This project contains Terraform code to perform the initial configuration of a COOL PCA account. This Terraform code creates and configures the most basic resources needed to build out services and environments.
It creates an IAM role that allows sufficient permissions to provision all AWS resources in this account. This role has a trust relationship with the COOL users account.
Note that the COOL PCA account must be bootstrapped. This is because initially there is no IAM role that can be assumed to build out these resources. Therefore you must first apply the Terraform code using programmatic credentials for AWSAdministratorAccess as obtained for the COOL PCA account from the COOL AWS SSO page.
After this initial apply your desired IAM role will exist, and it will be assumable from your IAM user that exists in the COOL users account. Therefore you can apply future changes using your IAM user credentials.
To do this bootstrapping, follow these steps:

1. Comment out the `profile = "cool-pca-provisionaccount"` line for the "default" provider in `providers.tf` and directly below that uncomment the line `profile = "cool-pca-account-admin"`.
2. Create a new AWS profile called `cool-pca-account-admin` in your Boto3 configuration using the "AWSAdministratorAccess" credentials (access key ID, secret access key, and session token) as obtained from the COOL PCA account:

   ```ini
   [cool-pca-account-admin]
   aws_access_key_id = <MY_ACCESS_KEY_ID>
   aws_secret_access_key = <MY_SECRET_ACCESS_KEY>
   aws_session_token = <MY_SESSION_TOKEN>
   ```

3. Create a Terraform workspace (if you haven't already done so) by running `terraform workspace new <workspace_name>`.
4. Create a `<workspace_name>.tfvars` file with any optional variables that you wish to override (see the Inputs table below for details):

   ```hcl
   tags = {
     Team        = "VM Fusion - Development"
     Application = "COOL - PCA"
     Workspace   = "production"
   }
   ```

5. Run the command `terraform init`.
6. Run the command `terraform apply -var-file=<workspace_name>.tfvars`.
7. Revert the changes you made to `providers.tf` in step 1.
8. Run the command `terraform apply -var-file=<workspace_name>.tfvars`.

At this point the account has been bootstrapped, and you can apply future changes by simply running `terraform apply -var-file=<workspace_name>.tfvars`.
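As an added illustration (not a file from this repository), the following shows how the two profiles used in steps 1 and 2 can sit side by side in an AWS config file once bootstrapping is finished: the temporary `cool-pca-account-admin` profile holds the short-lived AWSAdministratorAccess session credentials and can be deleted after step 8, while `cool-pca-provisionaccount` holds no keys of its own and instead assumes the `ProvisionAccount` role using your COOL users account profile as its source. The account IDs and the `cool-users` profile name are placeholders assumed for this example.

```ini
# ~/.aws/config (example only; account IDs and the cool-users profile are assumed)

# Long-lived credentials belong only to your IAM user in the COOL users account.
# Assumed: the keys for this profile live in ~/.aws/credentials under [cool-users].
[profile cool-users]
region = us-east-1

# Day-to-day profile used by the "default" provider in providers.tf.
# No static keys here: STS assumes the ProvisionAccount role created by this
# Terraform code (role name is the provisionaccount_role_name input, default
# "ProvisionAccount"; <PCA_ACCOUNT_ID> is a placeholder for the COOL PCA account).
[profile cool-pca-provisionaccount]
role_arn = arn:aws:iam::<PCA_ACCOUNT_ID>:role/ProvisionAccount
source_profile = cool-users
region = us-east-1

# Bootstrap-only profile (step 2). These are the temporary AWSAdministratorAccess
# session credentials from the COOL AWS SSO page; they expire on their own, and
# the section can be removed once the final apply in step 8 has succeeded.
[profile cool-pca-account-admin]
aws_access_key_id = <MY_ACCESS_KEY_ID>
aws_secret_access_key = <MY_SECRET_ACCESS_KEY>
aws_session_token = <MY_SESSION_TOKEN>
region = us-east-1
```

Before reverting `providers.tf` in step 7, `aws sts get-caller-identity --profile cool-pca-provisionaccount` is a quick way to confirm that the role created in step 6 is now assumable from the users account.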
Name | Version |
---|---|
terraform | ~> 1.0 |
aws | ~> 4.9 |

Name | Version |
---|---|
aws.organizationsreadonly | ~> 4.9 |

Name | Source | Version |
---|---|---|
cw_alarm_sns | github.com/cisagov/sns-send-to-account-email-tf-module | n/a |
provisionaccount | github.com/cisagov/provisionaccount-role-tf-module | n/a |

Name | Type |
---|---|
aws_organizations_organization.cool | data source |

Name | Description | Type | Default | Required |
---|---|---|---|---|
aws_region | The AWS region where the non-global resources for the PCA account are to be provisioned (e.g. "us-east-1"). | string | "us-east-1" | no |
provisionaccount_role_description | The description to associate with the IAM role that allows sufficient permissions to provision all AWS resources in the PCA account. | string | "Allows sufficient permissions to provision all AWS resources in the PCA account." | no |
provisionaccount_role_name | The name to assign the IAM role that allows sufficient permissions to provision all AWS resources in the PCA account. | string | "ProvisionAccount" | no |
tags | Tags to apply to all AWS resources created. | map(string) | {} | no |

Name | Description |
---|---|
cw_alarm_sns_topic | The SNS topic to which a message is sent when a CloudWatch alarm is triggered. |
provisionaccount_role | The IAM role that allows sufficient permissions to provision all AWS resources in the PCA account. |
Running `pre-commit` requires running `terraform init` in every directory that contains Terraform code. In this repository, this is just the main directory.

We welcome contributions! Please see `CONTRIBUTING.md` for details.
This project is in the worldwide public domain.
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.