Merge pull request #1 from SPHTech-Platform/setup-aws-verified-module

[PFMENG-1278] Setup AWS Verified Access Terraform module

Author: niroz89

LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2022-present SPH Media
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -1 +1,51 @@
 # Terraform Modules Template
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.24 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.24.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_verifiedaccess_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/verifiedaccess_group) | resource |
+| [aws_verifiedaccess_instance.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/verifiedaccess_instance) | resource |
+| [aws_verifiedaccess_instance_trust_provider_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/verifiedaccess_instance_trust_provider_attachment) | resource |
+| [aws_verifiedaccess_trust_provider.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/verifiedaccess_trust_provider) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_authorization_endpoint"></a> [authorization\_endpoint](#input\_authorization\_endpoint) | The OIDC authorization endpoint. | `string` | `null` | no |
+| <a name="input_client_id"></a> [client\_id](#input\_client\_id) | The client identifier. | `string` | `null` | no |
+| <a name="input_client_secret"></a> [client\_secret](#input\_client\_secret) | The client secret. | `string` | `null` | no |
+| <a name="input_group_policy_document"></a> [group\_policy\_document](#input\_group\_policy\_document) | he policy document that is associated with this resource. | `string` | `null` | no |
+| <a name="input_issuer"></a> [issuer](#input\_issuer) | The OIDC issuer. | `string` | `null` | no |
+| <a name="input_policy_reference_name"></a> [policy\_reference\_name](#input\_policy\_reference\_name) | The type of trust provider can be either user or device-based. | `string` | n/a | yes |
+| <a name="input_scope"></a> [scope](#input\_scope) | OpenID Connect (OIDC) scopes are used by an application during authentication to authorize access to details of a user. | `string` | `null` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Key-value mapping of resource tags. | `map(string)` | `{}` | no |
+| <a name="input_token_endpoint"></a> [token\_endpoint](#input\_token\_endpoint) | The OIDC token endpoint. | `string` | `null` | no |
+| <a name="input_trust_provider_type"></a> [trust\_provider\_type](#input\_trust\_provider\_type) | The type of trust provider can be either user or device-based. | `string` | n/a | yes |
+| <a name="input_user_info_endpoint"></a> [user\_info\_endpoint](#input\_user\_info\_endpoint) | The OIDC user info endpoint. | `string` | `null` | no |
+| <a name="input_user_trust_provider_type"></a> [user\_trust\_provider\_type](#input\_user\_trust\_provider\_type) | The type of user-based trust provider. | `string` | `"iam-identity-center"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_verifiedaccess_group_id"></a> [verifiedaccess\_group\_id](#output\_verifiedaccess\_group\_id) | The ID of the Verified Access group to associate the endpoint with. |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/main.tf

