Compare commits
No commits in common. "main" and "1.0.0" have entirely different histories.
9 changed files with 40 additions and 159 deletions
|
@ -1,16 +0,0 @@
|
||||||
---
|
|
||||||
name: 'main'
|
|
||||||
|
|
||||||
on:
|
|
||||||
push:
|
|
||||||
workflow_dispatch:
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
test:
|
|
||||||
runs-on: 'self-hosted'
|
|
||||||
steps:
|
|
||||||
- uses: 'actions/checkout@v4'
|
|
||||||
- uses: "https://git.adyxax.org/adyxax/action-tofu-aws-test@1.0.0"
|
|
||||||
with:
|
|
||||||
aws-access-key-id: "${{ vars.AWS_ACCESS_KEY_ID }}"
|
|
||||||
aws-access-key-secret: "${{ secrets.AWS_ACCESS_KEY_SECRET }}"
|
|
|
@ -2,14 +2,8 @@
|
||||||
|
|
||||||
All notable changes to this project will be documented in this file.
|
All notable changes to this project will be documented in this file.
|
||||||
|
|
||||||
## 1.1.0 - 2025-04-12
|
|
||||||
|
|
||||||
### Added
|
|
||||||
|
|
||||||
- Added default value `[]` to input variable `assume_role_account_names`.
|
|
||||||
|
|
||||||
## 1.0.0 - 2025-04-11
|
## 1.0.0 - 2025-04-11
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
- Initial import.
|
- initial import
|
||||||
|
|
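--- a/infrastructure/tofu/.gitignore
+++ b/infrastructure/tofu/.gitignore
@@ -1 +0,0 @@
-!.terraform.lock.hcl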
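--- a/infrastructure/tofu/.terraform.lock.hcl
+++ b/infrastructure/tofu/.terraform.lock.hcl
@@ -1,21 +0,0 @@
-# This file is maintained automatically by "tofu init".
-# Manual edits may be lost in future updates.
-
-provider "registry.opentofu.org/hashicorp/aws" {
-version = "5.91.0"
-constraints = "5.91.0"
-hashes = [
-"h1:g+uDHz6bZ36QaxoKWmJEYGh7OP5RAE5MPbxLohzcU18=",
-"h1:qw1Sp5py+7rRwzHgHNJvgYTeTkBnPHY7WercO1BsOh0=",
-"zh:057e6cb85e3efe2c30ef5ca47cc47abc8217e2e0dddce2e92a8d2d6f18b6cee6",
-"zh:0f15d3f599e07307ac9771c602dcaaf0c46dd259649da985cb3cb80a7a647cea",
-"zh:187086070cc878ab0a27163939516983e3efae65ebff78dc3466619cdf978dee",
-"zh:67a58fc85c630bcc6c772f573813caabe6c9af291c71c7207590fc4792e4d94e",
-"zh:68abb9382928ce29c0f3dd9a75b41ad2a453f3a46330f484d1ea858589146c1b",
-"zh:772134ba713e879e5b70d614d08a6650f156e7a3fa724d538bfa85632b1ed639",
-"zh:bf67439e47cf6720dcec7a1e2988d6c10c56d7eea69bb1ecff1b22d6bb63a36d",
-"zh:bfd0b91dc4ae338eb79ec41bede5eed7a0740380bffbdfbda362f7ed08e0e2ad",
-"zh:ca3c3313cd4971850da45ce4337b027a804389db740c310ba637bc0a86775eef",
-"zh:d75a8ec54a4783c25cb806b887f0d3c67cded08db8c496fd9cf831791e4c8482",
-]
-}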
@ -1,30 +0,0 @@
|
||||||
locals {
|
|
||||||
name = "tofu-module-aws-iam-user"
|
|
||||||
}
|
|
||||||
|
|
||||||
module "aws_iam_ci_user" {
|
|
||||||
providers = {
|
|
||||||
aws.core = aws.all["core"]
|
|
||||||
aws.root = aws.all["root"]
|
|
||||||
aws.tests = aws.all["tests"]
|
|
||||||
}
|
|
||||||
source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-ci-user?depth=1&ref=1.0.1"
|
|
||||||
|
|
||||||
name = local.name
|
|
||||||
tests_policy_statements = jsonencode([
|
|
||||||
{
|
|
||||||
Action = "iam:*"
|
|
||||||
Effect = "Allow"
|
|
||||||
Resource = [
|
|
||||||
"arn:aws:iam::*:user/tftest-user",
|
|
||||||
"arn:aws:iam::*:policy/${local.name}-tftest",
|
|
||||||
]
|
|
||||||
},
|
|
||||||
{
|
|
||||||
# Necessary for removing an IAM user
|
|
||||||
Action = "iam:ListVirtualMFADevices",
|
|
||||||
Effect = "Allow"
|
|
||||||
Resource = "*"
|
|
||||||
}
|
|
||||||
])
|
|
||||||
}
|
|
|
@ -1,24 +0,0 @@
|
||||||
terraform {
|
|
||||||
backend "s3" {
|
|
||||||
bucket = "adyxax-tofu-states"
|
|
||||||
dynamodb_table = "tofu-states"
|
|
||||||
key = "repositories/${local.name}"
|
|
||||||
profile = "core"
|
|
||||||
region = "eu-west-3"
|
|
||||||
}
|
|
||||||
required_providers {
|
|
||||||
aws = {
|
|
||||||
source = "hashicorp/aws"
|
|
||||||
version = "5.91.0"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
provider "aws" {
|
|
||||||
for_each = toset(["core", "root", "tests"])
|
|
||||||
|
|
||||||
alias = "all"
|
|
||||||
default_tags { tags = { "managed-by" = "tofu" } }
|
|
||||||
profile = each.key
|
|
||||||
region = "eu-west-3"
|
|
||||||
}
|
|
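--- a/main.tf
+++ b/main.tf
@@ -1,10 +1,9 @@
 data "aws_organizations_organization" "main" {}
 
 locals {
-aws_account_ids = length(var.assume_role_account_names) > 0 ? {
-for info in data.aws_organizations_organization.main.accounts :
+aws_account_ids = { for info in data.aws_organizations_organization.main.accounts :
 info.name => info.id
-} : {}
+}
 }
 
 resource "aws_iam_user" "main" {
@@ -15,47 +14,43 @@ resource "aws_iam_user" "main" {
 resource "aws_iam_user_policy" "main" {
 name = var.name
 policy = jsonencode({
-Statement = concat(
-length(var.assume_role_account_names) > 0 ? [
-{ # Assume roles in AWS sub-accounts
-Action = "sts:AssumeRole"
-Effect = "Allow"
-Resource = [for name in var.assume_role_account_names :
-format(
-"arn:aws:iam::%s:role/%s",
-local.aws_account_ids[name],
-var.name,
-)
-]
-}
-] : [],
-[
-{
-Action = [
-# Manage the user's own IAM access key
-"iam:CreateAccessKey",
-"iam:DeleteAccessKey",
-"iam:UpdateAccessKey",
-# Read only access to the user's IAM object
-"iam:Get*",
-"iam:List*",
-]
-Effect = "Allow"
-Resource = aws_iam_user.main.arn
-},
-{
-Action = [
-# Necessary for removing an IAM user
-"iam:ListVirtualMFADevices",
-# Describe and list the organization accounts
-"organizations:DescribeOrganization",
-"organizations:List*",
-]
-Effect = "Allow"
-Resource = "*"
-},
-]
-)
+Statement = concat([
+{ # Assume roles in AWS sub-accounts
+Action = "sts:AssumeRole"
+Effect = "Allow"
+Resource = [for name in var.assume_role_account_names :
+format(
+"arn:aws:iam::%s:role/%s",
+local.aws_account_ids[name],
+var.name,
+)
+]
+},
+{
+Action = [
+# Manage the user's own IAM access key
+"iam:CreateAccessKey",
+"iam:DeleteAccessKey",
+"iam:UpdateAccessKey",
+# Read only access to the user's IAM object
+"iam:Get*",
+"iam:List*",
+]
+Effect = "Allow"
+Resource = aws_iam_user.main.arn
+},
+{
+Action = [
+# Necessary for removing an IAM user
+"iam:ListVirtualMFADevices",
+# Describe and list the organization accounts
+"organizations:DescribeOrganization",
+"organizations:List*",
+]
+Effect = "Allow"
+Resource = "*"
+},
+])
 Version = "2012-10-17"
 })
 user = aws_iam_user.main.name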
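Review bot: On the new side of the second hunk, `local.aws_account_ids[name]` is indexed with every entry of `var.assume_role_account_names` without first checking that the name exists in the organization, so a mistyped or foreign account name fails at plan time with a generic invalid-index error instead of a message naming the offending account. Note that this compare is base=main, head=1.0.0 (the left side carries the 1.1.0 changelog entry), so the side under review is the older release; the `length(...) > 0 ?` guard present on main is presumably there so that an empty list does not produce an empty `Resource` array, which IAM rejects, and 1.0.0 has no equivalent. A `lifecycle { precondition { ... } }` on `aws_iam_user_policy.main` that requires each name to be a key of `local.aws_account_ids` would surface the bad name explicitly. The resource block continues past the end of the hunk.
```hcl
resource "aws_iam_user_policy" "main" {
  # … unchanged: name, policy, user …
  lifecycle {
    precondition {
      condition = alltrue([
        for name in var.assume_role_account_names : contains(keys(local.aws_account_ids), name)
      ])
      error_message = "Every entry of assume_role_account_names must be the name of an account in the organization."
    }
  }
```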
@ -1,15 +0,0 @@
|
||||||
provider "aws" {
|
|
||||||
profile = "tests"
|
|
||||||
region = "eu-west-3"
|
|
||||||
}
|
|
||||||
|
|
||||||
run "main" {
|
|
||||||
assert {
|
|
||||||
condition = output.access_key_id != null
|
|
||||||
error_message = "invalid IAM access key ID"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
variables {
|
|
||||||
name = "tftest-user"
|
|
||||||
}
|
|
|
@ -1,5 +1,4 @@
|
||||||
variable "assume_role_account_names" {
|
variable "assume_role_account_names" {
|
||||||
default = []
|
|
||||||
description = "The names of the AWS sub-accounts this IAM user can assume roles in."
|
description = "The names of the AWS sub-accounts this IAM user can assume roles in."
|
||||||
nullable = false
|
nullable = false
|
||||||
type = list(string)
|
type = list(string)
|
||||||
|
|