44 changes: 2 additions & 42 deletions src/main.tf
Expand Up @@ -3,8 +3,7 @@ locals {

# module.account_map.outputs provides values from either remote state (when enabled)
# or from the static var.account_map defaults (when bypassed)
account_map = module.account_map.outputs.full_account_map
root_account = local.account_map[module.account_map.outputs.root_account_account_name]
account_map = module.account_map.outputs.full_account_map

account_assignments_groups = flatten([
for account_key, account in var.account_assignments : [
Expand All @@ -20,17 +19,6 @@ locals {
]
] if lookup(account, "groups", null) != null
])
# Remove root because the identity org role cannot provision root assignments
account_assignments_groups_no_root = [
for val in local.account_assignments_groups :
val
if val.account != local.root_account
]
account_assignments_groups_only_root = [
for val in local.account_assignments_groups :
val
if val.account == local.root_account
]
account_assignments_users = flatten([
for account_key, account in var.account_assignments : [
for principal_key, principal in account.users : [
Expand All @@ -45,19 +33,8 @@ locals {
]
] if lookup(account, "users", null) != null
])
account_assignments_users_no_root = [
for val in local.account_assignments_users :
val
if val.account != local.root_account
]
account_assignments_users_only_root = [
for val in local.account_assignments_users :
val
if val.account == local.root_account
]

account_assignments = concat(local.account_assignments_groups_no_root, local.account_assignments_users_no_root)
account_assignments_root = concat(local.account_assignments_groups_only_root, local.account_assignments_users_only_root)
account_assignments = concat(local.account_assignments_groups, local.account_assignments_users)

aws_partition = data.aws_partition.current.partition
}
Expand Down Expand Up @@ -99,13 +76,11 @@ module "permission_sets" {
local.billing_administrator_access_permission_set,
local.billing_read_only_access_permission_set,
local.dns_administrator_access_permission_set,
local.identity_access_permission_sets,
local.poweruser_access_permission_set,
local.read_only_access_permission_set,
local.root_access_permission_set,
local.terraform_plan_access_permission_set,
local.terraform_apply_access_permission_set,
local.terraform_update_access_permission_set,
local.terraform_state_access_permission_set,
)

Expand All @@ -128,18 +103,3 @@ module "sso_account_assignments" {
]
}

module "sso_account_assignments_root" {
source = "cloudposse/sso/aws//modules/account-assignments"
version = "1.2.0"

providers = {
aws = aws.root
}

account_assignments = local.account_assignments_root
context = module.this.context

depends_on = [
aws_identitystore_group.manual
]
}
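Review bot: `account_assignments = concat(local.account_assignments_groups, local.account_assignments_users)` now passes root-account entries from `var.account_assignments` to `module "sso_account_assignments"` through the default provider, but the guard it replaces existed because, per the deleted comment, the identity org role cannot provision assignments in the management account. If this component can still be applied from the `identity` account, a root entry would be expected to fail at apply time (AccessDenied on the assignment call) instead of being routed via the removed `aws.root` provider, and nothing in the new code rejects or documents that case; at minimum add above the local `# Root-account assignments are no longer split out; apply this component with management-account credentials.`, or a `precondition` that rejects root entries when not running there. Dropping `local.identity_access_permission_sets` and `local.terraform_update_access_permission_set` from the `module "permission_sets"` list will destroy those permission sets and their existing assignments on the next apply, so confirm no stack still references `TerraformUpdateAccess` or an `Identity*TeamAccess` set in `account_assignments`, since that lookup would presumably fail or silently remove current users' access. `module "sso_account_assignments"` begins outside this hunk.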
62 changes: 0 additions & 62 deletions src/policy-Identity-role-TeamAccess.tf

This file was deleted.

61 changes: 0 additions & 61 deletions src/policy-TerraformUpdateAccess.tf

This file was deleted.

103 changes: 19 additions & 84 deletions src/providers.tf
@@ -1,102 +1,37 @@
# This is the default providers.tf when account map is disabled.

variable "account_map_enabled" {
type = bool
description = <<-EOT
When true, uses the account-map component to look up account IDs dynamically.
When false, uses the static account_map variable instead. Set to false when
using Atmos Auth profiles and static account mappings.
EOT
default = true
description = "Enable the account map component"
default = false
}

variable "account_map" {
type = object({
full_account_map = map(string)
audit_account_account_name = optional(string, "")
root_account_account_name = optional(string, "")
full_account_map = map(string)
audit_account_account_name = optional(string, "")
root_account_account_name = optional(string, "")
identity_account_account_name = optional(string, "")
aws_partition = optional(string, "aws")
iam_role_arn_templates = optional(map(string), {})
})
description = <<-EOT
Static account map used when account_map_enabled is false.
Provides account name to account ID mapping without requiring the account-map component.
EOT
description = "Map of account names (tenant-stage format) to account IDs. Used to verify we're targeting the correct AWS account. Optional attributes support component-specific functionality (e.g., audit_account_account_name for cloudtrail, root_account_account_name for aws-sso)."
default = {
full_account_map = {}
audit_account_account_name = ""
root_account_account_name = ""
full_account_map = {}
audit_account_account_name = ""
root_account_account_name = ""
identity_account_account_name = ""
aws_partition = "aws"
iam_role_arn_templates = {}
}
}

# This component is unusual in that part of it must be deployed to the `root`
# account. You have the option of where to deploy the remaining part, and
# Cloud Posse recommends you deploy it also to the `root` account, however
# it can be deployed to the `identity` account instead. In the discussion
# below, when we talk about where this module is being deployed, we are
# referring to the part of the module that is not deployed to the `root`
# account and is configured by setting `stage` etc..

# If you have Dynamic Terraform Roles enabled, leave the backend `role_arn` at
# its default value. If deploying only to the `root` account, leave `privileged: false`
# and use either SuperAdmin or an appropriate `aws-team` (such as `managers`).
# If deploying to the `identity` account, set `privileged: true`
# and use SuperAdmin or any other role in the `root` account with Admin access.
#
# For those not using dynamic Terraform roles:
#
# Set the stack configuration for this component to set `privileged: true`
# and backend `role_arn` to `null`, and deploy it using either the SuperAdmin
# role or any other role in the `root` account with Admin access.
#
# If you are deploying this to the "identity" account and have a team empowered
# to deploy to both the "identity" and "root" accounts, then you have the option to set
# `privileged: false` and leave the backend `role_arn` at its default value, but
# then SuperAdmin will not be able to deploy this component,
# only the team with access to both accounts will be able to deploy it.
#

provider "aws" {
region = var.region

profile = !var.privileged && module.iam_roles.profiles_enabled ? module.iam_roles.terraform_profile_name : null
dynamic "assume_role" {
for_each = !var.privileged && module.iam_roles.profiles_enabled ? [] : (
var.privileged ? compact([module.iam_roles.org_role_arn]) : compact([module.iam_roles.terraform_role_arn])
)
content {
role_arn = assume_role.value
}
}
}


# dummy module to satisfy the module dependency
module "iam_roles" {
source = "../account-map/modules/iam-roles"
privileged = var.privileged

context = module.this.context
}

provider "aws" {
alias = "root"
region = var.region

profile = !var.privileged && module.iam_roles_root.profiles_enabled ? module.iam_roles_root.terraform_profile_name : null
dynamic "assume_role" {
for_each = !var.privileged && module.iam_roles_root.profiles_enabled ? [] : (
var.privileged ? compact([module.iam_roles_root.org_role_arn]) : compact([module.iam_roles_root.terraform_role_arn])
)
content {
role_arn = assume_role.value
}
}
}


module "iam_roles_root" {
source = "../account-map/modules/iam-roles"

privileged = var.privileged
tenant = module.iam_roles.global_tenant_name
stage = module.iam_roles.global_stage_name
environment = module.iam_roles.global_environment_name

source = "cloudposse/label/null"
context = module.this.context
}
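Review bot: The `account_map` description that appears on the new side says the map is "Used to verify we're targeting the correct AWS account", but nothing in this file performs that verification — the rewritten `provider "aws"` block carries only `region`, so the component now applies with whatever ambient credentials the operator has, and the explicit `assume_role` into `module.iam_roles.org_role_arn` / `terraform_role_arn` is gone. Either reword it to what the code does, e.g. `description = "Static account name (tenant-stage) to account ID map, used when account_map_enabled is false. No account verification is performed by this variable."`, or add the verification as a `precondition` comparing `data.aws_caller_identity.current.account_id` with the expected `full_account_map` entry, so a mis-selected profile fails at plan time rather than creating SSO assignments in the wrong account. With `account_map_enabled` now defaulting to `false` and `full_account_map = {}`, any account ID lookup elsewhere in the component will presumably error on the empty map until a caller supplies the static map; a `precondition` requiring `length(var.account_map.full_account_map) > 0` when `account_map_enabled` is false would give a clearer failure. The `# dummy module to satisfy the module dependency` comment should say what it satisfies: `# Placeholder so existing module.iam_roles references stay valid; cloudposse/label/null creates no AWS resources.`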
28 changes: 0 additions & 28 deletions src/variables.tf
Expand Up @@ -3,12 +3,6 @@ variable "region" {
description = "AWS Region"
}

variable "privileged" {
type = bool
description = "True if the user running the Terraform command already has access to the Terraform backend"
default = false
}

variable "account_assignments" {
type = map(map(map(object({
permission_sets = list(string)
Expand All @@ -33,16 +27,6 @@ variable "account_assignments" {
default = {}
}

variable "aws_teams_accessible" {
type = set(string)
description = <<-EOT
List of IAM roles (e.g. ["admin", "terraform"]) for which to create permission
sets that allow the user to assume that role. Named like
admin -> IdentityAdminTeamAccess
EOT
default = []
}

variable "groups" {
type = list(string)
description = <<-EOT
Expand All @@ -59,24 +43,12 @@ variable "session_duration" {
default = ""
}

variable "tfstate_backend_component_name" {
type = string
description = "The name of the tfstate-backend component"
default = "tfstate-backend"
}

variable "account_map_component_name" {
type = string
description = "The name of the account-map component"
default = "account-map"
}

variable "overridable_team_permission_set_name_pattern" {
type = string
description = "The pattern used to generate the AWS SSO PermissionSet name for each team"
default = "Identity%sTeamAccess"
}

variable "idp_groups" {
type = list(string)
description = <<-EOT