This project is used to manage IAM permissions for COOL users that are allowed to create and renew COOL certificates.
- Terraform installed on your system.
- An accessible AWS S3 bucket to store Terraform state (specified in backend.tf).
- An accessible AWS DynamoDB database to store the Terraform state lock (specified in backend.tf).
- Access to all of the Terraform remote states specified in remote_states.tf.
- User accounts for all users must have been created previously. We
recommend using the
cisagov/cool-users-non-adminrepository to create users. - Terraform in
cisagov/cool-dns-certbotomust have been applied. - Terraform in
cisagov/cool-dns-cyber.dhs.govmust have been applied.
- Create a Terraform workspace (if you haven't already done so) by running
terraform workspace new <workspace_name> - Create a
<workspace_name>.tfvarsfile with all of the required variables (see Inputs below for details):
users = [
"firstname1.lastname1",
"firstname2.lastname2"
]- Run the command
terraform init. - Run the command
terraform apply -var-file=<workspace_name>.tfvars.
| Name | Version |
|---|---|
| terraform | ~> 1.1 |
| aws | ~> 4.9 |
| Name | Version |
|---|---|
| aws | ~> 4.9 |
| aws.users | ~> 4.9 |
| terraform | n/a |
No modules.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| assume_dns_certificatesbucketfullaccess_policy_description | The description to associate with the IAM policy that allows assumption of the role that allows full access to the certificates bucket in the DNS account. | string |
"The IAM policy that allows assumption of the role that allows full access to the certificates bucket in the DNS account." |
no |
| assume_dns_certificatesbucketfullaccess_policy_name | The name to assign the IAM policy that allows assumption of the role that allows full access to the certificates bucket in the DNS account. | string |
"DNS-AssumeCertificatesBucketFullAccess" |
no |
| assume_dns_route53resourcechange_cyber_dhs_gov_policy_description | The description to associate with the IAM policy that allows assumption of the role that allows sufficient permissions to modify resource records in the cyber.dhs.gov zone in the DNS account. | string |
"The IAM policy that allows assumption of the role that allows sufficient permissions to modify resource records in the cyber.dhs.gov zone in the DNS account." |
no |
| assume_dns_route53resourcechange_cyber_dhs_gov_policy_name | The name to assign the IAM policy that allows assumption of the role that allows sufficient permissions to modify resource records in the cyber.dhs.gov zone in the DNS account. | string |
"DNS-AssumeRoute53ResourceChange-cyber.dhs.gov" |
no |
| aws_region | The AWS region to deploy into (e.g. us-east-1). | string |
"us-east-1" |
no |
| certificate_managers_group_name | The name of the group to be created for certificate manager users. | string |
"certificate_managers" |
no |
| tags | Tags to apply to all AWS resources created. | map(string) |
{} |
no |
| users | A list containing the usernames of each user that is allowed to manage certificates. Example: [ "firstname1.lastname1", "firstname2.lastname2" ]. | list(string) |
n/a | yes |
No outputs.
Running pre-commit requires running terraform init in every directory that
contains Terraform code. In this repository, this is just the main directory.
We welcome contributions! Please see CONTRIBUTING.md for
details.
This project is in the worldwide public domain.
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.