From a00a23076193f17e4fd6d07f4440c181594a2e7d Mon Sep 17 00:00:00 2001 From: Sunny Date: Fri, 31 May 2024 11:13:17 +0000 Subject: [PATCH] Add AWS account management docs and configurations Directory accounts/aws/ contains docs and terraform configurations for setting up a new AWS account, preparing it for use as the Flux test infrastructure and managing the account further with all the configurations in code. Signed-off-by: Sunny --- .gitignore | 4 ++ accounts/aws/README.md | 76 ++++++++++++++++++++++++++++++++++++++ accounts/aws/main.tf | 83 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 163 insertions(+) create mode 100644 .gitignore create mode 100644 accounts/aws/README.md create mode 100644 accounts/aws/main.tf diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..9257cce --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +.env +.terraform +.terraform.* +terraform.tfstate* diff --git a/accounts/aws/README.md b/accounts/aws/README.md new file mode 100644 index 0000000..d061ec6 --- /dev/null +++ b/accounts/aws/README.md @@ -0,0 +1,76 @@ +# AWS Account + +This documents how to set up an AWS account, prepare it to use for Flux test +infrastructure and various usage workflows for managing the account. + +## New account initial setup + +- Once a new AWS account is created, log in as the root user and enable + multi-factor authentication for the root account, refer + https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html. +- For Billing and Cost Management in the account, enable IAM access to billing, + refer https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_billing.html. + This will enable the other users to be able to view the billing console if + they have the necessary permissions. With access to billing console, the users + would be able to know the cost of their resource usage and help keep the cost + in control. +- For user management IAM Identity Center is used, which makes it easy to invite + and manage users in the account. AWS sends invitation email to the users and + provides an access portal to verify the email address, set up MFA device and + help log into the account easily. Choose a region, say `us-east-2`, switch to + the region in the AWS web console and enable IAM Identity Center, refer + https://docs.aws.amazon.com/SetUp/latest/UserGuide/setup-enableIdC.html. If + asked, create an AWS Organization and enable the Identity Center as an + organization, which is the recommended usage by AWS. + - After enabling IAM Identity Center, go to the IAM Identity Center console + settings and enable Multi-factor authentication, refer + https://docs.aws.amazon.com/singlesignon/latest/userguide/mfa-getting-started.html. + Configure the following options: + - Under **Prompt users for MFA**, select *Only when the sign-in context + changes*. + - Under **Users can authenticate with these MFA types**, select both + *Security keys* and *Authenticator apps*. + - Under **If a user does not yet have a registered MFA device**, select + *Require them to register an MFA device at sign in*. + - Under the **Authentication** tab in IAM Identity Center settings, configure + the **Standard authentication** to *Send email OTP for users created from + API*. This will make sure invitation emails are sent to the users when + created using terraform or other tooling. +- Some tools like aws-nuke require the AWS account to have an alias set before + operating on the account. Set an account alias in the IAM Dashboard, refer + https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html. + It can be set to `fluxcd` or edited if needed in the future. + +The above covers the initial setup. Further account setup will be done by code +as described in the following sections. + +## Account management + +After the initial setup, the account can be managed using terraform +configurations for provisioning and maintaining all the resources. + +`main.tf` contains terraform configuration for creating IAM Identity Center +permission sets, groups using the permission sets, their association with the +AWS account, users for web console access, IAM Identity providers which are used +in the tests for authenticating with federated identities and assuming roles +with permissions needed for running the tests. + +For first time setup, an IAM user can be created manually with the administrator +access to apply the configurations in `main.tf`. This will create the user +accounts who can log in and use the account. + +**NOTE:** Due to a limitation in the AWS Identity Center API, the user accounts +created via API require explicit email verification. Refer +https://github.com/hashicorp/terraform-provider-aws/issues/28102 for details. +Due to this, after creating a new user, an administrator needs to go to the +user's page and click on **Send email verification link** button. + +After applying the configuration, the IAM user can be deleted and the created +non-root users can be used to manage the account. Also see +https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html +for details about AWS access portal sign in. + +The account can be managed by updating the terraform code and regularly applying +the changes using terraform in a GitHub actions workflow. Updates to users and +resources in the account can be go through the usual GitHub pull request +workflow. diff --git a/accounts/aws/main.tf b/accounts/aws/main.tf new file mode 100644 index 0000000..f06832a --- /dev/null +++ b/accounts/aws/main.tf @@ -0,0 +1,83 @@ +data "aws_caller_identity" "current" {} +data "aws_ssoadmin_instances" "current" {} + +# Create a permission set for administrator access. +resource "aws_ssoadmin_permission_set" "admin" { + name = "AdministratorAccess" + instance_arn = tolist(data.aws_ssoadmin_instances.current.arns)[0] + description = "To be used to grant administrator access to users and groups." + session_duration = "PT8H" + # TODO: Decide and add tags. +} + +# Create a group for administrators. +resource "aws_identitystore_group" "admin" { + identity_store_id = tolist(data.aws_ssoadmin_instances.current.identity_store_ids)[0] + display_name = "Admin" + description = "Admin Group" +} + +# Assign the admin group and permission set. +resource "aws_ssoadmin_account_assignment" "admin_account_assignment" { + instance_arn = tolist(data.aws_ssoadmin_instances.current.arns)[0] + permission_set_arn = aws_ssoadmin_permission_set.admin.arn + + principal_id = aws_identitystore_group.admin.group_id + principal_type = "GROUP" + + target_id = data.aws_caller_identity.current.account_id + target_type = "AWS_ACCOUNT" +} + +# Attach a AdministratorAccess managed policy to the administrator permission +# set. +# NOTE: Since this attachment affects accounts the permission set is associated +# with, it has to depends on the account assignment. +resource "aws_ssoadmin_managed_policy_attachment" "admin" { + depends_on = [aws_ssoadmin_account_assignment.admin_account_assignment] + + instance_arn = tolist(data.aws_ssoadmin_instances.current.arns)[0] + managed_policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess" + permission_set_arn = aws_ssoadmin_permission_set.admin.arn +} + +# Create user and assign a group. +resource "aws_identitystore_user" "darkowlzz" { + identity_store_id = tolist(data.aws_ssoadmin_instances.current.identity_store_ids)[0] + + display_name = "Sunny" + user_name = "darkowlzz" + + name { + given_name = "Sunny" + family_name = "Sunny" + } + + emails { + value = "strainer_exception937@simplelogin.com" + primary = true + } +} +resource "aws_identitystore_group_membership" "darkowlzz_admin" { + identity_store_id = tolist(data.aws_ssoadmin_instances.current.identity_store_ids)[0] + group_id = aws_identitystore_group.admin.group_id + member_id = aws_identitystore_user.darkowlzz.user_id +} + +# Register GitHub OIDC identity provider. +resource "aws_iam_openid_connect_provider" "github" { + url = "https://token.actions.githubusercontent.com" + + client_id_list = [ + "sts.amazonaws.com", + ] + + # For obtaining the thumbprint, refer + # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html. + # Another easier way to obtain this is from the AWS IAM Identity Provider web + # console. When a provider is added through the web console, the thumbprint is + # optional. AWS automatically obtains it and shows it in the console. + thumbprint_list = ["1b511abead59c6ce207077c0bf0e0043b1382612"] + + # TODO: Decide and add tags. +}