v1.6.0: add iam-cloud-admin

CHANGELOG.md

@@ -25,3 +25,6 @@
   - iam-general-policies
     - add `managed_policies` for AWS managed policy references
     - change `policies` to `custom_policies`
+
+* v1.6.0 -- 20210302
+  - module: iam-cloud-admin

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.5.1"
+  _module_version = "1.6.0"
 }

iam-cloud-admin/README.md

@@ -0,0 +1,87 @@
+# aws-inf-setup :: s3-flow-logs
+
+This set up the needed components for S3 VPC flow log bucket.  Only one flow log bucket is  
+needed
+
+* S3 bucket
+* S3 bucket objects (key prefixes, aka "directories")
+* S3 bucket policy
+
+# Usage  
+Here is a simple example, the one most commonly expected to be used.
+
+```hcl
+module "flowlogs" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-flow-flowlogs"
+}
+```
+
+This one can be used if you need to customize stuff, though really, the defaults are all built  
+for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in  
+variable file generation.
+
+```hcl
+module "flowlogs_full" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-flow-flowlogs"
+
+  # optional
+  account_alias         = "do2-govcloud"
+  bucket_name           = "inf-flowlogs-123456789012"
+
+  # flowlogs is generally not needed and not recommended
+  component_tags        = {
+    "s3" = {
+      "SpecialTag1" = "something"
+      "SpecialTag2" = "somethingElse"
+    }
+  }
+}
+```
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Modules
+
+No Modules.
+
+## Resources
+
+| Name |
+|------|
+| [aws_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) |
+| [aws_caller_identity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) |
+| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) |
+| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) |
+| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) |
+| [aws_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) |
+| [aws_s3_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) |
+| [aws_s3_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) |
+| [aws_s3_bucket_public_access_block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| account\_alias | AWS Account Alias | `string` | `""` | no |
+| account\_id | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| bucket\_name | VPC Flow Logs S3 bucket name | `string` | `""` | no |
+| bucket\_name\_prefix | VPC Flow Logs S3 bucket prefix, prepended to the AWS account ID to make the bucket name. | `string` | `"inf-flowlogs"` | no |
+| component\_tags | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | <pre>{<br>  "ddb": {},<br>  "kms": {},<br>  "s3": {}<br>}</pre> | no |
+| override\_prefixes | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| tags | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| flowlogs\_bucket\_arn | VPC Flow Logs S3 bucket ARN |
+| flowlogs\_bucket\_id | VPC Flow Logs S3 bucket ID |
+| policy\_assume\_ec2 | Policy for assume for ec2 |

iam-cloud-admin/data.tf

@@ -0,0 +1 @@
+../common/data.tf

iam-cloud-admin/defaults.tf

@@ -0,0 +1 @@
+../common/defaults.tf

iam-cloud-admin/inf-roles.tf

@@ -0,0 +1,40 @@
+
+#resource "aws_iam_role" "inf-cloud-admin" { 
+#   name        = "r-inf-cloud-admin"
+#   description = "r-inf-cloud-admin role for CSVD admins"
+# 
+#   assume_role_policy    = data.aws_iam_policy_document.inf-saml_assume.json
+#   force_detach_policies = false
+#   max_session_duration  = 3600
+# }
+# imported
+
+resource "aws_iam_role" "inf-cloud-admin" {
+  assume_role_policy = jsonencode(
+    {
+      Statement = [
+        {
+          Action = "sts:AssumeRoleWithSAML"
+          Condition = {
+            StringEquals = {
+              "SAML:aud" = "https://signin.amazonaws-us-gov.com/saml"
+            }
+          }
+          Effect = "Allow"
+          Principal = {
+            Federated = "arn:aws-us-gov:iam::107742151971:saml-provider/Census_TCO_IDMS"
+          }
+        },
+      ]
+      Version = "2012-10-17"
+    }
+  )
+  description           = "r-inf-cloud-admin role for CSVD admins"
+  force_detach_policies = false
+  max_session_duration  = 3600
+  name                  = "r-inf-cloud-admin"
+  tags = {
+    "Creator" = "ashle001"
+    "Name"    = "r-inf-cloud-admin"
+  }
+}

