This repository has been archived by the owner on Feb 2, 2024. It is now read-only.
Terraform code to configure PCA accounts for the COOL.

cisagov/cool-accounts-pca

cool-accounts-pca

This project contains Terraform code to perform the initial configuration of a COOL PCA account. This Terraform code creates and configures the most basic resources needed to build out services and environments.

It creates an IAM role that allows sufficient permissions to provision all AWS resources in this account. This role has a trust relationship with the COOL users account.

Bootstrapping this account

Note that the COOL PCA account must be bootstrapped. This is because initially there is no IAM role that can be assumed to build out these resources. Therefore you must first apply the Terraform code using programmatic credentials for AWSAdministratorAccess as obtained for the COOL PCA account from the COOL AWS SSO page.

After this initial apply your desired IAM role will exist, and it will be assumable from your IAM user that exists in the COOL users account. Therefore you can apply future changes using your IAM user credentials.

To do this bootstrapping, follow these steps:

  1. Comment out the profile = "cool-pca-provisionaccount" line for the "default" provider in providers.tf and directly below that uncomment the line profile = "cool-pca-account-admin".

  2. Create a new AWS profile called cool-pca-account-admin in your Boto3 configuration using the "AWSAdministratorAccess" credentials (access key ID, secret access key, and session token) as obtained from the COOL PCA account:

    [cool-pca-account-admin]
    aws_access_key_id = <MY_ACCESS_KEY_ID>
    aws_secret_access_key = <MY_SECRET_ACCESS_KEY>
    aws_session_token = <MY_SESSION_TOKEN>

  3. Create a Terraform workspace (if you haven't already done so) by running terraform workspace new <workspace_name>

  4. Create a <workspace_name>.tfvars file with any optional variables that you wish to override (see Inputs below for details):

    tags = {
      Team        = "VM Fusion - Development"
      Application = "COOL - PCA"
      Workspace   = "production"
    }

  5. Run the command terraform init.

  6. Run the command terraform apply -var-file=<workspace_name>.tfvars.

  7. Revert the changes you made to providers.tf in step 1.

  8. Run the command terraform apply -var-file=<workspace_name>.tfvars.

At this point the account has been bootstrapped, and you can apply future changes by simply running terraform apply -var-file=<workspace_name>.tfvars.
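The bootstrap steps above, scripted as an added example; this is not code from the cisagov/cool-accounts-pca repository. The two profile names are the ones the README uses. Everything else is an assumption made for the example: the layout of the sample providers.tf "default" provider block, the sample credentials file with fake placeholder values, and the helper names.

```shell
#!/usr/bin/env bash
# Added example, not code from the cisagov/cool-accounts-pca repository.
# Helpers for the bootstrap steps in the README. Assumptions: the providers.tf
# block and the credentials file written below are constructed samples, and the
# credential values are fake placeholders. The two profile names are the ones
# the README uses.
set -eu

PROVISION_PROFILE="cool-pca-provisionaccount"
ADMIN_PROFILE="cool-pca-account-admin"

# Constructed sample of a providers.tf "default" provider block (assumption).
write_sample_providers_tf() {
  cat > "$1" <<'EOF'
provider "aws" {
  profile = "cool-pca-provisionaccount"
  # profile = "cool-pca-account-admin"
  region  = "us-east-1"
}
EOF
}

# Constructed sample credentials file with fake placeholder values (assumption).
write_sample_credentials() {
  cat > "$1" <<'EOF'
[cool-pca-account-admin]
aws_access_key_id = EXAMPLE_ACCESS_KEY_ID
aws_secret_access_key = EXAMPLE_SECRET_ACCESS_KEY
aws_session_token = EXAMPLE_SESSION_TOKEN

[some-other-profile]
aws_access_key_id = EXAMPLE_ACCESS_KEY_ID
aws_secret_access_key = EXAMPLE_SECRET_ACCESS_KEY
EOF
}

# Rewrite providers.tf ($1) so the profile line naming $2 is commented out and
# the commented line naming $3 becomes active. Leading indentation is kept.
swap_profile_lines() {
  tmp="$(mktemp)"
  sed -e "s|^\([[:space:]]*\)profile = \"$2\"|\1# profile = \"$2\"|" \
      -e "s|^\([[:space:]]*\)# profile = \"$3\"|\1profile = \"$3\"|" \
      "$1" > "$tmp" && mv "$tmp" "$1"
}

# Step 1: point the default provider at the temporary admin profile.
use_admin_profile() { swap_profile_lines "$1" "$PROVISION_PROFILE" "$ADMIN_PROFILE"; }

# Step 7: revert so future applies assume the ProvisionAccount role again.
use_provision_profile() { swap_profile_lines "$1" "$ADMIN_PROFILE" "$PROVISION_PROFILE"; }

# Step 2 check: profile $2 exists in credentials file $1 and carries all three
# fields the README lists (access key ID, secret access key, session token).
profile_has_sts_credentials() {
  awk -v p="[$2]" '
    $0 == p { in_p = 1; next }
    /^\[/   { in_p = 0 }
    in_p && /^aws_access_key_id[[:space:]]*=/     { a = 1 }
    in_p && /^aws_secret_access_key[[:space:]]*=/ { s = 1 }
    in_p && /^aws_session_token[[:space:]]*=/     { t = 1 }
    END { exit !(a && s && t) }
  ' "$1"
}

# Pre-commit guard: true only when the default provider uses the provisionaccount
# profile and no line still activates the admin profile (step 7 was not skipped).
providers_tf_is_reverted() {
  grep -q "^[[:space:]]*profile = \"$PROVISION_PROFILE\"" "$1" &&
    ! grep -q "^[[:space:]]*profile = \"$ADMIN_PROFILE\"" "$1"
}

# Steps 1 and 3-8 in README order. Runs terraform, so it is only called on request.
bootstrap() {
  workspace="$1"; providers_tf="${2:-providers.tf}"
  use_admin_profile "$providers_tf"
  terraform workspace new "$workspace"
  terraform init
  terraform apply -var-file="$workspace.tfvars"
  use_provision_profile "$providers_tf"
  terraform apply -var-file="$workspace.tfvars"
}

# Stand-alone run: exercise the helpers on the constructed samples only.
if [ "${1:-}" = "bootstrap" ]; then
  bootstrap "${2:?workspace name required}"
else
  demo="$(mktemp -d)"
  write_sample_providers_tf "$demo/providers.tf"
  write_sample_credentials "$demo/credentials"
  if profile_has_sts_credentials "$demo/credentials" "$ADMIN_PROFILE"; then
    echo "credentials: $ADMIN_PROFILE has all three STS fields"
  fi
  use_admin_profile "$demo/providers.tf"
  providers_tf_is_reverted "$demo/providers.tf" || echo "providers.tf: admin profile active (bootstrap state)"
  use_provision_profile "$demo/providers.tf"
  providers_tf_is_reverted "$demo/providers.tf" && echo "providers.tf: reverted, safe to commit"
  rm -rf "$demo"
fi
```

Run with no arguments to exercise the checks on the constructed sample files; `bootstrap.sh bootstrap <workspace_name>` runs the terraform steps in README order against the providers.tf in the current directory. The providers_tf_is_reverted check is the one worth wiring into a pre-commit hook: a providers.tf committed with the admin profile active would make every later apply depend on short-lived AWSAdministratorAccess credentials instead of the ProvisionAccount role.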

Requirements

| Name | Version |
|------|---------|
| terraform | ~> 1.0 |
| aws | ~> 4.9 |

Providers

| Name | Version |
|------|---------|
| aws.organizationsreadonly | ~> 4.9 |

Modules

| Name | Source | Version |
|------|--------|---------|
| cw_alarm_sns | github.com/cisagov/sns-send-to-account-email-tf-module | n/a |
| provisionaccount | github.com/cisagov/provisionaccount-role-tf-module | n/a |

Resources

| Name | Type |
|------|------|
| aws_organizations_organization.cool | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| aws_region | The AWS region where the non-global resources for the PCA account are to be provisioned (e.g. "us-east-1"). | string | "us-east-1" | no |
| provisionaccount_role_description | The description to associate with the IAM role that allows sufficient permissions to provision all AWS resources in the PCA account. | string | "Allows sufficient permissions to provision all AWS resources in the PCA account." | no |
| provisionaccount_role_name | The name to assign the IAM role that allows sufficient permissions to provision all AWS resources in the PCA account. | string | "ProvisionAccount" | no |
| tags | Tags to apply to all AWS resources created. | map(string) | {} | no |

Outputs

| Name | Description |
|------|-------------|
| cw_alarm_sns_topic | The SNS topic to which a message is sent when a CloudWatch alarm is triggered. |
| provisionaccount_role | The IAM role that allows sufficient permissions to provision all AWS resources in the PCA account. |

Notes

Running pre-commit requires running terraform init in every directory that contains Terraform code. In this repository, this is just the main directory.

Contributing

We welcome contributions! Please see CONTRIBUTING.md for details.

License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.
