More Reference Architecture Fixes (#69)

* Add makefiles

* Use data provider for aws account id

* Use aws_region data provider

* Fix typo

* Use `aws_region` as standard name

* Use `aws_region` as standard name

* Use `region` as standard name

* Use SSM parameters for dynamic enablement of DNS

* triage

* Support enabled/disabled

* fmt

* Update aws/root-dns/ns/main.tf

Co-Authored-By: osterman <[email protected]>

* Update aws/root-dns/ns/main.tf

Co-Authored-By: osterman <[email protected]>

Author: osterman

aws/account-dns/Makefile

@@ -0,0 +1,8 @@
+init:
+	init-terraform
+
+clean:
+	rm -rf .terraform
+
+%:
+	terraform $@

aws/audit-cloudtrail/Makefile

@@ -0,0 +1,8 @@
+init:
+	init-terraform
+
+clean:
+	rm -rf .terraform
+
+%:
+	terraform $@

aws/audit-cloudtrail/main.tf

@@ -34,6 +34,13 @@ variable "name" {
 variable "region" {
   type        = "string"
   description = "AWS region"
+  default     = ""
+}
+
+data "aws_region" "default" {}
+
+locals {
+  region = "${length(var.region) > 0 ? var.region : data.aws_region.default.name}"
 }
 
 module "cloudtrail" {
@@ -53,7 +60,7 @@ module "cloudtrail_s3_bucket" {
   namespace = "${var.namespace}"
   stage     = "${var.stage}"
   name      = "${var.name}"
-  region    = "${var.region}"
+  region    = "${local.region}"
 }
 
 output "cloudtrail_bucket_domain_name" {

aws/chamber/main.tf

@@ -18,16 +18,6 @@ variable "stage" {
   description = "Stage (e.g. `prod`, `dev`, `staging`)"
 }
 
-variable "region" {
-  type        = "string"
-  description = "AWS region"
-}
-
-variable "account_id" {
-  type        = "string"
-  description = "AWS account ID"
-}
-
 variable "parameter_groups" {
   type        = "list"
   description = "Parameter group names"

aws/chamber/user.tf

@@ -1,3 +1,6 @@
+data "aws_caller_identity" "default" {}
+data "aws_region" "default" {}
+
 # Chamber user for CI/CD systems that cannot leverage IAM instance profiles
 # https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-access.html
 module "chamber_user" {
@@ -9,7 +12,7 @@ module "chamber_user" {
   kms_key_arn = "${module.chamber_kms_key.key_arn}"
 
   ssm_resources = [
-    "${formatlist("arn:aws:ssm:%s:%s:parameter/%s/*", var.region, var.account_id, var.parameter_groups)}",
+    "${formatlist("arn:aws:ssm:%s:%s:parameter/%s/*", data.aws_region.default.name, data.aws_caller_identity.default.account_id, var.parameter_groups)}",
   ]
 }
 

aws/cloudtrail/Makefile

@@ -1,11 +1,8 @@
 init:
 	init-terraform
 
-plan:
-	terraform $@
-
-apply:
-	terraform $@
-
 clean:
 	rm -rf .terraform
+
+%:
+	terraform $@

aws/root-dns/main.tf

@@ -10,17 +10,14 @@ variable "aws_assume_role_arn" {
 
 variable "namespace" {}
 
+variable "accounts_enabled" {
+  type        = "list"
+  description = "Accounts to enable"
+  default     = ["dev", "staging", "prod", "testing", "audit"]
+}
+
 provider "aws" {
   assume_role {
     role_arn = "${var.aws_assume_role_arn}"
   }
 }
-
-data "terraform_remote_state" "root" {
-  backend = "s3"
-
-  config {
-    bucket = "${var.namespace}-root-terraform-state"
-    key    = "accounts/terraform.tfstate"
-  }
-}

aws/root-dns/ns/main.tf

@@ -1,5 +1,10 @@
+locals {
+  enabled = "${contains(var.accounts_enabled, var.stage) == true}"
+}
+
 module "label" {
-  source     = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.3.3"
+  source     = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.5.4"
+  enabled    = "${local.enabled ? "true" : "false"}"
   namespace  = "${var.namespace}"
   stage      = "${var.stage}"
   name       = "${var.name}"
@@ -8,24 +13,36 @@ module "label" {
   tags       = "${var.tags}"
 }
 
+# Fetch the OrganizationAccountAccessRole ARNs from SSM
+module "organization_account_access_role_arn" {
+  enabled        = "${local.enabled ? "true" : "false"}"
+  source         = "git::https://github.com/cloudposse/terraform-aws-ssm-parameter-store?ref=tags/0.1.5"
+  parameter_read = ["/${var.namespace}/${var.stage}/organization_account_access_role"]
+}
+
+locals {
+  role_arn_values = "${module.organization_account_access_role_arn.values}"
+}
+
 data "terraform_remote_state" "stage" {
+  count   = "${local.enabled ? 1 : 0}"
   backend = "s3"
 
   # This assumes stage is using a `terraform-aws-tfstate-backend`
   #   https://github.com/cloudposse/terraform-aws-tfstate-backend
   config {
-    role_arn = "${var.role_arn}"
+    role_arn = "${local.role_arn_values[0]}"
     bucket   = "${module.label.id}"
     key      = "${var.key}"
   }
 }
 
 locals {
-  name_servers = "${data.terraform_remote_state.stage.name_servers}"
+  name_servers = "${flatten(data.terraform_remote_state.stage.*.name_servers)}"
 }
 
 resource "aws_route53_record" "dns_zone_ns" {
-  count   = "${signum(length(local.name_servers))}"
+  count   = "${local.enabled ? 1 : 0}"
   zone_id = "${var.zone_id}"
   name    = "${var.stage}"
   type    = "NS"

aws/root-dns/ns/variables.tf

@@ -1,3 +1,9 @@
+variable "accounts_enabled" {
+  type        = "list"
+  description = "Accounts to enable"
+  default     = ["dev", "staging", "prod", "testing", "audit"]
+}
+
 variable "namespace" {
   type        = "string"
   description = "Namespace (e.g. `eg` or `example`)"
@@ -32,10 +38,6 @@ variable "tags" {
   description = "Additional tags (e.g. map(`BusinessUnit`,`XYZ`)"
 }
 
-variable "role_arn" {
-  description = "The role to be assumed in the subaccount"
-}
-
 variable "zone_id" {
   description = "DNS zone to update"
 }

aws/root-dns/parent-audit-ns.tf

@@ -1,9 +1,9 @@
 module "audit" {
-  source    = "ns"
-  role_arn  = "${data.terraform_remote_state.root.audit_organization_account_access_role}"
-  namespace = "${var.namespace}"
-  stage     = "audit"
-  zone_id   = "${aws_route53_zone.parent_dns_zone.zone_id}"
+  source           = "ns"
+  accounts_enabled = "${var.accounts_enabled}"
+  namespace        = "${var.namespace}"
+  stage            = "audit"
+  zone_id          = "${aws_route53_zone.parent_dns_zone.zone_id}"
 }
 
 output "audit_name_servers" {