Add support for permissions boundaries (#26)

* Add support for permissions boundaries

* Add support for permissions boundaries

Author: npalm

examples/default/vpc.tf

@@ -1,7 +1,8 @@
 module "vpc" {
   source = "git::https://github.com/philips-software/terraform-aws-vpc.git?ref=2.1.0"
 
-  environment = local.environment
-  aws_region  = local.aws_region
+  environment                = local.environment
+  aws_region                 = local.aws_region
+  create_private_hosted_zone = false
 }
 

examples/permissions-boundary/README.md

@@ -0,0 +1,22 @@
+# Runners deployed with permissions boundary 
+
+This modules shows how to create GitHub action runners with permissions boundaries and paths used in role, policies, and instance profiles.
+
+## Usages
+
+Steps for the full setup, such as creating a GitHub app can be find the module [README](../../README.md). First create the deploy role and boundary policies. This steps required an admin user.
+
+```bash
+cd setup
+terraform init
+terraform apply
+cd ..
+```
+
+After the apply a new role and policies are created, the state of the first step is imported in this workspace to load the role and policy. The deployment of the runner module is first assuming the new role before creating all resources. Before running Terraform, ensure the GitHub app is configured. 
+
+```
+terraform init
+terraform apply
+```
+

examples/permissions-boundary/lambdas-download/main.tf

@@ -0,0 +1,21 @@
+module "lambdas" {
+  source = "../../../modules/download-lambda"
+  lambdas = [
+    {
+      name = "webhook"
+      tag  = "v0.0.0-beta"
+    },
+    {
+      name = "runners"
+      tag  = "v0.0.0-beta"
+    },
+    {
+      name = "runner-binaries-syncer"
+      tag  = "v0.0.0-beta"
+    }
+  ]
+}
+
+output "files" {
+  value = module.lambdas.files
+}

examples/permissions-boundary/main.tf

@@ -0,0 +1,52 @@
+locals {
+  environment = "boundaries"
+  aws_region  = "eu-west-1"
+}
+
+resource "random_password" "random" {
+  length = 32
+}
+
+data "terraform_remote_state" "iam" {
+  backend = "local"
+
+  config = {
+    path = "${path.module}/setup/terraform.tfstate"
+  }
+}
+
+module "runners" {
+  source = "../../"
+  providers = {
+    aws = aws.terraform_role
+  }
+
+  aws_region = local.aws_region
+  vpc_id     = module.vpc.vpc_id
+  subnet_ids = module.vpc.private_subnets
+
+  environment = local.environment
+  tags = {
+    Project = "ProjectX"
+  }
+
+  github_app = {
+    key_base64     = var.github_app_key_base64
+    id             = var.github_app_id
+    client_id      = var.github_app_client_id
+    client_secret  = var.github_app_client_secret
+    webhook_secret = random_password.random.result
+  }
+
+  webhook_lambda_zip                = "lambdas-download/webhook.zip"
+  runner_binaries_syncer_lambda_zip = "lambdas-download/runner-binaries-syncer.zip"
+  runners_lambda_zip                = "lambdas-download/runners.zip"
+  enable_organization_runners       = false
+  runner_extra_labels               = "default,example"
+
+  instance_profile_path     = "/runners/"
+  role_path                 = "/runners/"
+  role_permissions_boundary = data.terraform_remote_state.iam.outputs.boundary
+}
+
+

examples/permissions-boundary/outputs.tf

@@ -0,0 +1,12 @@
+output "runners" {
+  value = {
+    lambda_syncer_name = module.runners.binaries_syncer.lambda.function_name
+  }
+}
+
+output "webhook" {
+  value = {
+    secret   = random_password.random.result
+    endpoint = module.runners.webhook.endpoint
+  }
+}

examples/permissions-boundary/providers.tf

@@ -0,0 +1,9 @@
+provider "aws" {
+  alias   = "terraform_role"
+  region  = local.aws_region
+  version = "2.61"
+  assume_role {
+    role_arn = data.terraform_remote_state.iam.outputs.role
+  }
+}
+

examples/permissions-boundary/setup/main.tf

@@ -0,0 +1,15 @@
+data "aws_caller_identity" "current" {}
+
+module "iam" {
+  source = "../../../modules/setup-iam-permissions"
+
+  environment = "boundaries"
+  account_id  = data.aws_caller_identity.current.account_id
+
+  namespaces = {
+    boundary_namespace         = "bounaries"
+    role_namespace             = "runners"
+    policy_namespace           = "runners"
+    instance_profile_namespace = "runners"
+  }
+}

examples/permissions-boundary/setup/outpus.tf

@@ -0,0 +1,7 @@
+output "role" {
+  value = module.iam.role
+}
+
+output "boundary" {
+  value = module.iam.boundary
+}

examples/permissions-boundary/setup/providers.tf

@@ -0,0 +1,4 @@
+provider "aws" {
+  region  = "eu-west-1"
+  version = "2.61"
+}

examples/permissions-boundary/variables.tf

@@ -0,0 +1,9 @@
+
+variable "github_app_key_base64" {}
+
+variable "github_app_id" {}
+
+variable "github_app_client_id" {}
+
+variable "github_app_client_secret" {}
+