Merge pull request #61 from cisagov/improvement/modern-env

Create Molecule users for a single environment

Author: dav3r

README.md

@@ -2,42 +2,39 @@
 
 [![GitHub Build Status](https://github.com/cisagov/molecule-iam-user-tf-module/workflows/build/badge.svg)](https://github.com/cisagov/molecule-iam-user-tf-module/actions)
 
-A Terraform module for creating an IAM user suitable for use in molecule
-testing of an Ansible role.
+A Terraform module for creating an IAM user suitable for use in [Molecule
+testing](https://ansible.readthedocs.io/projects/molecule/) of an
+[Ansible](https://www.redhat.com/en/ansible-collaborative) role.
 
 ## Usage ##
 
-### Multi-Account Usage ###
+### Multi-provider usage ###
 
 ```hcl
 module "example" {
   source = "github.com/cisagov/molecule-iam-user-tf-module"
 
   providers = {
-    aws                                    = aws
-    aws.images-production-provisionaccount = aws.images-production-provisionaccount
-    aws.images-staging-provisionaccount    = aws.images-staging-provisionaccount
-    aws.images-production-ssm              = aws.images-production-ssm
-    aws.images-staging-ssm                 = aws.images-staging-ssm
+    aws                         = aws
+    aws.images-provisionaccount = aws.images-provisionaccount
+    aws.images-ssm              = aws.images-ssm
   }
 
   entity         = "my-repo"
   ssm_parameters = ["/example/parameter1", "/example/config/*"]
 }
 ```
 
