Add infrastructure for AWS Activate account

.tool-versions

@@ -1 +1 @@
-terraform 1.5.4
+terraform 1.5.6

infrastructure/somleng/aws_activate_1/bootstrap/iam_roles.tf

@@ -0,0 +1,33 @@
+resource "aws_iam_role" "administrator" {
+  name = "administrator"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": [
+          "${aws_iam_user.samnang.arn}",
+          "${aws_iam_user.dwilkie.arn}"
+        ]
+      },
+      "Action": "sts:AssumeRole",
+      "Condition": {
+        "Bool": {
+          "aws:MultiFactorAuthPresent": "true"
+        }
+      }
+    }
+  ]
+}
+EOF
+
+}
+
+resource "aws_iam_role_policy_attachment" "administrator" {
+  role       = aws_iam_role.administrator.name
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+

infrastructure/somleng/aws_activate_1/bootstrap/iam_users.tf

@@ -0,0 +1,33 @@
+resource "aws_iam_user" "samnang" {
+  name = "samnang"
+}
+
+resource "aws_iam_user" "dwilkie" {
+  name = "dwilkie"
+}
+
+resource "aws_iam_group" "readonly_admin" {
+  name = "readonly-admin"
+}
+
+resource "aws_iam_group_policy_attachment" "readonly_admin" {
+  group      = aws_iam_group.readonly_admin.name
+  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+}
+
+resource "aws_iam_user_group_membership" "samnang" {
+  user = aws_iam_user.samnang.name
+
+  groups = [
+    aws_iam_group.readonly_admin.name,
+  ]
+}
+
+resource "aws_iam_user_group_membership" "dwilkie" {
+  user = aws_iam_user.dwilkie.name
+
+  groups = [
+    aws_iam_group.readonly_admin.name,
+  ]
+}
+

infrastructure/somleng/aws_activate_1/bootstrap/outputs.tf

@@ -0,0 +1,12 @@
+output "samnang_user_arn" {
+  value = aws_iam_user.samnang.arn
+}
+
+output "dwilkie_user_arn" {
+  value = aws_iam_user.dwilkie.arn
+}
+
+output "infrastructure_bucket" {
+  value = aws_s3_bucket.infrastructure.id
+}
+

infrastructure/somleng/aws_activate_1/bootstrap/password_policy.tf

@@ -0,0 +1,10 @@
+resource "aws_iam_account_password_policy" "this" {
+  minimum_password_length        = 16
+  require_lowercase_characters   = true
+  require_numbers                = true
+  require_uppercase_characters   = true
+  require_symbols                = true
+  allow_users_to_change_password = true
+  password_reuse_prevention      = 10
+  max_password_age               = 90
+}

infrastructure/somleng/aws_activate_1/bootstrap/s3.tf

@@ -0,0 +1,25 @@
+resource "aws_s3_bucket" "infrastructure" {
+  bucket = "infrastructure.aws-activate-1.somleng.org"
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "infrastructure" {
+  bucket = aws_s3_bucket.infrastructure.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "aws:kms"
+    }
+  }
+}
+
+resource "aws_s3_bucket_versioning" "infrastructure" {
+  bucket = aws_s3_bucket.infrastructure.id
+
+  versioning_configuration {
+    status = "Enabled"
+  }
+}

infrastructure/somleng/aws_activate_1/bootstrap/terraform.tf

@@ -0,0 +1,14 @@
+terraform {
+  backend "s3" {
+    bucket  = "infrastructure.aws-activate-1.somleng.org"
+    key     = "bootstrap.tfstate"
+    encrypt = true
+    region  = "ap-southeast-1"
+  }
+
+  required_version = ">= 0.12"
+}
+
+provider "aws" {
+  region = var.aws_region
+}

infrastructure/somleng/aws_activate_1/bootstrap/variables.tf

@@ -0,0 +1,4 @@
+variable "aws_region" {
+  default = "ap-southeast-1"
+}
+

infrastructure/somleng/aws_activate_1/bootstrap/versions.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+  }
+  required_version = ">= 0.13"
+}