
Commit 54df6b5

authored
Switch to admin role for terraform and access (#5)
* Switch to admin role for terraform and access * Adds more bits * More securityhub
1 parent ad26f04 commit 54df6b5


6 files changed

+155
-8
lines changed


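--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 
 ## Terraform for AWS plaground
 
-This requires env vars with root credentials for the root account.
+This requires env vars with user credentials that can assume to adminstrator.
 
 ```
 export AWS_ACCESS_KEY_ID=
@@ -19,4 +19,5 @@ Currently only works in tenants/management with `terraform apply`.
 - [] get some securityhub things passing
 - [] setup github actions for terraform plan, terraform apply
 - [] terraform plugin caching
+- [] Setup AWS Config
 - [] lots more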

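--- a/modules/s3-bucket/main.tf
+++ b/modules/s3-bucket/main.tf
@@ -10,5 +10,15 @@ terraform {
 }
 
 provider "aws" {
-region = "us-east-1"
+region = "us-east-1"
+
+assume_role {
+role_arn = "arn:aws:iam::053562908965:role/administrator"
+}
+
+default_tags {
+tags = {
+ManagedBy = "terraform"
+}
+}
 }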
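Review bot: The `provider "aws"` block extended here (new lines 12–23) lives under modules/, and if this file is consumed as a child module as its path suggests, Terraform treats a provider configuration inside a non-root module as a legacy pattern that prevents `count`, `for_each` and `depends_on` on the module and pins every caller to this one account and role. The assume_role and default_tags configuration already exists verbatim in the root module at tenants/management/main.tf, so the module can receive that provider implicitly or via `providers = { aws = aws }` and drop its own block. If the module genuinely needs its own configuration, a comment such as `# Provider defined here deliberately: <reason>` would save the next reader the same question. The enclosing `terraform {}` block starts before this hunk.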

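--- a/tenants/management/iam.tf
+++ b/tenants/management/iam.tf
@@ -0,0 +1,89 @@
+resource "aws_iam_account_password_policy" "strict" {
+minimum_password_length = 32
+require_lowercase_characters = true
+require_numbers = true
+require_uppercase_characters = true
+require_symbols = true
+allow_users_to_change_password = true
+
+password_reuse_prevention = 24
+max_password_age = 90
+}
+
+# Role to be used for any administrative tasks
+data "aws_iam_policy_document" "administrator_assume_role_policy" {
+statement {
+actions = ["sts:AssumeRole"]
+
+principals {
+type = "AWS"
+identifiers = [aws_iam_user.ckdake.arn]
+}
+}
+}
+
+resource "aws_iam_role" "administrator" {
+name = "administrator"
+assume_role_policy = data.aws_iam_policy_document.administrator_assume_role_policy.json
+}
+
+resource "aws_iam_role_policy_attachment" "administrator_gets_administrator" {
+role = aws_iam_role.administrator.id
+policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+
+# Group of users allowed to assume the administrator role
+# TODO(ckdake): figure out the right way to enforce MFA with auth pattern
+# tfsec:ignore:aws-iam-enforce-group-mfa
+resource "aws_iam_group" "administrators" {
+name = "administrators"
+}
+
+resource "aws_iam_group_membership" "administrators" {
+name = "administrators"
+group = aws_iam_group.administrators.name
+
+users = [
+aws_iam_user.ckdake.name,
+]
+}
+
+resource "aws_iam_policy" "admin_assumption" {
+name = "admin-assumption"
+description = "allow assuming the admin role"
+policy = jsonencode({
+Version = "2012-10-17",
+Statement = [
+{
+Effect = "Allow",
+Action = "sts:AssumeRole",
+Resource = aws_iam_role.administrator.arn
+}]
+})
+}
+
+resource "aws_iam_group_policy_attachment" "admin_assumption" {
+group = aws_iam_group.administrators.name
+policy_arn = aws_iam_policy.admin_assumption.arn
+}
+
+# Single user that can only assume to the administrator role
+resource "aws_iam_user" "ckdake" {
+name = "ckdake"
+force_destroy = true
+depends_on = [aws_iam_group.administrators]
+}
+
+resource "aws_iam_user_login_profile" "ckdake" {
+user = aws_iam_user.ckdake.name
+password_length = 32
+password_reset_required = true
+
+lifecycle {
+ignore_changes = [
+password_length,
+password_reset_required,
+pgp_key,
+]
+}
+}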
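Review bot: The trust policy for the administrator role (new lines 14–23) grants `sts:AssumeRole` to the ckdake user with no `aws:MultiFactorAuthPresent` condition, so a long-lived access key for that user is on its own sufficient to reach AdministratorAccess (attached on lines 30–33). The TODO on line 36 and the tfsec ignore on line 37 record that MFA enforcement for the group is unsolved, but the role's trust policy is where it can be enforced independently of group policy: a `condition` block on the statement makes STS refuse the assumption unless the caller's session was MFA-authenticated, which also lets the tfsec ignore be narrowed to the group-level check it actually suppresses. The same condition could be mirrored in the `admin_assumption` identity policy, though the role-side check is the one that cannot be bypassed by editing the user's own policies.

```hcl
data "aws_iam_policy_document" "administrator_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    # … unchanged: principals block …

    # Refuse the assumption unless the caller's session was MFA-authenticated
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}
```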

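--- a/tenants/management/main.tf
+++ b/tenants/management/main.tf
@@ -9,14 +9,25 @@ terraform {
 required_version = ">= 1.2.0"
 
 backend "s3" {
-bucket = "ithought-terraform"
-key = "management.tfstate"
-region = "us-east-1"
+bucket = "ithought-terraform"
+key = "management.tfstate"
+region = "us-east-1"
 dynamodb_table = "terraform-lock"
-encrypt = true
+role_arn = "arn:aws:iam::053562908965:role/administrator"
+encrypt = true
 }
 }
 
 provider "aws" {
-region = "us-east-1"
-}
+region = "us-east-1"
+
+assume_role {
+role_arn = "arn:aws:iam::053562908965:role/administrator"
+}
+
+default_tags {
+tags = {
+ManagedBy = "terraform"
+}
+}
+}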
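Review bot: The backend `role_arn` (new line 16) and the provider `assume_role.role_arn` (new line 25) hard-code the same account id and role name, and modules/s3-bucket/main.tf repeats the literal a third time; if one of them drifts, state access and resource access silently end up under different principals. The backend block cannot read variables, so the pragmatic fix is a `locals` value for the provider blocks plus a comment at the backend, e.g. `# Keep in sync with local.administrator_role_arn and modules/s3-bucket/main.tf`. Because the administrator role appears to be created by iam.tf in this same state, the first apply after this change presumably needs the role to already exist (bootstrapped with the previous credentials), which the README does not yet mention. The enclosing `terraform {}` block starts before this hunk.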
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
resource "aws_s3_account_public_access_block" "block" {
2+
block_public_acls = true
3+
block_public_policy = true
4+
ignore_public_acls = true
5+
restrict_public_buckets = true
6+
}

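--- a/tenants/management/security-hub.tf
+++ b/tenants/management/security-hub.tf
@@ -0,0 +1,30 @@
+resource "aws_securityhub_account" "aws_securityhub" {
+control_finding_generator = "SECURITY_CONTROL"
+enable_default_standards = false
+}
+
+resource "aws_securityhub_organization_admin_account" "aws_securityhub_admin_account" {
+depends_on = [aws_organizations_organization.root]
+
+admin_account_id = aws_organizations_account.management.id
+}
+
+resource "aws_securityhub_standards_subscription" "aws" {
+depends_on = [aws_securityhub_account.aws_securityhub]
+standards_arn = "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
+}
+
+resource "aws_securityhub_standards_subscription" "cis12" {
+depends_on = [aws_securityhub_account.aws_securityhub]
+standards_arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
+}
+
+resource "aws_securityhub_standards_subscription" "cis14" {
+depends_on = [aws_securityhub_account.aws_securityhub]
+standards_arn = "arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0"
+}
+
+resource "aws_securityhub_standards_subscription" "nist" {
+depends_on = [aws_securityhub_account.aws_securityhub]
+standards_arn = "arn:aws:securityhub:us-east-1::standards/nist-800-53/v/5.0.0"
+}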
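Review bot: `aws_securityhub_organization_admin_account` (new lines 6–10) designates the organization management account itself as the Security Hub delegated administrator; AWS guidance is to delegate to a dedicated security or audit member account so the finding aggregation and its cross-account read access do not sit in the account that already holds organization-wide control. If a separate account is not available yet, a comment recording the decision would help, e.g. `# TODO: move delegated admin to a dedicated security account once one exists`. Nothing in this file enrols member accounts or enables standards for them; if that is intended, an `aws_securityhub_organization_configuration` with `auto_enable = true` is the place, though I am inferring the intent from the admin-account resource. The `depends_on` on line 7 references organization resources defined outside this hunk.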
