Skip to content

Commit

Permalink
Updated template
Browse files Browse the repository at this point in the history
  • Loading branch information
Joeri Malmberg committed Jan 12, 2024
1 parent d04683c commit 419d577
Show file tree
Hide file tree
Showing 51 changed files with 1,666 additions and 285 deletions.
30 changes: 21 additions & 9 deletions .github/workflows/aws_deployment.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,35 +12,47 @@ jobs:
changes:
runs-on: ubuntu-latest
outputs:
accounts: ${{ steps.filter.outputs.changes }}
accounts: ${{ steps.changes.outputs.all_changed_files }}
steps:
- uses: actions/checkout@v3
- uses: dorny/paths-filter@v2
id: filter
- name: Checkout
uses: actions/checkout@v4
with:
filters: |
management:
- 'cloud/management/**'
fetch-depth: 0

- uses: tj-actions/changed-files@v41
id: changes
with:
path: cloud
dir_names: "true"
dir_names_max_depth: 1
json: true
quotepath: false
escape_json: false

RunApply:
runs-on: ubuntu-latest
needs: changes
strategy:
matrix:
account: ${{ fromJSON(needs.changes.outputs.accounts) }}
continue-on-error: true
container: blackbirdcloud/terraform-toolkit:0.0.8
steps:
- name: Git clone the repository
uses: actions/checkout@v3
with:
fetch-depth: 0

- name: change --global to --system
run: git config --global --add safe.directory /__w/my-project-name/my-project-name
run: git config --global --add safe.directory /__w/YOURPROJECTNAME/YOURPROJECTNAME

- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@v2
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ vars.AWS_IAM_ROLE }}
role-session-name: github-action
aws-region: ${{ vars.AWS_REGION }}

- name: apply
working-directory: ./cloud/${{ matrix.account }}
run: terragrunt run-all apply --terragrunt-fetch-dependency-output-from-state --terragrunt-non-interactive --terragrunt-ignore-external-dependencies --terragrunt-download-dir=../../.terragrunt-cache
1 change: 1 addition & 0 deletions .terragrunt-version
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
0.54.1
44 changes: 31 additions & 13 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,25 +13,32 @@ This Repository includes:
* AWS Organizations
* AWS IAM Identity Center
* AWS Cloudformation StackSets
* AWS S3 bucket for Terraform state storage.
* AWS KMS key for Terraform state encryption.
* AWS S3 bucket for Terraform state storage.
* AWS KMS key for audit log encryption.
* AWS S3 bucket for audit log collection.
* AWS Cloudtrial organization configuration.
* GitOps (GitHub Action) pipeline

## How to deploy

1. Create an AWS Account [here](https://portal.aws.amazon.com/billing/signup#/start/email]), name it management. Select the region you would like to deploy your resources to, write down the region and account id.
2. Navigate to AWS Cloudformation => Stacks, and manually deploy both `stacks/github-oidc-provider.yaml` and `stacks/terraform-state.yaml`.
* For the GitHub oidc provider stack, fill in `SubjectClaimFilters` with the following data relating to your infra repo `repo:YOUR_GITHUB_ORGANIZATION/YOUR_GITHUB_REPOSITORY_NAME:ref:refs/heads/BRANCH_NAME` we advise to deploy use `main` as branch name. This is nessecary to make sure that only GitHub Actions that run on the main branch are allowed to plan and apply changes on AWS. Make sure to protect your main branch, as it will receive AdministratorAccess on your AWS cloud. Once the stack has been created, navigate to its resources, and note down the arn of created IAM role.
* Once the terraform state stack has been created, note down the bucket name, it will be used as the state bucket for the next steps.
2. Navigate to Security Credentials, and register a MFA device for your root account.
3. Navigate to your Account page in the Billing console, and enable acces for IAM users.
2. Navigate to AWS Cloudformation => Stacks, and manually deploy the following stack templates in the specified order: `stacks/github-oidc-provider.yaml`, `stacks/github-oidc-role.yaml`, `stacks/terraform-state.yaml`, and `stacks/iam-role.yaml`.
* For the Github oidc role stack, fill in `GitHubIdentityProviderArn` with the ARN of the IDP created on the `github-oidc-provider` stack. Fill in `SubjectClaimFilters` with the following data relating to your infra repo `repo:YOUR_GITHUB_ORGANIZATION/YOUR_GITHUB_REPOSITORY_NAME:ref:refs/heads/BRANCH_NAME` we advise to deploy use `main` as branch name. This is nessecary to make sure that only GitHub Actions that run on the main branch are allowed to plan and apply changes on AWS. Make sure to protect your main branch, as it will receive AdministratorAccess on your AWS cloud. Once the stack has been created, navigate to its resources, and note down the arn of created IAM role.
* For the terraform-state stack, fill in `GithubActionsRoleArn` with the role ARN created in the `github-oidc-role` stack. Once the terraform state stack has been created, note down the bucket name, it will be used as the state bucket for the next steps.
* For the `iam-role` stack, fill in `PrincipalARN` with the role ARN created in the `github-oidc-role` stack. Make sure to write down the Role name, and configure it in `globals.hcl` at `github_role_name`. Under `ManagedPolicyARNs` one can configure `arn:aws:iam::aws:policy/AdministratorAccess`.
3. Create 2 variables on GitHub -> Settings -> Secrets and variables -> Actions -> Variables
* `AWS_IAM_ROLE`: fill in `IAM Role ARN` created by github-oidc-provider stack
* `AWS_IAM_ROLE`: fill in `IAM Role ARN` created by github-oidc-role stack
* `AWS_REGION`: fill in your selected AWS region.
4. On `.github/workflows/aws_deployment.yml` update all occurences of `<my-project-name>` to your github repository name, line 37.

