This repository contains Terraform code for configuring AWS accounts for use in the COOL.
-
A valid AWS profile that has permissions to administer Single Sign-On (SSO) resources, similar to this policy.
-
A valid AWS profile that has permissions to manage service quotas, similar to the AWS
ServiceQuotasFullAccesspolicy (see here for more information). If you usedcisagov/provisionaccount-role-tf-moduleto create your account-provisioning role, then that policy is already attached to your account-provisioning role. -
Terraform installed on your system.
-
The AWS CLI installed on your system.
-
jq installed on your system.
-
An accessible AWS S3 bucket to store Terraform state (specified in
backend.tf). -
An accessible AWS DynamoDB database to store the Terraform state lock (specified in
backend.tf). -
A Terraform variables file customized for the AWS account(s) that you want to configure, for example:
account_name_regex = "^[[:alnum:]]-production$" groups_to_add_access_to = [ { group = "Admins", permission_sets = ["AWSAdministratorAccess"] } ] sso_admin_profile = "AdministerSSO" users_to_remove_access_from = [ { username = "john.doe@example.com", permission_sets = ["AWSAdministratorAccess"] } ]
-
Create a Terraform workspace (if you haven't already done so) by running
terraform workspace new <workspace_name>. -
Create a
<workspace_name>.tfvarsfile with all of the required variables (see Inputs below for details). -
Run the command
terraform init. -
Provision the new AWS account(s) by running the command:
terraform apply -var-file=<workspace_name>.tfvars
| Name | Version |
|---|---|
| terraform | ~> 1.0 |
| aws | ~> 4.9 |
| Name | Version |
|---|---|
| aws | ~> 4.9 |
| aws.organizationsreadonly | ~> 4.9 |
| aws.quotas | ~> 4.9 |
| null | n/a |
| terraform | n/a |
No modules.
| Name | Type |
|---|---|
| aws_servicequotas_service_quota.all | resource |
| aws_ssoadmin_account_assignment.group | resource |
| aws_ssoadmin_account_assignment.user | resource |
| null_resource.remove_group | resource |
| null_resource.remove_user | resource |
| aws_caller_identity.current | data source |
| aws_identitystore_group.all | data source |
| aws_identitystore_user.all | data source |
| aws_organizations_organization.org | data source |
| aws_ssoadmin_instances.current | data source |
| aws_ssoadmin_permission_set.all | data source |
| terraform_remote_state.master | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account_name_regex | The Terraform regular expression matching the name of the account(s) that you want to configure (e.g. "^[[:alnum:]]-production$"). See [https://www.terraform.io/language/functions/regex] for details on Terraform regular expression syntax. | string |
n/a | yes |
| account_quota_profile | The name of the AWS profile (typically found in your .aws/credentials file) whose role has permissions to manage service quotas for the account to configure. For an example, look at the AWS "ServiceQuotasFullAccess" policy: [https://docs.aws.amazon.com/servicequotas/latest/userguide/identity-access-management.html]. | string |
n/a | yes |
| aws_region | The AWS region to deploy into (e.g. us-east-1). | string |
"us-east-1" |
no |
| groups_to_add_access_to | A list of objects specifying Single Sign-On (SSO) groups to add permissions to. Each object contains the SSO group name and the list of permission sets to add access to. Example: [{ group = "Admins", permission_sets = ["AWSAdministratorAccess"] }] | list(object({ group = string, permission_sets = list(string) })) |
[] |
no |
| groups_to_remove_access_from | A list of objects specifying Single Sign-On (SSO) groups to remove permissions from. Each object contains the SSO group name and the list of permission sets to remove access from. Example: [{ group = "NonAdmins", permission_sets = ["AWSAdministratorAccess"] }] | list(object({ group = string, permission_sets = list(string) })) |
[] |
no |
| service_quotas | A list of objects specifying service quotas to request. Each object contains a name, quota code, service code, and value for the quota. Example: [{ name = "Elastic IPs", quota_code = "L-0263D0A3", service_code = "ec2", value = 10 }] | list(object({ name = string, quota_code = string, service_code = string, value = number })) |
[] |
no |
| sso_admin_profile | The name of the AWS profile (typically found in your .aws/credentials file) to use for the default Terraform provider. This profile's role must include permissions to administer Single Sign-On (SSO) resources. For an example of a role like this, look at [cisagov/cool-accounts#95]. | string |
n/a | yes |
| tags | Tags to apply to all AWS resources created. | map(string) |
{} |
no |
| users_to_add_access_to | A list of objects specifying Single Sign-On (SSO) users to add permissions to. Each object contains the SSO username and the list of permission sets to add access to. Example: [{ username = "john.doe@example.com", permission_sets = ["AWSAdministratorAccess"] }] | list(object({ username = string, permission_sets = list(string) })) |
[] |
no |
| users_to_remove_access_from | A list of objects specifying Single Sign-On (SSO) users to remove permissions from. Each object contains the SSO username and the list of permission sets to remove access from. Example: [{ username = "john.doe@example.com", permission_sets = ["AWSAdministratorAccess"] }] | list(object({ username = string, permission_sets = list(string) })) |
[] |
no |
| Name | Description |
|---|---|
| service_quotas | All requested service quotas. |
| sso_group_assignments | The permission set assignments of each SSO group in each AWS account. |
| sso_user_assignments | The permission set assignments of each SSO user in each AWS account. |
Running pre-commit requires running terraform init in every directory that
contains Terraform code. In this repository, this is only the main directory.
We welcome contributions! Please see CONTRIBUTING.md for
details.
This project is in the worldwide public domain.
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.