[iam] Use account remote state to fetch sub account IDs (#63)

joshmyers · osterman · commit 3914d3b8b8be · 2018-12-20T14:46:32.000-08:00
* Use account remote state to fetch sub account IDs

So that we don’t need to hardcode these as vars in the top root
Dockerfile.

* avoid sprawl of variable names. upgrde org module.

* add accounts and enabled flag

* fix typo

* Fix descriptions
diff --git a/aws/iam/audit.auto.tfvars.example b/aws/iam/audit.auto.tfvars.example
diff --git a/aws/iam/audit.tf b/aws/iam/audit.tf
@@ -1,20 +1,17 @@
-variable "audit_account_id" {
-  type        = "string"
-  description = "Audit account ID"
-}
-
 variable "audit_account_user_names" {
   type        = "list"
-  description = "IAM user names to grant access to Audit account"
+  description = "IAM user names to grant access to the `audit` account"
+  default     = []
 }
 
 # Provision group access to audit account. Careful! Very few people, if any should have access to this account.
 module "organization_access_group_audit" {
-  source            = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=tags/0.1.3"
+  source            = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=tags/0.2.1"
+  enabled           = "${contains(var.accounts_enabled, "audit") == true ? "true" : "false"}"
   namespace         = "${var.namespace}"
   stage             = "audit"
   name              = "admin"
-  user_names        = ["${var.audit_account_user_names}"]
-  member_account_id = "${var.audit_account_id}"
+  user_names        = "${var.audit_account_user_names}"
+  member_account_id = "${data.terraform_remote_state.accounts.audit_account_id}"
   require_mfa       = "true"
 }
diff --git a/aws/iam/corp.tf b/aws/iam/corp.tf
@@ -0,0 +1,17 @@
+variable "corp_account_user_names" {
+  type        = "list"
+  description = "IAM user names to grant access to the `corp` account"
+  default     = []
+}
+
+# Provision group access to corp account
+module "organization_access_group_corp" {
+  source            = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=tags/0.2.1"
+  enabled           = "${contains(var.accounts_enabled, "corp") == true ? "true" : "false"}"
+  namespace         = "${var.namespace}"
+  stage             = "corp"
+  name              = "admin"
+  user_names        = "${var.corp_account_user_names}"
+  member_account_id = "${data.terraform_remote_state.accounts.corp_account_id}"
+  require_mfa       = "true"
+}
diff --git a/aws/iam/data.tf b/aws/iam/data.tf
@@ -0,0 +1,17 @@
+variable "data_account_user_names" {
+  type        = "list"
+  description = "IAM user names to grant access to the `data` account"
+  default     = []
+}
+
+# Provision group access to data account
+module "organization_access_group_data" {
+  source            = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=tags/0.2.1"
+  enabled           = "${contains(var.accounts_enabled, "data") == true ? "true" : "false"}"
+  namespace         = "${var.namespace}"
+  stage             = "data"
+  name              = "admin"
+  user_names        = "${var.data_account_user_names}"
+  member_account_id = "${data.terraform_remote_state.accounts.data_account_id}"
+  require_mfa       = "true"
+}
diff --git a/aws/iam/dev.auto.tfvars.example b/aws/iam/dev.auto.tfvars.example
diff --git a/aws/iam/dev.tf b/aws/iam/dev.tf
@@ -1,20 +1,17 @@
-variable "dev_account_id" {
-  type        = "string"
-  description = "Dev account ID"
-}
-
 variable "dev_account_user_names" {
   type        = "list"
-  description = "IAM user names to grant access to Dev account"
+  description = "IAM user names to grant access to the `dev` account"
+  default     = []
 }
 
 # Provision group access to dev account
 module "organization_access_group_dev" {
-  source            = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=tags/0.1.3"
+  source            = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=tags/0.2.1"
+  enabled           = "${contains(var.accounts_enabled, "dev") == true ? "true" : "false"}"
   namespace         = "${var.namespace}"
   stage             = "dev"
   name              = "admin"
-  user_names        = ["${var.dev_account_user_names}"]
-  member_account_id = "${var.dev_account_id}"
+  user_names        = "${var.dev_account_user_names}"
+  member_account_id = "${data.terraform_remote_state.accounts.dev_account_id}"
   require_mfa       = "true"
 }
diff --git a/aws/iam/identity.tf b/aws/iam/identity.tf
@@ -0,0 +1,17 @@
+variable "identity_account_user_names" {
+  type        = "list"
+  description = "IAM user names to grant access to the `identity` account"
+  default     = []
+}
+
+# Provision group access to identity account
+module "organization_access_group_identity" {
+  source            = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=tags/0.2.1"
+  enabled           = "${contains(var.accounts_enabled, "identity") == true ? "true" : "false"}"
+  namespace         = "${var.namespace}"
+  stage             = "identity"
+  name              = "admin"
+  user_names        = "${var.identity_account_user_names}"
+  member_account_id = "${data.terraform_remote_state.accounts.identity_account_id}"
+  require_mfa       = "true"
+}
diff --git a/aws/iam/main.tf b/aws/iam/main.tf
@@ -4,17 +4,19 @@ terraform {
   backend "s3" {}
 }
 
