Terraform code to create roles related to the creation of and access to buckets to house assessment images in the Images (Production) and Images (Staging) accounts in the COOL.
- Terraform installed on your system.
- An accessible AWS S3 bucket to store Terraform state (specified in backend.tf).
- An accessible AWS DynamoDB database to store the Terraform state lock (specified in backend.tf).
- Access to all of the Terraform remote states specified in remote_states.tf.
- The following COOL accounts and roles must have been created:
- Images (Production and Staging):
cisagov/cool-accounts/images - Terraform:
cisagov/cool-accounts/terraform - Users:
cisagov/cool-accounts/users
- Images (Production and Staging):
| Name | Version |
|---|---|
| terraform | ~> 1.0 |
| aws | ~> 4.9 |
| Name | Version |
|---|---|
| aws | ~> 4.9 |
| aws.images_production | ~> 4.9 |
| aws.images_staging | ~> 4.9 |
| aws.users | ~> 4.9 |
| terraform | n/a |
| Name | Source | Version |
|---|---|---|
| read_terraform_state | github.com/cisagov/terraform-state-read-role-tf-module | n/a |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| assessment_images_bucket_base_name | The base name to use for the assessment images S3 buckets. This value will be appended with "-production" or "-staging" to create the appropriate full bucket name (e.g. With the default value "cisa-cool-assessment-images-production" will be used for the bucket in the Images (Production) account). | string |
"cisa-cool-assessment-images" |
no |
| assessmentimagesbucketfullaccess_role_description | The description to associate with the IAM role and attached policy that allows full access to the assessment images S3 bucket. | string |
"Allows full access to the S3 bucket where assessment images are stored." |
no |
| assessmentimagesbucketfullaccess_role_name | The name to associate with the IAM role and attached policy that allows full access to the assessment images S3 bucket. | string |
"AssessmentImagesBucketFullAccess" |
no |
| assessmentimagesbucketfullaccess_role_session_max_duration | The maximum duration in seconds to allow a session that assumes the IAM role that allows full access to the assessment images S3 bucket. The default is the maximum of 12 hours due to using the AWS console to upload objects to the bucket. | number |
43200 |
no |
| aws_region | The AWS region to use for the account provisioners (e.g. "us-east-1"). | string |
"us-east-1" |
no |
| provisionassessmentimagesbucket_policy_description | The description to associate with the IAM policy that allows provisioning of the assessment images S3 bucket in the Images account. | string |
"Allows provisioning of assessment images S3 resources in the Images account." |
no |
| provisionassessmentimagesbucket_policy_name | The name to associate with the IAM policy that allows provisioning of the assessment images S3 bucket in the Images account. | string |
"ProvisionAssessmentImagesBucket" |
no |
| read_terraform_state_role_name | The name to associate with the IAM role and attached policy that allows read-only access to the cool-images-assessment-images state in the S3 bucket where Terraform state is stored. | string |
"ReadImagesAssessmentImagesTerraformState" |
no |
| tags | Tags to apply to all AWS resources created. | map(string) |
{} |
no |
| Name | Description |
|---|---|
| assessment_images_bucket_production | The S3 bucket to store assessment images in the Images (Production) account. |
| assessment_images_bucket_staging | The S3 bucket to store assessment images in the Images (Staging) account. |
| assessmentimagesbucketfullaccess_role_production | The IAM role that allows full access to the assessment images bucket in the Images (Production) account. |
| assessmentimagesbucketfullaccess_role_staging | The IAM role that allows full access to the assessment images bucket in the Images (Staging) account. |
| read_terraform_state | The IAM policies and role that allow read-only access to the cool-images-assessment-images state in the Terraform state bucket. |
Running pre-commit requires running terraform init in every directory that
contains Terraform code. In this repository, this is only the main directory.
We welcome contributions! Please see CONTRIBUTING.md for
details.
This project is in the worldwide public domain.
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.