-### Single Account Usage ###
+### Single provider usage ###
 
 ```hcl
 module "example" {
   source = "github.com/cisagov/molecule-iam-user-tf-module"
 
   providers = {
-    aws                                    = aws
-    aws.images-production-provisionaccount = aws
-    aws.images-staging-provisionaccount    = aws
-    aws.images-production-ssm              = aws
-    aws.images-staging-ssm                 = aws
+    aws                         = aws
+    aws.images-provisionaccount = aws
+    aws.images-ssm              = aws
   }
 
   entity         = "my-repo"
@@ -62,23 +59,20 @@ module "example" {
 | Name | Version |
 |------|---------|
 | aws | >= 4.9 |
-| aws.images-production-provisionaccount | >= 4.9 |
-| aws.images-staging-provisionaccount | >= 4.9 |
+| aws.images-provisionaccount | >= 4.9 |
 
 ## Modules ##
 
 | Name | Source | Version |
 |------|--------|---------|
 | ci\_user | github.com/cisagov/ci-iam-user-tf-module | n/a |
-| parameterstorereadonly\_role\_production | github.com/cisagov/ssm-read-role-tf-module | n/a |
-| parameterstorereadonly\_role\_staging | github.com/cisagov/ssm-read-role-tf-module | n/a |
+| parameterstorereadonly\_role | github.com/cisagov/ssm-read-role-tf-module | n/a |
 
 ## Resources ##
 
 | Name | Type |
 |------|------|
-| [aws_iam_role_policy_attachment.ssm_production_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.ssm_staging_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_user_policy.assume_parameterstorereadonly](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
 | [aws_caller_identity.users](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.assume_parameterstorereadonly_role_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -95,8 +89,7 @@ module "example" {
 | Name | Description |
 |------|-------------|
 | access\_key | The IAM access key associated with the CI IAM user created by this module. |
-| production\_role | The IAM role that the CI user can assume to read SSM parameters in the production account. |
-| staging\_role | The IAM role that the CI user can assume to read SSM parameters in the staging account. |
+| role | The IAM role that the CI user can assume to read SSM parameters. |
 | user | The CI IAM user created by this module. |
 <!-- END_TF_DOCS -->
 

assume_parameterstorereadonly_role.tf

@@ -1,5 +1,5 @@
 # IAM policy document that allows assumption of the ParameterStoreReadOnly
-# role in the Images accounts (Production and Staging) for this user
+# role in the Images account for this user
 data "aws_iam_policy_document" "assume_parameterstorereadonly_role_doc" {
   statement {
     actions = [
@@ -8,16 +8,15 @@ data "aws_iam_policy_document" "assume_parameterstorereadonly_role_doc" {
     ]
     effect = "Allow"
     resources = [
-      module.parameterstorereadonly_role_production.role.arn,
-      module.parameterstorereadonly_role_staging.role.arn
+      module.parameterstorereadonly_role.role.arn
     ]
   }
 }
 
 # The IAM policy allowing this user to assume their custom
-# ParameterStoreReadOnly role in the Images accounts (Production and Staging)
+# ParameterStoreReadOnly role in the Images account
 resource "aws_iam_user_policy" "assume_parameterstorereadonly" {
-  name   = "Images-Assume${module.parameterstorereadonly_role_production.role.name}"
+  name   = "Images-Assume${module.parameterstorereadonly_role.role.name}"
   policy = data.aws_iam_policy_document.assume_parameterstorereadonly_role_doc.json
   user   = module.ci_user.user.name
 }

examples/basic_usage/main.tf

@@ -15,57 +15,34 @@ provider "aws" {
   region  = "us-east-1"
 }
 
-# ProvisionAccount AWS provider for the Images (Production) account
+# ProvisionAccount AWS provider for the Images account
 provider "aws" {
-  alias = "images-production-provisionaccount"
+  alias = "images-provisionaccount"
   default_tags {
     tags = local.tags
   }
-  profile = "cool-images-production-provisionaccount"
+  profile = "cool-images-provisionaccount"
   region  = "us-east-1"
 }
 
-# ProvisionAccount AWS provider for the Images (Staging) account
+# ProvisionParameterStoreReadRoles AWS provider for the Images account
 provider "aws" {
-  alias = "images-staging-provisionaccount"
+  alias = "images-ssm"
   default_tags {
     tags = local.tags
   }
-  profile = "cool-images-staging-provisionaccount"
+  profile = "cool-images-provisionparameterstorereadroles"
   region  = "us-east-1"
 }
 
-# ProvisionParameterStoreReadRoles AWS provider for the
-# Images (Production) account
-provider "aws" {
-  alias = "images-production-ssm"
-  default_tags {
-    tags = local.tags
-  }
-  profile = "cool-images-production-provisionparameterstorereadroles"
-  region  = "us-east-1"
-}
-
-# ProvisionParameterStoreReadRoles AWS provider for the
-# Images (Staging) account
-provider "aws" {
-  alias = "images-staging-ssm"
-  default_tags {
-    tags = local.tags
-  }
-  profile = "cool-images-staging-provisionparameterstorereadroles"
-  region  = "us-east-1"
-}
 
 module "iam_user" {
   source = "../.."
 
