Add projects from root stage. Add account project (#10)

aknysh · web-flow · commit a76b9634e2d1 · 2018-06-07T23:37:22.000-04:00
* Add projects from `root` stage. Add `account` project

* Rename to `accounts`

* Add `account-dns`

* Update `accounts` and `iam` projects
diff --git a/README.md b/README.md
@@ -11,9 +11,9 @@ This is a collection of reusable root modules for CloudPosse AWS accounts.
 Use the `terraform-root-modules` Docker image as the base image in the application `Dockerfile`, and copy the modules from `/aws` folder into `/conf` folder
 
 ```dockerfile
-FROM cloudposse/terraform-root-modules:0.1.6 as terraform-root-modules
+FROM cloudposse/terraform-root-modules:0.2.2 as terraform-root-modules
 
-FROM cloudposse/geodesic:0.9.16
+FROM cloudposse/geodesic:0.9.18
 
 # Copy root modules into /conf folder
 COPY --from=terraform-root-modules /aws/ /conf/
diff --git a/aws/account-dns/main.tf b/aws/account-dns/main.tf
@@ -0,0 +1,43 @@
+terraform {
+  required_version = ">= 0.11.2"
+
+  backend "s3" {}
+}
+
+variable "aws_assume_role_arn" {
+  type = "string"
+}
+
+variable "domain_name" {
+  type        = "string"
+  description = "Domain name"
+}
+
+provider "aws" {
+  assume_role {
+    role_arn = "${var.aws_assume_role_arn}"
+  }
+}
+
+resource "aws_route53_zone" "dns_zone" {
+  name = "${var.domain_name}"
+}
+
+resource "aws_route53_record" "dns_zone_soa" {
+  zone_id = "${aws_route53_zone.dns_zone.id}"
+  name    = "${aws_route53_zone.dns_zone.name}"
+  type    = "SOA"
+  ttl     = "60"
+
+  records = [
+    "${aws_route53_zone.dns_zone.name_servers.0}. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400",
+  ]
+}
+
+output "zone_id" {
+  value = "${aws_route53_zone.dns_zone.zone_id}"
+}
+
+output "name_servers" {
+  value = "${aws_route53_zone.dns_zone.name_servers}"
+}
diff --git a/aws/account-dns/terraform.tfvars.example b/aws/account-dns/terraform.tfvars.example
diff --git a/aws/accounts/audit.auto.tfvars.example b/aws/accounts/audit.auto.tfvars.example
@@ -0,0 +1,2 @@
+audit_account_name="audit"
+audit_account_email="info+audit@cloudposse.co"
diff --git a/aws/accounts/audit.tf b/aws/accounts/audit.tf
@@ -0,0 +1,21 @@
+variable "audit_account_name" {
+  type        = "string"
+  description = "Audit account name"
+  default     = "audit"
+}
+
+variable "audit_account_email" {
+  type        = "string"
+  description = "Audit account email"
+}
+
+resource "aws_organizations_account" "audit" {
+  name                       = "${var.audit_account_name}"
+  email                      = "${var.audit_account_email}"
+  iam_user_access_to_billing = "${var.account_iam_user_access_to_billing}"
+  role_name                  = "${var.account_role_name}"
+}
+
+output "audit_account_arn" {
+  value = "${aws_organizations_account.audit.arn}"
+}
diff --git a/aws/accounts/dev.auto.tfvars.example b/aws/accounts/dev.auto.tfvars.example
@@ -0,0 +1,2 @@
+dev_account_name="dev"
+dev_account_email="info+dev@cloudposse.co"
diff --git a/aws/accounts/dev.tf b/aws/accounts/dev.tf
@@ -0,0 +1,21 @@
+variable "dev_account_name" {
+  type        = "string"
+  description = "Dev account name"
+  default     = "dev"
+}
+
+variable "dev_account_email" {
+  type        = "string"
+  description = "Dev account email"
+}
+
+resource "aws_organizations_account" "dev" {
+  name                       = "${var.dev_account_name}"
+  email                      = "${var.dev_account_email}"
+  iam_user_access_to_billing = "${var.account_iam_user_access_to_billing}"
+  role_name                  = "${var.account_role_name}"
+}
+
+output "dev_account_arn" {
+  value = "${aws_organizations_account.dev.arn}"
+}
diff --git a/aws/accounts/main.tf b/aws/accounts/main.tf
@@ -0,0 +1,27 @@
+terraform {
+  required_version = ">= 0.11.2"
+
+  backend "s3" {}
+}
+
+variable "aws_assume_role_arn" {
+  type = "string"
+}
+
+variable "account_role_name" {
+  type        = "string"
+  description = "IAM role that Organization automatically preconfigures in the new member account"
+  default     = "OrganizationAccountAccessRole"
+}
+
+variable "account_iam_user_access_to_billing" {
+  type        = "string"
+  description = "If set to `ALLOW`, the new account enables IAM users to access account billing information if they have the required permissions. If set to `DENY`, then only the root user of the new account can access account billing information"
+  default     = "DENY"
+}
+
+provider "aws" {
