Merge https://github.com/cisagov/skeleton-ansible-role-with-test-user into lineage/skeleton

mcdonnnj · mcdonnnj · commit 16521cc4e1f0 · 2025-03-06T15:29:54.000Z
# Conflicts:
#	README.md
#	molecule/default/converge.yml
#	terraform/backend.tf
#	terraform/providers.tf
#	terraform/remote_states.tf
#	terraform/user.tf
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -170,6 +170,9 @@ jobs:
         uses: mxschmitt/action-tmate@v3
         if: env.RUN_TMATE
   test:
+    # TODO:  Figure out a plan to test in all environments, not just dev-a.
+    # See cisagov/skeleton-ansible-role-with-test-user#183 for more details.
+    environment: dev-a
     name: >-
       test (${{ matrix.scenario }}) -
       ${{ matrix.platform }}-${{ matrix.architecture }}
@@ -275,7 +278,12 @@ jobs:
           sudo apt-get install apparmor-utils
           sudo aa-disable /usr/sbin/unix_chkpwd
         if: ${{ startsWith(matrix.platform, 'fedora') }}
-      - name: Run molecule tests
+      - # This is an example of how to pass GHA secrets to Molecule
+        # via an environment variable.  See also
+        # molecule/default/converge.yml in this repository.
+        # env:
+        #   THIRD_PARTY_BUCKET: ${{ secrets.THIRD_PARTY_BUCKET }}
+        name: Run molecule tests
         run: >-
           molecule test
           --platform-name ${{ matrix.platform }}-${{ matrix.architecture }}
diff --git a/.gitignore b/.gitignore
@@ -10,3 +10,5 @@ __pycache__
 ## Terraform ##
 .terraform
 .terraform.lock.hcl
+*.tfconfig
+*.tfvars
diff --git a/README.md b/README.md
@@ -8,64 +8,128 @@ An Ansible role for installing
 
 ## Pre-requisites (Ignore Until the COOL Migration) ##
 
-In order to execute the Molecule tests for this Ansible role in GitHub
-Actions, a build user must exist in AWS. The accompanying Terraform
-code will create the user with the appropriate name and
-permissions. This only needs to be run once per project, per AWS
-account. This user can also be used to run the Molecule tests on your
-local machine.
-
-Before the build user can be created, you will need a profile in your
-AWS credentials file that allows you to read and write your remote
-Terraform state.  (You almost certainly do not want to use local
-Terraform state for this long-lived build user.)  If the build user is
-to be created in the CISA COOL environment, for example, then you will
-need the `cool-terraform-backend` profile.
-
-The easiest way to set up the Terraform remote state profile is to
-make use of our
-[`aws-profile-sync`](https://github.com/cisagov/aws-profile-sync)
-utility. Follow the usage instructions in that repository before
-continuing with the next steps, and note that you will need to know
-where your team stores their remote profile data in order to use
+In order to execute the Molecule tests for this Ansible role in GitHub Actions,
+a test user must exist in AWS. The accompanying Terraform code will create the
+user with the appropriate name and permissions. This only needs to be run once
+per project, per AWS account. This user can also be used to run the Molecule
+tests on your local machine.
+
+Before the test user can be created, you will need a profile in your AWS
+credentials file that allows you to read and write your remote Terraform state.
+(You almost certainly do not want to use local Terraform state for this
+long-lived test user.)  If the test user is to be created in the CISA COOL
+environment, for example, then you will need the `cool-terraform-backend`
+profile.
+
+The easiest way to set up the Terraform remote state profile is to make use of
+our [`aws-profile-sync`](https://github.com/cisagov/aws-profile-sync) utility.
+Follow the usage instructions in that repository before continuing with the next
+steps, and note that you will need to know where your team stores their remote
+profile data in order to use
 [`aws-profile-sync`](https://github.com/cisagov/aws-profile-sync).
 
-To create the build user, follow these instructions:
+### Creating a test user ###
 
-```console
-cd terraform
-terraform init --upgrade=true
-terraform apply
-```
+You will need to create a test user for each environment that you use.  The
+following steps show how to create a test user for an environment named "dev".
+You will need to repeat this process for any additional environments.
+
+1. Change into the `terraform` directory:
+
+   ```console
+   cd terraform
+   ```
+
+1. Create a backend configuration file named `dev.tfconfig` containing the
+name of the bucket where "dev" environment Terraform state is stored - this file
+is required to initialize the Terraform backend in each environment:
+
+    ```hcl
+    bucket = "my-dev-terraform-state-bucket"
+    ```
+
+1. Initialize the Terraform backend for the "dev" environment using your backend
+   configuration file:
+
+    ```console
+    terraform init -backend-config=dev.tfconfig
+    ```
+
+    > [!NOTE]
+    > When performing this step for additional environments (i.e. not your first
+    > environment), use the `-reconfigure` flag:
+    >
+    > ```console
+    > terraform init -backend-config=other-env.tfconfig -reconfigure
+    > ```
+
+1. Create a Terraform variables file named `dev.tfvars` containing all
+required variables (currently only `terraform_state_bucket`):
 