   providers = {
-    aws                                    = aws
-    aws.images-production-provisionaccount = aws.images-production-provisionaccount
-    aws.images-staging-provisionaccount    = aws.images-staging-provisionaccount
-    aws.images-production-ssm              = aws.images-production-ssm
-    aws.images-staging-ssm                 = aws.images-staging-ssm
+    aws                         = aws
+    aws.images-provisionaccount = aws.images-provisionaccount
+    aws.images-ssm              = aws.images-ssm
   }
 
   entity         = "molecule-iam-user-tf-module"

outputs.tf

@@ -4,14 +4,9 @@ output "access_key" {
   value       = module.ci_user.access_key
 }
 
-output "production_role" {
-  description = "The IAM role that the CI user can assume to read SSM parameters in the production account."
-  value       = module.ci_user.production_role
-}
-
-output "staging_role" {
-  description = "The IAM role that the CI user can assume to read SSM parameters in the staging account."
-  value       = module.ci_user.staging_role
+output "role" {
+  description = "The IAM role that the CI user can assume to read SSM parameters."
+  value       = module.ci_user.role
 }
 
 output "user" {

parameterstorereadonly_role.tf

@@ -1,37 +1,23 @@
 # ------------------------------------------------------------------------------
-# Create the IAM roles that allow read-only access to the specified SSM
-# Parameter Store parameters in the Images accounts (Production and Staging).
+# Create the IAM role that allows read-only access to the specified SSM
+# Parameter Store parameters in the Images account.
 # ------------------------------------------------------------------------------
 
 # Get the default caller identity, which corresponds to the Users account.
 # This is needed to determine the Users account ID.
 data "aws_caller_identity" "users" {
 }
 
-module "parameterstorereadonly_role_production" {
+module "parameterstorereadonly_role" {
   source = "github.com/cisagov/ssm-read-role-tf-module"
 
   providers = {
-    aws = aws.images-production-ssm
+    aws = aws.images-ssm
   }
 
   account_ids   = [data.aws_caller_identity.users.account_id]
   entity_name   = var.entity
   iam_usernames = [module.ci_user.user.name]
-  role_name     = "ParameterStoreReadOnly-%s-Production"
-  ssm_names     = var.ssm_parameters
-}
-
-module "parameterstorereadonly_role_staging" {
-  source = "github.com/cisagov/ssm-read-role-tf-module"
-
-  providers = {
-    aws = aws.images-staging-ssm
-  }
-
-  account_ids   = [data.aws_caller_identity.users.account_id]
-  entity_name   = var.entity
-  iam_usernames = [module.ci_user.user.name]
-  role_name     = "ParameterStoreReadOnly-%s-Staging"
+  role_name     = "ParameterStoreReadOnly-%s"
   ssm_names     = var.ssm_parameters
 }

providers.tf

@@ -1,23 +1,12 @@
 # This is the provider that is used to create the role that can be
 # assumed to perform CI functions.
 provider "aws" {
-  alias = "images-production-provisionaccount"
+  alias = "images-provisionaccount"
 }
 
-# This is the provider that is used to create the role that can be
-# assumed to perform CI functions.
-provider "aws" {
-  alias = "images-staging-provisionaccount"
-}
-
-# This is the provider that is used to create the role and policy that can
-# read Parameter Store parameters inside the Images Production account
-provider "aws" {
-  alias = "images-production-ssm"
-}
 
 # This is the provider that is used to create the role and policy that can
-# read Parameter Store parameters inside the Images Staging account
+# read Parameter Store parameters inside the Images account
 provider "aws" {
-  alias = "images-staging-ssm"
+  alias = "images-ssm"
 }

user.tf

@@ -2,27 +2,19 @@ module "ci_user" {
   source = "github.com/cisagov/ci-iam-user-tf-module"
 
   providers = {
-    aws            = aws
-    aws.production = aws.images-production-provisionaccount
-    aws.staging    = aws.images-staging-provisionaccount
+    aws    = aws
+    aws.ci = aws.images-provisionaccount
   }
 
   role_description = local.role_description
   role_name        = local.role_name
   user_name        = local.user_name
 }
 
-# Attach the AWS SSM Parameter Store read role policies to the CI
-# production and staging roles
-resource "aws_iam_role_policy_attachment" "ssm_staging_attachment" {
-  provider = aws.images-staging-provisionaccount
+# Attach the AWS SSM Parameter Store read role policy to the CI role
+resource "aws_iam_role_policy_attachment" "ssm" {
+  provider = aws.images-provisionaccount
 
-  policy_arn = module.parameterstorereadonly_role_staging.policy.arn
-  role       = module.ci_user.staging_role.name
-}
-resource "aws_iam_role_policy_attachment" "ssm_production_attachment" {
-  provider = aws.images-production-provisionaccount
-
-  policy_arn = module.parameterstorereadonly_role_production.policy.arn
-  role       = module.ci_user.production_role.name
+  policy_arn = module.parameterstorereadonly_role.policy.arn
+  role       = module.ci_user.role.name
 }