Updated template (#4)

* Updated template

---------

Co-authored-by: Joeri Malmberg <joeri.malmberg@blackbird.cloud>

.github/workflows/aws_deployment.yml

@@ -12,35 +12,47 @@ jobs:
   changes:
     runs-on: ubuntu-latest
     outputs:
-      accounts: ${{ steps.filter.outputs.changes }}
+      accounts: ${{ steps.changes.outputs.all_changed_files }}
     steps:
-      - uses: actions/checkout@v3
-      - uses: dorny/paths-filter@v2
-        id: filter
+      - name: Checkout
+        uses: actions/checkout@v4
         with:
-          filters: |
-            management:
-              - 'cloud/management/**'
+          fetch-depth: 0
+
+      - uses: tj-actions/changed-files@v41
+        id: changes
+        with:
+          path: cloud
+          dir_names: "true"
+          dir_names_max_depth: 1
+          json: true
+          quotepath: false
+          escape_json: false
+
   RunApply:
     runs-on: ubuntu-latest
     needs: changes
     strategy:
       matrix:
         account: ${{ fromJSON(needs.changes.outputs.accounts) }}
+    continue-on-error: true 
     container: blackbirdcloud/terraform-toolkit:0.0.8
     steps:
       - name: Git clone the repository
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
+
       - name: change --global to --system
-        run: git config --global --add safe.directory /__w/my-project-name/my-project-name
+        run: git config --global --add safe.directory /__w/YOURPROJECTNAME/YOURPROJECTNAME
+
       - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ vars.AWS_IAM_ROLE }}
           role-session-name: github-action
           aws-region: ${{ vars.AWS_REGION }}
+
       - name: apply
         working-directory: ./cloud/${{ matrix.account }}
         run: terragrunt run-all apply --terragrunt-fetch-dependency-output-from-state --terragrunt-non-interactive --terragrunt-ignore-external-dependencies --terragrunt-download-dir=../../.terragrunt-cache

.terragrunt-version

@@ -0,0 +1 @@
+0.54.1

README.md

@@ -13,39 +13,55 @@ This Repository includes:
     * AWS Organizations
     * AWS IAM Identity Center
     * AWS Cloudformation StackSets
-    * AWS S3 bucket for Terraform state storage.
     * AWS KMS key for Terraform state encryption.
+    * AWS S3 bucket for Terraform state storage.
+    * AWS KMS key for audit log encryption.
+    * AWS S3 bucket for audit log collection.
+    * AWS Cloudtrial organization configuration.
 * GitOps (GitHub Action) pipeline
 
