Skip to content
/ cool-was-db-iam Public

Terraform to manage IAM permissions for COOL users that are allowed to read from and write to the COOL WAS database

License

CC0-1.0 license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

cisagov/cool-was-db-iam

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

781 Commits
.github
.github
 
 
.ansible-lint
.ansible-lint
 
 
.bandit.yml
.bandit.yml
 
 
.flake8
.flake8
 
 
.gitignore
.gitignore
 
 
.isort.cfg
.isort.cfg
 
 
.mdl_config.yaml
.mdl_config.yaml
 
 
.pre-commit-config.yaml
.pre-commit-config.yaml
 
 
.prettierignore
.prettierignore
 
 
.terraform-docs.yml
.terraform-docs.yml
 
 
.yamllint
.yamllint
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
backend.tf
backend.tf
 
 
group_membership.tf
group_membership.tf
 
 
groups.tf
groups.tf
 
 
locals.tf
locals.tf
 
 
outputs.tf
outputs.tf
 
 
policy_assume_read_only_role.tf
policy_assume_read_only_role.tf
 
 
policy_assume_read_write_role.tf
policy_assume_read_write_role.tf
 
 
providers.tf
providers.tf
 
 
remote_states.tf
remote_states.tf
 
 
requirements-dev.txt
requirements-dev.txt
 
 
requirements-test.txt
requirements-test.txt
 
 
requirements.txt
requirements.txt
 
 
setup-env
setup-env
 
 
variables.tf
variables.tf
 
 
versions.tf
versions.tf
 
 

Repository files navigation

cool-was-db-iam

GitHub Build Status

This project is used to manage IAM permissions for COOL users that are allowed to read from and write to the COOL WAS database.

Pre-requisites

  • Terraform installed on your system.
  • An accessible AWS S3 bucket to store Terraform state (specified in backend.tf).
  • An accessible AWS DynamoDB database to store the Terraform state lock (specified in backend.tf).
  • Access to all of the Terraform remote states specified in remote_states.tf.
  • User accounts for all users must have been created previously. We recommend using the cisagov/cool-users-non-admin repository to create users.
  • The WAS database and related access roles must have been created previously via the cisagov/cool-userservices-was-db repository.

Usage

  1. Create a Terraform workspace (if you haven't already done so) by running terraform workspace new <workspace_name>
  2. Create a <workspace_name>.tfvars file with all of the required variables (see Inputs below for details):
users = {
"firstname1.lastname1" = { "role" = "read_only" },
"firstname2.lastname2" = { "role" = "read_write" },
}
  1. Run the command terraform init.
  2. Run the command terraform apply -var-file=<workspace_name>.tfvars.

Requirements

Name Version
terraform ~> 1.0
aws ~> 4.9

Providers

Name Version
aws ~> 4.9
aws.users ~> 4.9
terraform n/a

Modules

No modules.

Resources

Name Type
aws_iam_group.read_only_users resource
aws_iam_group.read_write_users resource
aws_iam_group_policy_attachment.assume_userservices_was_db_read_only_role_attachment resource
aws_iam_group_policy_attachment.assume_userservices_was_db_read_write_role_attachment resource
aws_iam_policy.assume_userservices_was_db_read_only_role resource
aws_iam_policy.assume_userservices_was_db_read_write_role resource
aws_iam_user_group_membership.read_only_users resource
aws_iam_user_group_membership.read_write_users resource
aws_caller_identity.current data source
aws_iam_policy_document.assume_userservices_was_db_read_only_role_doc data source
aws_iam_policy_document.assume_userservices_was_db_read_write_role_doc data source
terraform_remote_state.master data source
terraform_remote_state.users data source
terraform_remote_state.userservices_was_db_production data source
terraform_remote_state.userservices_was_db_staging data source

Inputs

Name Description Type Default Required
assume_userservices_was_db_read_only_policy_description The description of the IAM policy that allows assumption of the WAS DB read-only role in the User Services staging and production accounts. string "Allows assumption of the WAS DB read-only role in the User Services staging and production accounts." no
assume_userservices_was_db_read_only_policy_name The name of the IAM policy that allows assumption of the WAS DB read-only role in the User Services staging and production accounts. string "AssumeUserServicesWASDBReadOnlyRole" no
assume_userservices_was_db_read_write_policy_description The description of the IAM policy that allows assumption of the WAS DB read-write role in the User Services staging and production accounts. string "Allows assumption of the WAS DB read-write role in the User Services staging and production accounts." no
assume_userservices_was_db_read_write_policy_name The name of the IAM policy that allows assumption of the WAS DB read-write role in the User Services staging and production accounts. string "AssumeUserServicesWASDBReadWriteRole" no
aws_region The AWS region to deploy into (e.g. us-east-1). string "us-east-1" no
read_only_users_group_name The name of the IAM group for WAS database users with read-only access. string "was_db_read_only_users" no
read_write_users_group_name The name of the IAM group for WAS database users with read-write access. string "was_db_read_write_users" no
tags Tags to apply to all AWS resources created. map(string) {} no
users A map whose keys are the usernames of each database user and whose values are a map containing supported user attributes. The only currently-supported attribute is "role" (string). The only currently-supported roles are "read_only" and "read_write". Example: { "firstname1.lastname1" = { "role" = "read_only" }, "firstname2.lastname2" = { "role" = "read_write" } } map(object({ role = string })) n/a yes

Outputs

Name Description
read_only_users_group The IAM group for WAS database users with read-only access.
read_write_users_group The IAM group for WAS database users with read-write access.

Notes

Running pre-commit requires running terraform init in every directory that contains Terraform code. In this repository, this is just the main directory.

Contributing

We welcome contributions! Please see CONTRIBUTING.md for details.

License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

About

Terraform to manage IAM permissions for COOL users that are allowed to read from and write to the COOL WAS database

Resources

Readme

License

CC0-1.0 license

Security policy

Security policy
Activity
Custom properties

Stars

1 star

Watchers

4 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 11

Languages