Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/infrablocks/terraform-aws-admin
A Terraform module for managing an admin user and group.
https://github.com/infrablocks/terraform-aws-admin
admin aws infrastructure terraform terraform-modules
Last synced: 3 months ago
JSON representation
A Terraform module for managing an admin user and group.
- Host: GitHub
- URL: https://github.com/infrablocks/terraform-aws-admin
- Owner: infrablocks
- License: mit
- Created: 2019-11-14T23:01:51.000Z (about 5 years ago)
- Default Branch: main
- Last Pushed: 2024-10-28T08:25:04.000Z (3 months ago)
- Last Synced: 2024-10-28T10:15:23.463Z (3 months ago)
- Topics: admin, aws, infrastructure, terraform, terraform-modules
- Language: Ruby
- Homepage:
- Size: 553 KB
- Stars: 2
- Watchers: 7
- Forks: 1
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE.txt
- Code of conduct: CODE_OF_CONDUCT.md
Awesome Lists containing this project
README
Terraform AWS Admin
===================
[](https://github.com/infrablocks/terraform-aws-admin/tags)
[](https://app.circleci.com/pipelines/github/infrablocks/terraform-aws-admin?filter=all)
[](https://go-atomic.io)
A Terraform module for managing an admin user and group.
The admin deployment has no requirements.
The admin deployment consists of:
* an admin user
* with an optional login profile
* with an optional access key
* an admins group
* with an associated policy allowing admin access
Usage
-----
To use the module, include something like the following in your Terraform
configuration:
```terraform
module "admin" {
source = "infrablocks/admin/aws"
version = "2.0.0"
admin_user_name = "administrator"
admin_group_name = "administrators"
admin_public_gpg_key = filebase64("${path.root}/keys/admin.gpg")
admin_user_password_length = 48
}
```
See the
[Terraform registry entry](https://registry.terraform.io/modules/infrablocks/admin/aws/latest)
for more details.
### Inputs
| Name | Description | Default | Required |
|-------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------|:----------:|:----------------------------:|
| `admin_user_name` | The name of the admin user. | `"admin"` | No |
| `admin_group_name` | The name of the admins group. | `"admins"` | No |
| `admin_group_policy_contents` | The contents of the policy associated with the admins group. By default, full access is granted. | `""` | No |
| `admin_public_gpg_key` | The contents of the public GPG key for the admin, base 64 encoded. Only required if `include_login_profile` or `include_access_key` are `true`. | - | Yes, depending on other vars |
| `admin_user_password_length` | The length of the admin user password to create. Only relevant if `include_login_profile` is `true`. | `32` | No |
| `include_login_profile` | Whether or not to generate a login profile for the admin user. Uses the provided admin GPG key to encrypt the credentials. Defaults to `true`. | `true` | No |
| `include_access_key` | Whether or not to generate an access key for the admin user. Uses the provided admin GPG key to encrypt the credentials. Defaults to `true`. | `true` | No |
### Outputs
| Name | Description |
|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `admin_user_arn` | The ARN of the managed admin user. |
| `admin_user_name` | The name of the managed admin user. |
| `admin_user_password` | The password of the managed admin user, base64 encoded and encrypted using the provided admin public GPG key. When `include_login_profile` is `false`, this is an empty string. |
| `admin_user_access_key_id` | The access key ID of the managed admin user. When `include_access_key` is `false`, this is an empty string. |
| `admin_user_secret_access_key` | The secret access key of the managed admin user, base64 encoded and encrypted using the provided admin public GPG key. When `include_access_key` is `false`, this is an empty string. |
| `admin_group_arn` | The ARN of the managed admins group. |
| `admin_group_policy_name` | The name of the policy attached to the managed admins group. |
### Compatibility
This module is compatible with Terraform versions greater than or equal to
Terraform 1.0.
Development
-----------
### Machine Requirements
In order for the build to run correctly, a few tools will need to be installed
on your development machine:
* Ruby (3.1)
* Bundler
* git
* git-crypt
* gnupg
* direnv
* aws-vault
#### Mac OS X Setup
Installing the required tools is best managed by [homebrew](http://brew.sh).
To install homebrew:
```
ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
```
Then, to install the required tools:
```
# ruby
brew install rbenv
brew install ruby-build
echo 'eval "$(rbenv init - bash)"' >> ~/.bash_profile
echo 'eval "$(rbenv init - zsh)"' >> ~/.zshrc
eval "$(rbenv init -)"
rbenv install 3.1.1
rbenv rehash
rbenv local 3.1.1
gem install bundler
# git, git-crypt, gnupg
brew install git
brew install git-crypt
brew install gnupg
# aws-vault
brew cask install
# direnv
brew install direnv
echo "$(direnv hook bash)" >> ~/.bash_profile
echo "$(direnv hook zsh)" >> ~/.zshrc
eval "$(direnv hook $SHELL)"
direnv allow
```
### Running the build
Running the build requires an AWS account and AWS credentials. You are free to
configure credentials however you like as long as an access key ID and secret
access key are available. These instructions utilise
[aws-vault](https://github.com/99designs/aws-vault) which makes credential
management easy and secure.
To run the full build, including unit and integration tests, execute:
```bash
aws-vault exec -- ./go
```
To run the unit tests, execute:
```bash
aws-vault exec -- ./go test:unit
```
To run the integration tests, execute:
```bash
aws-vault exec -- ./go test:integration
```
To provision the module prerequisites:
```bash
aws-vault exec -- ./go deployment:prerequisites:provision[]
```
To provision the module contents:
```bash
aws-vault exec -- ./go deployment:root:provision[]
```
To destroy the module contents:
```bash
aws-vault exec -- ./go deployment:root:destroy[]
```
To destroy the module prerequisites:
```bash
aws-vault exec -- ./go deployment:prerequisites:destroy[]
```
Configuration parameters can be overridden via environment variables. For
example, to run the unit tests with a seed of `"testing"`, execute:
```bash
SEED=testing aws-vault exec -- ./go test:unit
```
When a seed is provided via an environment variable, infrastructure will not be
destroyed at the end of test execution. This can be useful during development
to avoid lengthy provision and destroy cycles.
To subsequently destroy unit test infrastructure for a given seed:
```bash
FORCE_DESTROY=yes SEED=testing aws-vault exec -- ./go test:unit
```
### Common Tasks
#### Generating an SSH key pair
To generate an SSH key pair:
```
ssh-keygen -m PEM -t rsa -b 4096 -C [email protected] -N '' -f config/secrets/keys/bastion/ssh
```
#### Generating a self-signed certificate
To generate a self signed certificate:
```
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
```
To decrypt the resulting key:
```
openssl rsa -in key.pem -out ssl.key
```
#### Managing CircleCI keys
To encrypt a GPG key for use by CircleCI:
```bash
openssl aes-256-cbc \
-e \
-md sha1 \
-in ./config/secrets/ci/gpg.private \
-out ./.circleci/gpg.private.enc \
-k ""
```
To check decryption is working correctly:
```bash
openssl aes-256-cbc \
-d \
-md sha1 \
-in ./.circleci/gpg.private.enc \
-k ""
```
Contributing
------------
Bug reports and pull requests are welcome on GitHub at
https://github.com/infrablocks/terraform-aws-admin.
This project is intended to be a safe, welcoming space for collaboration, and
contributors are expected to adhere to
the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
License
-------
The library is available as open source under the terms of the
[MIT License](http://opensource.org/licenses/MIT).