 ## How to deploy
 
 1. Create an AWS Account [here](https://portal.aws.amazon.com/billing/signup#/start/email]), name it management. Select the region you would like to deploy your resources to, write down the region and account id.
-2. Navigate to AWS Cloudformation => Stacks, and manually deploy both `stacks/github-oidc-provider.yaml` and `stacks/terraform-state.yaml`.
-    * For the GitHub oidc provider stack, fill in `SubjectClaimFilters` with the following data relating to your infra repo `repo:YOUR_GITHUB_ORGANIZATION/YOUR_GITHUB_REPOSITORY_NAME:ref:refs/heads/BRANCH_NAME` we advise to deploy use `main` as branch name. This is nessecary to make sure that only GitHub Actions that run on the main branch are allowed to plan and apply changes on AWS. Make sure to protect your main branch, as it will receive AdministratorAccess on your AWS cloud. Once the stack has been created, navigate to its resources, and note down the arn of created IAM role.
-    * Once the terraform state stack has been created, note down the bucket name, it will be used as the state bucket for the next steps.
-3. Create 2 variables on GitHub -> Settings -> Secrets and variables -> Actions -> Variables
-    * `AWS_IAM_ROLE`: fill in `IAM Role ARN` created by github-oidc-provider stack
+2. Navigate to Security Credentials, and register a MFA device for your root account.
+3. Navigate to your Account page in the Billing console, and enable acces for IAM users.
+4. Select the region in which you would like to create your AWS resources.
+5. Navigate to AWS Cloudformation => Stacks, and manually deploy the following stack templates in the specified order: `stacks/github-oidc-provider.yaml`, `stacks/github-oidc-role.yaml`, `stacks/terraform-state.yaml`, and `stacks/iam-role.yaml`.
+    * For the Github oidc role stack, fill in `GitHubIdentityProviderArn` with the ARN of the IDP created on the `github-oidc-provider` stack. Fill in `SubjectClaimFilters` with the following data relating to your infra repo `repo:YOUR_GITHUB_ORGANIZATION/YOUR_GITHUB_REPOSITORY_NAME:ref:refs/heads/BRANCH_NAME` we advise to deploy use `main` as branch name. This is nessecary to make sure that only GitHub Actions that run on the main branch are allowed to plan and apply changes on AWS. Make sure to protect your main branch, as it will receive AdministratorAccess on your AWS cloud. Once the stack has been created, navigate to its resources, and note down the arn of created IAM role. For `GitHubActionsJumpRoleName` use the same name as you will on the `iam-role` stack `RoleName` parameter.
+    * For the `terraform-state` stack, fill in `GithubActionsRoleArn` with the role ARN created in the `github-oidc-role` stack. Once the terraform state stack has been created, note down the bucket name, it will be used as the state bucket for the next steps.
+    * For the `iam-role` stack, fill in `PrincipalARN` with the role ARN created in the `github-oidc-role` stack. Make sure to write down the Role name, and configure it in `globals.hcl` at `github_role_name`. Under `ManagedPolicyARNs` one can configure `arn:aws:iam::aws:policy/AdministratorAccess`.
+6. Create 2 variables on GitHub -> Settings -> Secrets and variables -> Actions -> Variables
+    * `AWS_IAM_ROLE`: fill in `IAM Role ARN` created by github-oidc-role stack
     * `AWS_REGION`: fill in your selected AWS region.
-4. On `.github/workflows/aws_deployment.yml` update all occurences of `<my-project-name>` to your github repository name, line 37.
-
-5. On `cloud/global.hcl` enter all the required information at the `Enter manually` block.
-6. On` cloud/management/terragrunt.hcl` enter all the information under `Enter manually` block. Use the bucket name created by `stacks/terraform-state.yaml` for `bucket_name`, and enter the account id from the AWS account you created in step 1.
-7. Go to `cloud/00-organization/terragrunt.hcl` and fill in the primary, operational, securit, and billing contact information.
-
-8. (Optional) If your IDP supports provisioning users and groups, you can skip this step, and delete the `cloud/management/02-iam-sso/01-users` folder, and the `cloud/management/02-iam-sso/02-groups` folder.
+7. On `.github/workflows/aws_deployment.yml` update all occurences of `<my-project-name>` to your github repository name, line 46.
+8. On `global.hcl` enter all the required information at the `Enter manually` block.
+9. On `cloud/management/terragrunt.hcl` enter all the information under `Enter manually` block. Remember to do the same for the other account their terragrunt files.
+10. Go to `cloud/management/00-organization/terragrunt.hcl` and fill in the local values under `Enter manually`, and under inputs fill in the primary, operational, securit, and billing contact information. Configure the accounts you would like to create.
+11. (Optional) If your IDP supports provisioning users and groups, you can skip this step, and delete the `cloud/management/02-iam-sso/01-users` folder, and the `cloud/management/02-iam-sso/02-groups` folder.
     * Create the users list on `cloud/management/02-iam-sso/01-users/terragrunt.hcl`, you can remove `john.doe@email.com`.
     *    `cloud/management/02-iam-sso/02-groups/terragrunt.hcl` enter the groups with the users you would like to create. Make sure to assign the users created by adding multiple `dependency.users.outputs.users["USER_EMAIL"].user_id` and replace `USER_EMAIL` with the actual email.
     * On initial run align the `mock_output` value of `dependency "users"` with `01-users`, make sure all emails registered `01-users` are `listed`. `user_id` value can be left `"user_id"`
 
