UKHomeOffice · LiamMacP · Feb 27, 2024 · Feb 27, 2024 · Feb 27, 2024 · Feb 27, 2024
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -0,0 +1,68 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: "(GHA)"
+    reviewers:
+      - "UKHomeOffice/core-cloud-devops"
+    labels:
+      - "dependencies"
+      - "patch"
+  - package-ecosystem: "terraform"
+    directory: "/modules/aws/group_account_assignments"
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: "(TF)"
+    reviewers:
+      - "UKHomeOffice/core-cloud-devops"
+    labels:
+      - "dependencies"
+      - "patch"
+  - package-ecosystem: "terraform"
+    directory: "/modules/aws/group_user_memberships"
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: "(TF)"
+    reviewers:
+      - "UKHomeOffice/core-cloud-devops"
+    labels:
+      - "dependencies"
+      - "patch"
+  - package-ecosystem: "terraform"
+    directory: "/modules/aws/groups"
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: "(TF)"
+    reviewers:
+      - "UKHomeOffice/core-cloud-devops"
+    labels:
+      - "dependencies"
+      - "patch"
+  - package-ecosystem: "terraform"
+    directory: "/modules/aws/ssoadmin_instance"
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: "(TF)"
+    reviewers:
+      - "UKHomeOffice/core-cloud-devops"
+    labels:
+      - "dependencies"
+      - "patch"
+  - package-ecosystem: "terraform"
+    directory: "/modules/aws/users"
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: "(TF)"
+    reviewers:
+      - "UKHomeOffice/core-cloud-devops"
+    labels:
+      - "dependencies"
+      - "patch"
diff --git a/.github/workflows/pull-request-sast.yaml b/.github/workflows/pull-request-sast.yaml
@@ -0,0 +1,26 @@
+name: Validate Terraform with Trivy
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  RunTerraformValidation:
+    name: Run Terraform Validation
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Clone the Repository
+        uses: actions/checkout@v4
+
+      # Results have to be a table as the organisation does not have Advanced Security license.
+      - name: Run Trivy against Terraform
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: 'config'
+          exit-code: '1'
diff --git a/README.md b/README.md
@@ -1,3 +1,15 @@
 # Core Cloud Terraform Modules
 
 This repository contains the core Terraform modules for the Core Cloud Platform.
+
+## Modules
+
+The following modules are available:
+
+- [AWS](./modules/aws/README.md)
+
+## Example Usage
+
+Example usage can be found in the README of each module. 
+
+Additionally, the [core-cloud-lza-iam-terraform 🔒](https://github.com/UKHomeOffice/core-cloud-lza-iam-terraform) module contains an example of how to use the modules.
diff --git a/modules/aws/README.md b/modules/aws/README.md
@@ -0,0 +1,13 @@
+# Core Cloud AWS Terraform Modules
+
+This repository contains the core Terraform modules for AWS.
+
+## Modules
+
+The following modules are available:
+
+- [Group Account Assignments](./group_account_assignments/README.md)
+- [Group User Memberships](./group_user_memberships/README.md)
+- [Groups](./groups/README.md)
+- [Identity Center Instance](./ssoadmin_instance/README.md)
+- [Users](./users/README.md)
diff --git a/modules/aws/group_account_assignments/.terraform.lock.hcl b/modules/aws/group_account_assignments/.terraform.lock.hcl
diff --git a/modules/aws/group_account_assignments/README.md b/modules/aws/group_account_assignments/README.md
@@ -0,0 +1,22 @@
+# Core Cloud AWS Group Account Assignation Module
+
+This module is responsible for creating and managing group account assignments through Identity Center in AWS.
+
+## Usage
+
+```hcl
+module "group_account_assignments" {
+  source = "git::ssh://[email protected]/UKHomeOffice/core-cloud-terraform-modules.git//modules/aws/group_account_assignments"
+
+  group_name     = each.key
+  identity_store = module.aws_ssoadmin_instance.instance
+  accounts       = each.value.accounts
+}
+```
+
+## Validation
+
+This module expects the variables to conform to the following:
+- `group_name` - Must be a string between 1 and 64 characters.
+- `accounts` - Key/Value pairing of the account ID and the permission set.
