# Identity Layer Workflows
#
# These workflows are used for the quickstart setup of the identity layer.
# They automate the deployment of IAM Identity Center (AWS SSO), GitHub OIDC
# providers, and IAM roles for Terraform execution across all accounts.
#
# Documentation: https://docs.cloudposse.com/layers/identity/
#
# For Google Workspace IdP setup, see AWS documentation:
# - Enable IAM Identity Center: https://docs.aws.amazon.com/singlesignon/latest/userguide/gs-gwp.html#gs-gwp-step1
# - Configure Google Workspace: https://docs.aws.amazon.com/singlesignon/latest/userguide/gs-gwp.html#gs-gwp-step3
#
# Usage:
# atmos workflow all -f quickstart/foundation/identity
# atmos workflow deploy/sso -f quickstart/foundation/identity
# atmos workflow deploy/github-oidc-provider -f quickstart/foundation/identity
#
# Available workflows:
# - check-setup: Verify the environment is set up to run these workflows
# - all: Deploy complete identity layer
# - vendor: Pull required components
# - deploy/all: Deploy all identity components
# - deploy/sso: Configure IAM Identity Center
# - deploy/iam-role: Deploy Terraform execution roles
# - deploy/github-oidc-provider: Deploy GitHub OIDC Provider to all accounts
#
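workflows:
  # Guard step: every other workflow here starts by running this one (see `all`),
  # so environment problems fail fast with an actionable message instead of
  # surfacing half-way through a multi-account terraform run.
  check-setup:
    description: Verify that the environment is setup correctly to run these workflows.
    steps:
      - name: check-setup
        type: shell
        command: |-
          if [[ "$GEODESIC_SHELL" != "true" ]]; then
            echo "This workflow must be run from a Geodesic shell." >&2
            exit 1
          # `.git` is a directory in a normal clone but a *file* in git worktrees
          # and submodules, so test for existence (-e) rather than directory (-d).
          elif [[ -z "$ATMOS_BASE_PATH" ]] || [[ ! -e "$ATMOS_BASE_PATH/.git" ]]; then
            echo "ATMOS_BASE_PATH must be set to the root of the git repository." >&2
            echo "This is usually set automatically by Geodesic." >&2
            echo "To fix: run the Geodesic shell from the root of the git repository." >&2
            echo " ATMOS_BASE_PATH: \"$ATMOS_BASE_PATH\"" >&2
            echo " Current directory: \"$(pwd -P)\"" >&2
            exit 1
          elif [[ ! -d "$ATMOS_BASE_PATH/rootfs/usr/local/bin" ]]; then
            printf "No such directory: %s\n" "$ATMOS_BASE_PATH/rootfs/usr/local/bin" >&2
            exit 2
          fi

  # Orchestrator: check the environment, vendor components, then deploy everything.
  all:
    description: Run all workflows
    steps:
      - command: workflow check-setup -f quickstart/foundation/identity
      - command: workflow vendor -f quickstart/foundation/identity
      - command: workflow deploy/all -f quickstart/foundation/identity

  # Pull the three components the deploy/* workflows below rely on.
  vendor:
    description: Vendor identity layer components.
    steps:
      - command: vendor pull --component aws-sso
      - command: vendor pull --component iam-role
      - command: vendor pull --component github-oidc-provider

  # Order matters: SSO first, then the execution roles, then the OIDC trust
  # that lets GitHub Actions assume those roles.
  deploy/all:
    description: Deploy all identity components.
    steps:
      - command: workflow deploy/sso -f quickstart/foundation/identity
      - command: workflow deploy/iam-role -f quickstart/foundation/identity
      - command: workflow deploy/github-oidc-provider -f quickstart/foundation/identity

  # IAM Identity Center lives only in the organization root account.
  deploy/sso:
    description: Update aws-sso configuration.
    steps:
      - command: terraform deploy aws-sso -s core-gbl-root

  # Two roles per account: `terraform` (apply) and `planner` (read-only plan).
  # The account list here is intended to match deploy/github-oidc-provider;
  # an account that gets roles but no OIDC provider (or vice versa) will not be
  # usable from GitHub Actions.
  deploy/iam-role:
    description: |
      Deploy iam-role/terraform and iam-role/planner roles.
      These roles are used by GitHub Actions for CI/CD.
    steps:
      # Only deploy the planner role in the root account
      - command: terraform deploy iam-role/planner -s core-gbl-root
      # Core accounts
      - command: terraform deploy iam-role/terraform -s core-gbl-artifacts
      - command: terraform deploy iam-role/planner -s core-gbl-artifacts
      - command: terraform deploy iam-role/terraform -s core-gbl-audit
      - command: terraform deploy iam-role/planner -s core-gbl-audit
      - command: terraform deploy iam-role/terraform -s core-gbl-auto
      - command: terraform deploy iam-role/planner -s core-gbl-auto
      - command: terraform deploy iam-role/terraform -s core-gbl-dns
      - command: terraform deploy iam-role/planner -s core-gbl-dns
      - command: terraform deploy iam-role/terraform -s core-gbl-network
      - command: terraform deploy iam-role/planner -s core-gbl-network
      - command: terraform deploy iam-role/terraform -s core-gbl-security
      - command: terraform deploy iam-role/planner -s core-gbl-security
      # Platform accounts
      - command: terraform deploy iam-role/terraform -s plat-gbl-dev
      - command: terraform deploy iam-role/planner -s plat-gbl-dev
      - command: terraform deploy iam-role/terraform -s plat-gbl-staging
      - command: terraform deploy iam-role/planner -s plat-gbl-staging
      - command: terraform deploy iam-role/terraform -s plat-gbl-prod
      - command: terraform deploy iam-role/planner -s plat-gbl-prod
      - command: terraform deploy iam-role/terraform -s plat-gbl-sandbox
      - command: terraform deploy iam-role/planner -s plat-gbl-sandbox

  # Each stack below registers GitHub's OIDC issuer as a federated identity
  # provider in that account. Which repositories/branches may use it is decided
  # by the component's stack configuration, not by this workflow, so review
  # those trust conditions when adding an account here. Keep this list in sync
  # with deploy/iam-role.
  deploy/github-oidc-provider:
    description: |
      Deploy GitHub OIDC Provider to all accounts.
      This enables GitHub Actions to authenticate to AWS using OIDC.
    steps:
      # Core accounts
      - command: terraform deploy github-oidc-provider -s core-gbl-root
      - command: terraform deploy github-oidc-provider -s core-gbl-artifacts
      - command: terraform deploy github-oidc-provider -s core-gbl-audit
      - command: terraform deploy github-oidc-provider -s core-gbl-auto
      - command: terraform deploy github-oidc-provider -s core-gbl-dns
      - command: terraform deploy github-oidc-provider -s core-gbl-network
      - command: terraform deploy github-oidc-provider -s core-gbl-security
      # Platform accounts
      - command: terraform deploy github-oidc-provider -s plat-gbl-dev
      - command: terraform deploy github-oidc-provider -s plat-gbl-staging
      - command: terraform deploy github-oidc-provider -s plat-gbl-prod
      - command: terraform deploy github-oidc-provider -s plat-gbl-sandbox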