[aws/users,aws/account-settings] new modules (#45)

* add iam settings and scaffolding for user account creation

* add signin url local

* Add email template

* Fix formatting

* use data provider output for account alias

* remove redundant group

Author: osterman

aws/account-settings/main.tf

@@ -0,0 +1,19 @@
+terraform {
+  required_version = ">= 0.11.2"
+
+  backend "s3" {}
+}
+
+provider "aws" {
+  assume_role {
+    role_arn = "${var.aws_assume_role_arn}"
+  }
+}
+
+module "account_settings" {
+  source    = "git::https://github.com/cloudposse/terraform-aws-iam-account-settings.git?ref=tags/0.1.0"
+  namespace = "${var.namespace}"
+  stage     = "${var.stage}"
+  name      = "${var.name}"
+  enabled   = "${var.enabled}"
+}

aws/account-settings/outputs.tf

@@ -0,0 +1,7 @@
+output "account_alias" {
+  value = "${module.account_settings.account_alias}"
+}
+
+output "signin_url" {
+  value = "${module.account_settings.signin_url}"
+}

aws/account-settings/variables.tf

@@ -0,0 +1,24 @@
+variable "aws_assume_role_arn" {
+  type = "string"
+}
+
+variable "namespace" {
+  type        = "string"
+  description = "Namespace (e.g. `cp` or `cloudposse`)"
+}
+
+variable "stage" {
+  type        = "string"
+  description = "Stage (e.g. `prod`, `dev`, `staging`)"
+}
+
+variable "name" {
+  type        = "string"
+  description = "Application or solution name (e.g. `app`)"
+  default     = "account"
+}
+
+variable "enabled" {
+  description = "Whether or not to create the IAM account alias"
+  default     = "true"
+}

aws/root-iam/root.tf

@@ -19,3 +19,11 @@ module "organization_access_group_root" {
   admin_user_names    = ["${var.root_account_admin_user_names}"]
   readonly_user_names = ["${var.root_account_readonly_user_names}"]
 }
+
+output "admin_group" {
+  value = "${module.organization_access_group_root.group_admin_name}"
+}
+
+output "readonly_group" {
+  value = "${module.organization_access_group_root.group_readonly_name}"
+}

aws/users/main.tf

@@ -0,0 +1,40 @@
+terraform {
+  required_version = ">= 0.11.2"
+
+  backend "s3" {}
+}
+
+provider "aws" {
+  assume_role {
+    role_arn = "${var.aws_assume_role_arn}"
+  }
+}
+
+data "terraform_remote_state" "account_settings" {
+  backend = "s3"
+
+  config {
+    bucket = "${var.namespace}-${var.stage}-terraform-state"
+    key    = "account-settings/terraform.tfstate"
+  }
+}
+
+data "terraform_remote_state" "root_iam" {
+  backend = "s3"
+
+  config {
+    bucket = "${var.namespace}-${var.stage}-terraform-state"
+    key    = "root-iam/terraform.tfstate"
+  }
+}
+
+locals {
+  account_alias   = "${data.terraform_remote_state.account_settings.account_alias}"
+  signin_url      = "${data.terraform_remote_state.account_settings.signin_url}"
+  admin_groups    = ["${data.terraform_remote_state.root_iam.admin_group}"]
+  readonly_groups = ["${data.terraform_remote_state.root_iam.readonly_group}"]
+}
+
+output "account_alias" {
+  value = "${local.account_alias}"
+}

aws/users/variables.tf

@@ -0,0 +1,37 @@
+variable "aws_assume_role_arn" {}
+
+variable "namespace" {
+  type        = "string"
+  description = "Namespace (e.g. `cp` or `cloudposse`)"
+}
+
+variable "stage" {
+  type        = "string"
+  description = "Stage (e.g. `prod`, `dev`, `staging`)"
+}
+
+variable "name" {
+  type        = "string"
+  description = "Application or solution name (e.g. `app`)"
+  default     = "terraform"
+}
+
+variable "smtp_username" {
+  description = "Username to authenticate with the SMTP server"
+  type        = "string"
+}
+
+variable "smtp_password" {
+  description = "Password to authenticate with the SMTP server"
+  type        = "string"
+}
+
+variable "smtp_host" {
+  description = "SMTP Host"
+  default     = "smtp.mailgun.org"
+}
+
+variable "smtp_port" {
+  description = "SMTP Port"
+  default     = "587"
+}

aws/users/welcome.txt

@@ -0,0 +1,11 @@
+Welcome! Here are your AWS login credentials. They've been encrypted using your Keybase public key for safety.
+
+Sign-in URL: ${signin_url}
+
+Username: ${username}
+
+To retrieve your password, run the following command:
+
+```
+${password_decrypt_command}
+```