Bootstrapping (#64)

* Add script to facilitate bootstrapping temporary roles

* Add makefiles

* Update docs

* optional root admin names

* Update aws/root-iam/README.md

Co-Authored-By: osterman <[email protected]>

Author: osterman

aws/account-settings/Makefile

@@ -0,0 +1,11 @@
+init:
+	init-terraform
+
+plan:
+	terraform $@
+
+apply:
+	terraform $@
+
+clean:
+	rm -rf .terraform

aws/accounts/Makefile

@@ -0,0 +1,11 @@
+init:
+	init-terraform
+
+plan:
+	terraform $@
+
+apply:
+	terraform $@
+
+clean:
+	rm -rf .terraform

aws/bootstrap/Makefile

@@ -0,0 +1,22 @@
+AWS_DEFAULT_REGION := us-east-1
+IAM_ROLE ?= bootstrap
+IAM_POLICY_ARN ?= arn:aws:iam::aws:policy/AdministratorAccess 
+
+export AWS_ROOT_ACCOUNT_ID=$(shell aws sts get-caller-identity --output text --query 'Account')
+
+export ASSUME_ROLE_POLICY=$(shell envsubst < assume-role.json > /tmp/assume-role.json; echo file:///tmp/assume-role.json)
+
+## Provision a temporary IAM role for bootstrapping
+create/iam-role:
+	@aws iam create-role --role-name "$(IAM_ROLE)" --assume-role-policy-document "$(ASSUME_ROLE_POLICY)" >/dev/null
+	@aws iam attach-role-policy --role-name "$(IAM_ROLE)" --policy-arn $(IAM_POLICY_ARN) >/dev/null
+	@echo "The '$(IAM_ROLE) role has been created. Use '$(IAM_ROLE)' anywhere an assumed role is required."
+
+## Destroy the temporary IAM role for bootstrapping
+delete/iam-role:
+	@aws iam detach-role-policy --role-name "$(IAM_ROLE)" --policy-arn $(IAM_POLICY_ARN) >/dev/null
+	@aws iam delete-role --role-name "$(IAM_ROLE)" > /dev/null
+	@echo "The '$(IAM_ROLE)' role has been deleted"
+
+list/iam-role:
+	@aws iam list-roles | jq -r '.Roles | .[] | .RoleName + " " + .Arn' | xargs -n 2 printf '%-40s %s\n'

aws/bootstrap/assume-role.json

@@ -0,0 +1,10 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": { "AWS": "arn:aws:iam::$AWS_ACCOUNT_ID:root" },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}

aws/chamber/Makefile

@@ -0,0 +1,11 @@
+init:
+	init-terraform
+
+plan:
+	terraform $@
+
+apply:
+	terraform $@
+
+clean:
+	rm -rf .terraform

aws/cloudtrail/Makefile

@@ -0,0 +1,11 @@
+init:
+	init-terraform
+
+plan:
+	terraform $@
+
+apply:
+	terraform $@
+
+clean:
+	rm -rf .terraform

aws/iam/Makefile

@@ -0,0 +1,11 @@
+init:
+	init-terraform
+
+plan:
+	terraform $@
+
+apply:
+	terraform $@
+
+clean:
+	rm -rf .terraform

aws/root-dns/Makefile

@@ -0,0 +1,11 @@
+init:
+	init-terraform
+
+plan:
+	terraform $@
+
+apply:
+	terraform $@
+
+clean:
+	rm -rf .terraform

aws/root-iam/Makefile

@@ -0,0 +1,11 @@
+init:
+	init-terraform
+
+plan:
+	terraform $@
+
+apply:
+	terraform $@
+
+clean:
+	rm -rf .terraform

aws/root-iam/README.md

@@ -0,0 +1,5 @@
+# root-iam
+
+This module is responsible for setting up the access groups in the root account. 
+
+If provisioning this during a cold-start process, make sure you have `TF_VAR_aws_assume_role_arn` set to nil.