# ------------------------------------------------------------------------------
# Look up the identity (Account ID, User ID, and ARN) behind the credentials
# of the default provider.  The ARN returned here is what the locals below
# turn into the session name used when Terraform assumes roles.
# ------------------------------------------------------------------------------
data "aws_caller_identity" "default" {
}
# ------------------------------------------------------------------------------
# List every account in the organization.  This goes through the read-only
# Organizations provider alias rather than the default provider; the account
# names and IDs it returns are the input from which the non-assessment
# account lists in the locals below are derived.
# ------------------------------------------------------------------------------
data "aws_organizations_organization" "cool" {
  provider = aws.organizationsreadonly
}
# ------------------------------------------------------------------------------
# Look up the caller identity as seen by the Users provider alias, so that
# the Account ID associated with that provider is available to this
# configuration.
# ------------------------------------------------------------------------------
data "aws_caller_identity" "users" {
  provider = aws.users
}
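# ------------------------------------------------------------------------------
# Evaluate expressions for use throughout this configuration.
#
# Two of the values computed here are security-relevant:
#   * caller_user_name is used as the session name when Terraform assumes
#     roles, so it is what CloudTrail records for attribution.
#   * prohibited_non_assessment_roles enumerates the roles in non-assessment
#     accounts that are NOT in the required list below; by name it is
#     intended to be consumed as a deny list by the rest of this
#     configuration.
#
# NOTE(review): the account lists are evaluated at plan time from the
# organization listing, so they are only as current as the most recent
# apply.  Accounts added to (or renamed within) the organization are not
# reflected in the prohibited lists until this configuration is re-applied.
# ------------------------------------------------------------------------------
locals {
  # Extract the user name of the current caller for use as assume role
  # session names.
  #
  # The last path component of the caller ARN is taken rather than a fixed
  # index so that the result is still the IAM user name when the user has a
  # non-root IAM path (e.g. arn:aws:iam::123456789012:user/team/alice), where
  # split()[1] would yield the path segment "team" instead of "alice".  For
  # an assumed-role caller (arn:aws:sts::123456789012:assumed-role/Role/Session)
  # this yields the existing session name, which preserves attribution
  # through a chain of role assumptions.
  caller_arn_parts = split("/", data.aws_caller_identity.default.arn)
  caller_user_name = element(local.caller_arn_parts, length(local.caller_arn_parts) - 1)

  # Get IDs of all non-assessment accounts in the organization, i.e. those
  # that don't have account names like: "env[:digit:] (.*)"
  #
  # NOTE(review): assessment accounts are identified purely by account name.
  # Renaming a non-assessment account so that it matches this pattern would
  # silently drop it from the prohibited lists below, so account renames in
  # the organization should be reviewed with that in mind.
  all_non_assessment_account_ids = [
    for account in data.aws_organizations_organization.cool.accounts :
    account.id
    if length(regexall("^env[[:digit:]]+ \\(.*\\)$", account.name)) == 0
  ]

  # Create a list of all provision roles in non-assessment accounts.
  #
  # NOTE(review): the "aws" partition is hard-coded in these ARNs, so they
  # would not match roles in another partition (e.g. aws-us-gov).
  all_non_assessment_provision_roles = formatlist("arn:aws:iam::%s:role/%s", local.all_non_assessment_account_ids, var.provision_assessment_role_name)

  # Create a list of all startstopssmsession roles in non-assessment accounts.
  all_non_assessment_startstopssmsession_roles = formatlist("arn:aws:iam::%s:role/%s", local.all_non_assessment_account_ids, var.startstopssmsession_role_name)

  # Assumption of the following non-assessment account roles is required
  # to successfully provision assessment environments.
  #
  # Every ARN here is read from the remote state of the repository that owns
  # the role, so this list tracks whatever those states currently export.
  #
  # TODO: Determine if it is possible/worthwhile to replace any
  # "provision account" roles below with something less powerful. New roles
  # would need to be created in appropriate repositories, then used in
  # cisagov/cool-assessment-terraform and also included below.
  # See https://github.com/cisagov/cool-assessment-terraform/issues/133.
  required_non_assessment_roles = [
    data.terraform_remote_state.dns_certboto.outputs.provisioncertificatereadroles_role.arn,
    data.terraform_remote_state.images_parameterstore-production.outputs.parameterstorereadonly_role.arn,
    data.terraform_remote_state.images_parameterstore-production.outputs.provisionparameterstorereadroles_role.arn,
    data.terraform_remote_state.images_parameterstore-staging.outputs.parameterstorereadonly_role.arn,
    data.terraform_remote_state.images_parameterstore-staging.outputs.provisionparameterstorereadroles_role.arn,
    data.terraform_remote_state.master.outputs.organizationsreadonly_role.arn,
    data.terraform_remote_state.sharedservices-production.outputs.provisionaccount_role.arn,
    data.terraform_remote_state.sharedservices-staging.outputs.provisionaccount_role.arn,
    data.terraform_remote_state.terraform.outputs.access_terraform_backend_role.arn,
    data.terraform_remote_state.terraform.outputs.provisionaccount_role.arn,
  ]

  # Create set of prohibited non-assessment account provision roles.
  #
  # Required roles that are not themselves provision roles (e.g. the
  # organizationsreadonly role) are simply absent from the minuend and have
  # no effect on the result.
  prohibited_non_assessment_provision_roles = setsubtract(local.all_non_assessment_provision_roles, local.required_non_assessment_roles)

  # Create comprehensive set of prohibited non-assessment account roles.
  #
  # No startstopssmsession role appears in the required list above, so every
  # such role in a non-assessment account is prohibited.
  prohibited_non_assessment_roles = setunion(local.prohibited_non_assessment_provision_roles, local.all_non_assessment_startstopssmsession_roles)
}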