cool-images-assessment-images

Terraform code to create roles related to the creation of and access to buckets to house assessment images in the Images (Production) and Images (Staging) accounts in the COOL.

Pre-requisites

Terraform installed on your system.
An accessible AWS S3 bucket to store Terraform state (specified in backend.tf).
An accessible AWS DynamoDB database to store the Terraform state lock (specified in backend.tf).
Access to all of the Terraform remote states specified in remote_states.tf.
The following COOL accounts and roles must have been created:
- Images (Production and Staging): cisagov/cool-accounts/images
- Terraform: cisagov/cool-accounts/terraform
- Users: cisagov/cool-accounts/users

Requirements

Name	Version
terraform	~> 1.0
aws	~> 3.38

Providers

Name	Version
aws	~> 3.38
aws.images_production	~> 3.38
aws.images_staging	~> 3.38
aws.users	~> 3.38
terraform	n/a

Modules

Name	Source	Version
read_terraform_state	github.com/cisagov/terraform-state-read-role-tf-module	n/a

Resources

Name	Type
aws_iam_access_key.key	resource
aws_iam_policy.assume_bucket_fullaccess_roles	resource
aws_iam_policy.fullaccess_policy_production	resource
aws_iam_policy.fullaccess_policy_staging	resource
aws_iam_policy.provision_bucket_production	resource
aws_iam_policy.provision_bucket_staging	resource
aws_iam_role.fullaccess_role_production	resource
aws_iam_role.fullaccess_role_staging	resource
aws_iam_role_policy_attachment.fullaccess_role_production	resource
aws_iam_role_policy_attachment.fullaccess_role_staging	resource
aws_iam_role_policy_attachment.provision_bucket_production	resource
aws_iam_role_policy_attachment.provision_bucket_staging	resource
aws_iam_user.user	resource
aws_iam_user_policy_attachment.assume_bucket_fullaccess_roles	resource
aws_s3_bucket.production	resource
aws_s3_bucket.staging	resource
aws_s3_bucket_policy.vpcreadaccess_policy_production	resource
aws_s3_bucket_policy.vpcreadaccess_policy_staging	resource
aws_s3_bucket_public_access_block.production	resource
aws_s3_bucket_public_access_block.staging	resource
aws_caller_identity.current	data source
aws_caller_identity.users	data source
aws_iam_policy_document.assume_bucket_fullaccess_roles	data source
aws_iam_policy_document.assume_role	data source
aws_iam_policy_document.fullaccess_policy_production	data source
aws_iam_policy_document.fullaccess_policy_staging	data source
aws_iam_policy_document.provision_bucket_production	data source
aws_iam_policy_document.provision_bucket_staging	data source
aws_iam_policy_document.vpcreadaccess_policy_production	data source
aws_iam_policy_document.vpcreadaccess_policy_staging	data source
terraform_remote_state.images_production	data source
terraform_remote_state.images_staging	data source
terraform_remote_state.sharedservices_networking_production	data source
terraform_remote_state.sharedservices_networking_staging	data source
terraform_remote_state.terraform	data source
terraform_remote_state.users	data source

Inputs

Name	Description	Type	Default	Required
assessment_images_bucket_base_name	The base name to use for the assessment images S3 buckets. This value will be appended with "-production" or "-staging" to create the appropriate full bucket name (e.g. With the default value "cisa-cool-assessment-images-production" will be used for the bucket in the Images (Production) account).	`string`	`"cisa-cool-assessment-images"`	no
assessmentimagesbucketfullaccess_role_description	The description to associate with the IAM role and attached policy that allows full access to the assessment images S3 bucket.	`string`	`"Allows full access to the S3 bucket where assessment images are stored."`	no
assessmentimagesbucketfullaccess_role_name	The name to associate with the IAM role and attached policy that allows full access to the assessment images S3 bucket.	`string`	`"AssessmentImagesBucketFullAccess"`	no
assume_assessmentimagesbucketfullaccess_roles_policy_description	The description to associate with the IAM policy that allows a user to assume the IAM roles that allow access to the assessment images S3 bucket in the Images (Production) and Images (Staging) accounts.	`string`	`"Allows assumption of the roles in the Images (Production) and Images (Staging) accounts that allow full access to the assessment images S3 bucket."`	no
aws_region	The AWS region to use for the account provisioners (e.g. "us-east-1").	`string`	`"us-east-1"`	no
provisionassessmentimagesbucket_policy_description	The description to associate with the IAM policy that allows provisioning of the assessment images S3 bucket in the Images account.	`string`	`"Allows provisioning of assessment images S3 resources in the Images account."`	no
provisionassessmentimagesbucket_policy_name	The name to associate with the IAM policy that allows provisioning of the assessment images S3 bucket in the Images account.	`string`	`"ProvisionAssessmentImagesBucket"`	no
read_terraform_state_role_name	The name to associate with the IAM role and attached policy that allows read-only access to the cool-images-assessment-images state in the S3 bucket where Terraform state is stored.	`string`	`"ReadImagesAssessmentImagesTerraformState"`	no
tags	Tags to apply to all AWS resources created.	`map(string)`	`{}`	no
user_name	The name of the user to create in the Users account that can assume the roles allowing access to the assessment images S3 buckets in the Images (Production) and Images (Staging) accounts.	`string`	`"assessment-images-bucket-full-access"`	no

Outputs

Name	Description
assessment_images_bucket_production	The S3 bucket to store assessment images in the Images (Production) account.
assessment_images_bucket_staging	The S3 bucket to store assessment images in the Images (Staging) account.
assessmentimagesbucketfullaccess_role_production	The IAM role that allows full access to the assessment images bucket in the Images (Production) account.
assessmentimagesbucketfullaccess_role_staging	The IAM role that allows full access to the assessment images bucket in the Images (Staging) account.
assume_bucket_fullaccess_roles_policy	The IAM policy that allows assumption of the IAM roles that allow full access to the assessment images bucket in the Images (Production) and Images (Staging) accounts.
bucket_user	The user in the Users account with full access permissions to the assessment images buckets in the Images (Production) and Images (Staging) accounts.
bucket_user_access_key	The access key associated with the assessment images user.
read_terraform_state	The IAM policies and role that allow read-only access to the cool-images-assessment-images state in the Terraform state bucket.

Notes

Running pre-commit requires running terraform init in every directory that contains Terraform code. In this repository, this is only the main directory.

Contributing

We welcome contributions! Please see CONTRIBUTING.md for details.

License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

shogunlab / cool-images-assessment-images