+  assume_role {
+    role_arn = "${var.aws_assume_role_arn}"
+  }
+}
diff --git a/aws/accounts/prod.auto.tfvars.example b/aws/accounts/prod.auto.tfvars.example
@@ -0,0 +1,2 @@
+prod_account_name="prod"
+prod_account_email="info+prod@cloudposse.co"
diff --git a/aws/accounts/prod.tf b/aws/accounts/prod.tf
@@ -0,0 +1,21 @@
+variable "prod_account_name" {
+  type        = "string"
+  description = "Production account name"
+  default     = "prod"
+}
+
+variable "prod_account_email" {
+  type        = "string"
+  description = "Production account email"
+}
+
+resource "aws_organizations_account" "prod" {
+  name                       = "${var.prod_account_name}"
+  email                      = "${var.prod_account_email}"
+  iam_user_access_to_billing = "${var.account_iam_user_access_to_billing}"
+  role_name                  = "${var.account_role_name}"
+}
+
+output "prod_account_arn" {
+  value = "${aws_organizations_account.prod.arn}"
+}
diff --git a/aws/accounts/staging.auto.tfvars.example b/aws/accounts/staging.auto.tfvars.example
@@ -0,0 +1,2 @@
+staging_account_name="staging"
+staging_account_email="info+staging@cloudposse.co"
diff --git a/aws/accounts/staging.tf b/aws/accounts/staging.tf
@@ -0,0 +1,21 @@
+variable "staging_account_name" {
+  type        = "string"
+  description = "Staging account name"
+  default     = "staging"
+}
+
+variable "staging_account_email" {
+  type        = "string"
+  description = "Staging account email"
+}
+
+resource "aws_organizations_account" "staging" {
+  name                       = "${var.staging_account_name}"
+  email                      = "${var.staging_account_email}"
+  iam_user_access_to_billing = "${var.account_iam_user_access_to_billing}"
+  role_name                  = "${var.account_role_name}"
+}
+
+output "staging_account_arn" {
+  value = "${aws_organizations_account.staging.arn}"
+}
diff --git a/aws/acm-cloudfront/main.tf b/aws/acm-cloudfront/main.tf
@@ -4,7 +4,9 @@ terraform {
   backend "s3" {}
 }
 
-variable "aws_assume_role_arn" {}
+variable "aws_assume_role_arn" {
+  type = "string"
+}
 
 provider "aws" {
   #  CloudFront certs must be created in the `aws-east-1` region, even if your origin is in a different one
diff --git a/aws/dns/main.tf b/aws/dns/main.tf
diff --git a/aws/dns/outputs.tf b/aws/dns/outputs.tf
diff --git a/aws/iam/audit.auto.tfvars.example b/aws/iam/audit.auto.tfvars.example
@@ -0,0 +1,2 @@
+audit_account_id=""
+audit_account_user_names=["", "",]
diff --git a/aws/iam/audit.tf b/aws/iam/audit.tf
@@ -0,0 +1,19 @@
+variable "audit_account_id" {
+  type        = "string"
+  description = "Audit account ID"
+}
+
+variable "audit_account_user_names" {
+  type        = "list"
+  description = "IAM user names to grant access to Audit account"
+}
+
+# Provision group access to audit account. Careful! Very few people, if any should have access to this account.
+module "organization_access_group_audit" {
+  source            = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=tags/0.1.2"
+  namespace         = "${var.namespace}"
+  stage             = "audit"
+  name              = "admin"
+  user_names        = ["${var.audit_account_user_names}"]
+  member_account_id = "${var.audit_account_id}"
+}
diff --git a/aws/iam/dev.auto.tfvars.example b/aws/iam/dev.auto.tfvars.example
@@ -0,0 +1,2 @@
+dev_account_id=""
+dev_account_user_names=["", "",]
diff --git a/aws/iam/dev.tf b/aws/iam/dev.tf
@@ -0,0 +1,19 @@
+variable "dev_account_id" {
+  type        = "string"
+  description = "Dev account ID"
+}
+
+variable "dev_account_user_names" {
+  type        = "list"
+  description = "IAM user names to grant access to Dev account"
+}
+
+# Provision group access to dev account
+module "organization_access_group_dev" {
+  source            = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=tags/0.1.2"
+  namespace         = "${var.namespace}"
+  stage             = "dev"
+  name              = "admin"
+  user_names        = ["${var.dev_account_user_names}"]
+  member_account_id = "${var.dev_account_id}"
+}
diff --git a/aws/iam/main.tf b/aws/iam/main.tf
@@ -0,0 +1,20 @@
+terraform {
+  required_version = ">= 0.11.2"
+
+  backend "s3" {}
+}
+
+variable "aws_assume_role_arn" {
+  type = "string"
+}
+
+variable "namespace" {
+  type        = "string"
+  description = "Namespace (e.g. `cp` or `cloudposse`)"
+}
+
+provider "aws" {
+  assume_role {
+    role_arn = "${var.aws_assume_role_arn}"
+  }
