
Usage Example

IMPORTANT: To successfully complete this example, you must first deploy the module by following the module workspace example.

Attach Run Task into HCP Terraform Workspace

Follow the steps below to attach the run task created from the module to a new HCP Terraform workspace. The new workspace will attempt to create several invalid IAM resources, and the run task integration with IAM Access Analyzer validates them in the post-plan stage.

  • Use the provided demo workspace configuration.

    cd examples/demo_workspace
  • Change the organization name to your own HCP Terraform org name. Optionally, change the workspace name.

    terraform {
    
      cloud {
        # TODO: Change this to your HCP Terraform org name.
        organization = "wellsiau-org"
    
        # OPTIONAL: Change the workspace name
        workspaces {
          name = "AWS-Runtask-IAM-Access-Analyzer-Demo"
        }
      }
      ...
    }
  • Populate the required variables by replacing the placeholder values below.

    echo 'tfc_org="<enter your org name here>"' >> tf.auto.tfvars
    echo 'aws_region="<enter the AWS region here>"' >> tf.auto.tfvars
    echo 'runtask_id="<enter the Run Task ID output from previous module deployment>"' >> tf.auto.tfvars
    echo 'demo_workspace_name="<enter the same workspace name as in your terraform - cloud block>"' >> tf.auto.tfvars
  • Initialize HCP Terraform.

    terraform init
  • We recommend configuring dynamic credentials for provisioning to AWS from your HCP Terraform workspace or organization. Follow these instructions to learn more.

  • To create and configure the run task, you also need an HCP Terraform token stored as a variable or variable set in the workspace. Add the TFE_HOSTNAME and TFE_TOKEN environment variables to the same variable set or directly on the workspace.

    [Image: TFC Configure Variable Set]

  • Enable the flag to attach the run task to the demo workspace.

    echo 'flag_attach_runtask="true"' >> tf.auto.tfvars
    terraform apply
  • Navigate back to HCP Terraform, locate the new demo workspace and confirm that the run task is attached to it.

    [Image: TFC Run Task in Workspace]

Test IAM Access Analyzer using Run Task

The following steps deploy simple IAM policies with invalid permissions. This should cause the run task to report a failure and stop the apply.

  • Enable the flag to deploy invalid IAM policy to the demo workspace.

    echo 'flag_deploy_invalid_resource="true"' >> tf.auto.tfvars
  • Run Terraform apply again.

    terraform apply
  • The Terraform apply will fail with several errors; use the CloudWatch link in the run task output to review them.

    [Image: HCP TF Run Task results]
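The two flags used above gate two resources in the demo workspace: the run task attachment and the deliberately invalid policy. The fragment below is an added illustration of that pattern, not the demo workspace's own code; it assumes the variables from the Inputs table are declared, that the `tfe` provider is configured with the TFE_HOSTNAME/TFE_TOKEN variables, and that the `stage` argument is available in the tfe provider version in use.

```hcl
data "tfe_organization" "org" {
  name = var.tfc_org
}

data "tfe_workspace" "workspace" {
  name         = var.demo_workspace_name
  organization = data.tfe_organization.org.name
}

# Attach the run task only when flag_attach_runtask is true. With count = 0 the
# first apply creates the workspace without touching the run task at all.
resource "tfe_workspace_run_task" "aws-iam-analyzer-attach" {
  count             = var.flag_attach_runtask ? 1 : 0
  workspace_id      = data.tfe_workspace.workspace.id
  task_id           = var.runtask_id
  enforcement_level = var.runtask_enforcement_level # "mandatory": a failed task blocks the apply
  stage             = var.runtask_stage             # "post_plan": validate the planned IAM changes
}

# Constructed sample of an invalid policy, gated by flag_deploy_invalid_resource.
# The action name is misspelled, which is the kind of defect policy validation
# is meant to surface before the resource is ever created.
resource "aws_iam_policy" "policy_with_invalid_action" {
  count = var.flag_deploy_invalid_resource ? 1 : 0
  name  = "runtask-demo-invalid-action" # hypothetical name for this example
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObjects"] # typo: no such IAM action
      Resource = "*"
    }]
  })
}
```

Because the run task runs post-plan, the invalid policy is reported before `terraform apply` reaches AWS, so nothing has to be rolled back.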

Requirements

Name       Version
terraform  >= 1.0.7
aws        >=5.72.0
tfe        >=0.38.0

Providers

Name  Version
aws   >=5.72.0
tfe   >=0.38.0

Modules

No modules.

Resources

Name                                                    Type
aws_cloudwatch_log_group.sample_log                     resource
aws_iam_policy.policy_with_computed_values              resource
aws_iam_policy.policy_with_data_source                  resource
aws_iam_policy.policy_with_eof                          resource
aws_iam_role.invalid_assume_role                        resource
aws_iam_role_policy.invalid_iam_role_policy             resource
aws_kms_key.invalid_kms_key_policy                      resource
aws_organizations_policy.invalid_scp_policy             resource
tfe_workspace_run_task.aws-iam-analyzer-attach          resource
aws_caller_identity.current_account                     data source
aws_iam_policy_document.invalid_kms_key_policy          data source
aws_iam_policy_document.policy_with_data_source         data source
aws_partition.current_partition                         data source
aws_region.current_region                               data source
tfe_organization.org                                    data source
tfe_workspace.workspace                                 data source

Inputs

Name                          Description                                                                               Type    Default      Required
aws_region                    The region from which this module will be executed.                                       string  n/a          yes
demo_workspace_name           The workspace name                                                                        string  n/a          yes
runtask_id                    The run task id of the IAM Access Analyzer run task                                       string  n/a          yes
tfc_org                       Terraform Organization name                                                               string  n/a          yes
flag_attach_runtask           Switch this flag to true to attach the run task to the workspace                          bool    false        no
flag_deploy_invalid_resource  Switch this flag to true to deploy sample invalid IAM policy and validate it with Run Task bool    false        no
runtask_enforcement_level     The description given to the attached run task (optional)                                 string  "mandatory"  no
runtask_stage                 The description given to the attached run task (optional)                                 string  "post_plan"  no

Outputs

No outputs.