reorganized repo

README.md

@@ -85,3 +85,29 @@ nr init
 ```
 
 The initialization script consumes `config.yml` to generate a bunch of key Terraform & GitHub Actions configurations. More on this later.
+
+## Bootstrapping AWS
+
+The initial assumption here is that we are starting from zero.
+
+Much of what follows is adamped from [AWS Multi-account Multi-region Bootstrapping with Terraform](https://levelup.gitconnected.com/aws-multi-account-multi-region-bootstrapping-with-terraform-39aeed097ad2). Please review that very excellent reference for a deeper dive.
+
+### Create the Master Account
+
+This needs to be done manually. Follow these steps:
+
+1. [Sign up for a new AWS account](https://signin.aws.amazon.com/signup?request_type=register). Use a unique email; you won't be able to use it again to create another account.
+
+1. Sign into the new account as the root user and choose your desired home region in the upper right corner of the AWS Console.
+
+1. Visit the IAM Identity Center page and enable IAM Identity Center with AWS Organizations (the default choice).
+
+1. On the **Settings > Identity Source** tab, customize your AWS access portal URL (not required but recommended).
+
+1. On the **Settings > Authentication** tab, enable _Send email OTP for users created from API_ and configure Multi-Factor Authentication.
+
+1. In the IAM console (_not_ IAM Identity Center!) create Policy `Terraform-Init` and paste in the contents of [`Terraform-Init-IAM-Policy.json`](./infrastructure/start/Terraform-Init-IAM-Policy.json). **Ignore any warnings! We'll delete this policy at the end of the bootstrapping process.**
+
+1. In the IAM console new IAM user with `terraform-init` and attach the `Terraform-Init` policy.
+
+1. From the `terraform-init` user page **Security Credentials** tab, create an access key and secret key (choose the _Other_ use case or AWS will hassle you with alternatives). Save these in a secure location.

infrastructure/config.yml

@@ -6,18 +6,23 @@
 app_environments:
   bali:
     aws_account: dev
+    cognito_user_pool_name: api-user-v0-bali
     gha_on_push_branches: preview/**
   dev:
     aws_account: dev
+    cognito_user_pool_name: api-user-v0-dev
     gha_on_push_branches: dev
   prod:
     aws_account: prod
+    cognito_user_pool_name: api-user-v0-prod
     gha_on_push_branches: main
   release:
     aws_account: test
+    cognito_user_pool_name: api-user-v0-release
     gha_on_push_branches: release/**
   seattle:
     aws_account: dev
+    cognito_user_pool_name: api-user-v0-seattle
     gha_on_push_branches: preview/**
 aws_accounts:
   dev:

infrastructure/env/waf_acl/variables.tf → infrastructure/contexts/acct/main.tf

@@ -6,9 +6,11 @@ file at every commit. See the README for more info!
 */
 
 module "globals" {
-  source = "../../globals"
+  source = "../../modules/globals"
 }
 
-variable "service_major_versions" {
-  type = map(number)
+module "role_serverless_delegate" {
+  source    = "../../modules/role_serverless_delegate"
+  role_name = "${module.globals.namespace}-serverless-delegate"
 }
+

infrastructure/acct/providers.tf → infrastructure/contexts/acct/providers.tf

@@ -6,7 +6,7 @@ file at every commit. See the README for more info!
 */
 
 locals {
-  account_id = module.globals.acct_ids[terraform.workspace]
+  account_id = module.globals.aws_accounts[terraform.workspace].id
 }
 
 provider "aws" {

infrastructure/acct/variables.tf → infrastructure/contexts/acct/variables.tf

@@ -4,7 +4,3 @@ This legal notice is added to every supported source code
 file at every commit. See the README for more info!                          
 *************************************************************
 */
-
-module "globals" {
-  source = "../globals"
-}

infrastructure/contexts/env/main.tf

@@ -0,0 +1,21 @@
+/*
+******************* DO NOT EDIT THIS NOTICE *****************
+This legal notice is added to every supported source code
+file at every commit. See the README for more info!                          
+*************************************************************
+*/
+
+module "globals" {
+  source = "../../modules/globals"
+}
+
+module "s3_log_bucket" {
+  source      = "../../modules/s3_log_bucket"
+  bucket_name = "${module.globals.namespace}-log-s3-${terraform.workspace}"
+}
+
+module "waf_acl" {
+  source                 = "../../modules/waf_acl"
+  cognito_user_pool_name = module.globals.app_environments[terraform.workspace].cognito_user_pool_name
+  namespace              = module.globals.namespace
+}

infrastructure/env/providers.tf → infrastructure/contexts/env/providers.tf

@@ -6,7 +6,7 @@ file at every commit. See the README for more info!
 */
 
 locals {
-  account_id = module.globals.acct_ids[var.env_accts[terraform.workspace]]
+  account_id = module.globals.aws_accounts[module.globals.app_environments[terraform.workspace].aws_account].id
 }
 
 provider "aws" {

infrastructure/acct/role_serverless_delegate/variables.tf → infrastructure/contexts/env/variables.tf

@@ -4,7 +4,3 @@ This legal notice is added to every supported source code
 file at every commit. See the README for more info!                          
 *************************************************************
 */
-
-module "globals" {
-  source = "../../globals"
-}

infrastructure/modules/globals/outputs.tf

@@ -0,0 +1,60 @@
+/*
+******************* DO NOT EDIT THIS NOTICE *****************
+This legal notice is added to every supported source code
+file at every commit. See the README for more info!                          
+*************************************************************
+*/
+
+output "namespace" {
+  description = "Organization token prefixed to resource names."
