Optionalrolenames (telia-oss#4)

* make role names optionally configurable

* move selfmanagement policy to submodule as it can't be called more than once

* add testing pipeline

Author: colincoleman

.ci/pipeline.yml

@@ -0,0 +1,39 @@
+jobs:
+  - name: test-default
+    plan:
+      - aggregate:
+        - get: this-module
+          trigger: true
+      - task: apply
+        params:
+          directory: default
+          AWS_ACCOUNT_ID: ((telia-divx-common-services-stage-account-id))
+          AWS_ACCESS_KEY_ID: ((telia-divx-common-services-stage-access-key))
+          AWS_SECRET_ACCESS_KEY: ((telia-divx-common-services-stage-secret-key))
+          AWS_SESSION_TOKEN: ((telia-divx-common-services-stage-session-token))
+          KMS_KEY_ID: ((telia-divx-common-services-stage-state-bucket-key))
+        file: this-module/.ci/tasks/apply/task.yml
+        input_mapping: {source: this-module}
+      - task: test
+        params:
+          directory: default
+          AWS_ACCESS_KEY_ID: ((telia-divx-common-services-stage-access-key))
+          AWS_SECRET_ACCESS_KEY: ((telia-divx-common-services-stage-secret-key))
+          AWS_SESSION_TOKEN: ((telia-divx-common-services-stage-session-token))
+        file: this-module/.ci/tasks/test/task.yml
+      - task: destroy
+        params:
+          directory: default
+          AWS_ACCESS_KEY_ID: ((telia-divx-common-services-stage-access-key))
+          AWS_SECRET_ACCESS_KEY: ((telia-divx-common-services-stage-secret-key))
+          AWS_SESSION_TOKEN: ((telia-divx-common-services-stage-session-token))
+        file: this-module/.ci/tasks/destroy/task.yml
+
+resources:
+  - name: this-module
+    type: git
+    source:
+      uri: [email protected]:telia-oss/terraform-aws-iam.git
+      branch: master
+      private_key: ((aws-common-services-deploy-key))
+

.ci/tasks/apply/task.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+export DIR="${PWD}"
+cp -a ${DIR}/source/. ${DIR}/secret-source/
+cd ${DIR}/secret-source/examples/${directory}
+sed -i 's#<test-account-id>#'${AWS_ACCOUNT_ID}'#g' main.tf
+sed -i 's#<kms-key-id>#'${KMS_KEY_ID}'#g' main.tf
+terraform init
+terraform apply --auto-approve
+terraform output -json > ${DIR}/terraform-out/terraform-out.json

.ci/tasks/apply/task.yml

@@ -0,0 +1,25 @@
+platform: linux
+
+image_resource:
+  type: docker-image
+  source:
+    repository: hashicorp/terraform
+    tag: "0.11.11"
+
+params:
+  AWS_ACCOUNT_ID:
+  directory:
+  AWS_ACCESS_KEY_ID:
+  AWS_SECRET_ACCESS_KEY:
+  AWS_SESSION_TOKEN:
+  KMS_KEY_ID:
+
+inputs:
+  - name: source
+
+outputs:
+  - name: secret-source
+  - name: terraform-out
+
+run:
+  path: source/.ci/tasks/apply/task.sh

.ci/tasks/destroy/task.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+export DIR="${PWD}"
+cd ${DIR}/secret-source/examples/${directory}
+rm -rf .terraform
+terraform init
+terraform destroy --auto-approve

.ci/tasks/destroy/task.yml

@@ -0,0 +1,19 @@
+platform: linux
+
+image_resource:
+  type: docker-image
+  source:
+    repository: hashicorp/terraform
+    tag: "0.11.11"
+
+params:
+  directory:
+  AWS_ACCESS_KEY_ID:
+  AWS_SECRET_ACCESS_KEY:
+  AWS_SESSION_TOKEN:
+
+inputs:
+  - name: secret-source
+
+run:
+  path: secret-source/.ci/tasks/destroy/task.sh

.ci/tasks/test/task.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+export DIR="${PWD}"
+${DIR}/secret-source/examples/${directory}/test.sh

.ci/tasks/test/task.yml

@@ -0,0 +1,19 @@
+platform: linux
+
+image_resource:
+  type: docker-image
+  source:
+    repository: teliaoss/concourse-awscli
+
+params:
+  directory:
+  AWS_ACCESS_KEY_ID:
+  AWS_SECRET_ACCESS_KEY:
+  AWS_SESSION_TOKEN:
+
+inputs:
+  - name: secret-source
+  - name: terraform-out
+
+run:
+  path: secret-source/.ci/tasks/test/task.sh

.gitignore

@@ -2,3 +2,5 @@
 **/.terraform
 **/*.tfstate*
 crash.log
+# InteliJ IDE
+.idea/

.travis.yml

@@ -2,7 +2,7 @@ dist: trusty
 sudo: true
 
 before_install:
-  - curl -fSL "https://releases.hashicorp.com/terraform/0.11.7/terraform_0.11.7_linux_amd64.zip" -o terraform.zip
+  - curl -fSL "https://releases.hashicorp.com/terraform/0.11.11/terraform_0.11.11_linux_amd64.zip" -o terraform.zip
   - sudo unzip terraform.zip -d /opt/terraform
   - sudo ln -s /opt/terraform/terraform /usr/bin/terraform
   - rm -f terraform.zip

README.md

@@ -7,7 +7,7 @@ A collection of modules for handling IAM setup.
 
