Accueil Explorer Aide
S'inscrire Connexion
AFS
/
xdr-terraform-modules
2
0
Fork 0
Fichiers Tickets 0 Pull Requests 0 Wiki
Aborescence: c55624a814
Branches Tags
xdr-terraform-m...
/
submodules
/
iam
/
common_services_roles
Fred Damstra [afs macbook] d6aca48293 Minor Fixes for Terraform Update il y a 4 ans
..
modules d6aca48293 Minor Fixes for Terraform Update il y a 4 ans
README.md ffc81e90b9 Decouples IAM terraform from the `live` repository il y a 5 ans
account_alias.tf ffc81e90b9 Decouples IAM terraform from the `live` repository il y a 5 ans
assume_role_policy-non_saml.tf dbe7c4d98b Adds an S3 bucket for distributing trumpet in govcloud il y a 4 ans
assume_role_policy-okta_saml.tf ffc81e90b9 Decouples IAM terraform from the `live` repository il y a 5 ans
datasources.tf ffc81e90b9 Decouples IAM terraform from the `live` repository il y a 5 ans
locals.tf ffc81e90b9 Decouples IAM terraform from the `live` repository il y a 5 ans
module-policies.tf ffc81e90b9 Decouples IAM terraform from the `live` repository il y a 5 ans
role-mdr_developer.tf dbe7c4d98b Adds an S3 bucket for distributing trumpet in govcloud il y a 4 ans
role-mdr_developer_readonly.tf 44d01b5fff [MSOCI-1388] increase some roles to 8hrs to avoid packer issues il y a 5 ans
role-mdr_engineer_readonly.tf 17b18c592e Increases session duration to 8 hours to accomodate transfer of ISOs il y a 5 ans
role-mdr_terraformer.tf 65bf317038 Adds 'AWSSupportAccess' Policy to mdr_terraformer il y a 5 ans
saml_provider.tf ffc81e90b9 Decouples IAM terraform from the `live` repository il y a 5 ans
variables.tf ffc81e90b9 Decouples IAM terraform from the `live` repository il y a 5 ans
versions.tf d6aca48293 Minor Fixes for Terraform Update il y a 4 ans

README.md

common_services_roles module

Creates "standard" IAM policies and roles in an account being treated like an AWS organizations hierarchy root.

Picture our collection of AWS accounts with the "common-services" account being the root of an Organizations hierarchy, where all of the users exist there and AssumeRole to the correct role in the child account

common-services
    prod-c2
    test-c2
    prod-customer-1
    prod-customer-2
    ...

This module makes one SAML-linked role mdr_engineer_readonly that we access via OKTA. From there you AssumeRole into mdr_terraformer to make changes - either in this account or in others. Or, you AssumeRole into mdr_engineer_readonly in the other accounts for "just browsing".

Make sure you have an OKTA_API_TOKEN enviornment variable set with an Okta API token.

Providers

Name Version
aws ~2.0?
okta ?

Inputs

Name Description Type Required
okta_app The (friendly) name of the Okta app. In our environment either "AWS - Commercial" or "AWS - GovCloud" string Yes
account_alias The account alias that should be set for the AWS account. This is an AWS global value string yes

Roles created

Role Name Attached Policies Description
/user/mdr_engineer_readonly ReadOnlyAccess
mdr_engineer_readonly_assumerole		 Read only access to AWS console with ability to escalate to Terraformer role
/user/mdr_terraformer mdr_terraformer Full read/write access to (almost) everything. Has some limitations around PassRole and AssumeRole

Modules referenced

Module name purpose
standard_iam_policies defines the policies used by the roles
saml_linked_role submodule that defines the okta group and role