diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml new file mode 100644 index 0000000..9233a3a --- /dev/null +++ b/.github/dependabot.yaml @@ -0,0 +1,68 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" + commit-message: + prefix: "(GHA)" + reviewers: + - "UKHomeOffice/core-cloud-devops" + labels: + - "dependencies" + - "patch" + - package-ecosystem: "terraform" + directory: "/modules/aws/group_account_assignments" + schedule: + interval: "daily" + commit-message: + prefix: "(TF)" + reviewers: + - "UKHomeOffice/core-cloud-devops" + labels: + - "dependencies" + - "patch" + - package-ecosystem: "terraform" + directory: "/modules/aws/group_user_memberships" + schedule: + interval: "daily" + commit-message: + prefix: "(TF)" + reviewers: + - "UKHomeOffice/core-cloud-devops" + labels: + - "dependencies" + - "patch" + - package-ecosystem: "terraform" + directory: "/modules/aws/groups" + schedule: + interval: "daily" + commit-message: + prefix: "(TF)" + reviewers: + - "UKHomeOffice/core-cloud-devops" + labels: + - "dependencies" + - "patch" + - package-ecosystem: "terraform" + directory: "/modules/aws/ssoadmin_instance" + schedule: + interval: "daily" + commit-message: + prefix: "(TF)" + reviewers: + - "UKHomeOffice/core-cloud-devops" + labels: + - "dependencies" + - "patch" + - package-ecosystem: "terraform" + directory: "/modules/aws/users" + schedule: + interval: "daily" + commit-message: + prefix: "(TF)" + reviewers: + - "UKHomeOffice/core-cloud-devops" + labels: + - "dependencies" + - "patch" diff --git a/.github/workflows/pull-request-sast.yaml b/.github/workflows/pull-request-sast.yaml new file mode 100644 index 0000000..6f5731f --- /dev/null +++ b/.github/workflows/pull-request-sast.yaml 
@@ -0,0 +1,26 @@ +name: Validate Terraform with Trivy + +on: + push: + branches: + - main + pull_request: + +permissions: + contents: read + +jobs: + RunTerraformValidation: + name: Run Terraform Validation + runs-on: ubuntu-latest + + steps: + - name: Clone the Repository + uses: actions/checkout@v4 + + # Results have to be a table as the organisation does not have Advanced Security license. + - name: Run Trivy against Terraform + uses: aquasecurity/trivy-action@0.17.0 + with: + scan-type: 'config' + exit-code: '1' diff --git a/README.md b/README.md index ed3646c..281e00a 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,15 @@ # Core Cloud Terraform Modules This repository contains the core Terraform modules for the Core Cloud Platform. + +## Modules + +The following modules are available: + +- [AWS](./modules/aws/README.md) + +## Example Usage + +Example usage can be found in the README of each module. + +Additionally, the [core-cloud-lza-iam-terraform 🔒](https://github.com/UKHomeOffice/core-cloud-lza-iam-terraform) module contains an example of how to use the modules. diff --git a/modules/aws/README.md b/modules/aws/README.md new file mode 100644 index 0000000..cabb776 --- /dev/null +++ b/modules/aws/README.md @@ -0,0 +1,13 @@ +# Core Cloud AWS Terraform Modules + +This repository contains the core Terraform modules for AWS. + +## Modules + +The following modules are available: + +- [Group Account Assignments](./group_account_assignments/README.md) +- [Group User Memberships](./group_user_memberships/README.md) +- [Groups](./groups/README.md) +- [Identity Center Instance](./ssoadmin_instance/README.md) +- [Users](./users/README.md) diff --git a/modules/aws/group_account_assignments/.terraform.lock.hcl b/modules/aws/group_account_assignments/.terraform.lock.hcl new file mode 100644 index 0000000..28ba3ec --- /dev/null +++ b/modules/aws/group_account_assignments/.terraform.lock.hcl 
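Review bot: Both actions in the steps block are referenced by a mutable tag (`actions/checkout@v4`, `aquasecurity/trivy-action@0.17.0`), so the job runs whatever commit those tags point to at run time; for a workflow whose purpose is SAST, pinning to the full commit SHA with the version kept as a trailing comment is the control it should itself meet, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha> # 0.17.0`. The dependabot.yaml added in this commit already covers `github-actions`, so SHA pins would still be bumped automatically. The `# Results have to be a table` comment states a constraint the step does not express — no `format:` input is set and the table output is presumably the action's default; adding `format: 'table'` next to `scan-type` would make the configuration say what the comment says.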
@@ -0,0 +1,25 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.37.0" + constraints = "~> 5.37.0" + hashes = [ + "h1:CQeYyWigNz838zjXKYH9VDkpjqlGB0phcM742YXiNh4=", + "zh:00f40a3d9593476693a7a72d993fd289f7be374fe3f2799776c6296eb6ff890a", + "zh:1010a9fbf55852a8da3473de4ec0f1fcf29efa85d66f61cbe2b086dbbd7747ae", + "zh:103a5674d1eb1cff05fe35e9baa9875afd18d740868b63f9c0c25eadb5eb4eb7", + "zh:270ac1b7a1327c1456a43df44c0b5cc3e26ed6d8861a709adeea1da684a563f5", + "zh:424362c02c8917c0586f3dd49aca27b7e0c21f5a23374b7045e9be3b5646c028", + "zh:549fa2ea187964ab9a0c354310947ead30e09b3199db1ff377c21d7547d78299", + "zh:6492d2ccc7f7d60e83cd8b7244adc53f30efc17d84b1ffc1b8fd6c385f8255fd", + "zh:66fb7b3b8a357071d26c5996c16d426edf07502a05ac86f4a6f73646ee7d1bbb", + "zh:6ecc05fb466d06ea8945564d2cdb8c2a8827d8cfca1550e9fb7eac0e95920196", + "zh:7932360b627b211dad937d278a8692a6c52bd6c0a71e4ec9e94ccbe825053822", + "zh:97ed1b4a18842c4d56a735329e87b4ef91a47e820e5a5c3c2dd64e293408bfc8", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:d5e022052011e1984b9c2f8bc5a6b05c909e3b5bf40c3baddf191bf90e3169c2", + "zh:d7e9488b2ce5904efb91c8577b3fe9b0cd599c4cd508f1f163f292930f54fdf0", + "zh:e57cd93d5cd81dd0f446076af6e47a53ce83df2947ec64ed39a1090d4bdf8f0b", + ] +} diff --git a/modules/aws/group_account_assignments/README.md b/modules/aws/group_account_assignments/README.md new file mode 100644 index 0000000..00015ac --- /dev/null +++ b/modules/aws/group_account_assignments/README.md 
@@ -0,0 +1,22 @@
+# Core Cloud AWS Group Account Assignation Module
+
+This module is responsible for creating and managing group account assignments through Identity Center in AWS.
+
+## Usage
+
+```hcl
+module "group_account_assignments" {
+ source = "git::ssh://git@github.com/UKHomeOffice/core-cloud-terraform-modules.git//modules/aws/group_account_assignments"
+
+ group_name = each.key
+ identity_store = module.aws_ssoadmin_instance.instance
+ accounts = each.value.accounts
+}
+```
+
+## Validation
+
+This module expects the variables to conform to the following:
+- `group_name` - Must be a string between 1 and 64 characters.
+- `accounts` - Key/Value pairing of the account ID and the permission set.
+- `identity_store` - Must be a valid Identity Store object that contains both the `id` and `arn` attributes.
diff --git a/modules/aws/group_account_assignments/main.tf b/modules/aws/group_account_assignments/main.tf
new file mode 100644
index 0000000..5de2fe1
--- /dev/null
+++ b/modules/aws/group_account_assignments/main.tf
@@ -0,0 +1,39 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.37.0"
+ }
+ }
+}
+
+data "aws_ssoadmin_permission_set" "identity_center_permission_set" {
+ for_each = var.accounts
+
+ name = each.value
+ instance_arn = var.identity_store.arn
+}
+
+data "aws_identitystore_group" "identity_store_groups" {
+ identity_store_id = var.identity_store.id
+
+ alternate_identifier {
+ unique_attribute {
+ attribute_path = "DisplayName"
+ attribute_value = var.group_name
+ }
+ }
+}
+
+resource "aws_ssoadmin_account_assignment" "user_account_assignments" {
+ for_each = var.accounts
+
+ instance_arn = var.identity_store.arn
+ permission_set_arn = data.aws_ssoadmin_permission_set.identity_center_permission_set[each.key].arn
+
+ principal_id = data.aws_identitystore_group.identity_store_groups.id
+ principal_type = "GROUP"
+
+ target_id = each.key
+ target_type = "AWS_ACCOUNT"
+}
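Review bot: The resource at the end of the main.tf hunk is named `user_account_assignments` but it assigns a group principal (`principal_type = "GROUP"`), which misleads anyone reading a plan or state listing; since this is a new module with no existing state to migrate, `resource "aws_ssoadmin_account_assignment" "group_account_assignments" {` is the accurate name. Separately, `target_id = each.key` relies on every key of `var.accounts` being a 12-digit account ID, and a typo in a key only surfaces as an API error at apply time rather than at plan; a `validation` block on `var.accounts` in variables.tf would fail earlier with a clear message.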
diff --git a/modules/aws/group_account_assignments/variables.tf b/modules/aws/group_account_assignments/variables.tf
new file mode 100644
index 0000000..1cb55cd
--- /dev/null
+++ b/modules/aws/group_account_assignments/variables.tf
@@ -0,0 +1,22 @@
+variable "identity_store" {
+ description = "The AWS SSO instance to create the group in."
+ type = object({
+ id = string
+ arn = string
+ })
+}
+
+variable "accounts" {
+ description = "The AWS accounts to assign the group to."
+ type = map(string)
+}
+
+variable "group_name" {
+ description = "The ID of the group to assign the user to."
+ type = string
+
+ validation {
+ condition = length(var.group_name) >= 1 && length(var.group_name) <= 64
+ error_message = "The group name must be less than 64 characters."
+ }
+}
diff --git a/modules/aws/group_user_memberships/.terraform.lock.hcl b/modules/aws/group_user_memberships/.terraform.lock.hcl
new file mode 100644
index 0000000..28ba3ec
--- /dev/null
+++ b/modules/aws/group_user_memberships/.terraform.lock.hcl
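Review bot: The descriptions of `identity_store` and `group_name` do not match what this module does: no group is created here (`identity_store` is used to look the group up and to assign it), and `group_name` is matched against the group's `DisplayName` in main.tf, not an ID. The `accounts` description also omits the contract the README states (key = account ID, value = permission set name) and the variable carries no validation, so a malformed key only fails at apply time; the `group_name` error message says `less than 64 characters` while the condition accepts exactly 64 and rejects the empty string. A replacement for the `accounts` variable that documents and checks the key format:
```hcl
# … unchanged: identity_store variable …

variable "accounts" {
  description = "Map of 12-digit AWS account ID to the name of the permission set to assign the group in that account."
  type        = map(string)

  validation {
    condition     = alltrue([for id in keys(var.accounts) : can(regex("^[0-9]{12}$", id))])
    error_message = "Every key of accounts must be a 12-digit AWS account ID."
  }
}

# … unchanged: group_name variable …
```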
@@ -0,0 +1,25 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.37.0" + constraints = "~> 5.37.0" + hashes = [ + "h1:CQeYyWigNz838zjXKYH9VDkpjqlGB0phcM742YXiNh4=", + "zh:00f40a3d9593476693a7a72d993fd289f7be374fe3f2799776c6296eb6ff890a", + "zh:1010a9fbf55852a8da3473de4ec0f1fcf29efa85d66f61cbe2b086dbbd7747ae", + "zh:103a5674d1eb1cff05fe35e9baa9875afd18d740868b63f9c0c25eadb5eb4eb7", + "zh:270ac1b7a1327c1456a43df44c0b5cc3e26ed6d8861a709adeea1da684a563f5", + "zh:424362c02c8917c0586f3dd49aca27b7e0c21f5a23374b7045e9be3b5646c028", + "zh:549fa2ea187964ab9a0c354310947ead30e09b3199db1ff377c21d7547d78299", + "zh:6492d2ccc7f7d60e83cd8b7244adc53f30efc17d84b1ffc1b8fd6c385f8255fd", + "zh:66fb7b3b8a357071d26c5996c16d426edf07502a05ac86f4a6f73646ee7d1bbb", + "zh:6ecc05fb466d06ea8945564d2cdb8c2a8827d8cfca1550e9fb7eac0e95920196", + "zh:7932360b627b211dad937d278a8692a6c52bd6c0a71e4ec9e94ccbe825053822", + "zh:97ed1b4a18842c4d56a735329e87b4ef91a47e820e5a5c3c2dd64e293408bfc8", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:d5e022052011e1984b9c2f8bc5a6b05c909e3b5bf40c3baddf191bf90e3169c2", + "zh:d7e9488b2ce5904efb91c8577b3fe9b0cd599c4cd508f1f163f292930f54fdf0", + "zh:e57cd93d5cd81dd0f446076af6e47a53ce83df2947ec64ed39a1090d4bdf8f0b", + ] +} diff --git a/modules/aws/group_user_memberships/README.md b/modules/aws/group_user_memberships/README.md new file mode 100644 index 0000000..c584f18 --- /dev/null +++ b/modules/aws/group_user_memberships/README.md 
@@ -0,0 +1,22 @@
+# Core Cloud AWS Group User Membership Module
+
+This module is responsible for creating and managing group user memberships through Identity Center in AWS.
+
+## Usage
+
+```hcl
+module "groups_user_membership" {
+ source = "git::ssh://git@github.com/UKHomeOffice/core-cloud-terraform-modules.git//modules/aws/group-user-memberships"
+
+ group_name =
+ identity_store_id =
+ users = ARRAY()
+}
+```
+
+## Validation
+
+This module expects the variables to conform to the following:
+- `group_name` - Must be a string between 1 and 64 characters.
+- `users` - List containing the usernames to be added to the group.
+- `identity_store_id` - Must be a valid Identity Store ID.
diff --git a/modules/aws/group_user_memberships/main.tf b/modules/aws/group_user_memberships/main.tf
new file mode 100644
index 0000000..675bd77
--- /dev/null
+++ b/modules/aws/group_user_memberships/main.tf
@@ -0,0 +1,40 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.37.0"
+ }
+ }
+}
+
+data "aws_identitystore_group" "identity_store_groups" {
+ identity_store_id = var.identity_store_id
+
+ alternate_identifier {
+ unique_attribute {
+ attribute_path = "DisplayName"
+ attribute_value = var.group_name
+ }
+ }
+}
+
+data "aws_identitystore_user" "identity_store_users" {
+ for_each = toset(var.users)
+
+ identity_store_id = var.identity_store_id
+
+ alternate_identifier {
+ unique_attribute {
+ attribute_path = "UserName"
+ attribute_value = each.key
+ }
+ }
+}
+
+resource "aws_identitystore_group_membership" "group_membership" {
+ for_each = toset(var.users)
+
+ identity_store_id = var.identity_store_id
+ group_id = data.aws_identitystore_group.identity_store_groups.id
+ member_id = data.aws_identitystore_user.identity_store_users[each.key].id
+}
diff --git a/modules/aws/group_user_memberships/variables.tf b/modules/aws/group_user_memberships/variables.tf
new file mode 100644
index 0000000..d1df783
--- /dev/null
+++ b/modules/aws/group_user_memberships/variables.tf
@@ -0,0 +1,24 @@
+variable "identity_store_id" {
+ description = "The AWS SSO instance to create the group in."
+ type = string
+
+ validation {
+ condition = can(regex("d-[a-z0-9]{10}", var.identity_store_id))
+ error_message = "The identity store id must be in the format `d-` followed by 10 alphanumeric characters."
+ }
+}
+
+variable "users" {
+ description = "The AWS accounts to assign the group to."
+ type = list(string)
+}
+
+variable "group_name" {
+ description = "The ID of the group to assign the user to."
+ type = string
+
+ validation {
+ condition = length(var.group_name) >= 1 && length(var.group_name) <= 64
+ error_message = "The group name must be less than 64 characters."
+ }
+}
diff --git a/modules/aws/groups/.terraform.lock.hcl b/modules/aws/groups/.terraform.lock.hcl
new file mode 100644
index 0000000..28ba3ec
--- /dev/null
+++ b/modules/aws/groups/.terraform.lock.hcl
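Review bot: The `identity_store_id` regex `d-[a-z0-9]{10}` is unanchored, so `regex` matches any string that merely contains such a substring (a constructed example: `xd-0123456789zz`) and the validation does not enforce the format its error message describes; anchor it: `condition = can(regex("^d-[a-z0-9]{10}$", var.identity_store_id))`. The same unanchored pattern is repeated in groups/variables.tf and users/variables.tf in this commit. Also, `users` is described as `The AWS accounts to assign the group to.` although main.tf resolves each entry as an Identity Store `UserName`, and `group_name` is described as an ID although it is looked up by `DisplayName`; suggested wording `description = "User names (Identity Store UserName) to add to the group."` and `description = "Display name of the Identity Store group to add the users to."`.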
@@ -0,0 +1,25 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.37.0" + constraints = "~> 5.37.0" + hashes = [ + "h1:CQeYyWigNz838zjXKYH9VDkpjqlGB0phcM742YXiNh4=", + "zh:00f40a3d9593476693a7a72d993fd289f7be374fe3f2799776c6296eb6ff890a", + "zh:1010a9fbf55852a8da3473de4ec0f1fcf29efa85d66f61cbe2b086dbbd7747ae", + "zh:103a5674d1eb1cff05fe35e9baa9875afd18d740868b63f9c0c25eadb5eb4eb7", + "zh:270ac1b7a1327c1456a43df44c0b5cc3e26ed6d8861a709adeea1da684a563f5", + "zh:424362c02c8917c0586f3dd49aca27b7e0c21f5a23374b7045e9be3b5646c028", + "zh:549fa2ea187964ab9a0c354310947ead30e09b3199db1ff377c21d7547d78299", + "zh:6492d2ccc7f7d60e83cd8b7244adc53f30efc17d84b1ffc1b8fd6c385f8255fd", + "zh:66fb7b3b8a357071d26c5996c16d426edf07502a05ac86f4a6f73646ee7d1bbb", + "zh:6ecc05fb466d06ea8945564d2cdb8c2a8827d8cfca1550e9fb7eac0e95920196", + "zh:7932360b627b211dad937d278a8692a6c52bd6c0a71e4ec9e94ccbe825053822", + "zh:97ed1b4a18842c4d56a735329e87b4ef91a47e820e5a5c3c2dd64e293408bfc8", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:d5e022052011e1984b9c2f8bc5a6b05c909e3b5bf40c3baddf191bf90e3169c2", + "zh:d7e9488b2ce5904efb91c8577b3fe9b0cd599c4cd508f1f163f292930f54fdf0", + "zh:e57cd93d5cd81dd0f446076af6e47a53ce83df2947ec64ed39a1090d4bdf8f0b", + ] +} diff --git a/modules/aws/groups/README.md b/modules/aws/groups/README.md new file mode 100644 index 0000000..28359c3 --- /dev/null +++ b/modules/aws/groups/README.md 
@@ -0,0 +1,22 @@
+# Core Cloud AWS Groups Module
+
+This module is responsible for creating and managing groups through Identity Center in AWS.
+
+## Usage
+
+```hcl
+module "groups" {
+ source = "git::ssh://git@github.com/UKHomeOffice/core-cloud-terraform-modules.git//modules/aws/groups"
+
+ group_name =
+ group_description =
+ identity_store_id =
+}
+```
+
+## Validation
+
+This module expects the variables to conform to the following:
+- `group_name` - Must be a string between 1 and 64 characters.
+- `group_description` - Must be a string between 1 and 256 characters.
+- `identity_store_id` - Must be a valid Identity Store ID.
diff --git a/modules/aws/groups/main.tf b/modules/aws/groups/main.tf
new file mode 100644
index 0000000..8b21882
--- /dev/null
+++ b/modules/aws/groups/main.tf
@@ -0,0 +1,14 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.37.0"
+ }
+ }
+}
+
+resource "aws_identitystore_group" "identity_store_groups" {
+ display_name = var.group_name
+ description = var.group_description
+ identity_store_id = var.identity_store_id
+}
diff --git a/modules/aws/groups/variables.tf b/modules/aws/groups/variables.tf
new file mode 100644
index 0000000..80507f7
--- /dev/null
+++ b/modules/aws/groups/variables.tf
@@ -0,0 +1,29 @@
+variable "group_name" {
+ type = string
+ description = "The name of the group to create."
+
+ validation {
+ condition = length(var.group_name) >= 1 && length(var.group_name) <= 64
+ error_message = "The group name must be less than 64 characters."
+ }
+}
+
+variable "group_description" {
+ type = string
+ description = "The description of the group to create."
+
+ validation {
+ condition = length(var.group_description) >= 1 && length(var.group_description) <= 256
+ error_message = "The description must be less than 256 characters."
+ }
+}
+
+variable "identity_store_id" {
+ description = "The AWS SSO instance to create the group in."
+ type = string
+
+ validation {
+ condition = can(regex("d-[a-z0-9]{10}", var.identity_store_id))
+ error_message = "The identity store id must be in the format `d-` followed by 10 alphanumeric characters."
+ }
+}
diff --git a/modules/aws/ssoadmin_instance/.terraform.lock.hcl b/modules/aws/ssoadmin_instance/.terraform.lock.hcl
new file mode 100644
index 0000000..28ba3ec
--- /dev/null
+++ b/modules/aws/ssoadmin_instance/.terraform.lock.hcl
@@ -0,0 +1,25 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.37.0" + constraints = "~> 5.37.0" + hashes = [ + "h1:CQeYyWigNz838zjXKYH9VDkpjqlGB0phcM742YXiNh4=", + "zh:00f40a3d9593476693a7a72d993fd289f7be374fe3f2799776c6296eb6ff890a", + "zh:1010a9fbf55852a8da3473de4ec0f1fcf29efa85d66f61cbe2b086dbbd7747ae", + "zh:103a5674d1eb1cff05fe35e9baa9875afd18d740868b63f9c0c25eadb5eb4eb7", + "zh:270ac1b7a1327c1456a43df44c0b5cc3e26ed6d8861a709adeea1da684a563f5", + "zh:424362c02c8917c0586f3dd49aca27b7e0c21f5a23374b7045e9be3b5646c028", + "zh:549fa2ea187964ab9a0c354310947ead30e09b3199db1ff377c21d7547d78299", + "zh:6492d2ccc7f7d60e83cd8b7244adc53f30efc17d84b1ffc1b8fd6c385f8255fd", + "zh:66fb7b3b8a357071d26c5996c16d426edf07502a05ac86f4a6f73646ee7d1bbb", + "zh:6ecc05fb466d06ea8945564d2cdb8c2a8827d8cfca1550e9fb7eac0e95920196", + "zh:7932360b627b211dad937d278a8692a6c52bd6c0a71e4ec9e94ccbe825053822", + "zh:97ed1b4a18842c4d56a735329e87b4ef91a47e820e5a5c3c2dd64e293408bfc8", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:d5e022052011e1984b9c2f8bc5a6b05c909e3b5bf40c3baddf191bf90e3169c2", + "zh:d7e9488b2ce5904efb91c8577b3fe9b0cd599c4cd508f1f163f292930f54fdf0", + "zh:e57cd93d5cd81dd0f446076af6e47a53ce83df2947ec64ed39a1090d4bdf8f0b", + ] +} diff --git a/modules/aws/ssoadmin_instance/README.md b/modules/aws/ssoadmin_instance/README.md new file mode 100644 index 0000000..086eabd --- /dev/null +++ b/modules/aws/ssoadmin_instance/README.md 
@@ -0,0 +1,17 @@
+# Core Cloud AWS Identity Center Instance Module
+
+This module is responsible for retrieving the first Identity Store ID and ARN within an account.
+
+## Usage
+
+```hcl
+module "users" {
+ source = "git::ssh://git@github.com/UKHomeOffice/core-cloud-terraform-modules.git//modules/aws/ssoadmin_instance"
+}
+```
+
+## Outputs
+
+This module returns a singular `instance` output that contains the following attributes:
+- `id` - The ID of the instance.
+- `arn` - The ARN of the instance.
diff --git a/modules/aws/ssoadmin_instance/main.tf b/modules/aws/ssoadmin_instance/main.tf
new file mode 100644
index 0000000..1e0a52f
--- /dev/null
+++ b/modules/aws/ssoadmin_instance/main.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.37.0"
+ }
+ }
+}
+
+data "aws_ssoadmin_instances" "instance" {}
diff --git a/modules/aws/ssoadmin_instance/outputs.tf b/modules/aws/ssoadmin_instance/outputs.tf
new file mode 100644
index 0000000..4554dc3
--- /dev/null
+++ b/modules/aws/ssoadmin_instance/outputs.tf
@@ -0,0 +1,7 @@
+output "instance" {
+ description = "The AWS SSO instance to create the group in."
+ value = {
+ id = tolist(data.aws_ssoadmin_instances.instance.identity_store_ids)[0]
+ arn = tolist(data.aws_ssoadmin_instances.instance.arns)[0]
+ }
+}
diff --git a/modules/aws/users/.terraform.lock.hcl b/modules/aws/users/.terraform.lock.hcl
new file mode 100644
index 0000000..28ba3ec
--- /dev/null
+++ b/modules/aws/users/.terraform.lock.hcl
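Review bot: In the outputs.tf hunk, `tolist(...)[0]` on both attributes fails with a generic index error when the account has no Identity Center instance, and `identity_store_ids` and `arns` are two separate sets, so taking element `[0]` of each silently assumes they describe the same instance — safe only when exactly one instance is present, which nothing in the module checks (the README's "the first" is an inference, since set order is not meaningful). An output `precondition` (Terraform 1.2 or later; the module declares no `required_version`) makes that assumption explicit and fails at plan with a readable message. The description `The AWS SSO instance to create the group in.` is copied from the other modules' variables and should describe this output instead.
```hcl
output "instance" {
  description = "The Identity Center instance (identity store id and instance ARN) found in this account."

  precondition {
    condition     = length(data.aws_ssoadmin_instances.instance.arns) == 1 && length(data.aws_ssoadmin_instances.instance.identity_store_ids) == 1
    error_message = "Expected exactly one Identity Center instance in this account; the id and arn of the output are only meaningful together when one instance exists."
  }

  # … unchanged: value block …
}
```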
@@ -0,0 +1,25 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.37.0" + constraints = "~> 5.37.0" + hashes = [ + "h1:CQeYyWigNz838zjXKYH9VDkpjqlGB0phcM742YXiNh4=", + "zh:00f40a3d9593476693a7a72d993fd289f7be374fe3f2799776c6296eb6ff890a", + "zh:1010a9fbf55852a8da3473de4ec0f1fcf29efa85d66f61cbe2b086dbbd7747ae", + "zh:103a5674d1eb1cff05fe35e9baa9875afd18d740868b63f9c0c25eadb5eb4eb7", + "zh:270ac1b7a1327c1456a43df44c0b5cc3e26ed6d8861a709adeea1da684a563f5", + "zh:424362c02c8917c0586f3dd49aca27b7e0c21f5a23374b7045e9be3b5646c028", + "zh:549fa2ea187964ab9a0c354310947ead30e09b3199db1ff377c21d7547d78299", + "zh:6492d2ccc7f7d60e83cd8b7244adc53f30efc17d84b1ffc1b8fd6c385f8255fd", + "zh:66fb7b3b8a357071d26c5996c16d426edf07502a05ac86f4a6f73646ee7d1bbb", + "zh:6ecc05fb466d06ea8945564d2cdb8c2a8827d8cfca1550e9fb7eac0e95920196", + "zh:7932360b627b211dad937d278a8692a6c52bd6c0a71e4ec9e94ccbe825053822", + "zh:97ed1b4a18842c4d56a735329e87b4ef91a47e820e5a5c3c2dd64e293408bfc8", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:d5e022052011e1984b9c2f8bc5a6b05c909e3b5bf40c3baddf191bf90e3169c2", + "zh:d7e9488b2ce5904efb91c8577b3fe9b0cd599c4cd508f1f163f292930f54fdf0", + "zh:e57cd93d5cd81dd0f446076af6e47a53ce83df2947ec64ed39a1090d4bdf8f0b", + ] +} diff --git a/modules/aws/users/README.md b/modules/aws/users/README.md new file mode 100644 index 0000000..28509d3 --- /dev/null +++ b/modules/aws/users/README.md 
@@ -0,0 +1,26 @@
+# Core Cloud AWS Users Module
+
+This module is responsible for creating and managing users through Identity Center in AWS.
+
+## Usage
+
+```hcl
+module "users" {
+ source = "git::ssh://git@github.com/UKHomeOffice/core-cloud-terraform-modules.git//modules/aws/users"
+
+ user_name =
+ given_name =
+ family_name =
+ email =
+ identity_store_id =
+}
+```
+
+## Validation
+
+This module expects the variables to conform to the following:
+- `user_name` - Must be a string between 1 and 64 characters.
+- `given_name` - Must be a string between 1 and 64 characters.
+- `family_name` - Must be a string between 1 and 64 characters.
+- `email` - Must be a valid unique email address.
+- `identity_store_id` - Must be a valid Identity Store ID.
diff --git a/modules/aws/users/main.tf b/modules/aws/users/main.tf
new file mode 100644
index 0000000..c5d7772
--- /dev/null
+++ b/modules/aws/users/main.tf
@@ -0,0 +1,25 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.37.0"
+ }
+ }
+}
+
+resource "aws_identitystore_user" "identity_center_users" {
+ identity_store_id = var.identity_store_id
+
+ display_name = "${var.given_name} ${var.family_name}"
+ user_name = var.user_name
+
+ name {
+ given_name = var.given_name
+ family_name = var.family_name
+ }
+
+ emails {
+ primary = true
+ value = var.email
+ }
+}
diff --git a/modules/aws/users/variables.tf b/modules/aws/users/variables.tf
new file mode 100644
index 0000000..c47852b
--- /dev/null
+++ b/modules/aws/users/variables.tf
@@ -0,0 +1,44 @@
+variable "user_name" {
+ type = string
+ description = "The name of the user to create."
+
+ validation {
+ condition = length(var.user_name) >= 1 && length(var.user_name) <= 64
+ error_message = "The user name must be less than 64 characters."
+ }
+}
+
+variable "given_name" {
+ type = string
+ description = "The given name of the user."
+
+ validation {
+ condition = length(var.given_name) >= 1 && length(var.given_name) <= 64
+ error_message = "The given name must be less than 64 characters."
+ }
+}
+
+variable "family_name" {
+ type = string
+ description = "The family name of the user."
+
+ validation {
+ condition = length(var.family_name) >= 1 && length(var.family_name) <= 64
+ error_message = "The family name must be less than 64 characters."
+ }
+}
+
+variable "email" {
+ type = string
+ description = "The email address of the user."
+}
+
+variable "identity_store_id" {
+ description = "The AWS SSO instance to create the group in."
+ type = string
+
+ validation {
+ condition = can(regex("d-[a-z0-9]{10}", var.identity_store_id))
+ error_message = "The identity store id must be in the format `d-` followed by 10 alphanumeric characters."
+ }
+}
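Review bot: `email` carries no validation even though the README added in this commit promises `Must be a valid unique email address`, and main.tf writes it straight into `emails { primary = true value = var.email }`, so a malformed value only fails at the API call; a minimal shape check rejects it at plan (uniqueness can only be decided by Identity Center itself, so the README should not promise the module enforces it). The `identity_store_id` regex here is unanchored like the other two copies in this commit and matches any string containing `d-` plus ten characters, so `^...$` anchors are needed. The three `must be less than 64 characters` messages also understate their conditions, which reject the empty string and accept exactly 64.
```hcl
# … unchanged: user_name, given_name, family_name variables …

variable "email" {
  type        = string
  description = "The email address of the user."

  validation {
    condition     = can(regex("^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$", var.email))
    error_message = "The email must be a single address of the form local-part@domain."
  }
}

# … unchanged: identity_store_id variable …
```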