Initial Commit (#1)

* Initial Commit

* Initial Commit

.github/workflows/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,7 @@
+### Checklist for raising a PR
+- [ ] Is this submodule added to the [AWS README](https://github.com/cldcvr/cldcvr-xa/blob/main/aws/README.md)?
+- [ ] Is this added to the [AWS REPO](https://github.com/cldcvr/cldcvr-xa/blob/main/aws/) as a submodule? [Tutorial](https://git-scm.com/book/en/v2/Git-Tools-Submodules)
+- [ ] Does this terraform module have an `example` directory?
+- [ ] Does this terraform module contain an example code inside `example` directory?
+- [ ] Does this terraform module README has table of terraform code details? Check out `terraform-docs`.
+- [ ] Does this PR has a tag or release associated with it?

.github/workflows/workflows.yaml

@@ -0,0 +1,38 @@
+name: Github Workflow Checks
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  workflow_call:
+permissions: write-all
+jobs:
+  terraform:
+    name: TF Linting Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 1
+      - name: Setup Terraform
+        uses: hashicorp/[email protected]
+      - name: Setup Nodejs
+        uses: actions/setup-node@v1
+      - name: Run `terraform fmt`
+        id: fmt
+        run: terraform fmt -diff -check -no-color -recursive
+
+  trufflehog-scan:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Installing trufflehog
+      run: |
+        curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
+    - name: Run Trufflehog
+      run: |
+        trufflehog git file://. --since-commit HEAD --only-verified --fail
+        

.gitignore

@@ -1,5 +1,5 @@
 # Local .terraform directories
-**/.terraform/*
+**/.terraform*
 
 # .tfstate files
 *.tfstate

0-bootstrap/README.md

@@ -0,0 +1,77 @@
+# 0-bootstrap 
+
+## Prerequisites
+This step even though contains the very inauguration of the Landing Zone still has some prerequisites viz.
+It expects that AWS Organization is already set up along with optional SSO integration as a best practice going forward.
+It expects that whoever will run the 0-bootstrap step has admin access to the management account.
+It expects we have all the configuration parameters inside the file lzconfig.yaml. This is the most important file in the GitHub repository which contains all of the configuration parameters related to AWS LZ.
+
+## Overview Details
+To achieve the expected end result with terraform, we will make use of a bash script which will expect that we use the Organization Admin Role from the management account; or any role that basically has the authority to create Organizational Units and Accounts on AWS.
+
+Authenticate the shell with AWS IAM credentials belonging to the administrator user of the management account and trigger the script 0-bootstrap/bootstrap.sh
+
+The script will do terraform apply in 0-bootstrap/tf-prerequisites directory first which will create an S3 bucket and DynamoDB table which will be used by Terraform to store the state and state locking mechanism respectively in management account.
+
+Afterwards, 0-bootstrap/bootstrap directory will get triggered which will create and Organization Unit as well as AWS Account called LZ CICD. This newly created account will hold our CICD automation stack.
+
+
+## Requirements
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.45.0 |
+| <a name="requirement_awsutils"></a> [awsutils](#requirement\_awsutils) | >= 0.1.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.21.0 |
+
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_s3-state"></a> [s3-state](#module\_s3-state) | ../../terraform/modules/s3-bucket | n/a |
+| <a name="module_setup_cicd_account"></a> [setup\_cicd\_account](#module\_setup\_cicd\_account) | ./modules/cicd | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_role.ci-cd-master-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.ci-cd-master-role-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_organizations_account.bootstrap](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_account) | resource |
+| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_organization) | resource |
+| [aws_organizations_organizational_unit.bootstrap](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_organizational_unit) | resource |
+| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
+| [terraform_remote_state.remote](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source |
+| [aws_appautoscaling_policy.dynamodb_table_read_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_policy) | resource |
+| [aws_appautoscaling_policy.dynamodb_table_write_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_policy) | resource |
+| [aws_appautoscaling_target.dynamodb_table_read_target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_target) | resource |
+| [aws_appautoscaling_target.dynamodb_table_write_target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_target) | resource |
+| [aws_dynamodb_table.dynamodb-terraform-state-lock](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |
+| [aws_iam_policy_document.lz_state_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_lz-cicd-scp"></a> [lz-cicd-scp](#input\_lz-cicd-scp) | n/a | `list` | `[]` | no |
+| <a name="input_scp"></a> [scp](#input\_scp) | list of policies which you want to create | <pre>list(object({<br>    name        = string<br>    policy_file = string<br>  }))</pre> | `[]` | no |
+| <a name="input_code_pipeline_build_stages"></a> [code\_pipeline\_build\_stages](#input\_code\_pipeline\_build\_stages) | maps of build type stages configured in CodePipeline | `map` | <pre>{<br>  "regula": "regula-spec.yaml",<br>  "tf-base": "terraform-spec.yaml"<br>}</pre> | no |
+| <a name="input_custom_tags"></a> [custom\_tags](#input\_custom\_tags) | Resources tags | <pre>object({<br>    Environment    = string<br>    TargetAccounts = string<br>    DeploymentType = string<br>  })</pre> | <pre>{<br>  "DeploymentType": "Terraform",<br>  "Environment": "Deployment",<br>  "TargetAccounts": "Demo"<br>}</pre> | no |
+| <a name="input_git_repository_name"></a> [git\_repository\_name](#input\_git\_repository\_name) | Name of the remote git repository to be created | `string` | `"aws-landing-zone"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_accounts_id_map"></a> [accounts\_id\_map](#output\_accounts\_id\_map) | LZCICD AWS account id |
+| <a name="output_codebuild_name"></a> [codebuild\_name](#output\_codebuild\_name) | Codebuild Project's name |
+| <a name="output_codebuild_s3bucket"></a> [codebuild\_s3bucket](#output\_codebuild\_s3bucket) | Name of the  Codebuild bucket |
+| <a name="output_codepipeline_name"></a> [codepipeline\_name](#output\_codepipeline\_name) | The name of the pipeline. |
+| <a name="output_codepipeline_s3bucket"></a> [codepipeline\_s3bucket](#output\_codepipeline\_s3bucket) | Name of the Codepipeline bucket |