iam-cloud-admin/main.tf

@@ -0,0 +1,110 @@
+/*
+* # aws-inf-setup :: s3-flow-logs
+* 
+* This set up the needed components for S3 VPC flow log bucket.  Only one flow log bucket is
+* needed
+* 
+* * S3 bucket
+* * S3 bucket objects (key prefixes, aka "directories")
+* * S3 bucket policy
+* 
+* # Usage
+* Here is a simple example, the one most commonly expected to be used.
+*
+* ```hcl
+* module "flowlogs" {
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-flow-flowlogs"
+* }
+* ```
+*
+* This one can be used if you need to customize stuff, though really, the defaults are all built 
+* for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in
+* variable file generation.
+*
+* ```hcl
+* module "flowlogs_full" {
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-flow-flowlogs"
+* 
+*   # optional
+*   account_alias         = "do2-govcloud"
+*   bucket_name           = "inf-flowlogs-123456789012"
+*
+*   # flowlogs is generally not needed and not recommended
+*   component_tags        = {
+*     "s3" = {
+*       "SpecialTag1" = "something"
+*       "SpecialTag2" = "somethingElse"
+*     }
+*   }
+* }
+* ```
+*/
+
+locals {
+  account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+  flowlogs_region     = data.aws_region.current.name
+  account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+
+  bucket_name = var.bucket_name != "" ? var.bucket_name : format("%v-%v-%v", var.bucket_name_prefix, local.account_id, local.flowlogs_region)
+
+  base_tags = {
+    "Organization"          = "census:aditcio:csvd"
+    "boc:tf_module_version" = local._module_version
+    "boc:created_by"        = "terraform"
+  }
+}
+
+#---
+# s3
+#---
+resource "aws_s3_bucket" "flowlogs" {
+  bucket = local.bucket_name
+  acl    = "log-delivery-write"
+
+  # need to create the inf_ key used for infrastucture things like
+  # vpc flow, cloudtrail, config, sns, sqs
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        #        kms_master_key_id = local.inf_key_arn
+        sse_algorithm = "aws:kms"
+      }
+    }
+  }
+
+  versioning {
+    enabled = false
+  }
+
+  lifecycle {
+    prevent_destroy = true
+  }
+
+  # probably want some migration of old data to some other location
+  # like glacier
+
+  tags = merge(
+    var.tags,
+    local.base_tags,
+    lookup(var.component_tags, "s3", {}),
+    map("Name", local.bucket_name),
+  )
+
+  provisioner "local-exec" {
+    command = "sleep 30"
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "flowlogs" {
+  bucket                  = aws_s3_bucket.flowlogs.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_policy" "flowlogs" {
+  bucket = aws_s3_bucket.flowlogs.id
+  policy = data.aws_iam_policy_document.flowlogs_s3.json
+}

iam-cloud-admin/outputs.tf

@@ -0,0 +1,9 @@
+output "flowlogs_bucket_id" {
+  description = "VPC Flow Logs S3 bucket ID"
+  value       = aws_s3_bucket.flowlogs.id
+}
+
+output "flowlogs_bucket_arn" {
+  description = "VPC Flow Logs S3 bucket ARN"
+  value       = aws_s3_bucket.flowlogs.arn
+}

iam-cloud-admin/policies.sts.tf

@@ -0,0 +1,21 @@
+#----
+# STS: ec2 assume
+#---
+data "aws_iam_policy_document" "ec2_assume" {
+  statement {
+    sid     = "AWSEC2AssumeRole"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+  }
+}
+
+output "policy_assume_ec2" {
+  description = "Policy for assume for ec2"
+  value       = data.aws_iam_policy_document.ec2_assume.json
+}
+