feat: add AWS import

Issue GH-2

aws/iam-sso.tf

@@ -0,0 +1,135 @@
+data "aws_ssoadmin_instances" "main" {}
+
+resource "aws_identitystore_group" "group" {
+  for_each          = var.teams
+  display_name      = each.key
+  identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0]
+}
+
+resource "aws_identitystore_user" "main" {
+  for_each          = merge(nonsensitive(var.teams.PLC), nonsensitive(var.teams.Ops), nonsensitive(var.teams.Security), nonsensitive(var.teams.Analytics))
+  identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0]
+
+  display_name = each.key
+  user_name    = each.key
+  nickname = each.key
+
+  name {
+    given_name  = each.key
+    family_name = "Brew"
+  }
+
+  emails {
+    value = sensitive(each.value)
+  }
+
+  lifecycle {
+    ignore_changes = [name, display_name]
+  }
+}
+
+resource "aws_identitystore_group_membership" "plc" {
+  for_each = nonsensitive(var.teams.PLC)
+
+  identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0]
+  group_id          = aws_identitystore_group.group["PLC"].group_id
+  member_id         = aws_identitystore_user.main[each.key].user_id
+}
+
+resource "aws_identitystore_group_membership" "ops" {
+  for_each = nonsensitive(var.teams.Ops)
+
+  identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0]
+  group_id          = aws_identitystore_group.group["Ops"].group_id
+  member_id         = aws_identitystore_user.main[each.key].user_id
+}
+
+resource "aws_identitystore_group_membership" "security" {
+  for_each = nonsensitive(var.teams.Security)
+
+  identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0]
+  group_id          = aws_identitystore_group.group["Security"].group_id
+  member_id         = aws_identitystore_user.main[each.key].user_id
+}
+
+resource "aws_identitystore_group_membership" "analytics" {
+  for_each = nonsensitive(var.teams.Analytics)
+
+  identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0]
+  group_id          = aws_identitystore_group.group["Analytics"].group_id
+  member_id         = aws_identitystore_user.main[each.key].user_id
+}
+
+resource "aws_ssoadmin_permission_set" "OpsAccess" {
+  name             = "OpsAccess"
+  description      = "Access for Ops"
+  instance_arn       = tolist(data.aws_ssoadmin_instances.main.arns)[0]
+}
+resource "aws_ssoadmin_managed_policy_attachment" "OpsAccess" {
+  depends_on = [ aws_ssoadmin_account_assignment.Ops ]
+
+  instance_arn       = tolist(data.aws_ssoadmin_instances.main.arns)[0]
+  managed_policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+  permission_set_arn = aws_ssoadmin_permission_set.OpsAccess.arn
+}
+
+resource "aws_ssoadmin_permission_set" "SecurityTeam" {
+  name             = "SecurityTeam"
+  description      = "Access for the security team"
+  instance_arn       = tolist(data.aws_ssoadmin_instances.main.arns)[0]
+}
+resource "aws_ssoadmin_managed_policy_attachment" "SecurityTeam" {
+  depends_on = [ aws_ssoadmin_account_assignment.security ]
+
+  instance_arn       = tolist(data.aws_ssoadmin_instances.main.arns)[0]
+  managed_policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+  permission_set_arn = aws_ssoadmin_permission_set.SecurityTeam.arn
+}
+
+resource "aws_ssoadmin_permission_set" "Billing" {
+  name             = "Billing"
+  description      = "Access for the PLC"
+  instance_arn       = tolist(data.aws_ssoadmin_instances.main.arns)[0]
+}
+resource "aws_ssoadmin_managed_policy_attachment" "Billing" {
+  depends_on = [ aws_ssoadmin_account_assignment.billing ]
+
+  instance_arn       = tolist(data.aws_ssoadmin_instances.main.arns)[0]
+  managed_policy_arn = "arn:aws:iam::aws:policy/job-function/Billing"
+  permission_set_arn = aws_ssoadmin_permission_set.Billing.arn
+}
+
+data "aws_caller_identity" "current" {}
+
+resource "aws_ssoadmin_account_assignment" "billing" {
+  instance_arn       = tolist(data.aws_ssoadmin_instances.main.arns)[0]
+  permission_set_arn = aws_ssoadmin_permission_set.Billing.arn
+
+  principal_id   = aws_identitystore_group.group["PLC"].group_id
+  principal_type = "GROUP"
+
+  target_id   = data.aws_caller_identity.current.account_id
+  target_type = "AWS_ACCOUNT"
+}
+
+resource "aws_ssoadmin_account_assignment" "security" {
+  instance_arn       = tolist(data.aws_ssoadmin_instances.main.arns)[0]
+  permission_set_arn = aws_ssoadmin_permission_set.SecurityTeam.arn
+
+  principal_id   = aws_identitystore_group.group["Security"].group_id
+  principal_type = "GROUP"
+
+  target_id   = data.aws_caller_identity.current.account_id
+  target_type = "AWS_ACCOUNT"
+}
+
+resource "aws_ssoadmin_account_assignment" "Ops" {
+  instance_arn       = tolist(data.aws_ssoadmin_instances.main.arns)[0]
+  permission_set_arn = aws_ssoadmin_permission_set.OpsAccess.arn
+
+  principal_id   = aws_identitystore_group.group["Ops"].group_id
+  principal_type = "GROUP"
+
+  target_id   = data.aws_caller_identity.current.account_id
+  target_type = "AWS_ACCOUNT"
+}