0-bootstrap/bootstrap.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# Create S3 bucket and dynamodb table in master account for terraform
+terraform -chdir=tf-prerequisites init
+terraform -chdir=tf-prerequisites apply --auto-approve
+
+# Apply terraform to the bootstap directory and fetch Account Id of newly created account in a variable
+terraform -chdir=bootstrap init -backend-config=backend.conf
+ORG_ID=$(aws organizations describe-organization | jq .Organization.Id)
+terraform -chdir=bootstrap import aws_organizations_organization.org $ORG_ID 
+terraform -chdir=bootstrap apply --auto-approve
+
+# Assume role inside newly created account and apply terraform to create CICD stack
+terraform -chdir=cicd init -backend-config=backend.conf
+terraform -chdir=cicd apply --auto-approve

0-bootstrap/bootstrap/backend.conf

@@ -0,0 +1 @@
+../../global-lz-state-backend.conf

0-bootstrap/bootstrap/data.tf

@@ -0,0 +1 @@
+data "aws_organizations_organization" "org" {}

0-bootstrap/bootstrap/iam.tf

@@ -0,0 +1,28 @@
+resource "aws_iam_role" "ci-cd-master-role" {
+  name = "ci-cd-master-Role"
+
+  depends_on = [
+    aws_organizations_account.bootstrap
+  ]
+  assume_role_policy = <<-EOF
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Sid": "Statement1",
+			"Effect": "Allow",
+			"Principal": {
+				"AWS": "arn:aws:iam::${aws_organizations_account.bootstrap.id}:root"
+			},
+			"Action": "sts:AssumeRole"
+		}
+	]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "ci-cd-master-role-policy" {
+  role       = aws_iam_role.ci-cd-master-role.name
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+

0-bootstrap/bootstrap/locals.tf

@@ -0,0 +1,3 @@
+locals {
+  lz_config = yamldecode(file("../../lzconfig.yaml"))
+}

