
 depends_on = [null_resource.saml_metadata]
 
 # when the provider supports tags, enable this section
From 29236aea39bad2449b3aad075959826d0473d34d Mon Sep 17 00:00:00 2001
From: badra001
Date: Wed, 24 Feb 2021 12:01:01 -0500
Subject: [PATCH 2/6] fix
---
 iam-saml/policy_data.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iam-saml/policy_data.tf b/iam-saml/policy_data.tf
index fa0d26f..07ecfdf 100644
--- a/iam-saml/policy_data.tf
+++ b/iam-saml/policy_data.tf
@@ -6,7 +6,7 @@ data "aws_iam_policy_document" "saml_assume" {
 
 principals {
 type = "Federated"
- identifiers = [aws_iam_saml_provider.saml.arn]
+ identifiers = [aws_iam_saml_provider.saml[0].arn]
 }
 
 condition {
From 729698d05eccce23bb4aaf7cab93bf888ec68736 Mon Sep 17 00:00:00 2001
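Review bot: The `fileexists()` behind `count` and the `file()` call on the new `saml_metadata_document` line are both evaluated while the plan is built, and `depends_on = [null_resource.saml_metadata]` does not delay that evaluation, so on a fresh workspace where `setup/metadata.xml` does not exist yet the provider is planned with `count = 0` and anything referencing its ARN breaks until a second apply. If `null_resource.saml_metadata` is what produces the file (its body is outside the hunk), consider sourcing the document from a committed, reviewed file or a `var.saml_metadata_document` input instead of a file written during apply, and fail the plan when it is missing rather than silently skipping the provider. That document carries the IdP signing certificate every role behind this provider will trust, so its contents should show up in review and in the plan diff. The `resource "aws_iam_saml_provider" "saml"` block continues outside the hunk.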
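Review bot: `aws_iam_saml_provider.saml[0].arn` fails at plan time with an index error whenever the provider's `count` is 0, which is exactly the fresh-workspace case the `count` guard was added for, so the trust policy cannot even be planned in that state. If the data source must stay unconditional this needs a form that tolerates an empty list, otherwise give `data "aws_iam_policy_document" "saml_assume"` the same `count = local.saml_metadata_file_exists ? 1 : 0` guard so the index is always valid. The `condition` block that follows, and the rest of the statement, run outside the hunk.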
From: badra001
Date: Wed, 24 Feb 2021 12:03:43 -0500
Subject: [PATCH 3/6] fix
---
 iam-saml/main.tf | 12 +++++-------
 iam-saml/outputs.tf | 3 +--
 iam-saml/policy_data.tf | 2 +-
 3 files changed, 7 insertions(+), 10 deletions(-)
diff --git a/iam-saml/main.tf b/iam-saml/main.tf
index 7562ba5..1598789 100644
--- a/iam-saml/main.tf
+++ b/iam-saml/main.tf
@@ -36,11 +36,10 @@ locals {
 account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
 account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
 
- saml_ew_url = "https://signin.aws.amazon.com/saml"
- saml_gov_url = "https://signin.amazonaws-us-gov.com/saml"
- saml_url = local.account_environment == "gov" ? local.saml_gov_url : local.saml_ew_url
- saml_metadata_file = "${path.root}/setup/metadata.xml"
- saml_metadata_file_exists = fileexists(local.saml_metadata_file)
+ saml_ew_url = "https://signin.aws.amazon.com/saml"
+ saml_gov_url = "https://signin.amazonaws-us-gov.com/saml"
+ saml_url = local.account_environment == "gov" ? local.saml_gov_url : local.saml_ew_url
+ saml_metadata_file = "${path.root}/setup/metadata.xml"
 
 base_tags = {
 "boc:tf_module_version" = local._module_version
@@ -63,9 +62,8 @@ resource "null_resource" "saml_metadata" {
 }
 
 resource "aws_iam_saml_provider" "saml" {
- count = local.saml_metadata_file_exists ? 1 : 0
 name = var.saml_provider_name
- saml_metadata_document = local.saml_metadata_file_exists ? file(local.saml_metadata_file) : ""
+ saml_metadata_document = fileexists(local.saml_metadata_file_exists) ? file(local.saml_metadata_file) : ""
 depends_on = [null_resource.saml_metadata]
 
 # when the provider supports tags, enable this section
diff --git a/iam-saml/outputs.tf b/iam-saml/outputs.tf
index 0f42cda..0ec4f5e 100644
--- a/iam-saml/outputs.tf
+++ b/iam-saml/outputs.tf
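Review bot: `fileexists(local.saml_metadata_file_exists)` refers to a local that this same commit deletes in the `locals` hunk above, so the configuration no longer validates; the argument should be the path itself, `fileexists(local.saml_metadata_file)`. Passing the old boolean local through `fileexists()` would also have been wrong in kind even if the local still existed, since the function expects a path string. The `resource "aws_iam_saml_provider" "saml"` block continues outside the hunk.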
@@ -1,7 +1,6 @@
-
 output "saml_provider" {
 description = "SAML Provider ARN"
- value = aws_iam_saml_provider.saml[0].arn
+ value = aws_iam_saml_provider.saml.arn
 }
 
 output "saml_assume_policy" {
diff --git a/iam-saml/policy_data.tf b/iam-saml/policy_data.tf
index 07ecfdf..fa0d26f 100644
--- a/iam-saml/policy_data.tf
+++ b/iam-saml/policy_data.tf
@@ -6,7 +6,7 @@ data "aws_iam_policy_document" "saml_assume" {
 
 principals {
 type = "Federated"
- identifiers = [aws_iam_saml_provider.saml[0].arn]
+ identifiers = [aws_iam_saml_provider.saml.arn]
 }
 
 condition {
From c13aae801693f3917fde335fcf97599a189e039b Mon Sep 17 00:00:00 2001
From: badra001
Date: Wed, 24 Feb 2021 12:15:43 -0500
Subject: [PATCH 4/6] fix
---
 iam-saml/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iam-saml/main.tf b/iam-saml/main.tf
index 1598789..e4ed5e6 100644
--- a/iam-saml/main.tf
+++ b/iam-saml/main.tf
@@ -63,7 +63,7 @@ resource "null_resource" "saml_metadata" {
 
 resource "aws_iam_saml_provider" "saml" {
 name = var.saml_provider_name
- saml_metadata_document = fileexists(local.saml_metadata_file_exists) ? file(local.saml_metadata_file) : ""
+ saml_metadata_document = fileexists(local.saml_metadata_file) ? file(local.saml_metadata_file) : ""
 depends_on = [null_resource.saml_metadata]
 
 # when the provider supports tags, enable this section
From 8d17d94151454619a66d0624187a22f3b6f9748f Mon Sep 17 00:00:00 2001
From: badra001
Date: Wed, 24 Feb 2021 12:35:02 -0500
Subject: [PATCH 5/6] add sections
---
 README.md | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index b1700fe..ce9317b 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@ This contains a bunch of submodules used for setting up an AWS account, to the standard configurations we use at Census.
-## Submodules
+## Submodules :: Infrastructure
 ### [terraform-state](terraform-state)
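Review bot: The output is named `saml_provider` and documented as "SAML Provider ARN", but the README added later in this series tells callers to use `module.name.saml_provider_document` when creating a SAML role, so one of the two is wrong and a consumer following the README will get an unknown-output error. Either rename nothing and fix the README to `module.<name>.saml_provider`, or make the description say what the value is for, e.g. `description = "ARN of the IAM SAML provider; use it as the Federated principal in SAML role trust policies"`. The `output "saml_assume_policy"` block that starts on the last hunk line continues outside the hunk.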
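Review bot: A `Federated` principal on its own lets any role that uses this document be assumed with any assertion signed by the IdP in the provider's metadata, so the restriction has to come from the `condition` block, which begins on the last hunk line and continues outside the hunk where I cannot see it. The `locals` in main.tf already compute `saml_url` for the current partition, which suggests that is the intent; please confirm the condition is `test = "StringEquals"`, `variable = "SAML:aud"`, `values = [local.saml_url]`, since a missing or looser audience check would accept assertions issued for a different audience. The `data "aws_iam_policy_document" "saml_assume"` block starts before the hunk.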
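Review bot: With `count` gone, a missing `setup/metadata.xml` now produces `saml_metadata_document = ""`, which IAM rejects (the API enforces a minimum document length), so the guard only moves the failure from plan to apply and removes the explanation; an unconditional `saml_metadata_document = file(local.saml_metadata_file)` fails at plan time with the path in the message, which is the better outcome. Note also that `file()` reads whatever is on disk when the plan is built, and that content becomes the signing certificate AWS trusts for every role behind this provider; if `null_resource.saml_metadata` (outside the hunk) fetches it from the IdP, the fetch should verify the source and the resulting document should be reviewed in the plan diff rather than trusted blindly. The `resource "aws_iam_saml_provider" "saml"` block continues outside the hunk.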
@@ -23,9 +23,24 @@ in the bucket names: `inf-logs-{account_id}-{region}`. This sets up the S3 bucket used for VPC flow logs. One is needed per region, and the region and account are included in the bucket names: `inf-flowlogs-{account_id}-{region}`.
-### splunk-user
 ### object-logging
 ### cloudtrail
 ### config
 ### gpg-key
+## Submodules :: Common
+
+### [iam-saml](iam-saml)
+
+This sets up the IAM SAML Provideer with id-provider.tco.census.gov. It figures out gov or ew, and imports the
+appropriate metadata accordingy, saving it in `setup/metdata.xml`. When creating a SAML role, you need to use
+the output `module.name.saml_provider_document`.
+
+### iam-general-policies
+
+This creates the proper settings for the account (password policy, etc). It also creates a handful of general purpose
+IAM policies.
+
+### iam-cloud-admin
+
+### splunk-user
From c22ad00fd8f8de34b1659cae17c0bef9df9ee9af Mon Sep 17 00:00:00 2001
From: badra001
Date: Wed, 24 Feb 2021 14:41:59 -0500
Subject: [PATCH 6/6] update
---
 README.md | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index ce9317b..2269d1a 100644
--- a/README.md
+++ b/README.md
@@ -32,7 +32,7 @@ in the bucket names: `inf-flowlogs-{account_id}-{region}`.
 
 ### [iam-saml](iam-saml)
 
-This sets up the IAM SAML Provideer with id-provider.tco.census.gov. It figures out gov or ew, and imports the
+This sets up the IAM SAML Provider with id-provider.tco.census.gov. It figures out gov or ew, and imports the
 appropriate metadata accordingy, saving it in `setup/metdata.xml`. When creating a SAML role, you need to use
 the output `module.name.saml_provider_document`.
 
@@ -43,4 +43,7 @@ IAM policies.
 
 ### iam-cloud-admin
 
-### splunk-user
+### [splunk-user](https://github.e.it.census.gov/terraform-modules/aws-splunk-configuration/tree/master/user)
+
+See [terraform-modules/aws-splunk-configuration//user](https://github.e.it.census.gov/terraform-modules/aws-splunk-configuration/tree/master/user)
+for the details on the splunk user module.