Merge pull request #9 from StackGuardian/aws-oidc-complete-onboarding

onboarding-example-oidc

Author: joscheuerer

aws_oidc/main.tf

@@ -33,13 +33,5 @@ resource "aws_iam_role" "oidc_role" {
 resource "aws_iam_policy_attachment" "sg_role_policy" {
   name       = "${var.role_name}-policy"
   policy_arn = var.aws_policy
-  roles      = [aws_iam_role.sg-test-role.name]
-}
-
-output "oidc_provider_arn" {
-  value = aws_iam_openid_connect_provider.oidc_provider.arn
-}
-
-output "oidc_role_arn" {
-  value = aws_iam_role.oidc_role.arn
+  roles      = [aws_iam_role.oidc_role.name]
 }

aws_oidc/provider.tf

@@ -1,36 +1,34 @@
 variable "region" {
   type = string
   description = "the region for deploying the resources"
-  default = "eu-central-1"
 }
 
 variable "url" {
   type = string
   description = "URL of the identity provider"
-  default = "https://api.app.stackguardian.io"
 }
 
 variable "client_id" {
   type = string
-  description = "List of client IDs (audiences) that identify the application registered with the OpenID Connect provider"
-  default =  "https://api.app.stackguardian.io" 
+  description = "List of client IDs (audiences) that identify the application registered with the OpenID Connect provider" 
 }
 
 variable "role_name" {
   type = string
   description = "name of the aws role thats getting created"
-  default = "test-clara-001"
 }
 
 variable "org_name" {
   type = string
   description = "the name of the StackGuardian Organization"
-  default = "wicked-hop"
 }
 
 variable "account_number" {
   type = number
   description = "the value of the account number"
-  default = 790543352839
 }
 
+variable "aws_policy" {
+  type = string
+  description = "arn of aws policy"
+}

aws_oidc/variables.tf

@@ -0,0 +1,118 @@
+# ################################
+#  # Stackguardian Workflow Group
+# ################################
+module "stackguardian_workflow_group" {
+  source = "../terraform-stackguardian-modules/stackguardian_workflow_group"
+  api_key = var.api_key
+  org_name = var.org_name
+  workflow_group_name = var.workflow_group_name
+}
+
+# ################################
+#  # Stackguardian aws oidc
+# ################################
+module "aws_oidc" {
+  source = "../terraform-stackguardian-modules/aws_oidc"
+  account_number = var.account_number
+  client_id = var.client_id
+  region = var.region
+  aws_policy = var.aws_policy
+  role_name = var.role_name
+  url = var.url
+  org_name = var.org_name
+}
+
+# ################################
+#  # Stackguardian cloud connector
+# ################################
+module "stackguardian_connector_cloud" {
+  source = "../terraform-stackguardian-modules/stackguardian_connector_cloud"
+  cloud_connector_name = var.cloud_connector_name
+  connector_type = var.connector_type
+  api_key = var.api_key
+  org_name = var.org_name
+
+  role_arn = module.aws_oidc.oidc_role_arn
+
+  aws_access_key_id = var.aws_access_key_id
+  aws_secret_access_key = var.aws_secret_access_key
+  aws_default_region = var.aws_default_region
+
+  armTenantId = var.armTenantId
+  armSubscriptionId = var.armSubscriptionId
+  armClientId = var.client_id
+  armClientSecret = var.armClientSecret
+}
+
+################################
+ # Stackguardian vcs
+################################
+locals {
+  # Determine which VCS connector to create based on non-empty credentials
+  selected_connector = merge(
+    # If GitLab creds are provided, use GitLab connector
+    length(var.gitlab_creds) > 0 ? {
+      vcs_gitlab = {
+        kind   = "GITLAB_COM"
+        config = [{
+          gitlab_creds = var.gitlab_creds
+        }]
+      }
+    } : {},
+
+    # If GitHub creds are provided, use GitHub connector
+    length(var.github_creds) > 0 ? {
+      vcs_github = {
+        kind   = "GITHUB_COM"
+        config = [{
+          github_creds = var.github_creds
+        }]
+      }
+    } : {},
+
+    # If Bitbucket creds are provided, use Bitbucket connector
+    length(var.bitbucket_creds) > 0 ? {
+      vcs_bitbucket = {
+        kind   = "BITBUCKET_COM"
+        config = [{
+          bitbucket_creds = var.bitbucket_creds
+        }]
+      }
+    } : {}
+  )
+}
+
+module "stackguardian_connector_vcs" {
+  source = "../terraform-stackguardian-modules/stackguardian_connector_vcs"
+  stackguardian_connector_vcs_name = var.stackguardian_connector_vcs_name
+  api_key = var.api_key
+  org_name = var.org_name
+  stackguardian_connector_kinds      = local.selected_connector
+}
+
+################################
+ # Stackguardian role
+################################
+module "stackguardian_role" {
+  source = "../terraform-stackguardian-modules/stackguardian_role"
+  api_key = var.api_key
+  org_name = var.org_name
+  role_name = var.role_name
+  cloud_connector = var.cloud_connector
+  stackguardian_connector_vcs = var.stackguardian_connector_vcs
+  workflow_group = var.workflow_group
+  template_list = var.template_list
+  #depends_on = [ module.stackguardian_workflow_group, module.stackguardian_connector_cloud, module.stackguardian_connector_vcs ]
+}
+
+# ################################
+#  # Stackguardian role assignment
+# ################################
+module "stackguardian_role_assignment" {
+  source = "../terraform-stackguardian-modules/stackguardian_role_assignment"
+  api_key = var.api_key
+  org_name = var.org_name
+  role_name = var.role_name
+  user_or_group = var.user_or_group
+  entity_type = var.entity_type
+}