-Once the user is created you will need to update the [repository's
-secrets](https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets)
-with the new encrypted environment variables. This should be done
-using the
+    ```hcl
+    terraform_state_bucket = "my-dev-terraform-state-bucket"
+    ```
+
+1. Create a Terraform workspace for the "dev" environment:
+
+    ```console
+   terraform workspace new dev
+   ```
+
+1. Initialize and upgrade the Terraform workspace, then apply the configuration
+   to create the test user in the "dev" environment:
+
+    ```console
+    terraform init -upgrade=true
+    terraform apply -var-file=dev.tfvars
+    ```
+
+Once the test user is created you will need to update the
+[repository's secrets](https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets)
+with the new encrypted environment variables. This should be done using the
 [`terraform-to-secrets`](https://github.com/cisagov/development-guide/tree/develop/project_setup#terraform-iam-credentials-to-github-secrets-)
-tool available in the [development
-guide](https://github.com/cisagov/development-guide). Instructions for
-how to use this tool can be found in the ["Terraform IAM Credentials
-to GitHub Secrets"
-section](https://github.com/cisagov/development-guide/tree/develop/project_setup#terraform-iam-credentials-to-github-secrets-).
+tool available in the
+[development guide](https://github.com/cisagov/development-guide). Instructions
+for how to use this tool can be found in the
+["Terraform IAM Credentials to GitHub Secrets" section](https://github.com/cisagov/development-guide/tree/develop/project_setup#terraform-iam-credentials-to-github-secrets-).
 of the Project Setup README.
 
+<<<<<<< HEAD
 If you have appropriate permissions for the repository you can view
 existing secrets on the [appropriate
 page](https://github.com/cisagov/ansible-role-ncats-webd/settings/secrets) in
 the repository's settings.
+=======
+If you have appropriate permissions for the repository you can view existing
+secrets on the
+[appropriate page](https://github.com/cisagov/skeleton-ansible-role-with-test-user/settings/secrets)
+in the repository's settings.
+>>>>>>> 8cc1712a5cae219f786b8e03c4ff6941296f89c1
 
 ## Requirements ##
 
 None.
 
 ## Role Variables ##
 
+<<<<<<< HEAD
 | Variable | Description | Default | Required |
 |----------|-------------|---------|----------|
 | ncats\_webd\_install\_geoipupdate | Whether to install the MaxMind geoipupdate tool. | `false` | No |
 | ncats\_webd\_maxmind\_account\_id | The MaxMind account ID for access to a GeoIP2 database subscription. | n/a | Yes |
 | ncats\_webd\_maxmind\_license\_key | The MaxMind license key that provided access to a GeoIP2 database subscription. | n/a | Yes |
+=======
+None.
+
+<!-- markdownlint-disable line-length -->
+<!--
+| Variable | Description | Default | Required |
+|----------|-------------|---------|----------|
+| skeleton_with_test_user_bucket_name | The name of the AWS S3 bucket where the third-party files are stored. | None | Yes |
+| skeleton_with_test_user_license_object_name | The name of the AWS S3 object that is the third-party license. | `closed_source_tool.license` | No |
+-->
+<!-- markdownlint-enable line-length -->
+>>>>>>> 8cc1712a5cae219f786b8e03c4ff6941296f89c1
 
 ## Dependencies ##
 
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
@@ -2,6 +2,7 @@
 - name: Converge
   hosts: all
   tasks:
+<<<<<<< HEAD
     - name: Include ansible-role-ncats-webd
       # We do prepend the name of the role to the role variables, but
       # Molecule does its own role discovery with inconsistent naming.
@@ -11,3 +12,14 @@
       vars:
         ncats_webd_maxmind_account_id: "{{ lookup('aws_ssm', '/cyhy/core/geoip/account_id', region='us-east-1') }}"
         ncats_webd_maxmind_license_key: "{{ lookup('aws_ssm', '/cyhy/core/geoip/license_key', region='us-east-1') }}"
+=======
+    - name: Include skeleton-ansible-role-with-test-user
+      ansible.builtin.include_role:
+        name: skeleton-ansible-role-with-test-user
+      # This is an example of how to pass GHA secrets to Molecule via
+      # an environment variable.  See also the "Run molecule tests"
+      # step from the .github/workflows/build.yml workflow in this
+      # repository.
+      # vars:
+      #   skeleton_with_test_user_bucket_name: "{{ lookup('env', 'THIRD_PARTY_BUCKET') }}"
+>>>>>>> 8cc1712a5cae219f786b8e03c4ff6941296f89c1
diff --git a/terraform/backend.tf b/terraform/backend.tf
@@ -1,6 +1,14 @@
 terraform {
   backend "s3" {
+<<<<<<< HEAD
     bucket         = "ncats-terraform-state-storage"
+=======
+    # Use a partial configuration to avoid hardcoding the bucket name. This
+    # allows the bucket name to be set on a per-environment basis via the
+    # -backend-config command line option or other methods.  For details, see:
+    # https://developer.hashicorp.com/terraform/language/backend#partial-configuration
+    bucket         = ""
+>>>>>>> 8cc1712a5cae219f786b8e03c4ff6941296f89c1
     dynamodb_table = "terraform-state-lock"
     encrypt        = true
     key            = "ansible-role-ncats-webd/terraform.tfstate"
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
@@ -4,14 +4,9 @@ output "access_key" {
   sensitive   = true
 }
 
