Setup gha 107

.github/workflows/terraform-apply.yaml

@@ -0,0 +1,32 @@
+name: Apply Terraform changes on merge
+
+on:
+  push:
+    branches:
+      - main  # or any other branch you want to trigger the deployment
+
+jobs:
+  terraform-apply:
+    name: Terraform Apply
+    runs-on: ubuntu-latest
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-region: us-west-2 
+
+    - name: Terraform Apply
+      uses: dflook/terraform-apply@v1
+      with:
+        path: terraform

.github/terraform-plan.yaml → .github/workflows/terraform-plan.yaml

@@ -1,39 +1,32 @@
-name: Deploy IAM Resources to AWS with Terraform
+name: Write Terraform Plan to Pull Request
 
 on:
-  pull-request:
+  pull_request:
     branches:
       - main  # or any other branch you want to trigger the deployment
 
 jobs:
-  terraform:
-    name: Terraform
+  terraform-plan:
+    name: Terraform Plan
     runs-on: ubuntu-latest
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+    permissions:
+      contents: read
+      pull-requests: write
+
     steps:
     - name: Checkout code
-      uses: actions/checkout@v3
-
-    - name: Set up Terraform
-      uses: hashicorp/setup-terraform@v1
-      with:
-        terraform_version: 1.0.0 # Specify the Terraform version
-
+      uses: actions/checkout@v4
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v1
+      uses: aws-actions/configure-aws-credentials@v4
       with:
         aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
         aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        aws-region: us-west-2 # Change to your AWS region
-
-    - name: Terraform Init
-      run: terraform init
+        aws-region: us-west-2 
 
     - name: Terraform Plan
       uses: dflook/terraform-plan@v1
       with:
         path: terraform
-
-

terraform/aws-custom-policies.tf

@@ -0,0 +1,9 @@
+module "aws_custom_policies" {
+  source = "./modules/aws-policies"
+  policies = {
+    "IAMServicesAdmin" = {
+      description = "Policy granting IAM services admins permissions to make changes to user accounts"
+      filename    = "level-4-iam-services-admin-policy.json"
+    }
+  }
+}

terraform/aws-custom-policies/level-4-iam-services-admin-policy.json

@@ -2,26 +2,23 @@
     "Version": "2012-10-17",
     "Statement": [
         {
-            "Sid": "",
-            "Effect": "",
+            "Effect": "Allow",
             "Action": [
-                "",
-                "",
-                "",
-                ""
+                "iam:CreateAccessKey"
             ],
-            "Resource": ""
+            "Resource": "arn:aws:iam::*:user/*"
         },
         {
-            "Sid": "",
-            "Effect": "",
+            "Effect": "Allow",
             "Action": [
-                "",
-                "",
-                "",
-                ""
+                "iam:UpdateLoginProfile"
             ],
-            "Resource": ""
+            "Resource": "arn:aws:iam::*:user/*",
+            "Condition": {
+                "StringEquals": {
+                    "iam:ResourceTag/Access Level": ["1", "2"]
+                }
+            }
         }
     ]
-}
+}

terraform/aws-groups.tf

@@ -3,5 +3,19 @@ module "iam_read_only_group" {
   source = "./modules/aws-groups"
 
   group_name = "read-only-group"
-  policy_arn = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
+  policy_arn = {
+    "ReadOnlyAccess"        = "arn:aws:iam::aws:policy/ReadOnlyAccess",
+    "IAMUserChangePassword" = "arn:aws:iam::aws:policy/IAMUserChangePassword"
+  }
 }
+
+// Create iam services admin group
+module "iam_services_admin_group" {
+  source = "./modules/aws-groups"
+
+  group_name = "iam-services-admin-group"
+  policy_arn = {
+    "IAMServicesAdmin" = module.aws_custom_policies.policy_arns["IAMServicesAdmin"]
+  }
+}
+

terraform/aws-users.tf

@@ -1,11 +1,87 @@
 // Create user and assign to group(s)
-module "iam_user_gwenstacy" {
+module "iam_user_JimmyJuarez10" {
   source = "./modules/aws-users"
 
-  user_name = "gwenstacy"
+  user_name = "JimmyJuarez10"
   user_tags = {
-    "Environment" = "Development"
-    "Project"     = "spiderverse"
+    "Project" = "civic-tech-jobs"
   }
   user_groups = ["read-only-group"]
 }
+
+module "iam_user_brittanyms" {
+  source = "./modules/aws-users"
+
+  user_name = "brittanyms"
+  user_tags = {
+    "Project"      = "devops-security"
+    "Access Level" = "1"
+  }
+  user_groups = ["read-only-group"]
+}
+
+module "iam_user_freaky4wrld" {
+  source = "./modules/aws-users"
+
+  user_name = "freaky4wrld"
+  user_tags = {
+    "Project"      = "devops-security"
+    "Access Level" = "1"
+  }
+  user_groups = ["read-only-group"]
+}
+
+module "iam_user_shikha0428" {
+  source = "./modules/aws-users"
+
+  user_name = "shikha0428"
+  user_tags = {
+    "Project"      = "devops-security"
+    "Access Level" = "1"
+  }
+  user_groups = ["read-only-group"]
+}
+
+module "iam_user_shinjonathan" {
+  source = "./modules/aws-users"
+
+  user_name = "shinjonathan"
+  user_tags = {
+    "Project"      = "devops-security"
+    "Access Level" = "1"
+  }
+  user_groups = ["read-only-group"]
+}
+
+module "iam_user_samuelusc" {
+  source = "./modules/aws-users"
+
+  user_name = "samuelusc"
+  user_tags = {
+    "Project"      = "devops-security"
+    "Access Level" = "1"
+  }
+  user_groups = ["read-only-group"]
+}
+
+module "iam_user_abbyz123" {
+  source = "./modules/aws-users"
+
+  user_name = "abbyz123"
+  user_tags = {
+    "Project"      = "devops-security"
+    "Access Level" = "1"
+  }
+  user_groups = ["read-only-group"]
+}
+
+module "iam_user_awlFCCamp" {
+  source = "./modules/aws-users"
+
+  user_name = "awlFCCamp"
+  user_tags = {
+    "Project"      = "devops-security"
+    "Access Level" = "1"
+  }
+  user_groups = ["read-only-group"]
+}

terraform/modules/aws-groups/main.tf

@@ -6,7 +6,7 @@ resource "aws_iam_group" "group" {
 }
 
 resource "aws_iam_group_policy_attachment" "group_policy_attachment" {
-  for_each   = toset(var.policy_arn)
+  for_each   = var.policy_arn
   group      = aws_iam_group.group.name
   policy_arn = each.value
 }

terraform/modules/aws-groups/variables.tf

@@ -12,6 +12,6 @@ variable "group_path" {
 }
 
 variable "policy_arn" {
-  description = "List of policy ARNs to attach to the group"
-  type        = list(string)
+  description = "Map of policy names to ARNs to attach to the group"
+  type        = map(string)
 }

terraform/modules/aws-policies/main.tf

@@ -5,5 +5,5 @@ resource "aws_iam_policy" "custom_policy" {
 
   name        = each.key
   description = each.value["description"]
-  policy      = file("${path.module}/policies-json/${each.value["filename"]}")
+  policy      = file("aws-custom-policies/${each.value["filename"]}")
 }