Merge pull request #2 from appvia/create-role

feat: implementation

Author: m13t

.terraform.lock.hcl

@@ -34,22 +34,37 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.7 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0.0 |
+| <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.12.0 |
 
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0.0 |
+| <a name="provider_time"></a> [time](#provider\_time) | >= 0.12.0 |
 
 ## Modules
 
 No modules.
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [aws_cloudformation_stack.management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack) | resource |
+| [aws_cloudformation_stack_set.member_accounts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource |
+| [aws_cloudformation_stack_set_instance.member_accounts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource |
+| [time_offset.expiry](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/offset) | resource |
+| [aws_organizations_organization.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
 
 ## Inputs
 
-No inputs.
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_deployment_account_ids"></a> [deployment\_account\_ids](#input\_deployment\_account\_ids) | List of account IDs in which to deploy the remote audit access role | `list(string)` | n/a | yes |
+| <a name="input_external_id"></a> [external\_id](#input\_external\_id) | External ID should be a string of cryptographically safe random characters | `string` | n/a | yes |
+| <a name="input_appvia_role_arn"></a> [appvia\_role\_arn](#input\_appvia\_role\_arn) | Allows specifying a non-standard IAM role. Only set this if asked to do so by Appvia | `string` | `"arn:aws:iam::730335310409:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_WAFSupport_19c9bc61106389c3"` | no |
+| <a name="input_expiry_days"></a> [expiry\_days](#input\_expiry\_days) | The number of days the role is available before access will be denied | `number` | `14` | no |
 
 ## Outputs
 

README.md

@@ -0,0 +1,45 @@
+AWSTemplateFormatVersion: '2010-09-09'
+
+Parameters:
+  AppviaRoleARN:
+    Type: String
+    Description: Fully-qualified ARN of the remote role
+    Default: arn:aws:iam::730335310409:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_WAFSupport_19c9bc61106389c3
+  ExternalID:
+    Type: String
+    Description: External ID shared between consumer and Appvia
+  ExpiryDate:
+    Type: String
+
+Resources:
+  Role:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: AppviaAuditRole
+      Path: /
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              AWS:
+                - !Ref AppviaRoleARN
+            Action:
+              - sts:AssumeRole
+            Condition:
+              StringEquals:
+                "sts:ExternalId": !Ref ExternalID
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/SecurityAudit
+        - arn:aws:iam::aws:policy/ReadOnlyAccess
+      Policies:
+        - PolicyName: PermissionDeadline
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Deny
+                Action: '*'
+                Resource: '*'
+                Condition:
+                  DateGreaterThan:
+                    "aws:CurrentTime": !Ref ExpiryDate

cloud_formation/role.yaml

@@ -0,0 +1 @@
+data "aws_organizations_organization" "current" {}

data.tf

@@ -0,0 +1,15 @@
+locals {
+  # CloudFormation template
+  template_body = file("${path.module}/cloud_formation/role.yaml")
+
+  # Lookup the management account ID from org data
+  management_account_id = data.aws_organizations_organization.current.master_account_id
+
+  # Member accounts are any provided accounts that are not the management account
+  member_account_ids = [
+    for v in var.deployment_account_ids : v if v != local.management_account_id
+  ]
+
+  # If the management account is in the list, this evaluates to true
+  deploy_to_management = contains(var.deployment_account_ids, local.management_account_id)
+}

locals.tf

@@ -0,0 +1,75 @@
+resource "time_offset" "expiry" {
+  offset_days = var.expiry_days
+}
+
+resource "aws_cloudformation_stack" "management" {
+  count = local.deploy_to_management ? 1 : 0
+
+  name          = "AppviaAuditRole"
+  template_body = local.template_body
+  on_failure    = "ROLLBACK"
+
+  capabilities = [
+    "CAPABILITY_NAMED_IAM",
+    "CAPABILITY_AUTO_EXPAND",
+    "CAPABILITY_IAM",
+  ]
+
+  parameters = {
+    AppviaRoleARN = var.appvia_role_arn
+    ExternalID    = var.external_id
+    ExpiryDate    = time_offset.expiry.rfc3339
+  }
+
+  lifecycle {
+    ignore_changes = [
+      capabilities,
+    ]
+  }
+}
+
+resource "aws_cloudformation_stack_set" "member_accounts" {
+  name             = "AppviaAuditRole"
+  description      = "Provisions federated IAM role allowing Appvia remote audit access"
+  template_body    = local.template_body
+  permission_model = "SERVICE_MANAGED"
+
+  capabilities = [
+    "CAPABILITY_NAMED_IAM",
+    "CAPABILITY_AUTO_EXPAND",
+    "CAPABILITY_IAM",
+  ]
+
+  parameters = {
+    AppviaRoleARN = var.appvia_role_arn
+    ExternalID    = var.external_id
+    ExpiryDate    = time_offset.expiry.rfc3339
+  }
+
+  auto_deployment {
+    enabled                          = true
+    retain_stacks_on_account_removal = false
+  }
+
+  lifecycle {
+    ignore_changes = [
+      administration_role_arn,
+      capabilities,
+    ]
+  }
+}
+
+resource "aws_cloudformation_stack_set_instance" "member_accounts" {
+  count = length(var.deployment_account_ids) > 0 ? 1 : 0
+
+  stack_set_name = aws_cloudformation_stack_set.member_accounts.name
+
+  deployment_targets {
+    account_filter_type = "INTERSECTION"
+    accounts            = local.member_account_ids
+
+    organizational_unit_ids = [
+      data.aws_organizations_organization.current.roots[0].id,
+    ]
+  }
+}

main.tf

@@ -1,4 +1,3 @@
-
 terraform {
   required_version = ">= 1.0.7"
 
@@ -8,5 +7,10 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 5.0.0"
     }
+
+    time = {
+      source  = "hashicorp/time"
+      version = ">= 0.12.0"
+    }
   }
 }

terraform.tf

@@ -0,0 +1,21 @@
+variable "appvia_role_arn" {
+  type        = string
+  default     = "arn:aws:iam::730335310409:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_WAFSupport_19c9bc61106389c3"
+  description = "Allows specifying a non-standard IAM role. Only set this if asked to do so by Appvia"
+}
+
+variable "deployment_account_ids" {
+  type        = list(string)
+  description = "List of account IDs in which to deploy the remote audit access role"
+}
+
+variable "external_id" {
+  type        = string
+  description = "External ID should be a string of cryptographically safe random characters"
+}
+
+variable "expiry_days" {
+  type        = number
+  default     = 14
+  description = "The number of days the role is available before access will be denied"
+}