MrMgr (AWS IAM)

Configures AWS IAM users, groups, OIDC.

Usage

This configuration belongs within the infrastructure as code. The example below keeps the IAM module in iam/main.tf and references the deployer role it creates from each environment's main.tf.

# iam/main.tf

provider "aws" {
  profile = "opszero"
  region  = "us-east-1"
}

terraform {
  backend "s3" {
    bucket  = "opszero-opszero-terraform-tfstate"
    region  = "us-east-1"
    profile = "opszero"
    encrypt = true

    key     = "iam"
  }
}

# local.partition is referenced in the policy ARNs below; derive it from the
# current partition so the same configuration works in aws, aws-us-gov, etc.
data "aws_partition" "current" {}

locals {
  partition = data.aws_partition.current.partition
}

resource "aws_iam_policy" "deployer" {
  name        = "github-deployer-policy"
  description = "Github Deployer"

  policy = <<EOT
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeCluster",
                "eks:ListClusters"
            ],
            "Resource": "*"
        }
    ]
}
EOT
}

module "opszero-eks" {
  source = "github.com/opszero/terraform-aws-mrmgr"

  github = {
    "deployer" = {
      org = "opszero"
      repos = [
        "terraform-aws-mrmgr"
      ]
      policy_arns = [
        aws_iam_policy.deployer.arn
      ]
    }
  }

  groups = {
    "Backend" = {
      policy_arns = [
        aws_iam_policy.deployer.arn,
        "arn:${local.partition}:iam::aws:policy/IAMSelfManageServiceSpecificCredentials",
        "arn:${local.partition}:iam::aws:policy/IAMUserChangePassword",
      ]
      enable_mfa             = false
      enable_self_management = true # Optional
    }
  }

  users = {
    "opszero" = {
      "groups" = [
        "Backend"
      ]
    },
  }
}

# environments/<nameofenv>/main.tf

module "opszero-eks" {
  source = "github.com/opszero/terraform-aws-kubespot"

  ...

  # The role created by the github block above is granted cluster admin here.
  sso_roles = {
    admin_roles = [
      "arn:${local.partition}:iam::1234567789101:role/github-deployer"
    ]
    readonly_roles   = []
    dev_roles        = []
    monitoring_roles = []
  }

  ...
}


Users

Users are created without a login profile. This means the user exists but has no password to log in with. Login profiles and credentials are managed manually via the console (to prevent automated disruption of everyone).

When removing a user, first disable console access.

Users without MFA have no privilege within the system. In order to have access to AWS, users need to attach an MFA device to their account.

List Existing Users

To see which policies are attached to an existing user:

aws --profile <profile> iam list-attached-user-policies --user-name <username> | jq '.AttachedPolicies[].PolicyArn'

Groups

OIDC

The OIDC deployer allows a CI system to access resources within another piece of infrastructure through OpenID Connect: the CI job presents its identity token to AWS STS and assumes an IAM role, so no long-lived AWS access keys are stored in the CI system. Check below for examples of how to do deployments.

Github

Example configuration for deploying to an EKS cluster without the need for AWS Access Keys.

resource "aws_iam_policy" "deployer" {
  name        = "github-deployer-policy"
  description = "Github Deployer"

  policy = <<EOT
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeCluster",
                "eks:ListClusters"
            ],
            "Resource": "*"
        }
    ]
}
EOT
}

module "iam" {
  source = "github.com/opszero/mrmgr//modules/aws"

  github = {
    "deployer" = {
      org = "opszero"
      repos = [
        "mrmgr"
      ]
      policy_arns = [
        aws_iam_policy.deployer.arn
      ]
    }
  }
}

kubespot

module "opszero-eks" {
  source = "github.com/opszero/terraform-aws-kubespot"

  ...

  sso_roles = {
    admin_roles = [
      "arn:${local.partition}:iam::1234567789101:role/github-deployer"
    ]
    readonly_roles = []
    dev_roles = []
    monitoring_roles = []
  }

  ...
}

eksdeploy.yml

---
on:
  push:
    branches:
      - develop
      - master

name: Deploy to Amazon EKS

jobs:
  deploy:
    name: Deploy
    runs-on: ubuntu-latest
    permissions: # Important to add: id-token: write lets the job request an OIDC token.
      contents: read
      id-token: write
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          # This is a workflow file, not Terraform, so the partition is written out literally.
          role-to-assume: arn:aws:iam::1234567789101:role/github-deployer
          aws-region: us-east-1
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1
      - name: Build, tag, and push image to Amazon ECR
        id: build-image
        env:
          ECR_REGISTRY: 1234567789101.dkr.ecr.us-east-1.amazonaws.com
          ECR_REPOSITORY: mrmgr
          IMAGE_TAG: ${{ github.sha }}
        run: |
          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
      - name: Release Develop
        if: ${{ github.ref == 'refs/heads/develop' }}
        env:
          ECR_REGISTRY: 1234567789101.dkr.ecr.us-east-1.amazonaws.com
          ECR_REPOSITORY: mrmgr
          IMAGE_TAG: ${{ github.sha }}
        run: |
          aws eks update-kubeconfig --name mrmgr-develop
          helm upgrade --install mrmgr charts/mrmgr \
            -f ./charts/develop.yaml \
            --set image.repository=$ECR_REGISTRY/$ECR_REPOSITORY \
            --set image.tag=$IMAGE_TAG

Gitlab

Example configuration for deploying to AWS without the need for AWS Access Keys. The pipeline below lists EKS clusters from GitLab CI without using stored AWS credentials; you can attach other policies to this IAM role as needed.

resource "aws_iam_policy" "deployer" {
  name        = "gitlab-deployer-policy"
  description = "GitLab Deployer"

  policy = <<EOT
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeCluster",
                "eks:ListClusters"
            ],
            "Resource": "*"
        }
    ]
}
EOT
}

module "iam" {
  source = "github.com/opszero/mrmgr//modules/aws"

  gitlab = {
    "deployer" = {
      iam_role_name = "gitlab_oidc_role"
      audience      = "https://gitlab.com"
      gitlab_url    = "https://gitlab.com"
      match_field   = "sub"
      match_value = [
        "project_path:opszero/mrmgr:ref_type:branch:ref:main"
      ]
      policy_arns = [
        aws_iam_policy.deployer.arn
      ]
    }
  }
}

.gitlab-ci.yml

variables:
  REGION: us-east-1
  # This is a CI file, not Terraform, so the partition is written out literally.
  # The role name must match iam_role_name in the module block above; AWS_ACCOUNT_ID
  # is a CI/CD variable you define in the project.
  ROLE_ARN: arn:aws:iam::${AWS_ACCOUNT_ID}:role/gitlab_oidc_role

image:
  name: amazon/aws-cli:latest
  entrypoint:
    - '/usr/bin/env'

assume role:
  # Request an ID token whose audience matches the audience configured on the
  # IAM OIDC provider above. (CI_JOB_JWT_V2 was removed in GitLab 17.0; id_tokens
  # is its replacement.)
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: https://gitlab.com
  script:
    - >
      STS=($(aws sts assume-role-with-web-identity
      --role-arn ${ROLE_ARN}
      --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
      --web-identity-token $GITLAB_OIDC_TOKEN
      --duration-seconds 3600
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
      --output text))
    - export AWS_ACCESS_KEY_ID="${STS[0]}"
    - export AWS_SECRET_ACCESS_KEY="${STS[1]}"
    - export AWS_SESSION_TOKEN="${STS[2]}"
    - export AWS_REGION="$REGION"
    - aws sts get-caller-identity
    - aws eks list-clusters
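The Users section states that a user without MFA has no privilege, and the GitHub and GitLab sections pin the deployer role to one repository or one branch through the token's sub claim. Both rest on IAM condition evaluation, and the following added example (not code from terraform-aws-mrmgr, and not the policies the module actually generates, which this page does not show) walks a small deny-overrides evaluator over constructed policy documents and constructed token claims. Assumptions: the condition key names follow AWS's documented GitHub (token.actions.githubusercontent.com:aud/sub) and GitLab (gitlab.com:aud/sub) integrations, the GitHub subject pattern repo:opszero/terraform-aws-mrmgr:* is a placeholder, and the MFA policy follows the usual AWS "deny everything except MFA setup" shape. Resource matching is deliberately left out.

```python
"""Evaluate the IAM conditions behind the MFA gate and the OIDC trust policies.

Added example; not code from terraform-aws-mrmgr. Policy documents and token
claims are constructed samples, not the module's real output.
"""
import re


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _like(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _condition_ok(operator, expected, actual):
    if actual is None:
        # '...IfExists' operators pass on a missing key; plain operators fail.
        return operator.endswith("IfExists")
    base = operator.removesuffix("IfExists")
    values = [str(v) for v in _as_list(expected)]
    actual = str(actual)
    if base == "StringEquals":
        return actual in values
    if base == "StringLike":
        return any(_like(v, actual) for v in values)
    if base == "Bool":
        return actual.lower() == values[0].lower()
    raise ValueError(f"unsupported condition operator: {operator}")


def _statement_applies(stmt, action, context):
    """Action/NotAction and every Condition key must match (Resource is ignored here)."""
    if "NotAction" in stmt:
        if any(_like(p, action) for p in _as_list(stmt["NotAction"])):
            return False
    elif not any(_like(p, action) for p in _as_list(stmt["Action"])):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        for key, expected in keys.items():
            if not _condition_ok(operator, expected, context.get(key)):
                return False
    return True


def evaluate(policies, action, context):
    """Deny-overrides: any applicable Deny wins, otherwise any applicable Allow."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, context):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Sample trust policy for a GitHub OIDC role (condition keys per AWS docs; subject pattern assumed).
GITHUB_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
        "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
        "StringLike": {"token.actions.githubusercontent.com:sub": "repo:opszero/terraform-aws-mrmgr:*"},
    }}]}

# Sample GitLab trust policy: match_field = "sub", pinned to the main branch as in the README.
GITLAB_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
        "gitlab.com:aud": "https://gitlab.com",
        "gitlab.com:sub": "project_path:opszero/mrmgr:ref_type:branch:ref:main",
    }}}]}

# The README's deployer policy, reduced to its ECR statement.
DEPLOYER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ecr:*"], "Resource": "*"}]}

MFA_SETUP_ACTIONS = ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                     "iam:ListMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken"]


def mfa_policy(operator="BoolIfExists"):
    """Deny everything except MFA setup until MFA is present (usual AWS pattern, assumed)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": MFA_SETUP_ACTIONS, "Resource": "*"},
        {"Effect": "Deny", "NotAction": MFA_SETUP_ACTIONS, "Resource": "*",
         "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}},
    ]}


# Constructed token claims as STS would expose them as condition keys.
GITHUB_MAIN = {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
               "token.actions.githubusercontent.com:sub": "repo:opszero/terraform-aws-mrmgr:ref:refs/heads/main"}
GITHUB_FORK = {**GITHUB_MAIN,
               "token.actions.githubusercontent.com:sub": "repo:someone/terraform-aws-mrmgr:ref:refs/heads/main"}
GITLAB_MAIN = {"gitlab.com:aud": "https://gitlab.com",
               "gitlab.com:sub": "project_path:opszero/mrmgr:ref_type:branch:ref:main"}
GITLAB_FEATURE = {**GITLAB_MAIN, "gitlab.com:sub": "project_path:opszero/mrmgr:ref_type:branch:ref:feature"}

if __name__ == "__main__":
    assume = "sts:AssumeRoleWithWebIdentity"
    print("github main   ->", evaluate([GITHUB_TRUST], assume, GITHUB_MAIN))     # True
    print("github fork   ->", evaluate([GITHUB_TRUST], assume, GITHUB_FORK))     # False
    print("gitlab main   ->", evaluate([GITLAB_TRUST], assume, GITLAB_MAIN))     # True
    print("gitlab branch ->", evaluate([GITLAB_TRUST], assume, GITLAB_FEATURE))  # False
    user = [DEPLOYER_POLICY, mfa_policy()]
    print("ecr with mfa  ->", evaluate(user, "ecr:GetAuthorizationToken", {"aws:MultiFactorAuthPresent": "true"}))  # True
    print("ecr, no key   ->", evaluate(user, "ecr:GetAuthorizationToken", {}))  # False
    print("plain Bool    ->", evaluate([DEPLOYER_POLICY, mfa_policy("Bool")], "ecr:GetAuthorizationToken", {}))  # True
```

The last line is the check worth keeping in mind when the module's MFA policy is reviewed: a request made with long-term access keys carries no aws:MultiFactorAuthPresent key at all, so a Deny written with plain Bool never applies to it and the user keeps every permission; BoolIfExists closes that gap. Likewise, widening the GitLab match_value from ref:main to a wildcard would let a token minted for any branch assume the deployer role.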

GitLab CI Outputs

(Screenshot of the "assume role" job output omitted.)

BitBucket

Example configuration for Bitbucket Pipelines, using the deployer policy defined in the sections above.

module "mrmgr" {
  source = "github.com/opszero/terraform-aws-mrmgr"

  bitbucket = {
    "deployer" = {
      # Placeholder subject; fill in the UUIDs of the repository, optional deployment
      # environment and pipeline step that are allowed to assume the role.
      subjects = [
        "{REPOSITORY_UUID}[:{ENVIRONMENT_UUID}]:{STEP_UUID}"
      ]
      # aws_iam_policy exposes the policy document as .policy (there is no .json attribute).
      policy_json = [
        aws_iam_policy.deployer.policy
      ]
    }
  }
}

Providers

| Name | Version |
|------|---------|
| aws  | n/a     |
| tls  | n/a     |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| bitbucket | Terraform object to create IAM OIDC identity provider in AWS to integrate with Bitbucket | map | {} | no |
| github | Terraform object to create IAM OIDC identity provider in AWS to integrate with GitHub Actions | map | {} | no |
| gitlab | Terraform object to create IAM OIDC identity provider in AWS to integrate with GitLab CI | map | {} | no |
| groups | Terraform object to create AWS IAM groups with custom IAM policies | map | {} | no |
| management_account | Is this an AWS management account that has child accounts? | bool | false | no |
| opszero_enabled | Deploy opsZero omyac CloudFormation stack | bool | false | no |
| users | Terraform object to create AWS IAM users | map | {} | no |
| vanta_account_id | Vanta account id | string | "" | no |
| vanta_enabled | n/a | bool | false | no |
| vanta_external_id | Vanta external id | string | "" | no |

Resources

| Name | Type |
|------|------|
| aws_cloudformation_stack.opszero | resource |
| aws_iam_policy.mfa | resource |
| aws_iam_policy.ssh | resource |
| aws_iam_policy.vanta_child | resource |
| aws_iam_policy.vanta_management | resource |
| aws_iam_policy_attachment.ssh | resource |
| aws_iam_role.vanta_auditor | resource |
| aws_iam_role_policy_attachment.vanta_child | resource |
| aws_iam_role_policy_attachment.vanta_management | resource |
| aws_iam_role_policy_attachment.vanta_security_audit | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy.SecurityAudit | data source |
| aws_iam_policy_document.ssh | data source |
| aws_iam_policy_document.vanta_child | data source |
| aws_iam_policy_document.vanta_management | data source |
| aws_partition.current | data source |
| tls_certificate.github | data source |

Outputs

No outputs.

🚀 Built by opsZero!

opsZero: https://opszero.com

Since 2016 opsZero has been providing Kubernetes expertise to companies of all sizes on any cloud. With a focus on AI and compliance, we can say we have seen it all; whether SOC2, HIPAA, PCI-DSS, ITAR, FedRAMP or CMMC, we have you and your customers covered.

We provide support to organizations in the following ways:

We do this with a high-touch support model where you:

Please schedule a call if you need support.