+  value       = "karma"
+}
+
+output "terraform_delegate_role_token" {
+  description = "Combined with namespace to form terraform delegate role name."
+  value       = "terraform-delegate"
+}
+
+output "aws_accounts" {
+  description = "Maps AWS account tokens to account ids."
+  value = {
+    dev = {
+      id = "000000000000"
+    }
+    master = {
+      id = "000000000001"
+    }
+    prod = {
+      id = "000000000002"
+    }
+    test = {
+      id = "000000000003"
+    }
+  }
+}
+
+output "app_environments" {
+  description = "Maps environment tokens to AWS account tokens."
+  value = {
+    bali = {
+      aws_account            = "dev"
+      cognito_user_pool_name = "api-user-v0-bali"
+    }
+    dev = {
+      aws_account            = "dev"
+      cognito_user_pool_name = "api-user-v0-dev"
+    }
+    prod = {
+      aws_account            = "prod"
+      cognito_user_pool_name = "api-user-v0-prod"
+    }
+    release = {
+      aws_account            = "test"
+      cognito_user_pool_name = "api-user-v0-release"
+    }
+    seattle = {
+      aws_account            = "dev"
+      cognito_user_pool_name = "api-user-v0-seattle"
+    }
+  }
+}

infrastructure/acct/role_serverless_delegate/main.tf → infrastructure/modules/role_serverless_delegate/main.tf

@@ -6,15 +6,15 @@ file at every commit. See the README for more info!
 */
 
 data "aws_caller_identity" "current" {}
+
 data "aws_region" "current" {}
 
 locals {
   account_id = data.aws_caller_identity.current.account_id
-  role_name  = "${module.globals.namespace}-serverless-delegate"
 }
 
 resource "aws_iam_role" "serverless_delegate" {
-  name               = local.role_name
+  name               = var.role_name
   assume_role_policy = data.aws_iam_policy_document.assume_role.json
 }
 
@@ -25,7 +25,7 @@ data "aws_iam_policy_document" "assume_role" {
     principals {
       type = "Federated"
       identifiers = [
-        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"
+        "arn:aws:iam::${local.account_id}:oidc-provider/token.actions.githubusercontent.com"
       ]
     }
     condition {

infrastructure/acct/role_serverless_delegate/policy.tf → infrastructure/modules/role_serverless_delegate/policy.tf

@@ -14,7 +14,7 @@ resource "aws_iam_policy" "serverless_delegate" {
   # checkov:skip=CKV_AWS_290:Ensure IAM policies does not allow write access without constraints.
   # checkov:skip=CKV2_AWS_40:Ensure AWS IAM policy does not allow full IAM privileges.
   # checkov:skip=CKV_AWS_355:Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions.
-  name        = "${module.globals.namespace}-serverless-delegate"
+  name        = var.role_name
   description = "Policies required to deploy serverless applications."
   policy      = <<EOF
 {

infrastructure/acct/role_serverless_delegate/policy_oidc.tf → infrastructure/modules/role_serverless_delegate/policy_oidc.tf

@@ -11,7 +11,7 @@ resource "aws_iam_policy" "serverless_delegate_oicd" {
   # checkov:skip=CKV_AWS_290:Ensure IAM policies does not allow write access without constraints.
   # checkov:skip=CKV_AWS_287:Ensure IAM policies does not allow credentials exposure.
   # checkov:skip=CKV_AWS_355:Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions.
-  name        = "${module.globals.namespace}-serverless-delegate-oidc"
+  name        = "${var.role_name}-oidc"
   description = "Policies for Github OICD role"
   policy      = <<EOF
 {

infrastructure/env/s3_log_bucket/variables.tf → infrastructure/modules/role_serverless_delegate/variables.tf

@@ -5,8 +5,7 @@ file at every commit. See the README for more info!
 *************************************************************
 */
 
-module "globals" {
-  source = "../../globals"
+variable "role_name" {
+  description = "Role name"
+  type        = string
 }
-
-

infrastructure/env/s3_log_bucket/main.tf → infrastructure/modules/s3_log_bucket/main.tf

@@ -6,7 +6,7 @@ file at every commit. See the README for more info!
 */
 
 resource "aws_s3_bucket" "s3_access_log" {
-  bucket = "${module.globals.namespace}-log-s3-${terraform.workspace}"
+  bucket = var.bucket_name
   tags = {
     ENV = terraform.workspace
   }
@@ -22,12 +22,10 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "s3_access_log_sse
   }
 }
 
-# This SecureFrame test requires a policy that enforces upload encryption:
-# https://app.secureframe.com/tests/1164d64b-e7bb-4602-b658-77861223d76b/remediation
-#
-# However, there doesn't appear to be any way to force logging.s3.amazonaws.com
-# to deliver encrypted logs. When we put an enforcement policy in place like the 
-# one commented out below, the logs simply don't appear.
+# PCI requires a policy that enforces upload encryption, but there doesn't 
+# appear to be any way to force logging.s3.amazonaws.com to deliver encrypted 
+# logs. When we put an enforcement policy in place like the one commented out 
+# below, the logs simply don't appear.
 resource "aws_s3_bucket_policy" "s3_access_log_policy" {
   bucket = aws_s3_bucket.s3_access_log.bucket
   policy = jsonencode({

infrastructure/acct/main.tf → infrastructure/modules/s3_log_bucket/variables.tf

@@ -5,7 +5,7 @@ file at every commit. See the README for more info!
 *************************************************************
 */
 
-module "role_serverless_delegate" {
-  source = "./role_serverless_delegate"
+variable "bucket_name" {
+  description = "Bucket name"
+  type        = string
 }
-