Merge branch 'develop' of github.com:cisagov/skeleton-ansible-role-with-test-user into lineage/skeleton

mcdonnnj · mcdonnnj · commit c0cb3e271309 · 2020-08-31T13:59:50.000-04:00
diff --git a/.github/lineage.yml b/.github/lineage.yml
@@ -1,6 +1,5 @@
 ---
-version: "1"
-
 lineage:
   skeleton:
-    remote-url: https://github.com/cisagov/skeleton-ansible-role.git
+    remote-url: https://github.com/cisagov/skeleton-ansible-role-with-test-user.git
+version: '1'
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,4 @@
 .mypy_cache
-__pycache__
 .python-version
-terraform/.terraform
+__pycache__
+.terraform
diff --git a/README.md b/README.md
@@ -7,6 +7,52 @@
 An Ansible role for installing
 [cisagov/ncats-webd](https://github.com/cisagov/ncats-webd).
 
+## Pre-requisites (Ignore Until the COOL Migration) ##
+
+In order to execute the Molecule tests for this Ansible role in GitHub
+Actions, a build user must exist in AWS. The accompanying Terraform
+code will create the user with the appropriate name and
+permissions. This only needs to be run once per project, per AWS
+account. This user can also be used to run the Molecule tests on your
+local machine.
+
+Before the build user can be created, the following profile must exist in
+your AWS credentials file:
+
+* `cool-terraform-backend`
+
+The easiest way to set up that profile is to use our
+[`aws-profile-sync`](https://github.com/cisagov/aws-profile-sync)
+utility. Follow the usage instructions in that repository before
+continuing with the next steps. Note that you will need to know where
+your team stores their remote profile data in order to use
+[`aws-profile-sync`](https://github.com/cisagov/aws-profile-sync).
+
+To create the build user, follow these instructions:
+
+```console
+cd terraform
+terraform init --upgrade=true
+terraform apply
+```
+
+Once the user is created you will need to update the [repository's
+secrets](https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets)
+with the new encrypted environment variables. This should be done
+using the
+[`terraform-to-secrets`](https://github.com/cisagov/development-guide/tree/develop/project_setup#terraform-iam-credentials-to-github-secrets-)
+tool available in the [development
+guide](https://github.com/cisagov/development-guide). Instructions for
+how to use this tool can be found in the ["Terraform IAM Credentials
+to GitHub Secrets"
+section](https://github.com/cisagov/development-guide/tree/develop/project_setup#terraform-iam-credentials-to-github-secrets-).
+of the Project Setup README.
+
+If you have appropriate permissions for the repository you can view
+existing secrets on the [appropriate
+page](https://github.com/cisagov/ansible-role-ncats-webd/settings/secrets) in
+the repository's settings.
+
 ## Requirements ##
 
 None.
diff --git a/terraform/backend.tf b/terraform/backend.tf
@@ -1,9 +1,9 @@
 terraform {
   backend "s3" {
-    encrypt        = true
     bucket         = "ncats-terraform-state-storage"
     dynamodb_table = "terraform-state-lock"
-    region         = "us-east-1"
+    encrypt        = true
     key            = "ansible-role-ncats-webd/terraform.tfstate"
+    region         = "us-east-1"
   }
 }
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
@@ -0,0 +1,20 @@
+output "access_key" {
+  value       = module.user.access_key
+  description = "The IAM access key associated with the CI IAM user created by this module."
+  sensitive   = true
+}
+
+output "production_role" {
+  value       = module.user.production_role
+  description = "The IAM role that the CI user can assume to read SSM parameters in the production account."
+}
+
+output "staging_role" {
+  value       = module.user.staging_role
+  description = "The IAM role that the CI user can assume to read SSM parameters in the staging account."
+}
+
+output "user" {
+  value       = module.user.user
+  description = "The CI IAM user created by this module."
+}
diff --git a/terraform/user.tf b/terraform/user.tf
@@ -1,4 +1,5 @@
-module "iam_user" {
+# Create the test user
+module "user" {
   source = "github.com/cisagov/molecule-iam-user-tf-module"
 
   providers = {
@@ -11,5 +12,6 @@ module "iam_user" {
 
   entity         = "ansible-role-ncats-webd"
   ssm_parameters = ["/cyhy/core/geoip/license_key"]
-  tags           = var.tags
+
+  tags = var.tags
 }
diff --git a/terraform/versions.tf b/terraform/versions.tf
@@ -1,4 +1,11 @@
-
 terraform {
-  required_version = ">= 0.12"
+  # We want to hold off on 0.13 until we have tested it.
+  required_version = "~> 0.12.0"
+
+  # If you use any other providers you should also pin them to the
+  # major version currently being used.  This practice will help us
+  # avoid unwelcome surprises.
+  required_providers {
+    aws = "~> 2.0"
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,9 +1,9 @@`
`1`	`1`	`terraform {`
`2`	`2`	`backend "s3" {`
`3`		`- encrypt = true`
`4`	`3`	`bucket = "ncats-terraform-state-storage"`
`5`	`4`	`dynamodb_table = "terraform-state-lock"`
`6`		`- region = "us-east-1"`
	`5`	`+ encrypt = true`
`7`	`6`	`key = "ansible-role-ncats-webd/terraform.tfstate"`
	`7`	`+ region = "us-east-1"`
`8`	`8`	`}`
`9`	`9`	`}`