[aws/bootstrap] Implement Bootstrap User Account (#66)

* Implement comprehensive bootstrap user and role provisioning module

* Use wildcard target

* Apply suggestions from code review

Co-Authored-By: osterman <[email protected]>

Author: osterman

.editorconfig

@@ -22,3 +22,7 @@ indent_size = 4
 [*.sh]
 indent_style = tab
 indent_size = 4
+
+[*.{tf,tfvars,tpl}]
+indent_size = 2
+indent_style = space

aws/bootstrap/.gitignore

@@ -0,0 +1,2 @@
+.aws
+.envrc

aws/bootstrap/Makefile

@@ -1,22 +1,8 @@
-AWS_DEFAULT_REGION := us-east-1
-IAM_ROLE ?= bootstrap
-IAM_POLICY_ARN ?= arn:aws:iam::aws:policy/AdministratorAccess 
+init:
+	init-terraform
 
-export AWS_ROOT_ACCOUNT_ID=$(shell aws sts get-caller-identity --output text --query 'Account')
+%:
+	terraform $@
 
-export ASSUME_ROLE_POLICY=$(shell envsubst < assume-role.json > /tmp/assume-role.json; echo file:///tmp/assume-role.json)
-
-## Provision a temporary IAM role for bootstrapping
-create/iam-role:
-	@aws iam create-role --role-name "$(IAM_ROLE)" --assume-role-policy-document "$(ASSUME_ROLE_POLICY)" >/dev/null
-	@aws iam attach-role-policy --role-name "$(IAM_ROLE)" --policy-arn $(IAM_POLICY_ARN) >/dev/null
-	@echo "The '$(IAM_ROLE) role has been created. Use '$(IAM_ROLE)' anywhere an assumed role is required."
-
-## Destroy the temporary IAM role for bootstrapping
-delete/iam-role:
-	@aws iam detach-role-policy --role-name "$(IAM_ROLE)" --policy-arn $(IAM_POLICY_ARN) >/dev/null
-	@aws iam delete-role --role-name "$(IAM_ROLE)" > /dev/null
-	@echo "The '$(IAM_ROLE)' role has been deleted"
-
-list/iam-role:
-	@aws iam list-roles | jq -r '.Roles | .[] | .RoleName + " " + .Arn' | xargs -n 2 printf '%-40s %s\n'
+clean:
+	rm -rf .terraform

aws/bootstrap/README.md

@@ -0,0 +1,7 @@
+# bootstrap
+
+This module provisions an AWS user along with a bootstrap role suitable for bootstrapping an AWS multi-account architecture as found in our [reference architectures](https://github.com/cloudposse/reference-architecutres). 
+
+These user and role are intended to be used as a **temporary fixture** and should be deprovisioned after all accounts have been provisioned in order to maintain a secure environment.
+
+__WARNING:__ This module grants `AdministrativeAccess` in the current account along with the `OrganizationAccountAccessRole` to all `accounts_enabled` **without MFA**. We repeat, this module should *only* be used during the bootstrapping phase when provisioning your infrastructure for the first time.

aws/bootstrap/assume-role.json

@@ -0,0 +1,5 @@
+# Temporary configuration for AWS bootstrapping
+[profile ${profile_name}]
+region = ${region}
+role_arn = ${role_arn}
+source_profile = ${source_profile}

aws/bootstrap/config.tpl

@@ -0,0 +1,5 @@
+# Temporary credentials for AWS bootstrapping
+
+[${source_profile_name}]
+aws_access_key_id = ${aws_access_key_id}
+aws_secret_access_key = ${aws_secret_access_key}

aws/bootstrap/credentials.tpl

@@ -0,0 +1,5 @@
+#export AWS_ACCESS_KEY_ID=${aws_access_key_id}
+#export AWS_SECRET_ACCESS_KEY=${aws_secret_access_key}
+export AWS_ASSUME_ROLE_ARN=${aws_assume_role_arn}
+export AWS_CONFIG_FILE=${aws_config_file}
+export AWS_DATA_PATH=${aws_data_path}