 ## Examples
 
-* [Simple Example](examples/default/example.tf)
+* [Simple Example](examples/default/main.tf)
 
 ## Authors
 

examples/default/example.tf

@@ -0,0 +1,3 @@
+exports.handler = function (event, context) {
+	context.succeed('hello world');
+};

examples/default/lambda.js

@@ -0,0 +1,96 @@
+terraform {
+  required_version = "0.11.11"
+
+  backend "s3" {
+    key            = "terraform-modules/development/terraform-module-template/default.tfstate"
+    bucket         = "<test-account-id>-terraform-state"
+    dynamodb_table = "<test-account-id>-terraform-state"
+    acl            = "bucket-owner-full-control"
+    encrypt        = "true"
+    kms_key_id     = "<kms-key-id>"
+    region         = "eu-west-1"
+  }
+}
+
+provider "aws" {
+  version             = "1.60.0"
+  region              = "eu-west-1"
+  allowed_account_ids = ["<test-account-id>"]
+}
+
+data "aws_caller_identity" "current" {}
+
+module "admin" {
+  source  = "../../modules/user"
+  name    = "first.last.admin"
+  path    = "/admins/"
+  keybase = "itsdalmo"
+}
+
+module "user_policy" {
+  source = "../../modules/user-policies"
+}
+
+module "developer" {
+  source = "../../modules/user"
+
+  name    = "first.last.developer"
+  path    = "/developer/"
+  keybase = "itsdalmo"
+}
+
+module "user_roles" {
+  source                = "../../modules/user-roles"
+  trusted_account       = "${data.aws_caller_identity.current.account_id}"
+  view_only_role_suffix = "read-only"
+  admin_role_suffix     = "administrator"
+
+  admin_users = [
+    "admins/first.last.admin",
+  ]
+
+  view_only_users = [
+    "developer/first.last.developer",
+  ]
+}
+
+module "machine_role" {
+  source = "../../modules/machine-role"
+  name   = "machine-user-role"
+
+  trusted_principals = [
+    "${aws_iam_role.example-lambda-role.arn}",
+  ]
+}
+
+resource "aws_iam_role" "example-lambda-role" {
+  name = "example-lambda-role"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "basic-exec" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+  role       = "${aws_iam_role.example-lambda-role.name}"
+}
+
+resource "aws_lambda_function" "example" {
+  function_name = "example-lambda-function"
+  handler       = "lambda.handler"
+  role          = "${aws_iam_role.example-lambda-role.arn}"
+  runtime       = "nodejs8.10"
+  filename      = "lambda.zip"
+}

examples/default/lambda.zip

@@ -0,0 +1,23 @@
+#!/bin/sh
+set -euo pipefail
+
+# for integer comparisons: check_counts <testValue> <expectedValue> <testName>
+check_counts() {
+ if [ $1 -eq $2 ]
+ then
+   echo "√ $3"
+ else
+   echo "✗ $3"
+   tests_failed=$((tests_failed+1))
+fi
+}
+
+export AWS_DEFAULT_REGION=eu-west-1
+tests_failed=0
+# Add tests here e.g.
+
+#VPC_ID=`cat terraform-out/terraform-out.json | jq -r '.vpc_id.value'`
+#subnet_count=`aws ec2 describe-subnets | jq --arg VPC_ID "$VPC_ID" '.Subnets[]| select (.VpcId==$VPC_ID)' | jq -s length`
+#check_counts $subnet_count 3 "Expected # of Subnets"
+
+exit $tests_failed

examples/default/main.tf

@@ -0,0 +1,11 @@
+data "aws_caller_identity" "current" {}
+
+locals {
+  name_prefix = "${var.name_prefix == "" ? "" : "${var.name_prefix}-"}"
+}
+
+resource "aws_iam_policy" "iam_self_management" {
+  name        = "${local.name_prefix}iam-self-management"
+  description = "Allow users to manage their own IAM credentials"
+  policy      = "${data.aws_iam_policy_document.iam_self_management.json}"
+}

examples/default/test.sh

@@ -0,0 +1,4 @@
+variable "name_prefix" {
+  description = "Optional prefix to add to policy name"
+  default     = ""
+}

modules/user-policies/main.tf

@@ -9,7 +9,7 @@ locals {
 }
 
 resource "aws_iam_role" "admin" {
-  name                  = "${local.name_prefix}admin"
+  name                  = "${local.name_prefix}${var.admin_role_suffix}"
   description           = "Admin role assumable from a trusted account"
   assume_role_policy    = "${data.aws_iam_policy_document.admin_assume.json}"
   force_detach_policies = "true"
@@ -48,7 +48,7 @@ data "aws_iam_policy_document" "admin_assume" {
 }
 
 resource "aws_iam_role" "view_only" {
-  name                  = "${local.name_prefix}view-only"
+  name                  = "${local.name_prefix}${var.view_only_role_suffix}"
   description           = "View-only role assumable from a trusted account"
   assume_role_policy    = "${data.aws_iam_policy_document.view_only_assume.json}"
   force_detach_policies = "true"

modules/user/policies.tf renamed to modules/user-policies/policies.tf

@@ -6,6 +6,16 @@ variable "name_prefix" {
   default     = ""
 }
 
+variable "admin_role_suffix" {
+  description = "The suffix appended to the name_prefix for the name of the admin role"
+  default     = "admin"
+}
+
+variable "view_only_role_suffix" {
+  description = "The suffix appended to the name_prefix for the name of the view-only role"
+  default     = "view-only"
+}
+
 variable "trusted_account" {
   description = "ID of the account which is trusted with access to assume this role."
 }

modules/user-policies/variables.tf

@@ -17,9 +17,3 @@ resource "aws_iam_user_login_profile" "main" {
   password_reset_required = "false"
   password_length         = "20"
 }
-
-resource "aws_iam_policy" "iam_self_management" {
-  name        = "iam-self-management"
-  description = "Allow users to manage their own IAM credentials"
-  policy      = "${data.aws_iam_policy_document.iam_self_management.json}"
-}