-variable "aws_assume_role_arn" {
-  type = "string"
-}
-
-variable "namespace" {
-  type        = "string"
-  description = "Namespace (e.g. `cp` or `cloudposse`)"
-}
-
 provider "aws" {
   assume_role {
     role_arn = "${var.aws_assume_role_arn}"
   }
 }
+
+data "terraform_remote_state" "accounts" {
+  backend = "s3"
+
+  config {
+    bucket = "${var.namespace}-${var.stage}-terraform-state"
+    key    = "accounts/terraform.tfstate"
+  }
+}
+
+locals {}
diff --git a/aws/iam/prod.auto.tfvars.example b/aws/iam/prod.auto.tfvars.example
diff --git a/aws/iam/prod.tf b/aws/iam/prod.tf
@@ -1,20 +1,17 @@
-variable "prod_account_id" {
-  type        = "string"
-  description = "Production account ID"
-}
-
 variable "prod_account_user_names" {
   type        = "list"
-  description = "IAM user names to grant access to Production account"
+  description = "IAM user names to grant access to the `prod` account"
+  default     = []
 }
 
 # Provision group access to production account
 module "organization_access_group_prod" {
-  source            = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=tags/0.1.3"
+  source            = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=tags/0.2.1"
+  enabled           = "${contains(var.accounts_enabled, "prod") == true ? "true" : "false"}"
   namespace         = "${var.namespace}"
   stage             = "prod"
   name              = "admin"
-  user_names        = ["${var.prod_account_user_names}"]
-  member_account_id = "${var.prod_account_id}"
+  user_names        = "${var.prod_account_user_names}"
+  member_account_id = "${data.terraform_remote_state.accounts.prod_account_id}"
   require_mfa       = "true"
 }
diff --git a/aws/iam/security.tf b/aws/iam/security.tf
@@ -0,0 +1,17 @@
+variable "security_account_user_names" {
+  type        = "list"
+  description = "IAM user names to grant access to the `security` account"
+  default     = []
+}
+
+# Provision group access to security account
+module "organization_access_group_security" {
+  source            = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=tags/0.2.1"
+  enabled           = "${contains(var.accounts_enabled, "security") == true ? "true" : "false"}"
+  namespace         = "${var.namespace}"
+  stage             = "security"
+  name              = "admin"
+  user_names        = "${var.security_account_user_names}"
+  member_account_id = "${data.terraform_remote_state.accounts.security_account_id}"
+  require_mfa       = "true"
+}
diff --git a/aws/iam/staging.auto.tfvars.example b/aws/iam/staging.auto.tfvars.example
diff --git a/aws/iam/staging.tf b/aws/iam/staging.tf
@@ -1,20 +1,17 @@
-variable "staging_account_id" {
-  type        = "string"
-  description = "Staging account ID"
-}
-
 variable "staging_account_user_names" {
   type        = "list"
-  description = "IAM user names to grant access to Staging account"
+  description = "IAM user names to grant access to the `staging` account"
+  default     = []
 }
 
 # Provision group access to staging account
 module "organization_access_group_staging" {
-  source            = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=tags/0.1.3"
+  source            = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=tags/0.2.1"
+  enabled           = "${contains(var.accounts_enabled, "staging") == true ? "true" : "false"}"
   namespace         = "${var.namespace}"
   stage             = "staging"
   name              = "admin"
-  user_names        = ["${var.staging_account_user_names}"]
-  member_account_id = "${var.staging_account_id}"
+  user_names        = "${var.staging_account_user_names}"
+  member_account_id = "${data.terraform_remote_state.accounts.staging_account_id}"
   require_mfa       = "true"
 }
diff --git a/aws/iam/testing.auto.tfvars.example b/aws/iam/testing.auto.tfvars.example
diff --git a/aws/iam/testing.tf b/aws/iam/testing.tf
@@ -1,20 +1,17 @@
-variable "testing_account_id" {
-  type        = "string"
-  description = "Testing account ID"
-}
-
 variable "testing_account_user_names" {
   type        = "list"
-  description = "IAM user names to grant access to Testing account"
+  description = "IAM user names to grant access to the `testing` account"
+  default     = []
 }
 
 # Provision group access to testing account
 module "organization_access_group_testing" {
-  source            = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=tags/0.1.3"
+  source            = "git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=tags/0.2.1"
+  enabled           = "${contains(var.accounts_enabled, "testing") == true ? "true" : "false"}"
   namespace         = "${var.namespace}"
   stage             = "testing"
   name              = "admin"
-  user_names        = ["${var.testing_account_user_names}"]
-  member_account_id = "${var.testing_account_id}"
+  user_names        = "${var.testing_account_user_names}"
+  member_account_id = "${data.terraform_remote_state.accounts.testing_account_id}"
   require_mfa       = "true"
 }
diff --git a/aws/iam/variables.tf b/aws/iam/variables.tf
@@ -0,0 +1,19 @@
+variable "accounts_enabled" {
+  type        = "list"
+  description = "Accounts to enable"
+  default     = ["dev", "staging", "prod", "testing", "audit"]
+}
+
+variable "aws_assume_role_arn" {
+  type = "string"
+}
+
+variable "namespace" {
+  type        = "string"
+  description = "Namespace (e.g. `cp` or `cloudposse`)"
+}
+
+variable "stage" {
+  type        = "string"
+  description = "Stage, e.g. 'prod', 'staging', 'dev', or 'test'"
+}