aws/main.tf

@@ -0,0 +1,11 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+resource "aws_iam_openid_connect_provider" "github_actions" {
+  url = "https://token.actions.githubusercontent.com"
+
+  client_id_list = ["sts.amazonaws.com"]
+
+  thumbprint_list = ["1c58a3a8518e8759bf075b76b750d4f2df264fcd"]
+}

aws/roles.tf

@@ -0,0 +1,64 @@
+data "aws_iam_policy_document" "codebuild_policy_document" {
+  statement {
+    actions   = ["logs:*"]
+    resources = ["arn:aws:logs:*:*:*"]
+    effect    = "Allow"
+  }
+  statement {
+    actions = [
+      "s3:List*",
+      "s3:Get*",
+      "s3:Put*",
+      "s3:DeleteObject",
+      "s3:DeleteObjectVersion"
+    ]
+    resources = [
+      "arn:aws:s3:::homebrew-terraform-state/*",
+      "arn:aws:s3:::homebrew-terraform-state"
+    ]
+    effect = "Allow"
+  }
+  statement {
+    effect = "Allow"
+    actions = [
+      "iam:*",
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "policy" {
+  name        = "OpentofuPolicy"
+  path        = "/"
+  description = "Policy to allow Opentofu to do it's thing"
+
+  policy = data.aws_iam_policy_document.codebuild_policy_document.json
+}
+
+resource "aws_iam_role" "github_tf" {
+  name        = "GitHubActionsS3Role"
+  description = "Allow GitHub actions access to S3 to store TF state"
+  assume_role_policy = jsonencode({
+    Statement = [
+      {
+        Action = "sts:AssumeRoleWithWebIdentity"
+        Effect = "Allow"
+        Condition = {
+          StringEquals = {
+            "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
+          }
+          StringLike = {
+            "token.actions.githubusercontent.com:sub" = "repo:Homebrew/homebrew-user-management:*"
+          }
+        }
+        Principal = {
+          Federated = aws_iam_openid_connect_provider.github_actions.arn
+        }
+      },
+    ]
+    Version = "2012-10-17"
+  })
+  managed_policy_arns = [
+    "arn:aws:iam::aws:policy/AmazonS3FullAccess",
+  ]
+}

aws/vars.tf

@@ -0,0 +1,3 @@
+variable "teams" {
+  type = map(map(string))
+}

import.tf

@@ -56,3 +56,13 @@ import {
   to = module.dnsimple.dnsimple_contact.ocf
   id = 52414
 }
+
+import {
+  to = module.aws.aws_iam_openid_connect_provider.github_actions
+  id = "arn:aws:iam::765021812025:oidc-provider/token.actions.githubusercontent.com"
+}
+
+import {
+  to = module.aws.aws_iam_role.github_tf
+  id = "GitHubActionsS3Role"
+}

main.tf

@@ -31,6 +31,20 @@ module "github" {
   unmanagable_members = local.unmanagable_members
 }
 
+locals {
+  emails = nonsensitive({ for username, email in module.github.member_emails : username => lookup(var.email_overrides, username, email) })
+}
+
+module "aws" {
+  source = "./aws"
+  teams = {
+    Ops      = { for username in var.teams.maintainers.ops : username => local.emails[username] if lookup(local.emails, username, "") != "" }
+    Security = { for username in var.teams.security : username => local.emails[username] if lookup(local.emails, username, "") != "" }
+    PLC      = { for username in var.teams.plc : username => local.emails[username] if lookup(local.emails, username, "") != "" }
+    Analytics = { for username in var.teams.maintainers.analytics : username => local.emails[username] if lookup(local.emails, username, "") != "" }
+  }
+}
+
 module "google-cloud" {
   source = "./google-cloud"
   ops    = module.github.ops