+- `identity_store` - Must be a valid Identity Store object that contains both the `id` and `arn` attributes.
diff --git a/modules/aws/group_account_assignments/main.tf b/modules/aws/group_account_assignments/main.tf
@@ -0,0 +1,39 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.37.0"
+    }
+  }
+}
+
+data "aws_ssoadmin_permission_set" "identity_center_permission_set" {
+  for_each = var.accounts
+
+  name = each.value
+  instance_arn = var.identity_store.arn
+}
+
+data "aws_identitystore_group" "identity_store_groups" {
+  identity_store_id = var.identity_store.id
+
+  alternate_identifier {
+    unique_attribute {
+      attribute_path  = "DisplayName"
+      attribute_value = var.group_name
+    }
+  }
+}
+
+resource "aws_ssoadmin_account_assignment" "user_account_assignments" {
+  for_each = var.accounts
+
+  instance_arn       = var.identity_store.arn
+  permission_set_arn = data.aws_ssoadmin_permission_set.identity_center_permission_set[each.key].arn
+
+  principal_id   = data.aws_identitystore_group.identity_store_groups.id
+  principal_type = "GROUP"
+
+  target_id   = each.key
+  target_type = "AWS_ACCOUNT"
+}
diff --git a/modules/aws/group_account_assignments/variables.tf b/modules/aws/group_account_assignments/variables.tf
@@ -0,0 +1,22 @@
+variable "identity_store" {
+  description = "The AWS SSO instance to create the group in."
+  type        = object({
+    id   = string
+    arn  = string 
+  })
+}
+
+variable "accounts" {
+  description = "The AWS accounts to assign the group to."
+  type = map(string)
+}
+
+variable "group_name" {
+  description = "The ID of the group to assign the user to."
+  type        = string
+
+  validation {
+    condition     = length(var.group_name) >= 1 && length(var.group_name) <= 64
+    error_message = "The group name must be less than 64 characters."
+  }
+}
diff --git a/modules/aws/group_user_memberships/.terraform.lock.hcl b/modules/aws/group_user_memberships/.terraform.lock.hcl
diff --git a/modules/aws/group_user_memberships/README.md b/modules/aws/group_user_memberships/README.md
@@ -0,0 +1,22 @@
+# Core Cloud AWS Group User Membership Module
+
+This module is responsible for creating and managing group user memberships through Identity Center in AWS.
+
+## Usage
+
+```hcl
+module "groups_user_membership" {
+  source = "git::ssh://[email protected]/UKHomeOffice/core-cloud-terraform-modules.git//modules/aws/group-user-memberships"
+
+  group_name        = <VALUE>
+  identity_store_id = <VALUE>
+  users             = ARRAY(<VALUE>)
+}
+```
+
+## Validation
+
+This module expects the variables to conform to the following:
+- `group_name` - Must be a string between 1 and 64 characters.
+- `users` - List containing the usernames to be added to the group.
+- `identity_store_id` - Must be a valid Identity Store ID.
diff --git a/modules/aws/group_user_memberships/main.tf b/modules/aws/group_user_memberships/main.tf
@@ -0,0 +1,40 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.37.0"
+    }
+  }
+}
+
+data "aws_identitystore_group" "identity_store_groups" {
+  identity_store_id = var.identity_store_id
+
+  alternate_identifier {
+    unique_attribute {
+      attribute_path  = "DisplayName"
+      attribute_value = var.group_name
+    }
+  }
+}
+
+data "aws_identitystore_user" "identity_store_users" {
+  for_each = toset(var.users)
+
+  identity_store_id = var.identity_store_id
+
+  alternate_identifier {
+    unique_attribute {
+      attribute_path  = "UserName"
+      attribute_value = each.key
+    }
+  }
+}
+
+resource "aws_identitystore_group_membership" "group_membership" {
+  for_each = toset(var.users)
+
+  identity_store_id = var.identity_store_id
+  group_id = data.aws_identitystore_group.identity_store_groups.id
+  member_id = data.aws_identitystore_user.identity_store_users[each.key].id
+}
diff --git a/modules/aws/group_user_memberships/variables.tf b/modules/aws/group_user_memberships/variables.tf
@@ -0,0 +1,24 @@
+variable "identity_store_id" {
+  description = "The AWS SSO instance to create the group in."
+  type        = string
+
+  validation {
+    condition     = can(regex("d-[a-z0-9]{10}", var.identity_store_id))
+    error_message = "The identity store id must be in the format `d-` followed by 10 alphanumeric characters."
+  }
+}
+
+variable "users" {
+  description = "The AWS accounts to assign the group to."
+  type = list(string)
+}
+
+variable "group_name" {
+  description = "The ID of the group to assign the user to."
+  type        = string
+
+  validation {
+    condition     = length(var.group_name) >= 1 && length(var.group_name) <= 64
+    error_message = "The group name must be less than 64 characters."
+  }
+}
diff --git a/modules/aws/groups/.terraform.lock.hcl b/modules/aws/groups/.terraform.lock.hcl