-output "production_role" {
-  value       = module.user.production_role
-  description = "The IAM role that the CI user can assume to read SSM parameters in the production account."
-}
-
-output "staging_role" {
-  value       = module.user.staging_role
-  description = "The IAM role that the CI user can assume to read SSM parameters in the staging account."
+output "role" {
+  value       = module.user.role
+  description = "The IAM role that the CI user can assume to read SSM parameters in the Images account."
 }
 
 output "user" {
diff --git a/terraform/providers.tf b/terraform/providers.tf
@@ -8,3 +8,47 @@ provider "aws" {
   }
   region = var.aws_region
 }
+<<<<<<< HEAD
+=======
+
+# The provider used to create the role that can be assumed to do
+# everything the CI user needs to do in the Images account.
+provider "aws" {
+  alias = "images_provisionaccount"
+  assume_role {
+    role_arn     = data.terraform_remote_state.images.outputs.provisionaccount_role.arn
+    session_name = local.caller_user_name
+  }
+  default_tags {
+    tags = var.tags
+  }
+  region = var.aws_region
+}
+
+# The provider used to create policies and roles that can read
+# parameters from AWS SSM Parameter Store in the Images account.
+provider "aws" {
+  alias = "images_ssm"
+  assume_role {
+    role_arn     = data.terraform_remote_state.images_ssm.outputs.provisionparameterstorereadroles_role.arn
+    session_name = local.caller_user_name
+  }
+  default_tags {
+    tags = var.tags
+  }
+  region = var.aws_region
+}
+
+# The provider used to create the test user
+provider "aws" {
+  alias = "users"
+  assume_role {
+    role_arn     = data.terraform_remote_state.users.outputs.provisionaccount_role.arn
+    session_name = local.caller_user_name
+  }
+  default_tags {
+    tags = var.tags
+  }
+  region = var.aws_region
+}
+>>>>>>> 8cc1712a5cae219f786b8e03c4ff6941296f89c1
diff --git a/terraform/remote_states.tf b/terraform/remote_states.tf
@@ -0,0 +1,50 @@
+# ------------------------------------------------------------------------------
+# Retrieve state data from a Terraform backend. This allows use of the
+# root-level outputs of one or more Terraform configurations as input
+# data for this configuration.
+# ------------------------------------------------------------------------------
+
+data "terraform_remote_state" "images" {
+  backend = "s3"
+
+  config = {
+    bucket         = var.terraform_state_bucket
+    dynamodb_table = "terraform-state-lock"
+    encrypt        = true
+    key            = "cool-accounts/images.tfstate"
+    profile        = "cool-terraform-readstate"
+    region         = "us-east-1"
+  }
+
+  workspace = terraform.workspace
+}
+
+data "terraform_remote_state" "images_ssm" {
+  backend = "s3"
+
+  config = {
+    bucket         = var.terraform_state_bucket
+    dynamodb_table = "terraform-state-lock"
+    encrypt        = true
+    key            = "cool-images-parameterstore/terraform.tfstate"
+    profile        = "cool-terraform-readstate"
+    region         = "us-east-1"
+  }
+
+  workspace = terraform.workspace
+}
+
+data "terraform_remote_state" "users" {
+  backend = "s3"
+
+  config = {
+    bucket         = var.terraform_state_bucket
+    dynamodb_table = "terraform-state-lock"
+    encrypt        = true
+    key            = "cool-accounts/users.tfstate"
+    profile        = "cool-terraform-readstate"
+    region         = "us-east-1"
+  }
+
+  workspace = terraform.workspace
+}
diff --git a/terraform/user.tf b/terraform/user.tf
@@ -3,6 +3,7 @@ module "user" {
   source = "github.com/cisagov/molecule-iam-user-tf-module"
 
   providers = {
+<<<<<<< HEAD
     aws                                    = aws
     aws.images-production-provisionaccount = aws
     aws.images-staging-provisionaccount    = aws
@@ -15,4 +16,13 @@ module "user" {
     "/cyhy/core/geoip/account_id",
     "/cyhy/core/geoip/license_key",
   ]
+=======
+    aws                         = aws.users
+    aws.images-provisionaccount = aws.images_provisionaccount
+    aws.images-ssm              = aws.images_ssm
+  }
+
+  entity         = "skeleton-ansible-role-with-test-user"
+  ssm_parameters = ["/example/parameter"]
+>>>>>>> 8cc1712a5cae219f786b8e03c4ff6941296f89c1
 }
diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -1,3 +1,14 @@
+# ------------------------------------------------------------------------------
+# Required parameters
+#
+# You must provide a value for each of these parameters.
+# ------------------------------------------------------------------------------
+
+variable "terraform_state_bucket" {
+  description = "The name of the S3 bucket where Terraform state is stored."
+  type        = string
+}
+
 # ------------------------------------------------------------------------------
 # Optional parameters
 #
