Commit 05cdb00d authored by Mark Antony's avatar Mark Antony

initial code

parents
Pipeline #501738 passed with stages
in 1 minute and 20 seconds
### Terraform
terraform/*/.terraform.lock.hcl
terraform/*/.terraform/
terraform/develop/terraform.*
terraform/develop/.terraform.*
terraform/develop/plan.terraform
terraform/develop/checkov.json
terraform/develop/checkov.test.xml
terraform/develop/TFCompliance-Report.xml
terraform/develop/TFCompliance-Report-public.xml
checkov.json
checkov.test.xml
TFCompliance-Report.xml
TFCompliance-Report-public.xml
plan.terraform
plan.json
terraform.tfstate*
terraform.tfstate
.terraform/*
.terraform.lock.hcl
.setenv
.test-data
terraform.jq
checkov.test.xml
tflint.test.xml
# Local .terraform directories
**/.terraform/*
# .tfstate files
*.tfstate
*.tfstate.*
# Crash log files
crash.log
# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json
# Ignore CLI configuration files
.terraformrc
terraform.rc
# Ignored Terraform files
*gitignore*.tf
# Ignore Any Generated JSON Files
operations/automation-script/apply.json
operations/automation-script/configversion.json
operations/automation-script/run.template.json
operations/automation-script/run.json
operations/automation-script/variable.template.json
operations/automation-script/variable.json
operations/automation-script/workspace.template.json
operations/automation-script/workspace.json
operations/sentinel-policies-scripts/create-policy.template.json
operations/sentinel-policies-scripts/create-policy.json
operations/variable-scripts/variable.template.json
operations/variable-scripts/variable.json
# Sentinel runtime directory
.sentinel
#############
###General###
#############
##OS - Windows
# Windows thumbnail cache files
Thumbs.db
Thumbs.db:encryptable
ehthumbs.db
ehthumbs_vista.db
# Dump file
*.stackdump
# Folder config file
[Dd]esktop.ini
# Recycle Bin used on file shares
$RECYCLE.BIN/
# Windows Installer files
*.cab
*.msi
*.msix
*.msm
*.msp
# Windows shortcuts
*.lnk
## OS - MacOS
# General
.DS_Store
.AppleDouble
.LSOverride
# Icon must end with two \r
Icon
# Thumbnails
._*
# Files that might appear in the root of a volume
.DocumentRevisions-V100
.fseventsd
.Spotlight-V100
.TemporaryItems
.Trashes
.VolumeIcon.icns
.com.apple.timemachine.donotpresent
# Directories potentially created on remote AFP share
.AppleDB
.AppleDesktop
Network Trash Folder
Temporary Items
.apdisk
## OS - Linux
*~
# temporary files which can be created if a process still has a handle open of a deleted file
.fuse_hidden*
# KDE directory preferences
.directory
# Linux trash folder which might appear on any partition or disk
.Trash-*
# .nfs files are created when an open file is removed but is still being accessed
.nfs*
## Tool - Vim
# Swap
[._]*.s[a-v][a-z]
!*.svg # comment out if you don't need vector files
[._]*.sw[a-p]
[._]s[a-rt-v][a-z]
[._]ss[a-gi-z]
[._]sw[a-p]
# Session
Session.vim
Sessionx.vim
# Temporary
.netrwhist
*~
# Auto-generated tag files
tags
# Persistent undo
[._]*.un~
## Tool - Emacs
# -*- mode: gitignore; -*-
*~
\#*\#
/.emacs.desktop
/.emacs.desktop.lock
*.elc
auto-save-list
tramp
.\#*
# Org-mode
.org-id-locations
*_archive
# flymake-mode
*_flymake.*
# eshell files
/eshell/history
/eshell/lastdir
# elpa packages
/elpa/
# reftex files
*.rel
# AUCTeX auto folder
/auto/
# cask packages
.cask/
dist/
# Flycheck
flycheck_*.el
# server auth directory
/server/
# projectiles files
.projectile
# directory configuration
.dir-locals.el
# network security
/network-security.data
## Tool - Vagrant
# General
.vagrant/
# Log files (if you are creating logs in debug mode, uncomment this)
*.log
## Tools - Tags
# Ignore tags created by etags, ctags, gtags (GNU global) and cscope
TAGS
.TAGS
!TAGS/
tags
.tags
!tags/
gtags.files
GTAGS
GRTAGS
GPATH
GSYMS
cscope.files
cscope.out
cscope.in.out
cscope.po.out
## IDE - NetBeans
**/nbproject/private/
**/nbproject/Makefile-*.mk
**/nbproject/Package-*.bash
build/
nbbuild/
dist/
nbdist/
.nb-gradle/
## IDE - VSCode
.vscode/*
!.vscode/settings.json
!.vscode/tasks.json
!.vscode/launch.json
!.vscode/extensions.json
*.code-workspace
# Local History for Visual Studio Code
.history/
## IDE - Jetbrains
# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
# User-specific stuff
.idea/**/workspace.xml
.idea/**/tasks.xml
.idea/**/usage.statistics.xml
.idea/**/dictionaries
.idea/**/shelf
# AWS User-specific
.idea/**/aws.xml
# Generated files
.idea/**/contentModel.xml
# Sensitive or high-churn files
.idea/**/dataSources/
.idea/**/dataSources.ids
.idea/**/dataSources.local.xml
.idea/**/sqlDataSources.xml
.idea/**/dynamic.xml
.idea/**/uiDesigner.xml
.idea/**/dbnavigator.xml
# Gradle
.idea/**/gradle.xml
.idea/**/libraries
# Gradle and Maven with auto-import
# When using Gradle or Maven with auto-import, you should exclude module files,
# since they will be recreated, and may cause churn. Uncomment if using
# auto-import.
.idea/artifacts
.idea/compiler.xml
.idea/jarRepositories.xml
.idea/modules.xml
.idea/*.iml
.idea/modules
*.iml
*.ipr
# CMake
cmake-build-*/
# Mongo Explorer plugin
.idea/**/mongoSettings.xml
# File-based project format
*.iws
# IntelliJ
out/
# mpeltonen/sbt-idea plugin
.idea_modules/
# JIRA plugin
atlassian-ide-plugin.xml
# Cursive Clojure plugin
.idea/replstate.xml
# Crashlytics plugin (for Android Studio and IntelliJ)
com_crashlytics_export_strings.xml
crashlytics.properties
crashlytics-build.properties
fabric.properties
# Editor-based Rest Client
.idea/httpRequests
# Android studio 3.1+ serialized cache file
.idea/caches/build_file_checksums.ser
## IDE - JDeveloper
# default application storage directory used by the IDE Performance Cache feature
.data/
# used for ADF styles caching
temp/
# default output directories
classes/
deploy/
javadoc/
# lock file, a part of Oracle Credential Store Framework
cwallet.sso.lck
## IDE - Eclipse
.metadata
bin/
tmp/
*.tmp
*.bak
*.swp
*~.nib
local.properties
.settings/
.loadpath
.recommenders
# External tool builders
.externalToolBuilders/
# Locally stored "Eclipse launch configurations"
*.launch
# PyDev specific (Python IDE for Eclipse)
*.pydevproject
# CDT-specific (C/C++ Development Tooling)
.cproject
# CDT- autotools
.autotools
# Java annotation processor (APT)
.factorypath
# PDT-specific (PHP Development Tools)
.buildpath
# sbteclipse plugin
.target
# Tern plugin
.tern-project
# TeXlipse plugin
.texlipse
# STS (Spring Tool Suite)
.springBeans
# Code Recommenders
.recommenders/
# Annotation Processing
.apt_generated/
.apt_generated_test/
# Scala IDE specific (Scala & Java development for Eclipse)
.cache-main
.scala_dependencies
.worksheet
# Uncomment this line if you wish to ignore the project description file.
# Typically, this file would be tracked if it contains build/dependency configurations:
#.project
## IDE - Cloud9
# Cloud9 IDE - http://c9.io
.c9revisions
.c9
## MISC - backup
*.bak
*.gho
*.ori
*.orig
*.tmp
## MISC - Archives
# It's better to unpack these files and commit the raw source because
# git has its own built in compression methods.
*.7z
*.jar
*.rar
*.zip
*.gz
*.gzip
*.tgz
*.bzip
*.bzip2
*.bz2
*.xz
*.lzma
*.cab
*.xar
# Packing-only formats
*.iso
*.tar
# Package management formats
*.dmg
*.xpi
*.gem
*.egg
*.deb
*.rpm
*.msi
*.msm
*.msp
*.txz
\ No newline at end of file
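Review bot: The negation `!*.svg # comment out if you don't need vector files` does not work as a negation, because gitignore has no inline comments — everything after `!`, including the ` # comment…` text, is the pattern, so no .svg file is ever un-ignored; move the comment onto its own line above `!*.svg`. `.terraform.lock.hcl` is ignored twice (under `terraform/*/` and at the root); the dependency lock file is what records the resolved provider versions and their checksums, so it is normally committed rather than ignored. Several patterns are repeated (`*~` three times, `tags`, `checkov.test.xml`, `*.bak`, `*.tmp`, `*.cab`, `*.msi`, `*.msm`, `*.msp`), which is harmless but makes the file harder to audit. The `*.log` line is active even though the comment above it says to uncomment it only when debug logs are produced.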
include:
- project: 'datateam/ecdp-infra/aws/pipeline'
ref: master
file: '.tf_with_lint_template.yml'
variables:
TF_ROOT: ${CI_PROJECT_DIR}/
TF_STATE_NAME: test
TF_TEST_VARS: '-var-file=testing.tfvars'
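Review bot: The included pipeline template is taken from `ref: master`, so any push to datateam/ecdp-infra/aws/pipeline changes this project's pipeline (and what runs with its AWS credentials) without a change here; pin the include to a tag or commit SHA, e.g. `ref: <pinned-tag-or-sha>`, and bump it deliberately. `TF_TEST_VARS: '-var-file=testing.tfvars'` hands the test fixture to the template, but whether the template uses it only for plan/validate or also for apply cannot be seen from this file.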
export DATATEAM_GROUP_DEPLOY_TOKEN="$digit_d1_datateam_test_DATATEAM_GROUP_DEPLOY_TOKEN"
export AWS_SECRET_ACCESS_KEY="$digit_d1_datateam_test_AWS_SECRET_ACCESS_KEY"
export AWS_ACCESS_KEY_ID="$digit_d1_datateam_test_AWS_ACCESS_KEY_ID"
export AWS_DEFAULT_REGION="$AWS_DEFAULT_REGION"
\ No newline at end of file
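Review bot: Each `export` copies a CI variable into the AWS credential variables without checking that the source is set, so an unset or mis-named `digit_d1_datateam_test_*` variable silently exports an empty credential and Terraform fails later with an unrelated authentication error; guard each source first, e.g. `: "${digit_d1_datateam_test_AWS_ACCESS_KEY_ID:?not set}"`. `export AWS_DEFAULT_REGION="$AWS_DEFAULT_REGION"` only re-exports whatever value is already present (an empty string if none) and adds nothing as written. If this file is the `.setenv` that the .gitignore section ignores, it is added by this commit but will be dropped from future diffs — confirm which name is intended. The file holds only variable indirections rather than secret values, which is the right shape for something that is committed.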
formatter: markdown table
header-from: main.tf
sections:
hide:
show-all: true
output-values:
enabled: false
from: ""
sort:
enabled: true
by:
- required
settings:
color: true
escape: true
indent: 3
required: false
sensitive: true
\ No newline at end of file
MIT License
Copyright © 2021, Mark Antony Lisle - EC Datateam
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
\ No newline at end of file
# iam-group-with-assumable-roles-policy
Creates IAM group with users who are allowed to assume IAM roles. This is typically done in resource AWS account where IAM users can jump into from IAM AWS account.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.6 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.23 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 2.23 |
## Modules
No modules.
## Resources
| Name | Type |
|------|------|
| [aws_iam_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group) | resource |
| [aws_iam_group_membership.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_membership) | resource |
| [aws_iam_group_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
| [aws_iam_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_assumable_roles"></a> [assumable\_roles](#input\_assumable\_roles) | List of IAM roles ARNs which can be assumed by the group | `list(string)` | `[]` | no |
| <a name="input_group_users"></a> [group\_users](#input\_group\_users) | List of IAM users to have in an IAM group which can assume the role | `list(string)` | `[]` | no |
| <a name="input_name"></a> [name](#input\_name) | Name of IAM policy and IAM group | `string` | n/a | yes |
| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no |
## Outputs
| Name | Description |
|------|-------------|
| <a name="output_assumable_roles"></a> [assumable\_roles](#output\_assumable\_roles) | List of ARNs of IAM roles which members of IAM group can assume |
| <a name="output_group_arn"></a> [group\_arn](#output\_group\_arn) | IAM group arn |
| <a name="output_group_name"></a> [group\_name](#output\_group\_name) | IAM group name |
| <a name="output_group_users"></a> [group\_users](#output\_group\_users) | List of IAM users in IAM group |
| <a name="output_policy_arn"></a> [policy\_arn](#output\_policy\_arn) | Assume role policy ARN of IAM group |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
terraform {
backend "http" {
}
}
\ No newline at end of file
data "aws_iam_policy_document" "assume_role" {
statement {
effect = "Allow"
actions = ["sts:AssumeRole"]
resources = var.assumable_roles
}
}
resource "aws_iam_policy" "this" {
name = var.name
description = "Allows to assume role in another AWS account"
policy = data.aws_iam_policy_document.assume_role.json
tags = var.tags
}
resource "aws_iam_group" "this" {
name = var.name
}
resource "aws_iam_group_policy_attachment" "this" {
group = aws_iam_group.this.id
policy_arn = aws_iam_policy.this.id
}
resource "aws_iam_group_membership" "this" {
count = length(var.group_users) > 0 ? 1 : 0
group = aws_iam_group.this.id
name = var.name
users = var.group_users
}
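Review bot: With `assumable_roles` left at its default `[]`, the `assume_role` document's statement has `resources = []`, which produces a statement with no Resource element, and IAM rejects such a policy when `aws_iam_policy.this` is created — so the module cannot be applied without at least one role; either document that the input is effectively required or validate it on the variable. `policy_arn = aws_iam_policy.this.id` works only because the `id` of an aws_iam_policy happens to be its ARN; `policy_arn = aws_iam_policy.this.arn` states what is meant and matches the `policy_arn` output. As a hardening option, the `sts:AssumeRole` statement carries no condition, so group members can assume the listed roles without MFA; a `condition` block on `aws:MultiFactorAuthPresent` is the usual addition for a jump-account group.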
output "group_users" {
description = "List of IAM users in IAM group"
value = flatten(aws_iam_group_membership.this.*.users)
}
output "assumable_roles" {
description = "List of ARNs of IAM roles which members of IAM group can assume"
value = var.assumable_roles
}
output "policy_arn" {
description = "Assume role policy ARN of IAM group"
value = aws_iam_policy.this.arn
}
output "group_name" {
description = "IAM group name"
value = aws_iam_group.this.name
}
output "group_arn" {
description = "IAM group arn"
value = aws_iam_group.this.arn
}
#Testing for IAM group with policies
name = "production-admin"
assumable_roles = ["arn:aws:iam:::role/AWSCloudFormationStackSetExecutionRole"]
group_users = ["lislema"]
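Review bot: The role ARN `arn:aws:iam:::role/AWSCloudFormationStackSetExecutionRole` has an empty account-id field; an IAM role ARN needs the 12-digit account, so this value cannot match a real role and, if IAM rejects it outright, will break the test apply — use a placeholder such as `arn:aws:iam::<ACCOUNT_ID>:role/…` filled from a variable. The fixture also names the group `production-admin` and hard-codes a personal username (`lislema`); test data in a shared repository is clearer with a non-production name and a neutral placeholder user.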
variable "name" {
description = "Name of IAM policy and IAM group"
type = string
}
variable "assumable_roles" {
description = "List of IAM roles ARNs which can be assumed by the group"
type = list(string)
default = []
}
variable "group_users" {
description = "List of IAM users to have in an IAM group which can assume the role"
type = list(string)
default = []
}
variable "tags" {
description = "A map of tags to add to all resources."
type = map(string)
default = {}
}
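Review bot: `assumable_roles` accepts any string, and its elements become the Resource of an `sts:AssumeRole` grant in main.tf, so a typo or partial ARN is only caught at apply time (or, with a wildcard, grants more than intended); a `validation` block that requires a full IAM role ARN catches this at plan time. Variable validation needs Terraform 0.13 or later, so `required_version` in versions.tf would have to move up from `>= 0.12.6`. The other three variables are fine as declared.
```hcl
variable "assumable_roles" {
  description = "List of IAM roles ARNs which can be assumed by the group"
  type        = list(string)
  default     = []

  # Fail at plan time on anything that is not a full IAM role ARN
  # (partition, empty region, 12-digit account, role/ prefix).
  validation {
    condition = length([
      for r in var.assumable_roles : r
      if !can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$", r))
    ]) == 0
    error_message = "Each element of assumable_roles must be a full IAM role ARN (arn:<partition>:iam::<account-id>:role/<name>)."
  }
}
# … unchanged: name, group_users, tags …
```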
terraform {
required_version = ">= 0.12.6"
required_providers {
aws = ">= 2.23"
}
}
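Review bot: `aws = ">= 2.23"` has no upper bound, so a fresh init may select any later major version of the AWS provider, and the dependency lock file that would otherwise hold the resolved version and checksums is ignored by this commit's .gitignore; together that means each CI run can resolve a different provider with no checksum pinning. Bound the constraint to the major versions the module has been tested against, e.g. `aws = ">= 2.23, < 4.0"`, and commit `.terraform.lock.hcl`. `required_version = ">= 0.12.6"` is likewise open-ended, which is common, but note that `validation` blocks and the `required_providers` source syntax both need 0.13 or later if they are added.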