Skip to content

Commit

Permalink
feat: add AWS import
Browse files Browse the repository at this point in the history
Issue GH-2
  • Loading branch information
SMillerDev committed Jul 15, 2024
1 parent b662b4a commit d1e134f
Show file tree
Hide file tree
Showing 8 changed files with 260 additions and 6 deletions.
17 changes: 17 additions & 0 deletions .terraform.lock.hcl

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

135 changes: 135 additions & 0 deletions aws/iam-sso.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,135 @@
data "aws_ssoadmin_instances" "main" {}

resource "aws_identitystore_group" "group" {
for_each = var.teams
display_name = each.key
identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0]
}

resource "aws_identitystore_user" "main" {
for_each = merge(nonsensitive(var.teams.PLC), nonsensitive(var.teams.Ops), nonsensitive(var.teams.Security), nonsensitive(var.teams.Analytics))
identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0]

display_name = each.key
user_name = each.key
nickname = each.key

name {
given_name = each.key
family_name = "Brew"
}

emails {
value = sensitive(each.value)
}

lifecycle {
ignore_changes = [name, display_name]
}
}

resource "aws_identitystore_group_membership" "plc" {
for_each = nonsensitive(var.teams.PLC)

identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0]
group_id = aws_identitystore_group.group["PLC"].group_id
member_id = aws_identitystore_user.main[each.key].user_id
}

resource "aws_identitystore_group_membership" "ops" {
for_each = nonsensitive(var.teams.Ops)

identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0]
group_id = aws_identitystore_group.group["Ops"].group_id
member_id = aws_identitystore_user.main[each.key].user_id
}

resource "aws_identitystore_group_membership" "security" {
for_each = nonsensitive(var.teams.Security)

identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0]
group_id = aws_identitystore_group.group["Security"].group_id
member_id = aws_identitystore_user.main[each.key].user_id
}

resource "aws_identitystore_group_membership" "analytics" {
for_each = nonsensitive(var.teams.Analytics)

identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0]
group_id = aws_identitystore_group.group["Analytics"].group_id
member_id = aws_identitystore_user.main[each.key].user_id
}

resource "aws_ssoadmin_permission_set" "OpsAccess" {
name = "OpsAccess"
description = "Access for Ops"
instance_arn = tolist(data.aws_ssoadmin_instances.main.arns)[0]
}
resource "aws_ssoadmin_managed_policy_attachment" "OpsAccess" {
depends_on = [aws_ssoadmin_account_assignment.Ops]

instance_arn = tolist(data.aws_ssoadmin_instances.main.arns)[0]
managed_policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
permission_set_arn = aws_ssoadmin_permission_set.OpsAccess.arn
}

resource "aws_ssoadmin_permission_set" "SecurityTeam" {
name = "SecurityTeam"
description = "Access for the security team"
instance_arn = tolist(data.aws_ssoadmin_instances.main.arns)[0]
}
resource "aws_ssoadmin_managed_policy_attachment" "SecurityTeam" {
depends_on = [aws_ssoadmin_account_assignment.security]

instance_arn = tolist(data.aws_ssoadmin_instances.main.arns)[0]
managed_policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
permission_set_arn = aws_ssoadmin_permission_set.SecurityTeam.arn
}

resource "aws_ssoadmin_permission_set" "Billing" {
name = "Billing"
description = "Access for the PLC"
instance_arn = tolist(data.aws_ssoadmin_instances.main.arns)[0]
}
resource "aws_ssoadmin_managed_policy_attachment" "Billing" {
depends_on = [aws_ssoadmin_account_assignment.billing]

instance_arn = tolist(data.aws_ssoadmin_instances.main.arns)[0]
managed_policy_arn = "arn:aws:iam::aws:policy/job-function/Billing"
permission_set_arn = aws_ssoadmin_permission_set.Billing.arn
}

data "aws_caller_identity" "current" {}

resource "aws_ssoadmin_account_assignment" "billing" {
instance_arn = tolist(data.aws_ssoadmin_instances.main.arns)[0]
permission_set_arn = aws_ssoadmin_permission_set.Billing.arn

principal_id = aws_identitystore_group.group["PLC"].group_id
principal_type = "GROUP"

target_id = data.aws_caller_identity.current.account_id
target_type = "AWS_ACCOUNT"
}

resource "aws_ssoadmin_account_assignment" "security" {
instance_arn = tolist(data.aws_ssoadmin_instances.main.arns)[0]
permission_set_arn = aws_ssoadmin_permission_set.SecurityTeam.arn

principal_id = aws_identitystore_group.group["Security"].group_id
principal_type = "GROUP"

