cool-images-assessment-images
Terraform code to create roles related to the creation of and access to buckets to house assessment images in the Images (Production) and Images (Staging) accounts in the COOL.
Pre-requisites
- Terraform installed on your system.
- An accessible AWS S3 bucket to store Terraform state (specified in backend.tf).
- An accessible AWS DynamoDB database to store the Terraform state lock (specified in backend.tf).
- Access to all of the Terraform remote states specified in remote_states.tf.
- The following COOL accounts and roles must have been created:
  - Images (Production and Staging): cisagov/cool-accounts/images
  - Terraform: cisagov/cool-accounts/terraform
  - Users: cisagov/cool-accounts/users
Requirements
Name | Version |
---|---|
terraform | ~> 1.0 |
aws | ~> 3.38 |
Providers
Name | Version |
---|---|
aws | ~> 3.38 |
aws.images_production | ~> 3.38 |
aws.images_staging | ~> 3.38 |
aws.users | ~> 3.38 |
terraform | n/a |
Modules
Name | Source | Version |
---|---|---|
read_terraform_state | github.com/cisagov/terraform-state-read-role-tf-module | n/a |
Resources
Inputs
Name | Description | Type | Default | Required |
---|---|---|---|---|
assessment_images_bucket_base_name | The base name to use for the assessment images S3 buckets. This value will be appended with "-production" or "-staging" to create the appropriate full bucket name (e.g., with the default value, "cisa-cool-assessment-images-production" will be used for the bucket in the Images (Production) account). | string | "cisa-cool-assessment-images" | no |
assessmentimagesbucketfullaccess_role_description | The description to associate with the IAM role and attached policy that allows full access to the assessment images S3 bucket. | string | "Allows full access to the S3 bucket where assessment images are stored." | no |
assessmentimagesbucketfullaccess_role_name | The name to associate with the IAM role and attached policy that allows full access to the assessment images S3 bucket. | string | "AssessmentImagesBucketFullAccess" | no |
assume_assessmentimagesbucketfullaccess_roles_policy_description | The description to associate with the IAM policy that allows a user to assume the IAM roles that allow access to the assessment images S3 bucket in the Images (Production) and Images (Staging) accounts. | string | "Allows assumption of the roles in the Images (Production) and Images (Staging) accounts that allow full access to the assessment images S3 bucket." | no |
aws_region | The AWS region to use for the account provisioners (e.g. "us-east-1"). | string | "us-east-1" | no |
provisionassessmentimagesbucket_policy_description | The description to associate with the IAM policy that allows provisioning of the assessment images S3 bucket in the Images account. | string | "Allows provisioning of assessment images S3 resources in the Images account." | no |
provisionassessmentimagesbucket_policy_name | The name to associate with the IAM policy that allows provisioning of the assessment images S3 bucket in the Images account. | string | "ProvisionAssessmentImagesBucket" | no |
read_terraform_state_role_name | The name to associate with the IAM role and attached policy that allows read-only access to the cool-images-assessment-images state in the S3 bucket where Terraform state is stored. | string | "ReadImagesAssessmentImagesTerraformState" | no |
tags | Tags to apply to all AWS resources created. | map(string) | {} | no |
user_name | The name of the user to create in the Users account that can assume the roles allowing access to the assessment images S3 buckets in the Images (Production) and Images (Staging) accounts. | string | "assessment-images-bucket-full-access" | no |
Outputs
Name | Description |
---|---|
assessment_images_bucket_production | The S3 bucket to store assessment images in the Images (Production) account. |
assessment_images_bucket_staging | The S3 bucket to store assessment images in the Images (Staging) account. |
assessmentimagesbucketfullaccess_role_production | The IAM role that allows full access to the assessment images bucket in the Images (Production) account. |
assessmentimagesbucketfullaccess_role_staging | The IAM role that allows full access to the assessment images bucket in the Images (Staging) account. |
assume_bucket_fullaccess_roles_policy | The IAM policy that allows assumption of the IAM roles that allow full access to the assessment images bucket in the Images (Production) and Images (Staging) accounts. |
bucket_user | The user in the Users account with full access permissions to the assessment images buckets in the Images (Production) and Images (Staging) accounts. |
bucket_user_access_key | The access key associated with the assessment images user. |
read_terraform_state | The IAM policies and role that allow read-only access to the cool-images-assessment-images state in the Terraform state bucket. |
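
The cross-account arrangement described by the inputs and outputs above (a user in the Users account that assumes a full-access role in each Images account), sketched as an added example that is not this repository's code. The account IDs are constructed placeholders, and the trust-policy principal and the use of s3:* for "full access" are assumptions; the role and bucket names are the defaults from the Inputs table.

```hcl
# Added illustration, not code from this repository.
# Account IDs are constructed placeholders; names are the README defaults.
locals {
  users_account_id = "111111111111" # placeholder: Users account
  images_account_ids = {
    production = "222222222222" # placeholder: Images (Production)
    staging    = "333333333333" # placeholder: Images (Staging)
  }
  role_name   = "AssessmentImagesBucketFullAccess"
  bucket_base = "cisa-cool-assessment-images"
}

# Trust policy for the role in each Images account (assumed shape):
# only principals in the Users account may assume it.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.users_account_id}:root"]
    }
  }
}

# Permissions for the role, one document per environment, scoped to that
# environment's bucket and its objects ("full access" assumed to be s3:*).
data "aws_iam_policy_document" "bucket_full_access" {
  for_each = local.images_account_ids
  statement {
    actions = ["s3:*"]
    resources = [
      "arn:aws:s3:::${local.bucket_base}-${each.key}",
      "arn:aws:s3:::${local.bucket_base}-${each.key}/*",
    ]
  }
}

# Policy for the user in the Users account: it may assume exactly the two
# full-access roles and nothing else.
data "aws_iam_policy_document" "assume_roles" {
  statement {
    actions = ["sts:AssumeRole"]
    resources = [
      for id in values(local.images_account_ids) :
      "arn:aws:iam::${id}:role/${local.role_name}"
    ]
  }
}
```

Terraform records output values in the state file, so bucket_user_access_key is readable by anyone who can read this state, including through the read-only state role.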
Notes
Running pre-commit requires running terraform init in every directory that contains Terraform code. In this repository, this is only the main directory.
Contributing
We welcome contributions! Please see CONTRIBUTING.md for details.
License
This project is in the worldwide public domain.
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.