This project is used to manage IAM permissions for COOL users that are allowed to read from and write to the COOL WAS database.
## Pre-requisites

- Terraform installed on your system.
- An accessible AWS S3 bucket to store Terraform state (specified in `backend.tf`).
- An accessible AWS DynamoDB database to store the Terraform state lock (specified in `backend.tf`).
- Access to all of the Terraform remote states specified in `remote_states.tf`.
- User accounts for all users must have been created previously. We recommend using the [cisagov/cool-users-non-admin](https://github.com/cisagov/cool-users-non-admin) repository to create users.
- The WAS database and related access roles must have been created previously via the [cisagov/cool-userservices-was-db](https://github.com/cisagov/cool-userservices-was-db) repository.
## Usage

- Create a Terraform workspace (if you haven't already done so) by running
  `terraform workspace new <workspace_name>`.
- Create a `<workspace_name>.tfvars` file with all of the required variables
  (see [Inputs](#inputs) below for details):

  ```hcl
  users = {
    "firstname1.lastname1" = { "role" = "read_only" },
    "firstname2.lastname2" = { "role" = "read_write" },
  }
  ```

- Run the command `terraform init`.
- Run the command `terraform apply -var-file=<workspace_name>.tfvars`.
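As an added illustration (not code from this repository), the following shows one way a `users` map in the shape shown above can be validated at plan time and split across the two IAM groups listed under Outputs. The group names are assumed to be the defaults from the Inputs table, and the resource layout is illustrative rather than this project's.

```hcl
# Added example, not this repository's code: validate the `users` map and
# assign each pre-existing IAM user to the read-only or read-write group.
variable "users" {
  type = map(object({ role = string }))

  validation {
    # Reject any role other than the two supported values before apply.
    condition = alltrue([
      for u in values(var.users) : contains(["read_only", "read_write"], u.role)
    ])
    error_message = "Each user's role must be \"read_only\" or \"read_write\"."
  }
}

# Users must already exist (see Pre-requisites); looking them up makes a
# typo in a username fail at plan time instead of creating a dangling binding.
data "aws_iam_user" "db_user" {
  for_each  = var.users
  user_name = each.key
}

locals {
  read_only_users  = [for name, u in var.users : name if u.role == "read_only"]
  read_write_users = [for name, u in var.users : name if u.role == "read_write"]
}

# Assumed names: the read_only_users_group_name and
# read_write_users_group_name defaults from the Inputs table.
resource "aws_iam_group" "read_only" {
  name = "was_db_read_only_users"
}

resource "aws_iam_group" "read_write" {
  name = "was_db_read_write_users"
}

# One membership resource per user, so removing a user from the map removes
# only that user's group binding on the next apply.
resource "aws_iam_user_group_membership" "read_only" {
  for_each = toset(local.read_only_users)
  user     = data.aws_iam_user.db_user[each.key].user_name
  groups   = [aws_iam_group.read_only.name]
}

resource "aws_iam_user_group_membership" "read_write" {
  for_each = toset(local.read_write_users)
  user     = data.aws_iam_user.db_user[each.key].user_name
  groups   = [aws_iam_group.read_write.name]
}
```

A user whose `role` is misspelled, or whose IAM user does not yet exist, fails during `terraform plan`, before any group membership is changed.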
## Requirements

| Name | Version |
|------|---------|
| terraform | ~> 1.0 |
| aws | ~> 4.9 |

## Providers

| Name | Version |
|------|---------|
| aws | ~> 4.9 |
| aws.users | ~> 4.9 |
| terraform | n/a |

## Modules

No modules.
## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| assume_userservices_was_db_read_only_policy_description | The description of the IAM policy that allows assumption of the WAS DB read-only role in the User Services staging and production accounts. | `string` | `"Allows assumption of the WAS DB read-only role in the User Services staging and production accounts."` | no |
| assume_userservices_was_db_read_only_policy_name | The name of the IAM policy that allows assumption of the WAS DB read-only role in the User Services staging and production accounts. | `string` | `"AssumeUserServicesWASDBReadOnlyRole"` | no |
| assume_userservices_was_db_read_write_policy_description | The description of the IAM policy that allows assumption of the WAS DB read-write role in the User Services staging and production accounts. | `string` | `"Allows assumption of the WAS DB read-write role in the User Services staging and production accounts."` | no |
| assume_userservices_was_db_read_write_policy_name | The name of the IAM policy that allows assumption of the WAS DB read-write role in the User Services staging and production accounts. | `string` | `"AssumeUserServicesWASDBReadWriteRole"` | no |
| aws_region | The AWS region to deploy into (e.g. us-east-1). | `string` | `"us-east-1"` | no |
| read_only_users_group_name | The name of the IAM group for WAS database users with read-only access. | `string` | `"was_db_read_only_users"` | no |
| read_write_users_group_name | The name of the IAM group for WAS database users with read-write access. | `string` | `"was_db_read_write_users"` | no |
| tags | Tags to apply to all AWS resources created. | `map(string)` | `{}` | no |
| users | A map whose keys are the usernames of each database user and whose values are a map containing supported user attributes. The only currently-supported attribute is `"role"` (string). The only currently-supported roles are `"read_only"` and `"read_write"`. Example: `{ "firstname1.lastname1" = { "role" = "read_only" }, "firstname2.lastname2" = { "role" = "read_write" } }` | `map(object({ role = string }))` | n/a | yes |
## Outputs

| Name | Description |
|------|-------------|
| read_only_users_group | The IAM group for WAS database users with read-only access. |
| read_write_users_group | The IAM group for WAS database users with read-write access. |
## Notes

Running `pre-commit` requires running `terraform init` in every directory that
contains Terraform code. In this repository, this is just the main directory.

## Contributing

We welcome contributions! Please see [CONTRIBUTING.md](CONTRIBUTING.md) for
details.
## License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.