Feature/4/self managed ssh keys (#5)
* Support self-managed SSH keys plus file cleanup
* CHANGELOG.md bump
jufemaiz authored Aug 2, 2019
1 parent 62aefdf commit cac085d
Showing 13 changed files with 89 additions and 73 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,9 @@
# CHANGELOG

## v0.0.3 (2019-08-02)

* Self-managed SSH keys supported

## v0.0.2 (2019-08-01)

* Tags added!
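Review bot: the v0.0.3 entry lists only the SSH-key feature, but the commit message says "plus file cleanup" and the diff also backticks the names in groups/readme.sh and roles/readme.sh and strips trailing blank lines from the tagging.tf, variables.tf and versions.tf files; add a second bullet such as `* README formatting and trailing-newline cleanup` so the changelog matches what shipped.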
20 changes: 20 additions & 0 deletions groups/main.tf
@@ -290,4 +290,24 @@ data "aws_iam_policy_document" "self_management" {
values = ["true"]
}
}

statement {
sid = "AllowUsersToSelfManageTheirSSHKeys"

actions = [
"iam:DeleteSSHPublicKey",
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
]

resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/&{aws:username}"]

condition {
test = "Bool"
variable = "aws:MultiFactorAuthPresent"
values = ["true"]
}
}
}
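Review bot: the new capability is documented only in CHANGELOG.md; groups/readme.sh, which this commit also edits, still lists `UserSelfManagement` with no mention that its members can now upload, list, update and delete their own IAM SSH public keys, so add a line there. The statement itself looks right: the resource is scoped to `user/&{aws:username}` (the aws_iam_policy_document data source rewrites `&{` to `${` in the rendered JSON, so the policy variable reaches IAM intact), and it is gated behind MFA with a `Bool` test on `aws:MultiFactorAuthPresent`. Keep that as `Bool` rather than `BoolIfExists`: a request signed with long-term access keys and no MFA carries no such context key at all, and with `Bool` the allow simply does not match, whereas `BoolIfExists` would grant these actions to exactly those requests.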
18 changes: 9 additions & 9 deletions groups/readme.sh
@@ -7,15 +7,15 @@ cat << README > README.md
This module generates generic IAM roles as follows.
* Devops
* DevopsProd
* ReadOnly
* ReadOnlyProd
* Superuser
* SuperuserProd
* Support
* SupportProd
* UserSelfManagement
* `Devops`
* `DevopsProd`
* `ReadOnly`
* `ReadOnlyProd`
* `Superuser`
* `SuperuserProd`
* `Support`
* `SupportProd`
* `UserSelfManagement`
## Usage
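Review bot: the unchanged first line of this heredoc, `This module generates generic IAM roles as follows.`, is wrong for the groups module, whose outputs are groups (`self_management_group_name`, `devops_group_name` and so on, as the user README's example in this commit shows); since the hunk already rewrites the list beneath it, change the sentence to say groups at the same time.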
1 change: 0 additions & 1 deletion groups/tagging.tf
@@ -14,4 +14,3 @@ locals {
},
)
}

1 change: 0 additions & 1 deletion groups/versions.tf
@@ -1,4 +1,3 @@

terraform {
required_version = ">= 0.12"
}
12 changes: 6 additions & 6 deletions roles/readme.sh
@@ -9,21 +9,21 @@ This module generates generic IAM roles as follows.
## Human roles
* Devops
* Readonly
* Superuser
* Support
* `Devops`
* `Readonly`
* `Superuser`
* `Support`
## Machine roles
* Metrics
* `Metrics`
## Miscellany
Since this module is recommended to be applied across all accounts, it comes
with some other goodies:-
* Password defaults
* Password defaults
## Usage
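Review bot: `Readonly` here does not match `ReadOnly` in groups/readme.sh, touched in the same commit; use one spelling in both generated READMEs so a name copied from one matches the other module's output. The `* Password defaults` bullet appears as removed and re-added with no visible change, which suggests a whitespace-only edit inside the heredoc; fine if intended, otherwise drop it from the diff.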
1 change: 0 additions & 1 deletion roles/tagging.tf
@@ -14,4 +14,3 @@ locals {
},
)
}

1 change: 0 additions & 1 deletion roles/variables.tf
@@ -77,4 +77,3 @@ variable "tags" {
type = map(string)
default = {}
}

1 change: 0 additions & 1 deletion roles/versions.tf
@@ -1,4 +1,3 @@

terraform {
required_version = ">= 0.12"
}
100 changes: 50 additions & 50 deletions user/readme.sh
@@ -9,79 +9,79 @@ This module generates a single user, and adds them to appropriate groups.
# Usage instructions:
1. Generate a PGP key
1. Generate a PGP key
### Option A
### Option A
Use keybase.io. You can just feed your keybase.io username in to this module
and we'll do the rest.
Use keybase.io. You can just feed your keybase.io username in to this module
and we'll do the rest.
### Option B
### Option B
[Find some supported software for your platform](https://gnupg.org/download/)
[Find some supported software for your platform](https://gnupg.org/download/)
2. Use this module to create your user
2. Use this module to create your user
\`\`\`
module "stuart" {
source = "[email protected]:aceteknologi/terraform-iam.git//user?ref=v0.0.1"
\`\`\`
module "stuart" {
source = "[email protected]:aceteknologi/terraform-iam.git//user?ref=v0.0.1"
username = "[email protected]"
username = "[email protected]"
# if you used keybase.io this could be
# public_pgp_key = "keybase:<username>"
# if you used keybase.io this could be
# public_pgp_key = "keybase:<username>"
# or it could be something long-winded, like
# public_pgp_key = "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"
# or it could be something long-winded, like
# public_pgp_key = "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"
# Maximum 10 groups!
groups = [
"\${module.groups.self_management_group_name}",
"\${module.groups.devops_group_name}",
"\${module.groups.devops_prod_group_name}",
"\${module.groups.superuser_group_name}",
"\${module.groups.superuser_prod_group_name}",
]
# Maximum 10 groups!
groups = [
"\${module.groups.self_management_group_name}",
"\${module.groups.devops_group_name}",
"\${module.groups.devops_prod_group_name}",
"\${module.groups.superuser_group_name}",
"\${module.groups.superuser_prod_group_name}",
]
tags = "\${local.tags}"
}
tags = "\${local.tags}"
}
output "stuart" {
value = <<EOF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Initial login details for \${module.stuart.name}
output "stuart" {
value = <<EOF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Initial login details for \${module.stuart.name}
Password: \${module.stuart.encrypted_password}
Password: \${module.stuart.encrypted_password}
Please decrypt this password with the PGP key with the fingerprint \${module.stuart.key_fingerprint}
Hint: \`echo "\${module.stuart.encrypted_password}" | base64 --decode | gpg\`
OR
\`echo "\${module.stuart.encrypted_password}" | base64 --decode | keybase pgp decrypt\`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
EOF
}
\`\`\`
Please decrypt this password with the PGP key with the fingerprint \${module.stuart.key_fingerprint}
Hint: \`echo "\${module.stuart.encrypted_password}" | base64 --decode | gpg\`
OR
\`echo "\${module.stuart.encrypted_password}" | base64 --decode | keybase pgp decrypt\`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
EOF
}
\`\`\`
3. Decode the output
3. Decode the output
\`echo "wcFMA/........." | base64 --decode | gpg\`
\`echo "wcFMA/........." | base64 --decode | gpg\`
4. Login to the [console!](https://console.aws.amazon.com/)
4. Login to the [console!](https://console.aws.amazon.com/)
# Enter your account ID
# Enter your username
# Enter your decrypted password
# Enter your account ID
# Enter your username
# Enter your decrypted password
5. Navigate to IAM » <Your User> » Security credentials
5. Navigate to IAM » <Your User> » Security credentials
6. Next to "Assigned MFA device", hit the "Manage" link and create yourself an
MFA device
6. Next to "Assigned MFA device", hit the "Manage" link and create yourself an
MFA device
7. Sign out
7. Sign out
8. Sign in (this time with MFA!)
8. Sign in (this time with MFA!)
9. Navigate back to IAM » <Your User> » Security credentials
9. Navigate back to IAM » <Your User> » Security credentials
10. Hit the create access key button! You now have keys. Rotate them often.
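Review bot: the usage example still pins `source = "...//user?ref=v0.0.1"` while CHANGELOG.md in this same commit bumps the release to v0.0.3, so anyone copying the snippet gets a module two releases behind the README that describes it; bump the ref to the tag being cut (pinning to a tag rather than a branch is the right choice, it just needs to track the release). Two smaller points in this hunk: the `# Enter your account ID`, `# Enter your username` and `# Enter your decrypted password` lines under step 4 sit inside a Markdown heredoc, so they render as top-level headings rather than sub-steps; indent them as a nested list instead. And since every line of the hunk appears as a removed/added pair with no visible difference, the change is presumably whitespace only; if so, say so in the commit message so reviewers know not to look for content changes.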
1 change: 0 additions & 1 deletion user/tagging.tf
@@ -14,4 +14,3 @@ locals {
},
)
}

1 change: 0 additions & 1 deletion user/variables.tf
@@ -22,4 +22,3 @@ variable "tags" {

variable "username" {
}

1 change: 0 additions & 1 deletion user/versions.tf
@@ -1,4 +1,3 @@

terraform {
required_version = ">= 0.12"
}
