- route53-zone-association/terraform-role
- created to be applied in an account where a PHZ is maintained but shared to other accounts and VPCs. This allows a terraform
provider using an assume role configuration (to r-inf-terraform-route53)
- must be done after addition to organization
- route53-zone-association/lambda-role
- created to be applied in an account where a PHZ is maintained but shared to other accounts and VPCs. This will be used by
the dynamic route53 lambda to assume this role to enter the route53 records
- must be done after addition to organization
Showing
20 changed files
with
254 additions
and
22 deletions.
| @@ -1,28 +1,30 @@ | ||
| locals { | ||
| _module_version = "2.7.0" | ||
| _module_version = "2.8.0" | ||
| _module_names = { | ||
| "_main_" = "aws-vpc-setup" | ||
|
|
||
| "flowlogs" = "aws-vpc-setup/flowlogs" | ||
| "flowlogs-transit-gateway" = "aws-vpc-setup/flowlogs-transit-gateway" | ||
| "flowlogs-role" = "aws-vpc-setup/flowlogs-role" | ||
| "nacl-rules" = "aws-vpc-setup/nacl-rules" | ||
| "nacls" = "aws-vpc-setup/nacls" | ||
| "peer" = "aws-vpc-setup/peer" | ||
| "routing" = "aws-vpc-setup/routing" | ||
| "route53-zone-assoication/vpc" = "aws-vpc/setup/route53-zone-association/vpc" | ||
| "route53-zone-assoication/zone" = "aws-vpc/setup/route53-zone-association/zone" | ||
| "security-groups" = "aws-vpc-setup/security-groups" | ||
| "share-resources" = "aws-vpc-setup/share-resources" | ||
| "subnets" = "aws-vpc-setup/subnets" | ||
| "tag-shared-vpc-resources" = "aws-vpc-setup/tag-shared-vpc-resources" | ||
| "vpc" = "aws-vpc-setup/vpc" | ||
| "vpc-interface-endpoint" = "aws-vpc-setup/vpc-interface-endpoint" | ||
| "vpn" = "aws-vpc-setup/vpn" | ||
| "vpn-transit-gateway" = "aws-vpc-setup/vpn-transit-gateway" | ||
| "vpn-transit-gateway" = "aws-vpc-setup/vpn-transit-gateway" | ||
| "vpc-transit-gateway-association/data" = "aws-vpc-setup/vpc-transit-gateway-association/data" | ||
| "vpc-transit-gateway-association/self" = "aws-vpc-setup/vpc-transit-gateway-association/self" | ||
| "vpc-transit-gateway-association/peer" = "aws-vpc-setup/vpc-transit-gateway-association/peer" | ||
| "flowlogs" = "aws-vpc-setup/flowlogs" | ||
| "flowlogs-transit-gateway" = "aws-vpc-setup/flowlogs-transit-gateway" | ||
| "flowlogs-role" = "aws-vpc-setup/flowlogs-role" | ||
| "nacl-rules" = "aws-vpc-setup/nacl-rules" | ||
| "nacls" = "aws-vpc-setup/nacls" | ||
| "peer" = "aws-vpc-setup/peer" | ||
| "routing" = "aws-vpc-setup/routing" | ||
| "route53-zone-assoication/vpc" = "aws-vpc/setup/route53-zone-association/vpc" | ||
| "route53-zone-assoication/zone" = "aws-vpc/setup/route53-zone-association/zone" | ||
| "route53-zone-assoication/terraform-role" = "aws-vpc/setup/route53-zone-association/terraform-role" | ||
| "route53-zone-assoication/lambda-role" = "aws-vpc/setup/route53-zone-association/lambda-role" | ||
| "security-groups" = "aws-vpc-setup/security-groups" | ||
| "share-resources" = "aws-vpc-setup/share-resources" | ||
| "subnets" = "aws-vpc-setup/subnets" | ||
| "tag-shared-vpc-resources" = "aws-vpc-setup/tag-shared-vpc-resources" | ||
| "vpc" = "aws-vpc-setup/vpc" | ||
| "vpc-interface-endpoint" = "aws-vpc-setup/vpc-interface-endpoint" | ||
| "vpn" = "aws-vpc-setup/vpn" | ||
| "vpn-transit-gateway" = "aws-vpc-setup/vpn-transit-gateway" | ||
| "vpn-transit-gateway" = "aws-vpc-setup/vpn-transit-gateway" | ||
| "vpc-transit-gateway-association/data" = "aws-vpc-setup/vpc-transit-gateway-association/data" | ||
| "vpc-transit-gateway-association/self" = "aws-vpc-setup/vpc-transit-gateway-association/self" | ||
| "vpc-transit-gateway-association/peer" = "aws-vpc-setup/vpc-transit-gateway-association/peer" | ||
| } | ||
| } |
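Review bot: The two new entries `"route53-zone-assoication/terraform-role"` and `"route53-zone-assoication/lambda-role"` map to values beginning `aws-vpc/setup/…`, while every other value in `_module_names` begins `aws-vpc-setup/…`; that value is what the new modules write into the `boc:tf_module_name` tag via `lookup(local._module_names, local._module_name, …)`, so the roles will be tagged with a module name that does not follow the repository convention. The key spelling `assoication` must match the `_module_name` locals of the new modules (it does), but the values are free text and should read `"aws-vpc-setup/route53-zone-association/terraform-role"` and `"aws-vpc-setup/route53-zone-association/lambda-role"`. The two pre-existing `route53-zone-assoication/vpc` and `/zone` entries carry the same value typo and could be corrected in the same pass.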
| @@ -0,0 +1 @@ | ||
| ../../common/data.tf |
| @@ -0,0 +1 @@ | ||
| ../../common/defaults.tf |
| @@ -0,0 +1,80 @@ | ||
| /* | ||
| * # About aws-vpc-setup :: route53-zone-assoication :: terraform-role | ||
| * | ||
| * Role to be assumed from terraform in a remote account (or local account) to allow for associating the VPC to the PHZ | ||
| * and for updating route53 entries. This fails if not a member of an organization. | ||
| */ | ||
|
|
||
| locals { | ||
| account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id | ||
| account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew" | ||
| region = data.aws_region.current.name | ||
| region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)]) | ||
|
|
||
| base_tags = { | ||
| "boc:tf_module_version" = local._module_version | ||
| "boc:tf_module_name" = lookup(local._module_names, local._module_name, local._module_names["_main_"]) | ||
| "boc:created_by" = "terraform" | ||
| } | ||
|
|
||
| role_name = format("%v%v", lookup(local._prefixes, "role", ""), var.role_name) | ||
| role_description = var.role_description == "" ? format("Role for %v", var.role_name) : var.role_description | ||
| } | ||
|
|
||
| data "aws_organizations_organization" "org" {} | ||
|
|
||
| # allow assume role from org | ||
| data "aws_iam_policy_document" "assume_role" { | ||
| statement { | ||
| sid = "STSAssumeRole" | ||
| effect = "Allow" | ||
| actions = ["sts:AssumeRole"] | ||
| principals { | ||
| type = "AWS" | ||
| identifiers = ["*"] | ||
| } | ||
| condition { | ||
| test = "StringEquals" | ||
| variable = "aws:PrincipalOrgID" | ||
| values = [data.aws_organizations_organization.org.id] | ||
| } | ||
| } | ||
| } | ||
|
|
||
| data "aws_iam_policy_document" "policy" { | ||
| statement { | ||
| sid = "TFRemoteRoute53Actions" | ||
| effect = "Allow" | ||
| actions = [ | ||
| "route53:Get*", | ||
| "route53:List*", | ||
| "route53:TestDNSAnswer", | ||
| "route53:ChangeResourceRecordSets", | ||
| ] | ||
| resources = ["*"] | ||
| } | ||
| } | ||
|
|
||
| resource "aws_iam_role" "role" { | ||
| name = local.role_name | ||
| description = local.role_description | ||
| force_detach_policies = local._defaults["force_detach_policies"] | ||
| max_session_duration = local._defaults["max_session_duration"] | ||
| assume_role_policy = data.aws_iam_policy_document.assume_role.json | ||
|
|
||
| inline_policy { | ||
| name = "remote-route53" | ||
| policy = data.aws_iam_policy_document.policy.json | ||
| } | ||
|
|
||
| lifecycle { | ||
| ignore_changes = [tags["boc:tf_module_version"]] | ||
| } | ||
|
|
||
| tags = merge( | ||
| local.base_tags, | ||
| var.tags, | ||
| lookup(var.component_tags, "role", {}), | ||
| { Name = local.role_name }, | ||
| ) | ||
| } |
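Review bot: The trust policy in `data "aws_iam_policy_document" "assume_role"` uses `identifiers = ["*"]` with only an `aws:PrincipalOrgID` condition, so every IAM principal in every current or future member account of the organization can assume this role and call `route53:ChangeResourceRecordSets` on any hosted zone in the account, whereas the commit description says it is meant for one dynamic Route 53 lambda; the identical `assume_role` document appears in the second `main.tf` (terraform-role) added in this commit. Keep the org condition as a floor but add an `aws:PrincipalArn` condition naming the caller role(s), fed from a new list variable, so that an unrelated principal in the org gains nothing from the broad `AWS: *` principal. Separately, the header comment names `terraform-role` and says the role is "assumed from terraform", while the sibling `module.tf` sets `_module_name = "route53-zone-assoication/lambda-role"` and `variables.tf` defaults the name to `inf-dynamic-route53-actions`, which suggests this is the lambda-role module — the header should say `lambda-role` and describe the lambda as the caller.
```hcl
data "aws_iam_policy_document" "assume_role" {
  statement {
    # … unchanged: sid, effect, actions, principals, aws:PrincipalOrgID condition …

    # Proposed: only the expected caller role(s) may assume this role;
    # var.trusted_principal_arns is a new list(string) variable (constructed name).
    condition {
      test     = "ArnLike"
      variable = "aws:PrincipalArn"
      values   = var.trusted_principal_arns
    }
  }
}
```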
| @@ -0,0 +1,3 @@ | ||
| locals { | ||
| _module_name = "route53-zone-assoication/lambda-role" | ||
| } |
| @@ -0,0 +1 @@ | ||
| ../../common/prefixes.tf |
| @@ -0,0 +1 @@ | ||
| ../../common/variables.common.tf |
| @@ -0,0 +1,11 @@ | ||
| variable "role_name" { | ||
| description = "IAM Role name (without prefix)" | ||
| type = string | ||
| default = "inf-dynamic-route53-actions" | ||
| } | ||
|
|
||
| variable "role_description" { | ||
| description = "IAM Role description" | ||
| type = string | ||
| default = "INF Lambda Assume Role for Dynamic Route53 actions" | ||
| } |
| @@ -0,0 +1 @@ | ||
| ../../common/version.tf |
| @@ -0,0 +1,9 @@ | ||
| terraform { | ||
| required_version = ">= 1.0.0" | ||
| required_providers { | ||
| aws = { | ||
| source = "hashicorp/aws" | ||
| version = ">= 4.0.0" | ||
| } | ||
| } | ||
| } |
| @@ -0,0 +1 @@ | ||
| ../../common/data.tf |
| @@ -0,0 +1 @@ | ||
| ../../common/defaults.tf |
| @@ -0,0 +1,84 @@ | ||
| /* | ||
| * # About aws-vpc-setup :: route53-zone-assoication :: terraform-role | ||
| * | ||
| * Role to be assumed from terraform in a remote account (or local account) to allow for associating the VPC to the PHZ | ||
| * and for updating route53 entries. This fails if not a member of an organization. | ||
| */ | ||
|
|
||
| locals { | ||
| account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id | ||
| account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew" | ||
| region = data.aws_region.current.name | ||
| region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)]) | ||
|
|
||
| base_tags = { | ||
| "boc:tf_module_version" = local._module_version | ||
| "boc:tf_module_name" = lookup(local._module_names, local._module_name, local._module_names["_main_"]) | ||
| "boc:created_by" = "terraform" | ||
| } | ||
|
|
||
| role_name = format("%v%v", lookup(local._prefixes, "role", ""), var.role_name) | ||
| role_description = var.role_description == "" ? format("Role for %v", var.role_name) : var.role_description | ||
| } | ||
|
|
||
| data "aws_organizations_organization" "org" {} | ||
|
|
||
| # allow assume role from org | ||
| data "aws_iam_policy_document" "assume_role" { | ||
| statement { | ||
| sid = "STSAssumeRole" | ||
| effect = "Allow" | ||
| actions = ["sts:AssumeRole"] | ||
| principals { | ||
| type = "AWS" | ||
| identifiers = ["*"] | ||
| } | ||
| condition { | ||
| test = "StringEquals" | ||
| variable = "aws:PrincipalOrgID" | ||
| values = [data.aws_organizations_organization.org.id] | ||
| } | ||
| } | ||
| } | ||
|
|
||
| data "aws_iam_policy_document" "policy" { | ||
| statement { | ||
| sid = "TFRemoteRoute53Actions" | ||
| effect = "Allow" | ||
| actions = [ | ||
| "route53:Get*", | ||
| "route53:List*", | ||
| "route53:AssociateVPCWithHostedZone", | ||
| "route53:DisassociateVPCFromHostedZone", | ||
| "route53:CreateVPCAssociationAuthorization", | ||
| "route53:DeleteVPCAssociationAuthorization", | ||
| "route53:TestDNSAnswer", | ||
| "route53:ChangeResourceRecordSets", | ||
| ] | ||
| resources = ["*"] | ||
| } | ||
| } | ||
|
|
||
| resource "aws_iam_role" "role" { | ||
| name = local.role_name | ||
| description = local.role_description | ||
| force_detach_policies = local._defaults["force_detach_policies"] | ||
| max_session_duration = local._defaults["max_session_duration"] | ||
| assume_role_policy = data.aws_iam_policy_document.assume_role.json | ||
|
|
||
| inline_policy { | ||
| name = "remote-route53" | ||
| policy = data.aws_iam_policy_document.policy.json | ||
| } | ||
|
|
||
| lifecycle { | ||
| ignore_changes = [tags["boc:tf_module_version"]] | ||
| } | ||
|
|
||
| tags = merge( | ||
| local.base_tags, | ||
| var.tags, | ||
| lookup(var.component_tags, "role", {}), | ||
| { Name = local.role_name }, | ||
| ) | ||
| } |
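Review bot: The `policy` document grants `route53:AssociateVPCWithHostedZone`, `route53:DisassociateVPCFromHostedZone`, the two `*VPCAssociationAuthorization` actions and `route53:ChangeResourceRecordSets` on `resources = ["*"]`, i.e. on every hosted zone in the account, although the commit description scopes this role to the one shared PHZ. Those actions accept hosted-zone ARNs, so split the statement: keep `route53:Get*`, `route53:List*` and `route53:TestDNSAnswer` on `"*"` (the list calls require it), and put the mutating actions in a second statement with `resources = [for id in var.hosted_zone_ids : format("arn:%s:route53:::hostedzone/%s", data.aws_arn.current.partition, id)]`, where `var.hosted_zone_ids` is a new list variable; using the partition from `data.aws_arn.current` keeps the gov-partition case the `locals` block already distinguishes working. If a fixed zone list is not acceptable for this module, the same narrowing can be done per record change with the `route53:ChangeResourceRecordSetsRecordTypes` and `route53:ChangeResourceRecordSetsNormalizedRecordNames` condition keys. The trust-policy breadth of `assume_role` is raised on the lambda-role `main.tf` in this commit and applies here unchanged.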
| @@ -0,0 +1,3 @@ | ||
| locals { | ||
| _module_name = "route53-zone-assoication/terraform-role" | ||
| } |
| @@ -0,0 +1 @@ | ||
| ../../common/prefixes.tf |
| @@ -0,0 +1 @@ | ||
| ../../common/variables.common.tf |
| @@ -0,0 +1,11 @@ | ||
| variable "role_name" { | ||
| description = "IAM Role name (without prefix)" | ||
| type = string | ||
| default = "inf-terraform-route53" | ||
| } | ||
|
|
||
| variable "role_description" { | ||
| description = "IAM Role description" | ||
| type = string | ||
| default = "INF Terraform Role for Route53 actions" | ||
| } |
| @@ -0,0 +1 @@ | ||
| ../../common/version.tf |
| @@ -0,0 +1,9 @@ | ||
| terraform { | ||
| required_version = ">= 1.0.0" | ||
| required_providers { | ||
| aws = { | ||
| source = "hashicorp/aws" | ||
| version = ">= 4.0.0" | ||
| } | ||
| } | ||
| } |