target_id = data.aws_caller_identity.current.account_id
target_type = "AWS_ACCOUNT"
}

resource "aws_ssoadmin_account_assignment" "Ops" {
instance_arn = tolist(data.aws_ssoadmin_instances.main.arns)[0]
permission_set_arn = aws_ssoadmin_permission_set.OpsAccess.arn

principal_id = aws_identitystore_group.group["Ops"].group_id
principal_type = "GROUP"

target_id = data.aws_caller_identity.current.account_id
target_type = "AWS_ACCOUNT"
}
11 changes: 11 additions & 0 deletions aws/main.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
provider "aws" {
region = "us-east-1"
}

resource "aws_iam_openid_connect_provider" "github_actions" {
url = "https://token.actions.githubusercontent.com"

client_id_list = ["sts.amazonaws.com"]

thumbprint_list = ["1c58a3a8518e8759bf075b76b750d4f2df264fcd"]
}
64 changes: 64 additions & 0 deletions aws/roles.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
data "aws_iam_policy_document" "codebuild_policy_document" {
statement {
actions = ["logs:*"]
resources = ["arn:aws:logs:*:*:*"]
effect = "Allow"
}
statement {
actions = [
"s3:List*",
"s3:Get*",
"s3:Put*",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
]
resources = [
"arn:aws:s3:::homebrew-terraform-state/*",
"arn:aws:s3:::homebrew-terraform-state"
]
effect = "Allow"
}
statement {
effect = "Allow"
actions = [
"iam:*",
]
resources = ["*"]
}
}

resource "aws_iam_policy" "policy" {
name = "OpentofuPolicy"
path = "/"
description = "Policy to allow Opentofu to do it's thing"

policy = data.aws_iam_policy_document.codebuild_policy_document.json
}

resource "aws_iam_role" "github_tf" {
name = "GitHubActionsS3Role"
description = "Allow GitHub actions access to S3 to store TF state"
assume_role_policy = jsonencode({
Statement = [
{
Action = "sts:AssumeRoleWithWebIdentity"
Effect = "Allow"
Condition = {
StringEquals = {
"token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
}
StringLike = {
"token.actions.githubusercontent.com:sub" = "repo:Homebrew/homebrew-user-management:*"
}
}
Principal = {
Federated = aws_iam_openid_connect_provider.github_actions.arn
}
},
]
Version = "2012-10-17"
})
managed_policy_arns = [
"arn:aws:iam::aws:policy/AmazonS3FullAccess",
]
}
3 changes: 3 additions & 0 deletions aws/vars.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
variable "teams" {
type = map(map(string))
}
12 changes: 6 additions & 6 deletions dnsimple/contacts.tf
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,12 @@ resource "dnsimple_contact" "ocf" {
last_name = "Maintainers"
email = "[email protected]"

phone = "+1 555 1234"
address1 = "123 Homebrew Street"
city = "Homebrew"
state_province = "HB"
postal_code = "00001"
country = "United States"
phone = sensitive("+1 555 1234")
address1 = sensitive("123 Homebrew Street")
city = sensitive("Homebrew")
state_province = sensitive("HB")
postal_code = sensitive("00001")
country = "US"

lifecycle {
ignore_changes = [address1, city, state_province, postal_code, phone]
Expand Down
10 changes: 10 additions & 0 deletions import.tf
Original file line number Diff line number Diff line change
Expand Up @@ -56,3 +56,13 @@ import {
to = module.dnsimple.dnsimple_contact.ocf
id = 52414
}

import {
to = module.aws.aws_iam_openid_connect_provider.github_actions
id = "arn:aws:iam::765021812025:oidc-provider/token.actions.githubusercontent.com"
}

import {
to = module.aws.aws_iam_role.github_tf
id = "GitHubActionsS3Role"
}
14 changes: 14 additions & 0 deletions main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,20 @@ module "github" {
unmanagable_members = local.unmanagable_members
}

locals {
emails = nonsensitive({ for username, email in module.github.member_emails : username => lookup(var.email_overrides, username, email) })
}

module "aws" {
source = "./aws"
teams = {
Ops = { for username in var.teams.maintainers.ops : username => local.emails[username] if lookup(local.emails, username, "") != "" }
Security = { for username in var.teams.security : username => local.emails[username] if lookup(local.emails, username, "") != "" }
PLC = { for username in var.teams.plc : username => local.emails[username] if lookup(local.emails, username, "") != "" }
Analytics = { for username in var.teams.maintainers.analytics : username => local.emails[username] if lookup(local.emails, username, "") != "" }
}
}

module "google-cloud" {
source = "./google-cloud"
ops = module.github.ops
Expand Down

0 comments on commit d1e134f

Please sign in to comment.