0-bootstrap/bootstrap/main.tf

@@ -0,0 +1,11 @@
+resource "aws_organizations_organizational_unit" "bootstrap" {
+  name      = local.lz_config.bootstrap.bootstrap_ou_name
+  parent_id = data.aws_organizations_organization.org.roots.0.id
+}
+
+resource "aws_organizations_account" "bootstrap" {
+  name      = local.lz_config.bootstrap.bootstrap_account_name
+  parent_id = aws_organizations_organizational_unit.bootstrap.id
+  role_name = "OrganizationAccountAccessRole"
+  email     = local.lz_config.bootstrap.bootstrap_account_email
+}

0-bootstrap/bootstrap/org.tf

@@ -0,0 +1,7 @@
+resource "aws_organizations_organization" "org" {
+  feature_set = "ALL"
+  aws_service_access_principals = ["sso.amazonaws.com", "config.amazonaws.com", "malware-protection.guardduty.amazonaws.com",
+    "guardduty.amazonaws.com", "config-multiaccountsetup.amazonaws.com", "fms.amazonaws.com",
+  "cloudtrail.amazonaws.com", "detective.amazonaws.com", "ram.amazonaws.com", "securityhub.amazonaws.com", "macie.amazonaws.com", ]
+  enabled_policy_types = ["SERVICE_CONTROL_POLICY"]
+}

0-bootstrap/bootstrap/outputs.tf

@@ -0,0 +1,11 @@
+output "accounts_id_map" {
+  description = "LZCICD AWS account id"
+  value = {
+    "lz_ci_cd" = aws_organizations_account.bootstrap.id
+  }
+}
+
+output "ci_cd_master_role_arn" {
+  description = "CI_CD Master Role ARN"
+  value       = aws_iam_role.ci-cd-master-role.arn
+}

0-bootstrap/bootstrap/provider.tf

@@ -0,0 +1,3 @@
+provider "aws" {
+  region = local.lz_config.global.home_region
+}

0-bootstrap/bootstrap/variables.tf

@@ -0,0 +1,13 @@
+variable "lz-cicd-scp" {
+  default     = []
+  description = "LZCICD account scp policies"
+}
+
+variable "scp" {
+  type = list(object({
+    name        = string
+    policy_file = string
+  }))
+  default     = []
+  description = "list of policies which you want to create"
+}

0-bootstrap/bootstrap/versions.tf

@@ -0,0 +1,12 @@
+terraform {
+  required_version = ">= 1.3.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.45.0"
+    }
+  }
+  backend "s3" {
+    key = "0-bootstrap/lz-ci-cd-bootstrap/terraform.tfstate"
+  }
+}

0-bootstrap/cicd/backend.conf

@@ -0,0 +1 @@
+../../global-lz-state-backend.conf

0-bootstrap/cicd/data.tf

@@ -0,0 +1,10 @@
+data "aws_organizations_organization" "org" {}
+
+data "terraform_remote_state" "remote" {
+  backend = "s3"
+  config = {
+    bucket = local.lz_config.global.lz_state_bucket
+    key    = "0-bootstrap/lz-ci-cd-bootstrap/terraform.tfstate"
+    region = local.lz_config.global.home_region
+  }
+}

0-bootstrap/cicd/local.tf

@@ -0,0 +1,4 @@
+locals {
+  lz_config             = yamldecode(file("../../lzconfig.yaml"))
+  master_role_to_assume = ["arn:aws:iam::${data.aws_organizations_organization.org.master_account_id}:role/ci-cd-master-Role"]
+}

0-bootstrap/cicd/main.tf

@@ -0,0 +1,17 @@
+module "setup_cicd_account" {
+  source = "./modules/cicd"
+  providers = {
+    aws = aws.lzcicd
+  }
+  custom_tags                     = var.custom_tags
+  account_type                    = "LandingZoneCICD"
+  pipeline_deployment_bucket_name = "${var.git_repository_name}-bootstrap"
+  region                          = local.lz_config.global.home_region
+  roles                           = local.master_role_to_assume
+  code_pipeline_build_stages      = var.code_pipeline_build_stages
+  git_repository_name             = var.git_repository_name
+  git_repo_id                     = local.lz_config.bootstrap.cicd.git_repo_id
+  git_branch                      = local.lz_config.bootstrap.cicd.git_branch
+  s3-bucket-prefix                = local.lz_config.bootstrap.cicd.s3_bucket_prefix
+  ci-cd-master-role               = data.terraform_remote_state.remote.outputs.ci_cd_master_role_arn
+}