-10. (Optional) On `cloud/management/02-iam-sso/03-permission-sets/terragrunt.hcl` enter the permission-sets you would like to create. We have included some commonly used permission-sets.
-11. (Optional) On `cloud/management/02-iam-sso/04-account-assignment/terragrunt.hcl` assign accounts and permission-sets, to users and groups. The default value will deploy the `AdministratorAccess` permission set for the Administrators group.
-12. Commit and push, it will trigger the pipeline to run.
-    * It will *fail* initially
-13. Then there are a few steps to be taken before re-runing the pipeline
+12. (Optional) On `cloud/management/02-iam-sso/03-permission-sets/terragrunt.hcl` enter the permission-sets you would like to create. We have included some commonly used permission-sets.
+13. (Optional) On `cloud/management/02-iam-sso/04-account-assignment/terragrunt.hcl` assign accounts and permission-sets, to users and groups. The default value will deploy the `AdministratorAccess` permission set for the Administrators group.
+14. Commit and push, it will trigger the pipeline to run.
+    * It will succesfuly create your AWS organization, and *fail* to create all other modules after that.
+15. Then there are a few steps to be taken before re-runing the pipeline
     * Open your AWS web console and navigate to Cloudformation => StackSets, then enable trusted access.
     * Open your AWS web console and navigate to IAM Identity Center, then click on enable.
-    * Open your AWS web console and navigate to IAM Identity Center => Settings. At the identity source tab, click Actions and select change identity source. Read the documentation [here](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source.html) to proceed depending your Organization's IDP.
-14. Re-run the pipeline and all IAM and StackSets should now deploy succesfully. 
+    * You can now choose to use the AWS IAM Center Identity Directory, or configure your own Directory. Read the documentation [here](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source.html) to proceed depending your Organization's IDP.
+    * If you choose to use the AWS IAM Identity Center Directory:
+        * Configure the MFA settings.
+        * On settings => Authentication, enable `Send email OTP for users created from API`.
+16. Re-run the failed pipeline and all IAM and StackSets should now deploy succesfully.
+17. On `cloud/logs/terragrunt.hcl` enter all the information under `Enter manually` block. Remember to do the same for the other account their terragrunt files.
+18. On `cloud/keys/terragrunt.hcl` enter all the information under `Enter manually` block. Remember to do the same for the other account their terragrunt files.
+19. On `policies.hcl` replace `YOUR_KEYS_ACCOUNT_ID` with the keys account ID.
+20. On `global.hcl` enter `management_account_id` and `logs_account_id`.
+21. The pipeline jobs will fail because of missing dependencies, so you will have to retry them a few times until everything has been created.
+22. Configure AWS profiles with AdminstratorAccess permissions on your local machine for all created AWS accounts.
+23. Update `global.hcl` `remote_state_bucket` to the bucket created at `cloud/management/04-terraform-state/01-bucket`
+24. You can now migrate the Terraform state to the newly created Terraform state bucket, and delete the `terraform-state` Cloudformation stack when finished. If you open a termimal in the `cloud` directory, you can execute `terragrunt --terragrunt-non-interactive run-all init -migrate-state -input=true`, you will manually have to enter "yes" a number of times.
 
 ## Troubleshooting
 

cloud/keys/01-account/terragrunt.hcl

@@ -0,0 +1,15 @@
+include {
+  path = find_in_parent_folders()
+}
+
+include "remote_state" {
+  path = find_in_parent_folders("remote_state.hcl")
+}
+
+terraform {
+  source = "tfr:///blackbird-cloud/account-info/aws//?version=1.0.2"
+}
+
+inputs = {
+  aws_sso_permission_sets = ["AdministratorAccess"]
+}

cloud/keys/10-keys/01-terraform-state/terragrunt.hcl

@@ -0,0 +1,64 @@
+include {
+  path = find_in_parent_folders()
+}
+
+include "remote_state" {
+  path = find_in_parent_folders("remote_state.hcl")
+}
+
+dependency "account" {
+  config_path = "../..//01-account"
+}
+
+locals {
+  policies = read_terragrunt_config(find_in_parent_folders("policies.hcl")).locals
+  global   = read_terragrunt_config(find_in_parent_folders("global.hcl")).locals
+}
+
+terraform {
+  source = "tfr:///blackbird-cloud/kms-key/aws//?version=1.0.0"
+}
+
+inputs = {
+  name = "terraform-state"
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Id": "mykey-policy",
+    "Statement": [
+       ${local.policies.statements.keys_account_root},
+        {
+          "Sid": "Allow keys account Administrators to manage the KMS key.",
+          "Effect": "Allow",
+          "Principal": {
+              "AWS": [
+                "${dependency.account.outputs.sso_roles.AdministratorAccess.arn}",
+                "arn:aws:iam::${dependency.account.outputs.account_id}:role/${local.global.github_role_name}"
+              ]
+          },
+          "Action": ${local.policies.actions.key_admin},
+          "Resource": "*"
+        },
+        {
+          "Sid": "Allow management account to assign usage of the KMS key.",
+          "Effect": "Allow",
+          "Principal": {
+              "AWS": "arn:aws:iam::${local.global.management_account_id}:root"
+          },
+          "Action":${local.policies.actions.key_usage},
+          "Resource": "*"
+        },
+        {
+          "Sid": "Allow GitHub bootstrap usage of the KMS key.",
+          "Effect": "Allow",
+          "Principal": {
+              "AWS": "${local.global.github_actions_state_role_arn}"
+          },
+          "Action": ${local.policies.actions.key_usage},
+          "Resource": "*"
+        }
+    ]
+}
+EOF
+}