main.tf

@@ -0,0 +1,24 @@
+terraform {
+  required_providers {
+    stackguardian = {
+      source  = "StackGuardian/stackguardian"
+      version = "1.1.0-rc5"
+    }
+    aws = {
+      source  = "hashicorp/aws"
+      version = "5.84.0"
+    }
+  }
+}
+
+# StackGuardian provider configuration
+provider "stackguardian" {
+  api_key  = var.api_key
+  org_name = var.org_name
+  api_uri  = "https://api.app.stackguardian.io"
+}
+
+# AWS provider configuration
+provider "aws" {
+  region = var.region
+}

provider.tf

@@ -1,6 +1,6 @@
 resource "stackguardian_connector" "sg_aws_static_connector" {
   count = (var.connector_type == "AWS_STATIC") ? 1 : 0
-  resource_name = var.resource_name
+  resource_name = var.cloud_connector_name
   description = "Onboarding example of terraform-provider-stackguardian for AWSConnectorCloud"
   settings = {
     kind = var.connector_type,
@@ -10,12 +10,24 @@ resource "stackguardian_connector" "sg_aws_static_connector" {
         aws_default_region = var.aws_default_region
       }]
   }
-  scope = ["*"]
+}
+
+
+resource "stackguardian_connector" "sg_aws_oidc_connector" {
+  count = (var.connector_type == "AWS_OIDC") ? 1 : 0
+  resource_name = var.cloud_connector_name
+  description = "Onboarding example of terraform-provider-stackguardian for AWSConnectorCloud"
+  settings = {
+    kind = var.connector_type,
+    config = [{
+        role_arn = var.role_arn
+      }]
+  }
 }
 
 resource "stackguardian_connector" "sg_azure_static_connector" {
   count = (var.connector_type == "AZURE_STATIC") ? 1 : 0
-  resource_name = var.resource_name
+  resource_name = var.cloud_connector_name
   description = "Onboarding example of terraform-provider-stackguardian for AzureConnectorCloud"
   settings = {
     kind = var.connector_type,
@@ -26,5 +38,4 @@ resource "stackguardian_connector" "sg_azure_static_connector" {
         armClientSecret = var.armClientSecret
     }]
   }
-  scope = ["*"]
 }

stackguardian_connector_cloud/main.tf

@@ -1,6 +1,6 @@
 output "resource_name" {
   description = "Cloud Connector Name created"
-  value       = var.resource_name
+  value       = var.cloud_connector_name
 }
 output "connector_type" {
   description = "Cloud Connector Type created"

stackguardian_connector_cloud/outputs.tf

@@ -2,14 +2,13 @@ terraform {
   required_providers {
     stackguardian = {
       source = "StackGuardian/stackguardian"
-      version = "1.0.0-rc3"
+      version = "1.1.0-rc5"
     }
   }
 }
 
 provider "stackguardian" {
-  
-  api_key = var.api_key                                  # Replace this with your API key(test wiothout it)
-  org_name = var.org_name                                # Replace this with your organization name
-  api_uri = "https://testapi.qa.stackguardian.io"        # Use testapi instead of production for testing
+  api_key = var.api_key
+  org_name = var.org_name
+  api_uri = "https://api.app.stackguardian.io"
 }

stackguardian_connector_cloud/provider.tf

@@ -1,19 +1,21 @@
-variable "connector_type" {
+variable "api_key" {
   type = string
-  # AWS_STATIC, AWS_RBAC, AWS_OIDC, AZURE_STATIC, AZURE_OIDC, GCP_STATIC
+  description = "Your organization's API key on the StackGuardian Platform"
 }
 
-variable "resource_name" {
- type = string
-  description = "Name of the Cloud connector"
-}
-variable "api_key" {
+variable "org_name" {
   type = string
-  description = "API key to authenticate to StackGuardian"
+  description = "Your organization name on StackGuardian Platform"
 }
-variable "org_name" {
+
+variable "connector_type" {
   type = string
-  description = "Organisation name in StackGuardian platform"
+  description = "type of connector. You can select anyone of the following AWS_STATIC, AWS_RBAC, AWS_OIDC, AZURE_STATIC, AZURE_OIDC, GCP_STATIC"
+}
+
+variable "cloud_connector_name" {
+ type = string
+  description = "Name of the Cloud connector"
 }
 
 
@@ -23,42 +25,47 @@ variable "org_name" {
 
 variable "aws_access_key_id" {
   type = string
-  description = "AWS ACCESS Key ID"
-  default = ""
+  description = "your AWS acoount access key"
 }
+
 variable "aws_secret_access_key" {
   type = string
-  description = "AWS ACCESS Key Secret"
-  default = ""
+  description = "your AWS account secret access key"
 }
+
 variable "aws_default_region" {
   type = string
-  description = "AWS Default Region for Connector"
-  default = ""
+  description = "any default region you want to set, for all your deployments"
 }
 
 ################
 # AZURE_STATIC Credentials
 ################
 
-
 variable "armTenantId" {
   type = string
-  description = "Azure Tenant ID"
-  default = ""
+  description = "your azure account tenant id"
 }
+
 variable "armSubscriptionId" {
   type = string
-  description = "Subscription ID"
-  default = ""
+  description = "your azure subscription id"
 }
+
 variable "armClientId" {
   type = string
-  description = "Client ID for Enterprise App"
-  default = ""
+  description = "your azure client id"
 }
+
 variable "armClientSecret" {
   type = string
-  description = "Client Secret for Enterprise App"
-  default = ""
+  description = "your azure client secret"
+}
+
+################
+# aws_oidc 
+################
+variable "role_arn" {
+  type = string
+  description = "arn of the aws oidc role"
 }