Terraform initialization of the AWS Organizations root (management) account, prepared for federating multiple accounts through OneLogin
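variable "aws_default_region" {
  description = "Default region for the AWS provider."
  default     = "eu-west-1"
}

// Managed policies attached to the SAML-federated roles. AdministratorAccess is
// full control; PowerUserAccess is broad access minus most IAM management (per
// AWS's own policy description); job-function/Billing is scoped to billing.
// Changing one of these ARNs changes what every federated user in that role
// can do, so review the new policy before applying.
variable "administrator_default_arn" {
  description = "Managed policy attached to the Administrator role."
  default     = "arn:aws:iam::aws:policy/AdministratorAccess"
}

variable "developer_default_arn" {
  description = "Managed policy attached to the Developer role."
  default     = "arn:aws:iam::aws:policy/PowerUserAccess"
}

variable "billing_default_arn" {
  description = "Managed policy attached to the Billing role."
  default     = "arn:aws:iam::aws:policy/job-function/Billing"
}

// OneLogin's own AWS account ID and the sts:ExternalId it must present when
// assuming the OneLogin role defined further down. Both defaults are
// placeholders. Applying without overriding them (e.g. from a git-ignored
// terraform.tfvars) leaves the trust policy either rejected by AWS (invalid
// principal ARN) or carrying a publicly known ExternalId. Treat the ExternalId
// as confidential even though AWS does not classify it as a secret.
variable "onelogin_account_id" {
  description = "AWS account ID of the OneLogin service (placeholder; must be overridden)."
  default     = "ONELOGIN_ACCOUNTID"
}

variable "onelogin_external_id" {
  description = "sts:ExternalId OneLogin presents when assuming the OneLogin role (placeholder; must be overridden)."
  default     = "ONELOGIN_EXTERNALID"
}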
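// Configure AWS provider
// Account ID of the account being bootstrapped. It is used as a guardrail on
// the provider below so a mis-configured profile cannot apply this state to a
// different account.
variable "acme" {
  description = "AWS account ID this configuration may manage (placeholder; must be overridden)."
  default     = "ACCOUNTID"
}

// Aliased so additional accounts can be added alongside with their own
// provider block.
// NOTE(review): "./credentials" is a shared-credentials file sitting next to
// the code. Keep it out of version control (.gitignore) or, better, have the
// "acme" profile use credential_process / SSO instead of long-lived keys.
provider "aws" {
  alias                   = "acme"
  profile                 = "acme"
  region                  = "${var.aws_default_region}"
  shared_credentials_file = "./credentials"

  // Refuses to plan/apply if the resolved credentials belong to any other
  // account than the one named above.
  allowed_account_ids = ["${var.acme}"]
}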
// Set human readable alias for the account
// This alias is what OneLogin reads through iam:ListAccountAliases (granted
// further down) to label the account in its role picker.
resource "aws_iam_account_alias" "acme" {
  provider      = "aws.acme"
  account_alias = "acme"
}
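// Add OneLogin as SAML IdP
// The metadata document typically carries the IdP signing certificate; when
// OneLogin rotates it, saml-metadata/acme.xml must be refreshed and
// re-applied or federated sign-in stops working. Every federated role below
// trusts this provider and only this provider.
resource "aws_iam_saml_provider" "acme_onelogin" {
  provider               = "aws.acme"
  name                   = "OneLogin"
  saml_metadata_document = "${file("saml-metadata/acme.xml")}"
}

// Needed on the OneLogin side when configuring the AWS application.
output "acme_saml_provider_arn" {
  description = "ARN of the OneLogin SAML identity provider in the acme account."
  value       = "${aws_iam_saml_provider.acme_onelogin.arn}"
}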
// Trust policy shared by every SAML-federated role below. Only assertions
// issued by the OneLogin provider and addressed to the AWS sign-in endpoint
// (SAML:aud) are accepted. Because the identical document is reused for
// Administrator, Developer and Billing, AWS does not distinguish between the
// three: which role a given user may take is decided entirely by OneLogin's
// role mapping, so that mapping is the real access-control boundary here.
data "aws_iam_policy_document" "acme_onelogin_assume" {
  provider = "aws.acme"

  statement {
    sid     = "OneLogin"
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithSAML"]

    principals {
      type        = "Federated"
      identifiers = ["${aws_iam_saml_provider.acme_onelogin.arn}"]
    }

    // Rejects assertions minted for a different service provider.
    condition {
      test     = "StringEquals"
      variable = "SAML:aud"
      values   = ["https://signin.aws.amazon.com/saml"]
    }
  }
}
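// Create roles to be assumed via OneLogin
// Full administrative access. Who may assume it is governed solely by
// OneLogin's role mapping (see the shared trust policy). max_session_duration
// is not set, so sessions are limited to the AWS default (1 hour at time of
// writing).
resource "aws_iam_role" "acme_administrator" {
  provider           = "aws.acme"
  name               = "Administrator"
  description        = "Full administrative access, assumed via OneLogin SAML federation."
  assume_role_policy = "${data.aws_iam_policy_document.acme_onelogin_assume.json}"
}

resource "aws_iam_role_policy_attachment" "acme_administrator" {
  provider   = "aws.acme"
  role       = "${aws_iam_role.acme_administrator.name}"
  policy_arn = "${var.administrator_default_arn}"
}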
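// Developer access via the PowerUserAccess managed policy.
// NOTE(review): PowerUserAccess is still very broad (it excludes IAM
// management, not data or STS access — verify against the current policy
// text). If this file really targets the Organizations management account,
// consider not offering day-to-day roles like this one there at all and
// federating developers into member accounts instead.
resource "aws_iam_role" "acme_developer" {
  provider           = "aws.acme"
  name               = "Developer"
  description        = "Developer (PowerUser) access, assumed via OneLogin SAML federation."
  assume_role_policy = "${data.aws_iam_policy_document.acme_onelogin_assume.json}"
}

resource "aws_iam_role_policy_attachment" "acme_developer" {
  provider   = "aws.acme"
  role       = "${aws_iam_role.acme_developer.name}"
  policy_arn = "${var.developer_default_arn}"
}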
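// Billing access via the job-function/Billing managed policy. Note that IAM
// user/role access to billing data also has to be enabled once in the account
// settings (console) before this policy has any effect.
resource "aws_iam_role" "acme_billing" {
  provider           = "aws.acme"
  name               = "Billing"
  description        = "Billing and cost-management access, assumed via OneLogin SAML federation."
  assume_role_policy = "${data.aws_iam_policy_document.acme_onelogin_assume.json}"
}

resource "aws_iam_role_policy_attachment" "acme_billing" {
  provider   = "aws.acme"
  role       = "${aws_iam_role.acme_billing.name}"
  policy_arn = "${var.billing_default_arn}"
}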
// Create OneLogin external access
// Read-only permissions OneLogin needs to enumerate the account alias and the
// roles a user can choose from. Neither List* action supports resource-level
// restriction, so "*" is the only valid resource; nothing beyond these two
// read calls is granted, in particular no sts:* or write permission.
data "aws_iam_policy_document" "acme_onelogin_external" {
  provider = "aws.acme"

  statement {
    sid    = "OneLogin"
    effect = "Allow"

    actions = [
      "iam:ListAccountAliases",
      "iam:ListRoles",
    ]

    resources = ["*"]
  }
}

resource "aws_iam_policy" "acme_onelogin_external" {
  provider    = "aws.acme"
  name        = "OneLoginExternalRole"
  description = "External role policy to enable OneLogin's AWS Account to pull Account Aliases and Roles."
  policy      = "${data.aws_iam_policy_document.acme_onelogin_external.json}"
}
// Trust policy for the OneLogin role. The principal is the root of OneLogin's
// AWS account, i.e. whichever identities in that account OneLogin chooses to
// delegate to, and it may assume the role only when presenting the agreed
// sts:ExternalId. The ExternalId is the confused-deputy defence: without it,
// any other OneLogin customer who could make OneLogin assume a role on their
// behalf could point it at this account's role by ARN alone.
data "aws_iam_policy_document" "acme_onelogin_external_assume" {
  provider = "aws.acme"

  statement {
    sid     = "OneLogin"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.onelogin_account_id}:root"]
    }

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = ["${var.onelogin_external_id}"]
    }
  }
}
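// Role OneLogin assumes cross-account to list aliases and roles. Its ARN and
// the ExternalId are what get entered in the OneLogin AWS connector; the role
// carries only the read-only policy above.
resource "aws_iam_role" "acme_onelogin_external" {
  provider           = "aws.acme"
  name               = "OneLogin"
  description        = "Cross-account role for OneLogin to list account aliases and roles (read-only)."
  assume_role_policy = "${data.aws_iam_policy_document.acme_onelogin_external_assume.json}"
}

resource "aws_iam_role_policy_attachment" "acme_onelogin_external" {
  provider   = "aws.acme"
  role       = "${aws_iam_role.acme_onelogin_external.name}"
  policy_arn = "${aws_iam_policy.acme_onelogin_external.arn}"
}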