diff --git a/README.md b/README.md
index ae622b6e3..5fd7cd09d 100644
--- a/README.md
+++ b/README.md
@@ -11,9 +11,9 @@ This is a collection of reusable root modules for CloudPosse AWS accounts.
 Use the `terraform-root-modules` Docker image as the base image in the application `Dockerfile`, and copy the modules from `/aws` folder into `/conf` folder
 ```dockerfile
-FROM cloudposse/terraform-root-modules:0.1.6 as terraform-root-modules
+FROM cloudposse/terraform-root-modules:0.2.2 as terraform-root-modules
-FROM cloudposse/geodesic:0.9.16
+FROM cloudposse/geodesic:0.9.18
 # Copy root modules into /conf folder
 COPY --from=terraform-root-modules /aws/ /conf/
diff --git a/aws/account-dns/main.tf b/aws/account-dns/main.tf
new file mode 100644
index 000000000..df67b6f95
--- /dev/null
+++ b/aws/account-dns/main.tf
@@ -0,0 +1,43 @@
+terraform {
+ required_version = ">= 0.11.2"
+
+ backend "s3" {}
+}
+
+variable "aws_assume_role_arn" {
+ type = "string"
+}
+
+variable "domain_name" {
+ type = "string"
+ description = "Domain name"
+}
+
+provider "aws" {
+ assume_role {
+ role_arn = "${var.aws_assume_role_arn}"
+ }
+}
+
+resource "aws_route53_zone" "dns_zone" {
+ name = "${var.domain_name}"
+}
+
+resource "aws_route53_record" "dns_zone_soa" {
+ zone_id = "${aws_route53_zone.dns_zone.id}"
+ name = "${aws_route53_zone.dns_zone.name}"
+ type = "SOA"
+ ttl = "60"
+
+ records = [
+ "${aws_route53_zone.dns_zone.name_servers.0}. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400",
+ ]
+}
+
+output "zone_id" {
+ value = "${aws_route53_zone.dns_zone.zone_id}"
+}
+
+output "name_servers" {
+ value = "${aws_route53_zone.dns_zone.name_servers}"
+}
diff --git a/aws/dns/terraform.tfvars.example b/aws/account-dns/terraform.tfvars.example
similarity index 100%
rename from aws/dns/terraform.tfvars.example
rename to aws/account-dns/terraform.tfvars.example
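Review bot: `variable "aws_assume_role_arn"` in the new aws/account-dns/main.tf gets a `type` but no `description`, unlike `domain_name` directly below it; the identical undocumented declaration is added in aws/accounts/main.tf, aws/iam/main.tf, aws/root-dns/main.tf and in the aws/acm-cloudfront/main.tf hunk. This input is the role every one of these modules assumes in its `provider "aws"` block, so it is the one value an operator most needs explained. Add `description = "ARN of the IAM role to assume when provisioning this module's resources"` to each declaration.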
diff --git a/aws/accounts/audit.auto.tfvars.example b/aws/accounts/audit.auto.tfvars.example
new file mode 100644
index 000000000..260762d0a
--- /dev/null
+++ b/aws/accounts/audit.auto.tfvars.example
@@ -0,0 +1,2 @@
+audit_account_name="audit"
+audit_account_email="info+audit@cloudposse.co"
diff --git a/aws/accounts/audit.tf b/aws/accounts/audit.tf
new file mode 100644
index 000000000..e36aec236
--- /dev/null
+++ b/aws/accounts/audit.tf
@@ -0,0 +1,21 @@
+variable "audit_account_name" {
+ type = "string"
+ description = "Audit account name"
+ default = "audit"
+}
+
+variable "audit_account_email" {
+ type = "string"
+ description = "Audit account email"
+}
+
+resource "aws_organizations_account" "audit" {
+ name = "${var.audit_account_name}"
+ email = "${var.audit_account_email}"
+ iam_user_access_to_billing = "${var.account_iam_user_access_to_billing}"
+ role_name = "${var.account_role_name}"
+}
+
+output "audit_account_arn" {
+ value = "${aws_organizations_account.audit.arn}"
+}
diff --git a/aws/accounts/dev.auto.tfvars.example b/aws/accounts/dev.auto.tfvars.example
new file mode 100644
index 000000000..eb0f55a71
--- /dev/null
+++ b/aws/accounts/dev.auto.tfvars.example
@@ -0,0 +1,2 @@
+dev_account_name="dev"
+dev_account_email="info+dev@cloudposse.co"
diff --git a/aws/accounts/dev.tf b/aws/accounts/dev.tf
new file mode 100644
index 000000000..879778ca2
--- /dev/null
+++ b/aws/accounts/dev.tf
@@ -0,0 +1,21 @@
+variable "dev_account_name" {
+ type = "string"
+ description = "Dev account name"
+ default = "dev"
+}
+
+variable "dev_account_email" {
+ type = "string"
+ description = "Dev account email"
+}
+
+resource "aws_organizations_account" "dev" {
+ name = "${var.dev_account_name}"
+ email = "${var.dev_account_email}"
+ iam_user_access_to_billing = "${var.account_iam_user_access_to_billing}"
+ role_name = "${var.account_role_name}"
+}
+
+output "dev_account_arn" {
+ value = "${aws_organizations_account.dev.arn}"
+}
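Review bot: The `aws_organizations_account.audit` resource in aws/accounts/audit.tf carries no `lifecycle` block, so a `terraform destroy`, or any change the provider treats as forcing replacement (confirm against the provider version in use), would plan the removal of a member account from the organization; the `dev`, `prod` and `staging` resources in dev.tf, prod.tf and staging.tf have the same gap. Member accounts are expensive to recreate and an audit account is typically where the other accounts' logs are meant to outlive any refactor, so the account resources are worth protecting explicitly. Add `lifecycle { prevent_destroy = true }` inside each `aws_organizations_account` block so such a plan fails instead of applying.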
diff --git a/aws/accounts/main.tf b/aws/accounts/main.tf
new file mode 100644
index 000000000..b463c4bbd
--- /dev/null
+++ b/aws/accounts/main.tf
@@ -0,0 +1,27 @@
+terraform {
+ required_version = ">= 0.11.2"
+
+ backend "s3" {}
+}
+
+variable "aws_assume_role_arn" {
+ type = "string"
+}
+
+variable "account_role_name" {
+ type = "string"
+ description = "IAM role that Organization automatically preconfigures in the new member account"
+ default = "OrganizationAccountAccessRole"
+}
+
+variable "account_iam_user_access_to_billing" {
+ type = "string"
+ description = "If set to `ALLOW`, the new account enables IAM users to access account billing information if they have the required permissions. If set to `DENY`, then only the root user of the new account can access account billing information"
+ default = "DENY"
+}
+
+provider "aws" {
+ assume_role {
+ role_arn = "${var.aws_assume_role_arn}"
+ }
+}
diff --git a/aws/accounts/prod.auto.tfvars.example b/aws/accounts/prod.auto.tfvars.example
new file mode 100644
index 000000000..46545faec
--- /dev/null
+++ b/aws/accounts/prod.auto.tfvars.example
@@ -0,0 +1,2 @@
+prod_account_name="prod"
+prod_account_email="info+prod@cloudposse.co"
diff --git a/aws/accounts/prod.tf b/aws/accounts/prod.tf
new file mode 100644
index 000000000..d3c8fa34f
--- /dev/null
+++ b/aws/accounts/prod.tf
@@ -0,0 +1,21 @@
+variable "prod_account_name" {
+ type = "string"
+ description = "Production account name"
+ default = "prod"
+}
+
+variable "prod_account_email" {
+ type = "string"
+ description = "Production account email"
+}
+
+resource "aws_organizations_account" "prod" {
+ name = "${var.prod_account_name}"
+ email = "${var.prod_account_email}"
+ iam_user_access_to_billing = "${var.account_iam_user_access_to_billing}"
+ role_name = "${var.account_role_name}"
+}
+
+output "prod_account_arn" {
+ value = "${aws_organizations_account.prod.arn}"
+}
diff --git a/aws/accounts/staging.auto.tfvars.example b/aws/accounts/staging.auto.tfvars.example
new file mode 100644
index 000000000..d5edac191
--- /dev/null
+++ b/aws/accounts/staging.auto.tfvars.example
@@ -0,0 +1,2 @@
+staging_account_name="staging"
+staging_account_email="info+staging@cloudposse.co"
diff --git a/aws/accounts/staging.tf b/aws/accounts/staging.tf
new file mode 100644
index 000000000..d20e0a2a2
--- /dev/null
+++ b/aws/accounts/staging.tf
@@ -0,0 +1,21 @@
+variable "staging_account_name" {
+ type = "string"
+ description = "Staging account name"
+ default = "staging"
+}
+
+variable "staging_account_email" {
+ type = "string"
+ description = "Staging account email"
+}
+
+resource "aws_organizations_account" "staging" {
+ name = "${var.staging_account_name}"
+ email = "${var.staging_account_email}"
+ iam_user_access_to_billing = "${var.account_iam_user_access_to_billing}"
+ role_name = "${var.account_role_name}"
+}
+
+output "staging_account_arn" {
+ value = "${aws_organizations_account.staging.arn}"
+}
diff --git a/aws/acm-cloudfront/main.tf b/aws/acm-cloudfront/main.tf
index c50eae7b5..ca9a32b5f 100644
--- a/aws/acm-cloudfront/main.tf
+++ b/aws/acm-cloudfront/main.tf
@@ -4,7 +4,9 @@ terraform {
 backend "s3" {}
 }
-variable "aws_assume_role_arn" {}
+variable "aws_assume_role_arn" {
+ type = "string"
+}
 provider "aws" {
 # CloudFront certs must be created in the `aws-east-1` region, even if your origin is in a different one
diff --git a/aws/dns/main.tf b/aws/dns/main.tf
deleted file mode 100644
index e6b7ca3bc..000000000
--- a/aws/dns/main.tf
+++ /dev/null
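Review bot: The comment on the context line at the end of the aws/acm-cloudfront/main.tf hunk names the region as `aws-east-1`; the region CloudFront requires ACM certificates to live in is `us-east-1`, so an operator reading the comment to configure the provider would look for a region that does not exist. The line is not changed by this commit, but the hunk already touches the declaration right above it, so fixing the name in the same change is cheap: replace `aws-east-1` with `us-east-1` in the comment. The `provider "aws"` block the comment annotates continues past the end of the hunk.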
@@ -1,32 +0,0 @@
-terraform {
- required_version = ">= 0.11.2"
-
- backend "s3" {}
-}
-
-variable "aws_assume_role_arn" {}
-
-provider "aws" {
- assume_role {
- role_arn = "${var.aws_assume_role_arn}"
- }
-}
-
-variable "domain_name" {
- description = "domain name for zone"
-}
-
-resource "aws_route53_zone" "default" {
- name = "${var.domain_name}"
-}
-
-resource "aws_route53_record" "default" {
- zone_id = "${aws_route53_zone.default.id}"
- name = "${aws_route53_zone.default.name}"
- type = "SOA"
- ttl = "60"
-
- records = [
- "${aws_route53_zone.default.name_servers.0}. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400",
- ]
-}
diff --git a/aws/dns/outputs.tf b/aws/dns/outputs.tf
deleted file mode 100644
index b4f46ed55..000000000
--- a/aws/dns/outputs.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-output "zone_id" {
- value = "${aws_route53_zone.default.zone_id}"
-}
-
-output "name_servers" {
- value = "${aws_route53_zone.default.name_servers}"
-}
diff --git a/aws/iam/audit.auto.tfvars.example b/aws/iam/audit.auto.tfvars.example
new file mode 100644
index 000000000..84582d47a
--- /dev/null
+++ b/aws/iam/audit.auto.tfvars.example
@@ -0,0 +1,2 @@
+audit_account_id=""
+audit_account_user_names=["", "",]
diff --git a/aws/iam/audit.tf b/aws/iam/audit.tf
new file mode 100644
index 000000000..f455fa792
--- /dev/null
+++ b/aws/iam/audit.tf
@@ -0,0 +1,19 @@
+variable "audit_account_id" {
+ type = "string"
+ description = "Audit account ID"
+}
+
+variable "audit_account_user_names" {
+ type = "list"
+ description = "IAM user names to grant access to Audit account"
+}
+
+# Provision group access to audit account. Careful! Very few people, if any should have access to this account.
+module "organization_access_group_audit" {
+ source = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=tags/0.1.2"
+ namespace = "${var.namespace}"
+ stage = "audit"
+ name = "admin"
+ user_names = ["${var.audit_account_user_names}"]
+ member_account_id = "${var.audit_account_id}"
+}
diff --git a/aws/iam/dev.auto.tfvars.example b/aws/iam/dev.auto.tfvars.example
new file mode 100644
index 000000000..334b68c32
--- /dev/null
+++ b/aws/iam/dev.auto.tfvars.example
@@ -0,0 +1,2 @@
+dev_account_id=""
+dev_account_user_names=["", "",]
diff --git a/aws/iam/dev.tf b/aws/iam/dev.tf
new file mode 100644
index 000000000..beebcbfe2
--- /dev/null
+++ b/aws/iam/dev.tf
@@ -0,0 +1,19 @@
+variable "dev_account_id" {
+ type = "string"
+ description = "Dev account ID"
+}
+
+variable "dev_account_user_names" {
+ type = "list"
+ description = "IAM user names to grant access to Dev account"
+}
+
+# Provision group access to dev account
+module "organization_access_group_dev" {
+ source = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=tags/0.1.2"
+ namespace = "${var.namespace}"
+ stage = "dev"
+ name = "admin"
+ user_names = ["${var.dev_account_user_names}"]
+ member_account_id = "${var.dev_account_id}"
+}
diff --git a/aws/iam/main.tf b/aws/iam/main.tf
new file mode 100644
index 000000000..ea7f40f3f
--- /dev/null
+++ b/aws/iam/main.tf
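Review bot: The `source` of `organization_access_group_audit` in aws/iam/audit.tf is pinned to `?ref=tags/0.1.2`, and a git tag is a mutable pointer: anyone who can move that tag in the upstream repository changes what this module provisions on the next `terraform init`, which per the comment above it is group access to the audit account that "very few people, if any" should hold. The same tag pin appears in dev.tf, prod.tf and staging.tf, and root.tf pins terraform-aws-iam-assumed-roles to `tags/0.2.0`. For code that hands out admin access to member accounts, pin the commit rather than the tag, `source = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=<commit-sha-that-tag-0.1.2-points-to>"`, and keep the tag name in a comment beside it so upgrades stay readable.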
@@ -0,0 +1,20 @@
+terraform {
+ required_version = ">= 0.11.2"
+
+ backend "s3" {}
+}
+
+variable "aws_assume_role_arn" {
+ type = "string"
+}
+
+variable "namespace" {
+ type = "string"
+ description = "Namespace (e.g. `cp` or `cloudposse`)"
+}
+
+provider "aws" {
+ assume_role {
+ role_arn = "${var.aws_assume_role_arn}"
+ }
+}
diff --git a/aws/iam/prod.auto.tfvars.example b/aws/iam/prod.auto.tfvars.example
new file mode 100644
index 000000000..ef3d54b85
--- /dev/null
+++ b/aws/iam/prod.auto.tfvars.example
@@ -0,0 +1,2 @@
+prod_account_id=""
+prod_account_user_names=["", "",]
diff --git a/aws/iam/prod.tf b/aws/iam/prod.tf
new file mode 100644
index 000000000..ec58c301c
--- /dev/null
+++ b/aws/iam/prod.tf
@@ -0,0 +1,19 @@
+variable "prod_account_id" {
+ type = "string"
+ description = "Production account ID"
+}
+
+variable "prod_account_user_names" {
+ type = "list"
+ description = "IAM user names to grant access to Production account"
+}
+
+# Provision group access to production account
+module "organization_access_group_prod" {
+ source = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=tags/0.1.2"
+ namespace = "${var.namespace}"
+ stage = "prod"
+ name = "admin"
+ user_names = ["${var.prod_account_user_names}"]
+ member_account_id = "${var.prod_account_id}"
+}
diff --git a/aws/iam/root.auto.tfvars.example b/aws/iam/root.auto.tfvars.example
new file mode 100644
index 000000000..632ca165a
--- /dev/null
+++ b/aws/iam/root.auto.tfvars.example
@@ -0,0 +1,2 @@
+root_account_admin_user_names=["", "",]
+root_account_readonly_user_names=["", "",]
diff --git a/aws/iam/root.tf b/aws/iam/root.tf
new file mode 100644
index 000000000..79a1bfbee
--- /dev/null
+++ b/aws/iam/root.tf
@@ -0,0 +1,21 @@
+variable "root_account_admin_user_names" {
+ type = "list"
+ description = "IAM user names to grant admin access to Root account"
+}
+
+variable "root_account_readonly_user_names" {
+ type = "list"
+ description = "IAM user names to grant readonly access to Root account"
+ default = []
+}
+
+# Provision group access to root account with MFA
+module "organization_access_group_root" {
+ source = "git::https://github.com/cloudposse/terraform-aws-iam-assumed-roles.git?ref=tags/0.2.0"
+ namespace = "${var.namespace}"
+ stage = "root"
+ admin_name = "admin"
+ readonly_name = "readonly"
+ admin_user_names = ["${var.root_account_admin_user_names}"]
+ readonly_user_names = ["${var.root_account_readonly_user_names}"]
+}
diff --git a/aws/iam/staging.auto.tfvars.example b/aws/iam/staging.auto.tfvars.example
new file mode 100644
index 000000000..7c81f75f6
--- /dev/null
+++ b/aws/iam/staging.auto.tfvars.example
@@ -0,0 +1,2 @@
+staging_account_id=""
+staging_account_user_names=["", "",]
diff --git a/aws/iam/staging.tf b/aws/iam/staging.tf
new file mode 100644
index 000000000..9c292ce5a
--- /dev/null
+++ b/aws/iam/staging.tf
@@ -0,0 +1,19 @@
+variable "staging_account_id" {
+ type = "string"
+ description = "Staging account ID"
+}
+
+variable "staging_account_user_names" {
+ type = "list"
+ description = "IAM user names to grant access to Staging account"
+}
+
+# Provision group access to staging account
+module "organization_access_group_staging" {
+ source = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=tags/0.1.2"
+ namespace = "${var.namespace}"
+ stage = "staging"
+ name = "admin"
+ user_names = ["${var.staging_account_user_names}"]
+ member_account_id = "${var.staging_account_id}"
+}
diff --git a/aws/kops-aws-platform/terraform.tfvars.example b/aws/kops-aws-platform/terraform.tfvars.example
index 16db64d2b..0322c1a61 100644
--- a/aws/kops-aws-platform/terraform.tfvars.example
+++ b/aws/kops-aws-platform/terraform.tfvars.example
@@ -1,4 +1,4 @@
 namespace="cp"
 stage="staging"
 region="us-west-2"
-zone_name="us-west-2.cloudposse.co"
+zone_name="us-west-2.staging.cloudposse.co"
diff --git a/aws/organization/main.tf b/aws/organization/main.tf
index 0dd7c9738..d02f4cbcd 100644
--- a/aws/organization/main.tf
+++ b/aws/organization/main.tf
@@ -14,7 +14,7 @@ variable "aws_assume_role_arn" {
 variable "organization_feature_set" {
 type = "string"
 default = "ALL"
- description = "Specify `ALL` (default) or `CONSOLIDATED_BILLING`"
+ description = "`ALL` (default) or `CONSOLIDATED_BILLING`"
 }
 provider "aws" {
diff --git a/aws/root-dns/main.tf b/aws/root-dns/main.tf
new file mode 100644
index 000000000..ba39349f9
--- /dev/null
+++ b/aws/root-dns/main.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.11.2"
+
+ backend "s3" {}
+}
+
+variable "aws_assume_role_arn" {
+ type = "string"
+}
+
+provider "aws" {
+ assume_role {
+ role_arn = "${var.aws_assume_role_arn}"
+ }
+}
diff --git a/aws/root-dns/parent-audit-ns.tf b/aws/root-dns/parent-audit-ns.tf
new file mode 100644
index 000000000..b43254d31
--- /dev/null
+++ b/aws/root-dns/parent-audit-ns.tf
@@ -0,0 +1,11 @@
+variable "audit_name_servers" {
+ type = "list"
+}
+
+resource "aws_route53_record" "audit_dns_zone_ns" {
+ zone_id = "${aws_route53_zone.parent_dns_zone.zone_id}"
+ name = "audit"
+ type = "NS"
+ ttl = "30"
+ records = ["${var.audit_name_servers}"]
+}
diff --git a/aws/root-dns/parent-dev-ns.tf b/aws/root-dns/parent-dev-ns.tf
new file mode 100644
index 000000000..bc411413d
--- /dev/null
+++ b/aws/root-dns/parent-dev-ns.tf
@@ -0,0 +1,11 @@
+variable "dev_name_servers" {
+ type = "list"
+}
+
+resource "aws_route53_record" "dev_dns_zone_ns" {
+ zone_id = "${aws_route53_zone.parent_dns_zone.zone_id}"
+ name = "dev"
+ type = "NS"
+ ttl = "30"
+ records = ["${var.dev_name_servers}"]
+}
diff --git a/aws/root-dns/parent-local-ns.tf b/aws/root-dns/parent-local-ns.tf
new file mode 100644
index 000000000..f861fdb93
--- /dev/null
+++ b/aws/root-dns/parent-local-ns.tf
@@ -0,0 +1,11 @@
+variable "local_name_servers" {
+ type = "list"
+}
+
+resource "aws_route53_record" "local_dns_zone_ns" {
+ zone_id = "${aws_route53_zone.parent_dns_zone.zone_id}"
+ name = "local"
+ type = "NS"
+ ttl = "30"
+ records = ["${var.local_name_servers}"]
+}
diff --git a/aws/root-dns/parent-prod-ns.tf b/aws/root-dns/parent-prod-ns.tf
new file mode 100644
index 000000000..50b2e43fc
--- /dev/null
+++ b/aws/root-dns/parent-prod-ns.tf
@@ -0,0 +1,11 @@
+variable "prod_name_servers" {
+ type = "list"
+}
+
+resource "aws_route53_record" "prod_dns_zone_ns" {
+ zone_id = "${aws_route53_zone.parent_dns_zone.zone_id}"
+ name = "prod"
+ type = "NS"
+ ttl = "30"
+ records = ["${var.prod_name_servers}"]
+}
diff --git a/aws/root-dns/parent-staging-ns.tf b/aws/root-dns/parent-staging-ns.tf
new file mode 100644
index 000000000..2036232b5
--- /dev/null
+++ b/aws/root-dns/parent-staging-ns.tf
@@ -0,0 +1,11 @@
+variable "staging_name_servers" {
+ type = "list"
+}
+
+resource "aws_route53_record" "staging_dns_zone_ns" {
+ zone_id = "${aws_route53_zone.parent_dns_zone.zone_id}"
+ name = "staging"
+ type = "NS"
+ ttl = "30"
+ records = ["${var.staging_name_servers}"]
+}
diff --git a/aws/root-dns/parent.tf b/aws/root-dns/parent.tf
new file mode 100644
index 000000000..822a5a667
--- /dev/null
+++ b/aws/root-dns/parent.tf
@@ -0,0 +1,28 @@
+variable "parent_domain_name" {
+ type = "string"
+ description = "Parent domain name"
+}
+
+resource "aws_route53_zone" "parent_dns_zone" {
+ name = "${var.parent_domain_name}"
+ comment = "Parent domain name"
+}
+
+resource "aws_route53_record" "parent_dns_zone_soa" {
+ zone_id = "${aws_route53_zone.parent_dns_zone.id}"
+ name = "${aws_route53_zone.parent_dns_zone.name}"
+ type = "SOA"
+ ttl = "60"
+
+ records = [
+ "${aws_route53_zone.parent_dns_zone.name_servers.0}. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400",
+ ]
+}
+
+output "parent_zone_id" {
+ value = "${aws_route53_zone.parent_dns_zone.zone_id}"
+}
+
+output "parent_name_servers" {
+ value = "${aws_route53_zone.parent_dns_zone.name_servers}"
+}
diff --git a/aws/root-dns/root.tf b/aws/root-dns/root.tf
new file mode 100644
index 000000000..147584141
--- /dev/null
+++ b/aws/root-dns/root.tf
@@ -0,0 +1,36 @@
+variable "root_domain_name" {
+ type = "string"
+ description = "Root domain name"
+}
+
+resource "aws_route53_zone" "root_dns_zone" {
+ name = "${var.root_domain_name}"
+ comment = "DNS Zone for Root Account"
+}
+
+resource "aws_route53_record" "root_dns_zone_soa" {
+ zone_id = "${aws_route53_zone.root_dns_zone.id}"
+ name = "${aws_route53_zone.root_dns_zone.name}"
+ type = "SOA"
+ ttl = "60"
+
+ records = [
+ "${aws_route53_zone.root_dns_zone.name_servers.0}. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400",
+ ]
+}
+
+resource "aws_route53_record" "root_dns_zone_ns" {
+ zone_id = "${aws_route53_zone.parent_dns_zone.zone_id}"
+ name = "root"
+ type = "NS"
+ ttl = "30"
+ records = ["${aws_route53_zone.root_dns_zone.name_servers}"]
+}
+
+output "root_zone_id" {
+ value = "${aws_route53_zone.root_dns_zone.zone_id}"
+}
+
+output "root_name_servers" {
+ value = "${aws_route53_zone.root_dns_zone.name_servers}"
+}
diff --git a/aws/root-dns/terraform.tfvars.example b/aws/root-dns/terraform.tfvars.example
new file mode 100644
index 000000000..94dd6a1d7
--- /dev/null
+++ b/aws/root-dns/terraform.tfvars.example
@@ -0,0 +1,7 @@
+parent_domain_name="cloudposse.co"
+domain_name="root.cloudposse.co"
+prod_name_servers = ["", "", "", "",]
+staging_name_servers = ["", "", "", "",]
+audit_name_servers = ["", "", "", "",]
+dev_name_servers = ["", "", "", "",]
+local_name_servers = ["", "", "", "",]
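Review bot: The second line of the new aws/root-dns/terraform.tfvars.example sets `domain_name="root.cloudposse.co"`, but no `domain_name` variable is declared anywhere under aws/root-dns in this commit: main.tf declares `aws_assume_role_arn`, parent.tf declares `parent_domain_name`, and root.tf declares `root_domain_name`, which is evidently the input this value is meant for. Copied as-is, the example leaves `root_domain_name` unset, so Terraform prompts for it or fails, while the stray `domain_name` produces an undeclared-variable warning or error depending on the Terraform version. Change the line to `root_domain_name="root.cloudposse.co"`.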