@@ -0,0 +1,180 @@
+#Setup AWS Verified Access with IAM Identity Center provider
+module "verified_access_iam_identity_center" {
+  source = "../"
+
+  policy_reference_name    = "IAM"
+  trust_provider_type      = "user"
+  user_trust_provider_type = "iam-identity-center"
+
+  group_policy_document = <<EOT
+    permit(principal, action, resource)
+      when {
+       context.IAM.user.email.address like "*@abc.com"
+      };
+  EOT
+
+  tags = {
+    Name = "IAM-Identity-Center"
+  }
+}
+
+#Setup AWS Verified Access with OIDC provider
+module "verified_access_oidc" {
+  source = "../"
+
+  policy_reference_name    = "OKTA"
+  trust_provider_type      = "user"
+  user_trust_provider_type = "oidc"
+
+  authorization_endpoint = "https://dev-12345678.okta.com/oauth2/v1/authorize"
+  client_id              = "test-client-id"
+  client_secret          = "sdfdf333000000"
+  issuer                 = "https://dev-12345678.okta.com"
+  scope                  = "openid profile groups"
+  token_endpoint         = "https://dev-12345678.okta.com/oauth2/v1/token"
+  user_info_endpoint     = "https://dev-12345678.okta.com/oauth2/v1/userinfo"
+
+  group_policy_document = <<EOT
+    permit(principal, action, resource)
+      when {
+      context.http_request.http_method != "INVALID_METHOD"
+      };
+  EOT
+
+  tags = {
+    Name = "OIDC"
+  }
+}
+
+#AWS Verified Access Endpoints
+
+#Network Interface Endpoint Type
+module "verified_access_eni_endpoint" {
+  source = "../modules/endpoint"
+
+  verified_access_group_id = module.verified_access_iam_identity_center.verifiedaccess_group_id
+
+  description            = "example"
+  application_domain     = "example.my-domain.com"
+  domain_certificate_arn = module.acm.acm_certificate_arn
+  endpoint_domain_prefix = "example"
+  security_group_ids     = [module.verified_access_sg.security_group_id]
+
+  endpoint_type        = "network-interface"
+  network_interface_id = "eni-xys3d2c29ad06"
+  port                 = 443
+  protocol             = "https"
+
+  tags = {
+    Name = "User manager endpoint"
+  }
+}
+
+#Internal Load Balancer Endpoint Type
+module "verified_access_elb_endpoint" {
+  source = "../modules/endpoint"
+
+  verified_access_group_id = module.verified_access_oidc.verifiedaccess_group_id
+
+  description = "student-portal"
+
+  application_domain     = "example.my-domain.com"
+  domain_certificate_arn = module.acm.acm_certificate_arn
+  endpoint_domain_prefix = "example"
+  security_group_ids     = [module.verified_access_sg.security_group_id]
+
+  endpoint_type     = "load-balancer"
+  load_balancer_arn = module.alb.arn
+  port              = 443
+  protocol          = "https"
+  subnet_ids        = module.vpc.private_subnets
+
+  tags = {
+    Name = "student-portal"
+  }
+}
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 5.1"
+
+  name = "test-vpc"
+  cidr = "10.0.0.0/16"
+
+  azs             = ["ap-southeast-1a", "ap-southeast-1b", "ap-southeast-1c"]
+  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+  enable_nat_gateway = true
+  enable_vpn_gateway = true
+
+  tags = {
+    Terraform   = "true"
+    Environment = "dev"
+  }
+}
+
+module "verified_access_sg" {
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "~> 5.1"
+
+  name   = "verified-access-sg"
+  vpc_id = module.vpc.vpc_id
+
+  ingress_cidr_blocks = ["0.0.0.0/0"]
+
+  ingress_rules = [
+    "https-443-tcp"
+  ]
+
+  egress_rules = ["all-all"]
+}
+
+module "acm" {
+  source  = "terraform-aws-modules/acm/aws"
+  version = "~> 4.0"
+
+  domain_name = "my-domain.com"
+  zone_id     = "xyz1234B9AZ6SHAE"
+
+  validation_method = "DNS"
+
+  subject_alternative_names = [
+    "*.my-domain.com"
+  ]
+
+  wait_for_validation = true
+
+  tags = {
+    Name = "my-domain.com"
+  }
+}
+
+module "alb" {
+  source  = "terraform-aws-modules/alb/aws"
+  version = "~> 9.1"
+
+  name     = "my-alb"
+  vpc_id   = module.vpc.vpc_id
+  subnets  = module.vpc.private_subnets
+  internal = true
+
+  # Allow traffic from Verified Access security group
+  security_groups = [module.verified_access_sg.security_group_id]
+
+  listeners = {
+    https = {
+      port            = 443
+      protocol        = "HTTPS"
+      certificate_arn = module.acm.acm_certificate_arn
+      forward = {
+        target_group_key = "ex-instance"
+      }
+    }
+  }
+
+  tags = {
+    Environment = "Development"
+    Project     = "Example"
+  }
+}

examples/providers.tf

@@ -0,0 +1,3 @@
+provider "aws" {
+  region = "ap-southeast-1"
+}

examples/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.24"
+    }
+  }
+}

main.tf

@@ -0,0 +1,42 @@
+resource "aws_verifiedaccess_trust_provider" "this" {
+  description              = "${var.trust_provider_type} based trust provider"
+  policy_reference_name    = var.policy_reference_name
+  trust_provider_type      = var.trust_provider_type
+  user_trust_provider_type = var.user_trust_provider_type
+
+  dynamic "oidc_options" {
+    for_each = var.user_trust_provider_type == "oidc" ? [1] : []
+    content {
+      authorization_endpoint = var.authorization_endpoint
+      client_id              = var.client_id
+      client_secret          = var.client_secret
+      issuer                 = var.issuer
+      scope                  = var.scope
+      token_endpoint         = var.token_endpoint
+      user_info_endpoint     = var.user_info_endpoint
+    }
+  }
+
+  tags = var.tags
+}
+
+resource "aws_verifiedaccess_instance" "this" {
+  description = "Verified access instance"
+  tags        = var.tags
+}
+
+resource "aws_verifiedaccess_instance_trust_provider_attachment" "this" {
+  verifiedaccess_instance_id       = aws_verifiedaccess_instance.this.id
+  verifiedaccess_trust_provider_id = aws_verifiedaccess_trust_provider.this.id
+}
+
+resource "aws_verifiedaccess_group" "this" {
+  verifiedaccess_instance_id = aws_verifiedaccess_instance.this.id
+  policy_document            = var.group_policy_document != null ? var.group_policy_document : null
+  tags                       = var.tags
+
+  # Must attach a TrustProvider to Instance before you can create a Group
+  depends_on = [
+    aws_verifiedaccess_instance_trust_provider_attachment.this
+  ]
+}