5. On `cloud/global.hcl` enter all the required information at the `Enter manually` block.
6. On` cloud/management/terragrunt.hcl` enter all the information under `Enter manually` block. Use the bucket name created by `stacks/terraform-state.yaml` for `bucket_name`, and enter the account id from the AWS account you created in step 1.
7. Go to `cloud/00-organization/terragrunt.hcl` and fill in the primary, operational, securit, and billing contact information.
4. On `.github/workflows/aws_deployment.yml` update all occurences of `<my-project-name>` to your github repository name, line 46.
<!-- 5. Manually enabled IAM Identity Center in your AWS region.
6. Configure IAM MFA settings, and Standard authentication settings. -->

5. On `global.hcl` enter all the required information at the `Enter manually` block.
6. On `cloud/management/terragrunt.hcl` enter all the information under `Enter manually` block. Remember to do the same for the other account their terragrunt files.
7. Go to `cloud/management/00-organization/terragrunt.hcl` and fill in the local values under `Enter manually`, and under inputs fill in the primary, operational, securit, and billing contact information. Configure the accounts you would like to create.
8. (Optional) If your IDP supports provisioning users and groups, you can skip this step, and delete the `cloud/management/02-iam-sso/01-users` folder, and the `cloud/management/02-iam-sso/02-groups` folder.
* Create the users list on `cloud/management/02-iam-sso/01-users/terragrunt.hcl`, you can remove `[email protected]`.
* `cloud/management/02-iam-sso/02-groups/terragrunt.hcl` enter the groups with the users you would like to create. Make sure to assign the users created by adding multiple `dependency.users.outputs.users["USER_EMAIL"].user_id` and replace `USER_EMAIL` with the actual email.
Expand All @@ -40,12 +47,23 @@ This Repository includes:
10. (Optional) On `cloud/management/02-iam-sso/03-permission-sets/terragrunt.hcl` enter the permission-sets you would like to create. We have included some commonly used permission-sets.
11. (Optional) On `cloud/management/02-iam-sso/04-account-assignment/terragrunt.hcl` assign accounts and permission-sets, to users and groups. The default value will deploy the `AdministratorAccess` permission set for the Administrators group.
12. Commit and push, it will trigger the pipeline to run.
* It will *fail* initially
* It will succesfuly create your AWS organization, and *fail* to create all modules after that.
13. Then there are a few steps to be taken before re-runing the pipeline
* Open your AWS web console and navigate to Cloudformation => StackSets, then enable trusted access.
* Open your AWS web console and navigate to IAM Identity Center, then click on enable.
* Open your AWS web console and navigate to IAM Identity Center => Settings. At the identity source tab, click Actions and select change identity source. Read the documentation [here](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source.html) to proceed depending your Organization's IDP.
14. Re-run the pipeline and all IAM and StackSets should now deploy succesfully.
* You can now choose to use the AWS IAM Center Identity Directory, or configure your own Directory. Read the documentation [here](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source.html) to proceed depending your Organization's IDP.
* If you choose to use the AWS IAM Identity Center Directory:
* Configure the MFA settings.
* On settings => Authentication, enable `Send email OTP for users created from API`.
14. Re-run the failed pipeline and all IAM and StackSets should now deploy succesfully.
15. On `cloud/logs/terragrunt.hcl` enter all the information under `Enter manually` block. Remember to do the same for the other account their terragrunt files.
16. On `cloud/keys/terragrunt.hcl` enter all the information under `Enter manually` block. Remember to do the same for the other account their terragrunt files.
17. On `policies.hcl` replace `YOUR_KEYS_ACCOUNT_ID` with the keys account ID.
18. On `global.hcl` enter `management_account_id` and `logs_account_id`.
19. The pipeline jobs will fail because of missing dependencies, so you will have to retry them a few times until everything has been created.
20. Configure AWS profiles with AdminstratorAccess permissions on your local machine for all created AWS accounts.
21. Update `global.hcl` `remote_state_bucket` to the bucket created at `cloud/management/04-terraform-state/01-bucket`
22. You can now migrate the Terraform state to the newly created Terraform state bucket, and delete the `terraform-state` Cloudformation stack when finished. If you open a termimal in the `cloud` directory, you can execute `terragrunt --terragrunt-non-interactive run-all init -migrate-state -input=true`, you will manually have to enter "yes" a number of times.

