Switch to admin role for terraform and access (#5)

* Switch to admin role for terraform and access * Adds more bits * More securityhub
ckdake · Aug 3, 2023 · 54df6b5 · 54df6b5
1 parent ad26f04
commit 54df6b5
Show file tree

Hide file tree

Showing 6 changed files with 155 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 ## Terraform for AWS plaground
 
-This requires env vars with root credentials for the root account.
+This requires env vars with user credentials that can assume to adminstrator.
 
 ```
 export AWS_ACCESS_KEY_ID=
@@ -19,4 +19,5 @@ Currently only works in tenants/management with `terraform apply`.
 - [] get some securityhub things passing
 - [] setup github actions for terraform plan, terraform apply
 - [] terraform plugin caching
+- [] Setup AWS Config
 - [] lots more
diff --git a/modules/s3-bucket/main.tf b/modules/s3-bucket/main.tf
@@ -10,5 +10,15 @@ terraform {
 }
 
 provider "aws" {
-  region  = "us-east-1"
+  region = "us-east-1"
+
+  assume_role {
+    role_arn = "arn:aws:iam::053562908965:role/administrator"
+  }
+
+  default_tags {
+    tags = {
+      ManagedBy = "terraform"
+    }
+  }
 }
diff --git a/tenants/management/iam.tf b/tenants/management/iam.tf
@@ -0,0 +1,89 @@
+resource "aws_iam_account_password_policy" "strict" {
+  minimum_password_length        = 32
+  require_lowercase_characters   = true
+  require_numbers                = true
+  require_uppercase_characters   = true
+  require_symbols                = true
+  allow_users_to_change_password = true
+
+  password_reuse_prevention = 24
+  max_password_age          = 90
+}
+
+# Role to be used for any administrative tasks
+data "aws_iam_policy_document" "administrator_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "AWS"
+      identifiers = [aws_iam_user.ckdake.arn]
+    }
+  }
+}
+
+resource "aws_iam_role" "administrator" {
+  name               = "administrator"
+  assume_role_policy = data.aws_iam_policy_document.administrator_assume_role_policy.json
+}
+
+resource "aws_iam_role_policy_attachment" "administrator_gets_administrator" {
+  role       = aws_iam_role.administrator.id
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+
+# Group of users allowed to assume the administrator role
+# TODO(ckdake): figure out the right way to enforce MFA with auth pattern
+# tfsec:ignore:aws-iam-enforce-group-mfa
+resource "aws_iam_group" "administrators" {
+  name = "administrators"
+}
+
+resource "aws_iam_group_membership" "administrators" {
+  name  = "administrators"
+  group = aws_iam_group.administrators.name
+
+  users = [
+    aws_iam_user.ckdake.name,
+  ]
+}
+
+resource "aws_iam_policy" "admin_assumption" {
+  name        = "admin-assumption"
+  description = "allow assuming the admin role"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect   = "Allow",
+        Action   = "sts:AssumeRole",
+        Resource = aws_iam_role.administrator.arn
+    }]
+  })
+}
+
+resource "aws_iam_group_policy_attachment" "admin_assumption" {
+  group      = aws_iam_group.administrators.name
+  policy_arn = aws_iam_policy.admin_assumption.arn
+}
+
+# Single user that can only assume to the administrator role
+resource "aws_iam_user" "ckdake" {
+  name          = "ckdake"
+  force_destroy = true
+  depends_on    = [aws_iam_group.administrators]
+}
+
+resource "aws_iam_user_login_profile" "ckdake" {
+  user                    = aws_iam_user.ckdake.name
+  password_length         = 32
+  password_reset_required = true
+
+  lifecycle {
+    ignore_changes = [
+      password_length,
+      password_reset_required,
+      pgp_key,
+    ]
+  }
+}
diff --git a/tenants/management/main.tf b/tenants/management/main.tf
@@ -9,14 +9,25 @@ terraform {
   required_version = ">= 1.2.0"
 
   backend "s3" {
-    bucket = "ithought-terraform"
-    key = "management.tfstate"
-    region = "us-east-1"
+    bucket         = "ithought-terraform"
+    key            = "management.tfstate"
+    region         = "us-east-1"
     dynamodb_table = "terraform-lock"
-    encrypt = true
+    role_arn       = "arn:aws:iam::053562908965:role/administrator"
+    encrypt        = true
   }
 }
 
 provider "aws" {
-  region  = "us-east-1"
-}
+  region = "us-east-1"
+
+  assume_role {
+    role_arn = "arn:aws:iam::053562908965:role/administrator"
+  }
+
+  default_tags {
+    tags = {
+      ManagedBy = "terraform"
+    }
+  }
+}
diff --git a/tenants/management/security-controls.tf b/tenants/management/security-controls.tf
@@ -0,0 +1,6 @@
+resource "aws_s3_account_public_access_block" "block" {
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
diff --git a/tenants/management/security-hub.tf b/tenants/management/security-hub.tf
@@ -0,0 +1,30 @@
+resource "aws_securityhub_account" "aws_securityhub" {
+  control_finding_generator = "SECURITY_CONTROL"
+  enable_default_standards  = false
+}
+
+resource "aws_securityhub_organization_admin_account" "aws_securityhub_admin_account" {
+  depends_on = [aws_organizations_organization.root]
+
+  admin_account_id = aws_organizations_account.management.id
+}
+
+resource "aws_securityhub_standards_subscription" "aws" {
+  depends_on    = [aws_securityhub_account.aws_securityhub]
+  standards_arn = "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
+}
+
+resource "aws_securityhub_standards_subscription" "cis12" {
+  depends_on    = [aws_securityhub_account.aws_securityhub]
+  standards_arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
+}
+
+resource "aws_securityhub_standards_subscription" "cis14" {
+  depends_on    = [aws_securityhub_account.aws_securityhub]
+  standards_arn = "arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0"
+}
+
+resource "aws_securityhub_standards_subscription" "nist" {
+  depends_on    = [aws_securityhub_account.aws_securityhub]
+  standards_arn = "arn:aws:securityhub:us-east-1::standards/nist-800-53/v/5.0.0"
+}