diff --git a/.github/workflows/terraform-apply.yaml b/.github/workflows/terraform-apply.yaml new file mode 100644 index 0000000..03077af --- /dev/null +++ b/.github/workflows/terraform-apply.yaml @@ -0,0 +1,32 @@ +name: Apply Terraform changes on merge + +on: + push: + branches: + - main # or any other branch you want to trigger the deployment + +jobs: + terraform-apply: + name: Terraform Apply + runs-on: ubuntu-latest + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + permissions: + contents: read + pull-requests: write + + steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: us-west-2 + + - name: Terraform Apply + uses: dflook/terraform-apply@v1 + with: + path: terraform diff --git a/.github/terraform-plan.yaml b/.github/workflows/terraform-plan.yaml similarity index 52% rename from .github/terraform-plan.yaml rename to .github/workflows/terraform-plan.yaml index eaf1755..e83f125 100644 --- a/.github/terraform-plan.yaml +++ b/.github/workflows/terraform-plan.yaml 
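Review bot: The "Configure AWS Credentials" step authenticates with long-lived static keys (`aws-access-key-id` / `aws-secret-access-key` pulled from repository secrets), the weaker of the two credential models configure-aws-credentials@v4 supports; the same pattern appears in terraform-plan.yaml later in this diff. Prefer GitHub OIDC federation by replacing those two inputs with `role-to-assume: arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>` and adding `id-token: write` under the job's `permissions:`, so no AWS secret is stored in the repository and each run gets a short-lived, workflow-scoped credential. Two pushes to main in quick succession would also run `dflook/terraform-apply` concurrently; a job-level `concurrency: { group: terraform-apply, cancel-in-progress: false }` serializes them regardless of whether the state backend (not visible here) locks. Finally, every action is pinned to a floating major tag (`@v4`, `@v1`); pinning to full commit SHAs protects the apply job, which holds deployment credentials, from a moved or compromised tag.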
@@ -1,39 +1,32 @@ -name: Deploy IAM Resources to AWS with Terraform +name: Write Terraform Plan to Pull Request on: - pull-request: + pull_request: branches: - main # or any other branch you want to trigger the deployment jobs: - terraform: - name: Terraform + terraform-plan: + name: Terraform Plan runs-on: ubuntu-latest env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + permissions: + contents: read + pull-requests: write + steps: - name: Checkout code - uses: actions/checkout@v3 - - - name: Set up Terraform - uses: hashicorp/setup-terraform@v1 - with: - terraform_version: 1.0.0 # Specify the Terraform version - + uses: actions/checkout@v4 - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v4 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: us-west-2 # Change to your AWS region - - - name: Terraform Init - run: terraform init + aws-region: us-west-2 - name: Terraform Plan uses: dflook/terraform-plan@v1 with: path: terraform - - diff --git a/terraform/aws-custom-policies.tf b/terraform/aws-custom-policies.tf new file mode 100644 index 0000000..90696c5 --- /dev/null +++ b/terraform/aws-custom-policies.tf @@ -0,0 +1,9 @@ +module "aws_custom_policies" { + source = "./modules/aws-policies" + policies = { + "IAMServicesAdmin" = { + description = "Policy granting IAM services admins permissions to make changes to user accounts" + filename = "level-4-iam-services-admin-policy.json" + } + } +} diff --git a/terraform/aws-custom-policies/level-4-iam-services-admin-policy.json b/terraform/aws-custom-policies/level-4-iam-services-admin-policy.json index 878595a..2b455c8 100644 --- a/terraform/aws-custom-policies/level-4-iam-services-admin-policy.json +++ b/terraform/aws-custom-policies/level-4-iam-services-admin-policy.json 
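Review bot: The plan job receives the same AWS key pair the apply workflow uses, yet `terraform plan` on a `pull_request` event evaluates whatever provider and data-source configuration the PR branch contains, so anyone who can open a PR from a branch in this repository runs that code under write-capable credentials. A separate credential (or OIDC role) limited to read-only access for planning keeps the consequence of a mistaken or malicious PR to disclosure rather than change; apply can keep the privileged one. The hunk also drops `hashicorp/setup-terraform` with `terraform_version: 1.0.0`, so unless the configuration under `terraform/` declares `required_version` (not visible here) the Terraform version used for plan is no longer pinned and may drift from the one apply resolves. Consider `permissions: pull-requests: write` the only write grant this job needs, which the hunk already does well; `contents: read` is correct for checkout.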
@@ -2,26 +2,23 @@ "Version": "2012-10-17", "Statement": [ { - "Sid": "", - "Effect": "", + "Effect": "Allow", "Action": [ - "", - "", - "", - "" + "iam:CreateAccessKey" ], - "Resource": "" + "Resource": "arn:aws:iam::*:user/*" }, { - "Sid": "", - "Effect": "", + "Effect": "Allow", "Action": [ - "", - "", - "", - "" + "iam:UpdateLoginProfile" ], - "Resource": "" + "Resource": "arn:aws:iam::*:user/*", + "Condition": { + "StringEquals": { + "iam:ResourceTag/Access Level": ["1", "2"] + } + } } ] -} \ No newline at end of file +} diff --git a/terraform/aws-groups.tf b/terraform/aws-groups.tf index aaaabd8..aa4e31c 100644 --- a/terraform/aws-groups.tf +++ b/terraform/aws-groups.tf @@ -3,5 +3,19 @@ module "iam_read_only_group" { source = "./modules/aws-groups" group_name = "read-only-group" - policy_arn = ["arn:aws:iam::aws:policy/ReadOnlyAccess"] + policy_arn = { + "ReadOnlyAccess" = "arn:aws:iam::aws:policy/ReadOnlyAccess", + "IAMUserChangePassword" = "arn:aws:iam::aws:policy/IAMUserChangePassword" + } } + +// Create iam services admin group +module "iam_services_admin_group" { + source = "./modules/aws-groups" + + group_name = "iam-services-admin-group" + policy_arn = { + "IAMServicesAdmin" = module.aws_custom_policies.policy_arns["IAMServicesAdmin"] + } +} + diff --git a/terraform/aws-users.tf b/terraform/aws-users.tf index 4238550..0e38ef5 100644 --- a/terraform/aws-users.tf +++ b/terraform/aws-users.tf 
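Review bot: The first statement grants `iam:CreateAccessKey` on `arn:aws:iam::*:user/*` with no `Condition`, whereas the second statement scopes `iam:UpdateLoginProfile` to users tagged `Access Level` 1 or 2. As written, a member of the IAM services admin group can create access keys for any user in the account, including users more privileged than themselves, which turns this helper role into a privilege-escalation path. Add the same `StringEquals` condition on `iam:ResourceTag/Access Level` to the first statement so both actions are confined to the users this role is meant to manage; the second statement is unchanged.
```json
{
  "Effect": "Allow",
  "Action": [
    "iam:CreateAccessKey"
  ],
  "Resource": "arn:aws:iam::*:user/*",
  "Condition": {
    "StringEquals": {
      "iam:ResourceTag/Access Level": ["1", "2"]
    }
  }
}
```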
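Review bot: Switching `policy_arn` on `iam_read_only_group` from a list to a map changes the `for_each` instance key of the attachment resource in modules/aws-groups/main.tf (later in this diff) from the ARN to the map key, so the existing `ReadOnlyAccess` attachment will be planned as destroy-then-create rather than kept. Attachments are cheap to recreate, but the group briefly loses the policy between the two operations and the plan reads noisier than the intent. A `moved` block in this file (Terraform 1.1+) renames the state entry in place; the new `IAMUserChangePassword` attachment and the `iam_services_admin_group` module are genuinely new and need nothing.
```hcl
# State move for the list -> map for_each key change in modules/aws-groups:
# keep the existing ReadOnlyAccess attachment instead of recreating it.
moved {
  from = module.iam_read_only_group.aws_iam_group_policy_attachment.group_policy_attachment["arn:aws:iam::aws:policy/ReadOnlyAccess"]
  to   = module.iam_read_only_group.aws_iam_group_policy_attachment.group_policy_attachment["ReadOnlyAccess"]
}
```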
@@ -1,11 +1,87 @@ // Create user and assign to group(s) -module "iam_user_gwenstacy" { +module "iam_user_JimmyJuarez10" { source = "./modules/aws-users" - user_name = "gwenstacy" + user_name = "JimmyJuarez10" user_tags = { - "Environment" = "Development" - "Project" = "spiderverse" + "Project" = "civic-tech-jobs" } user_groups = ["read-only-group"] } + +module "iam_user_brittanyms" { + source = "./modules/aws-users" + + user_name = "brittanyms" + user_tags = { + "Project" = "devops-security" + "Access Level" = "1" + } + user_groups = ["read-only-group"] +} + +module "iam_user_freaky4wrld" { + source = "./modules/aws-users" + + user_name = "freaky4wrld" + user_tags = { + "Project" = "devops-security" + "Access Level" = "1" + } + user_groups = ["read-only-group"] +} + +module "iam_user_shikha0428" { + source = "./modules/aws-users" + + user_name = "shikha0428" + user_tags = { + "Project" = "devops-security" + "Access Level" = "1" + } + user_groups = ["read-only-group"] +} + +module "iam_user_shinjonathan" { + source = "./modules/aws-users" + + user_name = "shinjonathan" + user_tags = { + "Project" = "devops-security" + "Access Level" = "1" + } + user_groups = ["read-only-group"] +} + +module "iam_user_samuelusc" { + source = "./modules/aws-users" + + user_name = "samuelusc" + user_tags = { + "Project" = "devops-security" + "Access Level" = "1" + } + user_groups = ["read-only-group"] +} + +module "iam_user_abbyz123" { + source = "./modules/aws-users" + + user_name = "abbyz123" + user_tags = { + "Project" = "devops-security" + "Access Level" = "1" + } + user_groups = ["read-only-group"] +} + +module "iam_user_awlFCCamp" { + source = "./modules/aws-users" + + user_name = "awlFCCamp" + user_tags = { + "Project" = "devops-security" + "Access Level" = "1" + } + user_groups = ["read-only-group"] +} \ No newline at end of file diff --git a/terraform/modules/aws-groups/main.tf b/terraform/modules/aws-groups/main.tf index 4294bf2..f26259e 100644 
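Review bot: `iam_user_JimmyJuarez10` is the only user module without an `"Access Level"` tag; every other new user carries `"Access Level" = "1"`, and the IAM services admin policy in this diff keys its `iam:UpdateLoginProfile` grant on `iam:ResourceTag/Access Level`, so that user falls outside anything the admin group can reset. If that is intended because the user belongs to a different project, a one-line comment on the module such as `// No Access Level tag: not managed by iam-services-admin-group` would stop a later "fix"; if not, add the tag. Removing `iam_user_gwenstacy` will presumably destroy that user on apply along with whatever credentials the aws-users module creates for it (module not visible here), so confirm that is intended before merge. Stylistically, the eight near-identical blocks could become one `module` with `for_each` over a users map, but that changes every module address and would need `moved` blocks, so it is better done as a separate change.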
--- a/terraform/modules/aws-groups/main.tf +++ b/terraform/modules/aws-groups/main.tf @@ -6,7 +6,7 @@ resource "aws_iam_group" "group" { } resource "aws_iam_group_policy_attachment" "group_policy_attachment" { - for_each = toset(var.policy_arn) + for_each = var.policy_arn group = aws_iam_group.group.name policy_arn = each.value } diff --git a/terraform/modules/aws-groups/variables.tf b/terraform/modules/aws-groups/variables.tf index c61f31d..02d579d 100644 --- a/terraform/modules/aws-groups/variables.tf +++ b/terraform/modules/aws-groups/variables.tf @@ -12,6 +12,6 @@ variable "group_path" { } variable "policy_arn" { - description = "List of policy ARNs to attach to the group" - type = list(string) + description = "Map of policy names to ARNs to attach to the group" + type = map(string) } diff --git a/terraform/modules/aws-policies/main.tf b/terraform/modules/aws-policies/main.tf index 8217b68..c0e2dd9 100644 --- a/terraform/modules/aws-policies/main.tf +++ b/terraform/modules/aws-policies/main.tf @@ -5,5 +5,5 @@ resource "aws_iam_policy" "custom_policy" { name = each.key description = each.value["description"] - policy = file("${path.module}/policies-json/${each.value["filename"]}") + policy = file("aws-custom-policies/${each.value["filename"]}") }
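Review bot: `file("aws-custom-policies/${each.value["filename"]}")` is a relative path, and Terraform's `file()` resolves relative paths against the process working directory rather than the module or root directory; it works only because both workflows run with `path: terraform`, and fails for anyone invoking terraform from the repository root or through a wrapper. Anchor it to the root module instead, `policy = file("${path.root}/aws-custom-policies/${each.value["filename"]}")`, or, more in keeping with the module boundary, add a `policies_dir` variable and have the caller pass the directory explicitly. A comment on the `policies` variable stating that `filename` is looked up inside that directory would make the contract visible to callers.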