Terraform code to create the necessary resources to work with cisagov/certboto-docker in the DNS account.

License

Notifications You must be signed in to change notification settings

cisagov/cool-dns-certboto

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

cool-dns-certboto

Terraform code to create the S3 bucket that stores cisagov/certboto-docker SSL certificates in the COOL DNS account, together with the IAM roles and policies that control provisioning of and access to that bucket.

Pre-requisites

  • Terraform installed on your system.
  • An accessible AWS S3 bucket to store Terraform state (specified in backend.tf).
  • An accessible AWS DynamoDB database to store the Terraform state lock (specified in backend.tf).
  • Access to all of the Terraform remote states specified in remote_states.tf.

Requirements

  • terraform: ~> 1.1
  • aws: ~> 4.9

Providers

  • aws: ~> 4.9
  • aws.dnsprovisionaccount: ~> 4.9
  • aws.organizationsreadonly: ~> 4.9
  • terraform: n/a

Modules

No modules.

Resources

  • aws_iam_policy.certificatesbucketfullaccess_policy (resource)
  • aws_iam_policy.certificatesbucketreadonly_policy (resource)
  • aws_iam_policy.provisioncertificatereadroles_policy (resource)
  • aws_iam_policy.provisioncertificatesbucket_policy (resource)
  • aws_iam_role.certificatesbucketfullaccess_role (resource)
  • aws_iam_role.certificatesbucketreadonly_role (resource)
  • aws_iam_role.provisioncertificatereadroles_role (resource)
  • aws_iam_role_policy_attachment.certificatesbucketfullaccess_policy_attachment (resource)
  • aws_iam_role_policy_attachment.certificatesbucketreadonly_policy_attachment (resource)
  • aws_iam_role_policy_attachment.provisioncertificatereadroles_policy_attachment (resource)
  • aws_iam_role_policy_attachment.provisioncertificatesbucket_policy_attachment (resource)
  • aws_s3_bucket.certificates (resource)
  • aws_s3_bucket_public_access_block.certificates (resource)
  • aws_caller_identity.current (data source)
  • aws_iam_policy_document.assume_role_doc (data source)
  • aws_iam_policy_document.certificatesbucketfullaccess_doc (data source)
  • aws_iam_policy_document.certificatesbucketreadonly_doc (data source)
  • aws_iam_policy_document.provisioncertificatereadroles_doc (data source)
  • aws_iam_policy_document.provisioncertificatesbucket_doc (data source)
  • aws_organizations_organization.cool (data source)
  • terraform_remote_state.dns (data source)
  • terraform_remote_state.master (data source)

Inputs

Each input is listed as: name (type, default, required or optional): description.

  • aws_region (string, default "us-east-1", optional): The AWS region where the non-global resources are to be provisioned (e.g. "us-east-1").
  • certificates_bucket_name (string, no default, required): The name to use for the S3 bucket that will store the certboto-docker certificates.
  • certificatesbucketfullaccess_role_description (string, default "Allows full access to the S3 bucket where certboto-docker certificates are stored.", optional): The description to associate with the IAM role (as well as the corresponding policy) that allows full access to the S3 bucket where certboto-docker certificates are stored.
  • certificatesbucketfullaccess_role_name (string, default "CertificatesBucketFullAccess", optional): The name to assign the IAM role (as well as the corresponding policy) that allows full access to the S3 bucket where certboto-docker certificates are stored.
  • certificatesbucketreadonly_role_description (string, default "Allows read-only access to the S3 bucket where certboto-docker certificates are stored.", optional): The description to associate with the IAM role (as well as the corresponding policy) that allows read-only access to the S3 bucket where certboto-docker certificates are stored.
  • certificatesbucketreadonly_role_name (string, default "CertificatesBucketReadOnly", optional): The name to assign the IAM role (as well as the corresponding policy) that allows read-only access to the S3 bucket where certboto-docker certificates are stored.
  • provisionaccount_role_name (string, default "ProvisionAccount", optional): The name of the IAM role that allows sufficient permissions to provision all AWS resources in the DNS account.
  • provisioncertificatereadroles_role_description (string, default "Allows provisioning of IAM roles that can read selected certificates in the certificates bucket in the DNS account.", optional): The description to associate with the IAM role (as well as the corresponding policy) with the ability to create IAM roles that can read selected certificates in the certificates bucket in the DNS account.
  • provisioncertificatereadroles_role_name (string, default "ProvisionCertificateReadRoles", optional): The name to assign the IAM role (as well as the corresponding policy) with the ability to provision IAM roles that can read selected certificates in the certificates bucket in the DNS account.
  • provisioncertificatesbucket_policy_description (string, default "Allows provisioning of the S3 bucket where certboto-docker certificates are stored.", optional): The description to associate with the IAM policy that allows provisioning of the S3 bucket where certboto-docker certificates are stored.
  • provisioncertificatesbucket_policy_name (string, default "ProvisionCertificatesBucket", optional): The name to assign the IAM policy that allows provisioning of the S3 bucket where certboto-docker certificates are stored.
  • tags (map(string), default {}, optional): Tags to apply to all AWS resources created.

Outputs

  • certificates_bucket: The S3 bucket where certboto-docker certificates will be stored.
  • certificatesbucketfullaccess_role: The IAM role that allows full access to the certboto-docker certificates bucket in the DNS account.
  • certificatesbucketreadonly_role: The IAM role that allows read-only access to the certboto-docker certificates bucket in the DNS account.
  • provisioncertificatereadroles_role: The IAM role with the ability to provision IAM roles that can read selected certificates in the certificates bucket in the DNS account.
  • provisioncertificatesbucket_policy: The IAM policy that allows provisioning of the certboto-docker certificates bucket in the DNS account.
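As an added illustration (not this repository's own code) of how the resources and inputs listed above fit together, the fragment below wires the certificates bucket, its public access block and the read-only role using the README's resource and variable names; the S3 actions granted and the principal trusted to assume the role are assumptions, since the README does not state them.

```hcl
resource "aws_s3_bucket" "certificates" {
  bucket = var.certificates_bucket_name
  tags   = var.tags
}

# Certificates and keys must never be world-readable: close every public-access path.
resource "aws_s3_bucket_public_access_block" "certificates" {
  bucket                  = aws_s3_bucket.certificates.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Read-only policy: list the bucket and fetch objects, nothing else (actions are assumed).
data "aws_iam_policy_document" "certificatesbucketreadonly_doc" {
  statement {
    effect    = "Allow"
    actions   = ["s3:ListBucket", "s3:GetObject"]
    resources = [aws_s3_bucket.certificates.arn, "${aws_s3_bucket.certificates.arn}/*"]
  }
}
resource "aws_iam_policy" "certificatesbucketreadonly_policy" {
  name        = var.certificatesbucketreadonly_role_name
  description = var.certificatesbucketreadonly_role_description
  policy      = data.aws_iam_policy_document.certificatesbucketreadonly_doc.json
}

# Trust policy; the trusted principal is a placeholder because the README does not state it.
data "aws_iam_policy_document" "assume_role_doc" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::TRUSTED_ACCOUNT_ID_PLACEHOLDER:root"]
    }
  }
}

resource "aws_iam_role" "certificatesbucketreadonly_role" {
  name               = var.certificatesbucketreadonly_role_name
  description        = var.certificatesbucketreadonly_role_description
  assume_role_policy = data.aws_iam_policy_document.assume_role_doc.json
  tags               = var.tags
}
resource "aws_iam_role_policy_attachment" "certificatesbucketreadonly_policy_attachment" {
  role       = aws_iam_role.certificatesbucketreadonly_role.name
  policy_arn = aws_iam_policy.certificatesbucketreadonly_policy.arn
}
```

The full-access role follows the same bucket, policy document, policy, role and attachment pattern with a broader action set; the public access block is what keeps a misconfigured bucket policy or ACL from ever exposing the stored certificates.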

Notes

Running pre-commit requires running terraform init in every directory that contains Terraform code. In this repository, this is only the main directory.

Contributing

We welcome contributions! Please see CONTRIBUTING.md for details.

License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.