+}
diff --git a/aws/iam/prod.auto.tfvars.example b/aws/iam/prod.auto.tfvars.example
@@ -0,0 +1,2 @@
+prod_account_id=""
+prod_account_user_names=["", "",]
diff --git a/aws/iam/prod.tf b/aws/iam/prod.tf
@@ -0,0 +1,19 @@
+variable "prod_account_id" {
+  type        = "string"
+  description = "Production account ID"
+}
+
+variable "prod_account_user_names" {
+  type        = "list"
+  description = "IAM user names to grant access to Production account"
+}
+
+# Provision group access to production account
+module "organization_access_group_prod" {
+  source            = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=tags/0.1.2"
+  namespace         = "${var.namespace}"
+  stage             = "prod"
+  name              = "admin"
+  user_names        = ["${var.prod_account_user_names}"]
+  member_account_id = "${var.prod_account_id}"
+}
diff --git a/aws/iam/root.auto.tfvars.example b/aws/iam/root.auto.tfvars.example
@@ -0,0 +1,2 @@
+root_account_admin_user_names=["", "",]
+root_account_readonly_user_names=["", "",]
diff --git a/aws/iam/root.tf b/aws/iam/root.tf
@@ -0,0 +1,21 @@
+variable "root_account_admin_user_names" {
+  type        = "list"
+  description = "IAM user names to grant admin access to Root account"
+}
+
+variable "root_account_readonly_user_names" {
+  type        = "list"
+  description = "IAM user names to grant readonly access to Root account"
+  default     = []
+}
+
+# Provision group access to root account with MFA
+module "organization_access_group_root" {
+  source              = "git::https://github.com/cloudposse/terraform-aws-iam-assumed-roles.git?ref=tags/0.2.0"
+  namespace           = "${var.namespace}"
+  stage               = "root"
+  admin_name          = "admin"
+  readonly_name       = "readonly"
+  admin_user_names    = ["${var.root_account_admin_user_names}"]
+  readonly_user_names = ["${var.root_account_readonly_user_names}"]
+}
diff --git a/aws/iam/staging.auto.tfvars.example b/aws/iam/staging.auto.tfvars.example
@@ -0,0 +1,2 @@
+staging_account_id=""
+staging_account_user_names=["", "",]
diff --git a/aws/iam/staging.tf b/aws/iam/staging.tf
@@ -0,0 +1,19 @@
+variable "staging_account_id" {
+  type        = "string"
+  description = "Staging account ID"
+}
+
+variable "staging_account_user_names" {
+  type        = "list"
+  description = "IAM user names to grant access to Staging account"
+}
+
+# Provision group access to staging account
+module "organization_access_group_staging" {
+  source            = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=tags/0.1.2"
+  namespace         = "${var.namespace}"
+  stage             = "staging"
+  name              = "admin"
+  user_names        = ["${var.staging_account_user_names}"]
+  member_account_id = "${var.staging_account_id}"
+}
diff --git a/aws/kops-aws-platform/terraform.tfvars.example b/aws/kops-aws-platform/terraform.tfvars.example
@@ -1,4 +1,4 @@
 namespace="cp"
 stage="staging"
 region="us-west-2"
-zone_name="us-west-2.cloudposse.co"
+zone_name="us-west-2.staging.cloudposse.co"
diff --git a/aws/organization/main.tf b/aws/organization/main.tf
@@ -14,7 +14,7 @@ variable "aws_assume_role_arn" {
 variable "organization_feature_set" {
   type        = "string"
   default     = "ALL"
-  description = "Specify `ALL` (default) or `CONSOLIDATED_BILLING`"
+  description = "`ALL` (default) or `CONSOLIDATED_BILLING`"
 }
 
 provider "aws" {
diff --git a/aws/root-dns/main.tf b/aws/root-dns/main.tf
diff --git a/aws/root-dns/parent-audit-ns.tf b/aws/root-dns/parent-audit-ns.tf
diff --git a/aws/root-dns/parent-dev-ns.tf b/aws/root-dns/parent-dev-ns.tf
diff --git a/aws/root-dns/parent-local-ns.tf b/aws/root-dns/parent-local-ns.tf
diff --git a/aws/root-dns/parent-prod-ns.tf b/aws/root-dns/parent-prod-ns.tf
diff --git a/aws/root-dns/parent-staging-ns.tf b/aws/root-dns/parent-staging-ns.tf
diff --git a/aws/root-dns/parent.tf b/aws/root-dns/parent.tf
diff --git a/aws/root-dns/root.tf b/aws/root-dns/root.tf
diff --git a/aws/root-dns/terraform.tfvars.example b/aws/root-dns/terraform.tfvars.example

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+audit_account_name="audit"`
	`2`	`+audit_account_email="[email protected]"`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+dev_account_name="dev"`
	`2`	`+dev_account_email="[email protected]"`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+prod_account_name="prod"`
	`2`	`+prod_account_email="[email protected]"`