## Troubleshooting

Expand Down
19 changes: 0 additions & 19 deletions aws_provider.hcl

This file was deleted.

25 changes: 25 additions & 0 deletions cloud/keys/01-account/.terraform.lock.hcl

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

15 changes: 15 additions & 0 deletions cloud/keys/01-account/terragrunt.hcl
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
include {
path = find_in_parent_folders()
}

include "remote_state" {
path = find_in_parent_folders("remote_state.hcl")
}

terraform {
source = "tfr:///blackbird-cloud/account-info/aws//?version=1.0.2"
}

inputs = {
aws_sso_permission_sets = ["AdministratorAccess"]
}
25 changes: 25 additions & 0 deletions cloud/keys/10-keys/01-terraform-state/.terraform.lock.hcl

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

64 changes: 64 additions & 0 deletions cloud/keys/10-keys/01-terraform-state/terragrunt.hcl
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
include {
path = find_in_parent_folders()
}

include "remote_state" {
path = find_in_parent_folders("remote_state.hcl")
}

dependency "account" {
config_path = "../..//01-account"
}

locals {
policies = read_terragrunt_config(find_in_parent_folders("policies.hcl")).locals
global = read_terragrunt_config(find_in_parent_folders("global.hcl")).locals
}

terraform {
source = "tfr:///blackbird-cloud/kms-key/aws//?version=1.0.0"
}

inputs = {
name = "terraform-state"

policy = <<EOF
{
"Version": "2012-10-17",
"Id": "mykey-policy",
"Statement": [
${local.policies.statements.keys_account_root},
{
"Sid": "Allow keys account Administrators to manage the KMS key.",
"Effect": "Allow",
"Principal": {
"AWS": [
"${dependency.account.outputs.sso_roles.AdministratorAccess.arn}",
"arn:aws:iam::${dependency.account.outputs.account_id}:role/${local.global.github_role_name}"
]
},
"Action": ${local.policies.actions.key_admin},
"Resource": "*"
},
{
"Sid": "Allow management account to assign usage of the KMS key.",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${local.global.management_account_id}:root"
},
"Action":${local.policies.actions.key_usage},
"Resource": "*"
},
{
"Sid": "Allow GitHub bootstrap usage of the KMS key.",
"Effect": "Allow",
"Principal": {
"AWS": "${local.global.github_actions_state_role_arn}"
},
"Action": ${local.policies.actions.key_usage},
"Resource": "*"
}
]
}
EOF
}
25 changes: 25 additions & 0 deletions cloud/keys/10-keys/02-logging/.terraform.lock.hcl

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading

0 comments on commit 419d577

Please sign in to comment.