Add support for AWS install: iam-write

p0-security · Apr 16, 2024 · c084e6a · c084e6a
1 parent caf2331
commit c084e6a
Show file tree

Hide file tree

Showing 7 changed files with 695 additions and 19 deletions.
diff --git a/docs/resources/aws_iam_write.md b/docs/resources/aws_iam_write.md
@@ -0,0 +1,178 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "p0_aws_iam_write Resource - p0"
+subcategory: ""
+description: |-
+  An AWS installation.
+  Important: This resource should be used together with the 'awsstaged' resource, with a dependency chain
+  requiring this resource to be updated after the 'awsstaged' resource.
+  P0 recommends you use these resources according to the following pattern:
+  ```
+  resource "p0awsstaged" "staged_account" {
+    id         = ...
+    components = ["iam-write"]
+  }
+  See current P0 docs for the appropriate input in this block
+  resource "awsiampolicy" "p0iammanager" {
+    ...
+  }
+  resource "awsiamrole" "p0iammanager" {
+    name               = "P0RoleIamManager"
+    assumerolepolicy = jsonencode({
+      Version = "2012-10-17"
+      Statement = [
+        {
+          Effect = "Allow"
+          Principal = {
+            Federated = "accounts.google.com"
+          }
+          Action = "sts:AssumeRoleWithWebIdentity"
+          Condition = {
+            StringEquals = {
+              "accounts.google.com:aud" = "${p0awsstaged.stagedaccount.serviceaccountid}"
+            }
+          }
+        }
+      ]
+    })
+    managedpolicyarns = [awsiampolicy.p0iam_manager.arn]
+  }
+  resource "p0awsiamwrite" "installedaccount" {
+    id         = p0awsstaged.stagedaccount.id
+    dependson = [awsiamrole.p0iammanager]
+    ...
+  }
+  ```
+---
+
+# p0_aws_iam_write (Resource)
+
+An AWS installation.
+
+**Important**: This resource should be used together with the 'aws_staged' resource, with a dependency chain
+requiring this resource to be updated after the 'aws_staged' resource.
+
+P0 recommends you use these resources according to the following pattern:
+
+```
+resource "p0_aws_staged" "staged_account" {
+  id         = ...
+  components = ["iam-write"]
+}
+
+# See current P0 docs for the appropriate input in this block
+resource "aws_iam_policy" "p0_iam_manager" {
+  ...
+}
+
+resource "aws_iam_role" "p0_iam_manager" {
+  name               = "P0RoleIamManager"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Federated = "accounts.google.com"
+        }
+        Action = "sts:AssumeRoleWithWebIdentity"
+        Condition = {
+          StringEquals = {
+            "accounts.google.com:aud" = "${p0_aws_staged.staged_account.service_account_id}"
+          }
+        }
+      }
+    ]
+  })
+  managed_policy_arns = [aws_iam_policy.p0_iam_manager.arn]
+}
+
+resource "p0_aws_iam_write" "installed_account" {
+  id         = p0_aws_staged.staged_account.id
+  depends_on = [aws_iam_role.p0_iam_manager]
+  ...
+}
+```
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `id` (String) The AWS account ID
+- `login` (Attributes) How users log in to this AWS account (see [below for nested schema](#nestedatt--login))
+
+### Optional
+
+- `label` (String) The AWS account's alias (if available)
+
+### Read-Only
+
+- `state` (String) This account's install progress in the P0 application:
+			- 'stage': The account has been staged for installation
+			- 'configure': The account is available to be added to P0, and may be configured
+			- 'installed': The account is fully installed
+
+<a id="nestedatt--login"></a>
+### Nested Schema for `login`
+
+Required:
+
+- `type` (String) One of:
+    - 'iam': Users log in as IAM users; 'identity' attribute is required
+    - 'idc': Users log in via Identity Center (formerly 'SSO'); 'parent' attribute is required
+    - 'federated': Users log in via a federated identity provider; 'provider' attribute is required
+
+Optional:
+
+- `identity` (Attributes) How user identities are mapped to AWS IAM users (see [below for nested schema](#nestedatt--login--identity))
+- `parent` (String) Identity Center parent account ID
+- `provider` (Attributes) Federated login provider details (see [below for nested schema](#nestedatt--login--provider))
+
+<a id="nestedatt--login--identity"></a>
+### Nested Schema for `login.identity`
+
+Required:
+
+- `type` (String) One of:
+    - 'email': IAM user names are user email addresses
+    - 'tag': User email addresses appear in IAM user tag; 'tag_name' is required
+
+Optional:
+
+- `tag_name` (String) The name of the AWS user tag that holds the user's email address
+
+
+<a id="nestedatt--login--provider"></a>
+### Nested Schema for `login.provider`
+
+Required:
+
+- `app_id` (String) Okta AWS federation app ID
+- `identity_provider` (String) AWS provider integration; this is the _name_ of the AWS integration that you use for federated login,
+defined on the ["Identity providers" tab](https://console.aws.amazon.com/iam/home#/identity_providers) of your IAM dashboard
+
+Optional:
+
+- `method` (Attributes) The federation method used by your identity provider (see [below for nested schema](#nestedatt--login--provider--method))
+- `type` (String) Only 'okta' is supported at this time
+
+<a id="nestedatt--login--provider--method"></a>
+### Nested Schema for `login.provider.method`
+
+Optional:
+
+- `account_count` (Attributes) Number of AWS accounts linked to the federation app:
+    - 'single': One account only
+    - 'multi': Multiple accounts, via a parent account (see [below for nested schema](#nestedatt--login--provider--method--account_count))
+- `type` (String) Only 'saml' is supported at this time
+
+<a id="nestedatt--login--provider--method--account_count"></a>
+### Nested Schema for `login.provider.method.type`
+
+Optional:
+
+- `parent` (String) The account ID of the federation app's parent AWS account
+- `type` (String)
diff --git a/docs/resources/aws_staged.md b/docs/resources/aws_staged.md
@@ -4,12 +4,15 @@ page_title: "p0_aws_staged Resource - p0"
 subcategory: ""
 description: |-
   A staged AWS installation. Staged resources are used to generate AWS trust policies.
+  Important Before using this resource, please read the instructions for the 'awsiamwrite' resource.
 ---
 
 # p0_aws_staged (Resource)
 
 A staged AWS installation. Staged resources are used to generate AWS trust policies.
 
+**Important** Before using this resource, please read the instructions for the 'aws_iam_write' resource.
+
 
 
 <!-- schema generated by tfplugindocs -->

diff --git a/internal/provider/provider.go b/internal/provider/provider.go
@@ -104,6 +104,7 @@ func (p *P0Provider) Resources(ctx context.Context) []func() resource.Resource {
 	return []func() resource.Resource{
 		resources.NewRoutingRules,
 		installresources.NewStagedAws,
+		installresources.NewAwsIamWrite,
 	}
 }
 

diff --git a/internal/provider/resources/install/aws_common.go b/internal/provider/resources/install/aws_common.go
@@ -0,0 +1,15 @@
+package installresources
+
+import "regexp"
+
+var Aws = "aws"
+
+var IamWrite = "iam-write"
+var Inventory = "inventory"
+
+// All installable AWS components
+var Components = []string{IamWrite, Inventory}
+
+var AwsAccountIdRegex = regexp.MustCompile(`^\d{12}$`)
+var AwsIdpPattern = regexp.MustCompile(`^[\w.-/]+$`)
+var OktaAppIdRegex = regexp.MustCompile(`^0o\w+$`)