aws/bootstrap/env.tpl

@@ -0,0 +1,147 @@
+terraform {
+  required_version = ">= 0.11.2"
+
+  backend "s3" {}
+}
+
+provider "aws" {
+  assume_role {
+    role_arn = "${var.aws_assume_role_arn}"
+  }
+}
+
+# User account that will be used for provisioning
+module "user" {
+  source = "git::https://github.com/cloudposse/terraform-aws-iam-system-user.git?ref=tags/0.3.2"
+
+  namespace = "${var.namespace}"
+  stage     = "${var.stage}"
+  name      = "bootstrap"
+}
+
+# Allow the user to assume role
+data "aws_iam_policy_document" "assume_role" {
+  statement {
+    effect = "Allow"
+
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["${module.user.user_arn}"]
+    }
+  }
+}
+
+# Fetch the OrganizationAccountAccessRole ARNs from SSM
+module "organization_account_access_role_arns" {
+  source         = "git::https://github.com/cloudposse/terraform-aws-ssm-parameter-store?ref=tags/0.1.5"
+  parameter_read = "${formatlist("/${var.namespace}/%s/organization_account_access_role", var.accounts_enabled)}"
+}
+
+# IAM role for bootstrapping; allow user to assume it
+resource "aws_iam_role" "bootstrap" {
+  name               = "${module.user.user_name}"
+  assume_role_policy = "${data.aws_iam_policy_document.assume_role.json}"
+}
+
+# Grant Administrator Access to the current "root" account to the role
+resource "aws_iam_role_policy_attachment" "administrator_access" {
+  role       = "${aws_iam_role.bootstrap.name}"
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+
+# Generate a policy for assuming role into all child accounts
+data "aws_iam_policy_document" "organization_account_access_role" {
+  statement {
+    actions = [
+      "sts:AssumeRole",
+    ]
+
+    effect    = "Allow"
+    resources = ["${module.organization_account_access_role_arns.values}"]
+  }
+}
+
+# Create an IAM policy from the generated document
+resource "aws_iam_policy" "organization_account_access_role" {
+  name   = "${aws_iam_role.bootstrap.name}"
+  policy = "${data.aws_iam_policy_document.organization_account_access_role.json}"
+}
+
+# Assign the policy to the user
+resource "aws_iam_user_policy_attachment" "organization_account_access_role" {
+  user       = "${aws_iam_role.bootstrap.name}"
+  policy_arn = "${aws_iam_policy.organization_account_access_role.arn}"
+}
+
+# Render the env file with IAM credentials
+data "template_file" "env" {
+  template = "${file("${path.module}/env.tpl")}"
+
+  vars {
+    aws_access_key_id     = "${module.user.access_key_id}"
+    aws_secret_access_key = "${module.user.secret_access_key}"
+    aws_assume_role_arn   = "${aws_iam_role.bootstrap.arn}"
+    aws_data_path         = "${dirname(local_file.config_file.filename)}"
+    aws_config_file       = "${local_file.config_file.filename}"
+  }
+}
+
+# Write the env file to disk
+resource "local_file" "env_file" {
+  content  = "${data.template_file.env.rendered}"
+  filename = "${var.output_path}/${var.env_file}"
+}
+
+# Render the credentials file with IAM credentials
+data "template_file" "credentials" {
+  template = "${file("${path.module}/credentials.tpl")}"
+
+  vars {
+    source_profile_name   = "${var.namespace}"
+    aws_access_key_id     = "${module.user.access_key_id}"
+    aws_secret_access_key = "${module.user.secret_access_key}"
+    aws_assume_role_arn   = "${aws_iam_role.bootstrap.arn}"
+  }
+}
+
+# Write the credentials file to disk
+resource "local_file" "credentials_file" {
+  content  = "${data.template_file.credentials.rendered}"
+  filename = "${var.output_path}/${var.credentials_file}"
+}
+
+# Render the config file with IAM credentials
+data "template_file" "config_root" {
+  template = "${file("${path.module}/config.tpl")}"
+
+  vars {
+    profile_name   = "${var.namespace}-${var.stage}-admin"
+    source_profile = "${var.namespace}"
+    region         = "${var.aws_region}"
+    role_arn       = "${aws_iam_role.bootstrap.arn}"
+  }
+}
+
+# Render the config file with IAM credentials
+data "template_file" "config" {
+  count    = "${length(module.organization_account_access_role_arns.values)}"
+  template = "${file("${path.module}/config.tpl")}"
+
+  vars {
+    profile_name   = "${var.namespace}-${var.accounts_enabled[count.index]}-admin"
+    source_profile = "${var.namespace}"
+    region         = "${var.aws_region}"
+    role_arn       = "${module.organization_account_access_role_arns.values[count.index]}"
+  }
+}
+
+# Write the config file to disk
+resource "local_file" "config_file" {
+  content = "${join("\n\n", 
+    concat(list("[profile ${var.namespace}]"),
+       list(data.template_file.config_root.rendered), data.template_file.config.*.rendered))}"
+
+  filename = "${var.output_path}/${var.config_file}"
+}

aws/bootstrap/main.tf

@@ -0,0 +1,4 @@
+output "env_file" {
+  description = "Env file with IAM bootstrap credentials"
+  value       = "${var.env_file}"
+}