modules/.gitkeep

@@ -0,0 +1,50 @@
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.24 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.24.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_verifiedaccess_endpoint.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/verifiedaccess_endpoint) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_application_domain"></a> [application\_domain](#input\_application\_domain) | The DNS name for users to reach your application. | `string` | n/a | yes |
+| <a name="input_attachment_type"></a> [attachment\_type](#input\_attachment\_type) | The type of attachment. Currently, only vpc is supported. | `string` | `"vpc"` | no |
+| <a name="input_description"></a> [description](#input\_description) | The description for verified application | `string` | `null` | no |
+| <a name="input_domain_certificate_arn"></a> [domain\_certificate\_arn](#input\_domain\_certificate\_arn) | The ARN of the public TLS/SSL certificate in AWS Certificate Manager to associate with the endpoint | `string` | n/a | yes |
+| <a name="input_endpoint_domain_prefix"></a> [endpoint\_domain\_prefix](#input\_endpoint\_domain\_prefix) | A custom identifier that is prepended to the DNS name that is generated for the endpoint | `string` | n/a | yes |
+| <a name="input_endpoint_type"></a> [endpoint\_type](#input\_endpoint\_type) | The type of Verified Access endpoint to create. Currently load-balancer or network-interface are supported. | `string` | n/a | yes |
+| <a name="input_load_balancer_arn"></a> [load\_balancer\_arn](#input\_load\_balancer\_arn) | The ARN of the internal load balancer. | `string` | `null` | no |
+| <a name="input_network_interface_id"></a> [network\_interface\_id](#input\_network\_interface\_id) | The ID of the network interface | `string` | `null` | no |
+| <a name="input_port"></a> [port](#input\_port) | The IP port number. | `number` | `null` | no |
+| <a name="input_protocol"></a> [protocol](#input\_protocol) | The IP protocol. | `string` | `null` | no |
+| <a name="input_security_group_ids"></a> [security\_group\_ids](#input\_security\_group\_ids) | List of the the security groups IDs to associate with the Verified Access endpoint. | `list(string)` | n/a | yes |
+| <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | The IDs of the subnets. | `list(string)` | `[]` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Key-value mapping of resource tags. | `map(string)` | `{}` | no |
+| <a name="input_verified_access_group_id"></a> [verified\_access\_group\_id](#input\_verified\_access\_group\_id) | The ID of the Verified Access group to associate the endpoint with. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_endpoint_domain"></a> [endpoint\_domain](#output\_endpoint\_domain) | A DNS name that is generated for the endpoint. |
+| <a name="output_endpoint_id"></a> [endpoint\_id](#output\_endpoint\_id) | The ID of the AWS Verified Access endpoint. |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/endpoint/README.md

@@ -0,0 +1,33 @@
+resource "aws_verifiedaccess_endpoint" "this" {
+  description            = var.description
+  application_domain     = var.application_domain
+  domain_certificate_arn = var.domain_certificate_arn
+
+  verified_access_group_id = var.verified_access_group_id
+
+  attachment_type        = var.attachment_type
+  endpoint_domain_prefix = var.endpoint_domain_prefix
+  security_group_ids     = var.security_group_ids
+  endpoint_type          = var.endpoint_type
+
+  dynamic "network_interface_options" {
+    for_each = var.endpoint_type == "network-interface" ? [1] : []
+    content {
+      network_interface_id = var.network_interface_id
+      port                 = var.port
+      protocol             = var.protocol
+    }
+  }
+
+  dynamic "load_balancer_options" {
+    for_each = var.endpoint_type == "load-balancer" ? [1] : []
+    content {
+      load_balancer_arn = var.load_balancer_arn
+      port              = var.port
+      protocol          = var.protocol
+      subnet_ids        = var.subnet_ids
+    }
+  }
+
+  tags = var.tags
+}