A module that enables automatic rotation of AWS IAM credentials and sets them up in a Terraform Cloud (TFC) workspace to meet security/compliance standards.

Developers/end-users never need to access the AWS management console to deploy resources. An administrator initially deploys this module in a workspace with their own credentials and the appropriate policies. After deployment, the Lambda function in this module is executed: it creates a new AWS access key and stores it as sensitive environment variables in the TFC workspace. Hence the developer/end-user never sees these credentials and can start using the TFC workspace for infrastructure deployments.
In addition, the `tfc_deployer_user_credential_renewal` variable customizes the rotation interval (in days). A cron expression schedules the check of the key's validity. If, for example, `tfc_deployer_user_credential_renewal=10` and the Lambda function computes that the access key is older than 10 days, the key is deleted and a new one is created.
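The rotation decision and the create-then-publish-then-delete ordering described above, as an added example (not the module's own Lambda code). IAM calls and the TFC publish step are injected so it runs offline: `FakeIAM`, the `publish` callable and the `AKIANEW…` key ids are constructed, and `tfc_var_payload` assumes the JSON:API body shape of the TFC v2 workspace-variables endpoint.

```python
from datetime import datetime, timedelta, timezone

def key_is_expired(create_date, renewal_days, now):
    """True when the key is older than tfc_deployer_user_credential_renewal days."""
    return now - create_date > timedelta(days=renewal_days)

def tfc_var_payload(key, value, var_id=None):
    """JSON:API body for a sensitive env variable (assumed shape of TFC v2 /vars)."""
    data = {"type": "vars", "attributes": {"key": key, "value": value,
            "category": "env", "hcl": False, "sensitive": True}}
    if var_id:  # updating an existing variable (PATCH) also carries its id
        data["id"] = var_id
    return {"data": data}

def rotate(iam, publish, user, renewal_days, force=False, now=None):
    """Create the new key and publish it to TFC *before* deleting the old one, so
    the workspace never holds a deleted key. Returns the new key id, or None
    when no key is due. A missing key (first run after deployment) is always created."""
    now = now or datetime.now(timezone.utc)
    keys = iam.list_keys(user)
    stale = [k for k in keys if force or key_is_expired(k["CreateDate"], renewal_days, now)]
    if keys and not stale:
        return None
    if len(keys) >= 2:  # IAM allows two access keys per user: free a slot first
        oldest = min(stale, key=lambda k: k["CreateDate"])
        iam.delete_key(user, oldest["AccessKeyId"])
        stale.remove(oldest)
    new = iam.create_key(user)
    publish("AWS_ACCESS_KEY_ID", new["AccessKeyId"])
    publish("AWS_SECRET_ACCESS_KEY", new["SecretAccessKey"])
    for k in stale:
        iam.delete_key(user, k["AccessKeyId"])
    return new["AccessKeyId"]

class FakeIAM:
    """Constructed offline stand-in for boto3 list/create/delete_access_key."""
    def __init__(self, keys):
        self.keys, self.n = list(keys), 0
    def list_keys(self, user):
        return list(self.keys)
    def create_key(self, user):
        self.n += 1
        key = {"AccessKeyId": f"AKIANEW{self.n}", "SecretAccessKey": f"s{self.n}",
               "CreateDate": datetime.now(timezone.utc)}
        self.keys.append(key)
        return key
    def delete_key(self, user, key_id):
        self.keys = [k for k in self.keys if k["AccessKeyId"] != key_id]
```

In a real deployment `iam` would wrap the boto3 IAM client and `publish` would POST or PATCH `tfc_var_payload(...)` to the workspace variables endpoint with the `tfc_token_credential_rotation` token.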
Requirements:

- Terraform Cloud/Enterprise organization and workspace
- Terraform Cloud/Enterprise API token

Features:

- Automated rotation of AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
- The deployed IAM user cannot modify itself (e.g. adding new policies); this must be done by an admin
- Customizable renewal time (in days) of the credentials via a cron expression
- In case of a compromise, renewal of the credentials can be enforced on the fly
- Use the module and define the IAM user's permissions:

```hcl
# Define the policy that needs to be attached to the IAM user.
# These wildcard actions are only an illustration; scope them to the
# services the workspace actually deploys.
data "aws_iam_policy_document" "credentials_rotation" {
  statement {
    effect = "Allow"
    actions = [
      "ec2:*",
      "iam:*",
      "s3:*",
      "events:*",
      "lambda:*",
      "dynamodb:*",
      "logs:*",
      "sns:*",
      "kms:*",
      "cloudformation:*",
      "rds:*",
      "execute-api:*",
      "secretsmanager:*",
      "autoscaling:*",
      "apigateway:*"
    ]
    resources = ["*"]
  }
}

locals {
  tfe_organization_name = "myOrga"
  tfe_workspace_name    = "tools-prod"
  tfe_workspace_id      = "ws-zumWwiRWbxziA"
}

# Create the policy
resource "aws_iam_policy" "credential_rotation" {
  name   = "${local.tfe_organization_name}-${local.tfe_workspace_name}-deployer-allow-policy"
  policy = data.aws_iam_policy_document.credentials_rotation.json
}

module "tfc-iam-credentials-rotation" {
  source  = "terraform-aws-modules/tfc-iam-credentials-rotation/aws"
  version = "1.0.0"

  tfc_workspace_id                     = local.tfe_workspace_id
  tfc_workspace_name                   = local.tfe_workspace_name
  tfc_organization_name                = local.tfe_organization_name
  tfc_token_credential_rotation        = "<tfe-api-token>"
  tfc_deployer_user_policies           = [aws_iam_policy.credential_rotation.arn]
  tfc_deployer_user_credential_renewal = 5
}
```
- Deploy the module with admin credentials (e.g. the xxxxx-admin_administrator role) and do not forget to set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN.
- If everything worked correctly you will see a similar result in the TFC UI.
- If you want to enforce the recreation of the IAM credentials, set `tfc_force_create_new_key="True"` and start another TFE run.
Requirements:

Name | Version |
---|---|
terraform | >= 1.0.0 |
aws | >= 3.75.0 |

Providers:

Name | Version |
---|---|
archive | 2.2.0 |
aws | 4.10.0 |
Modules: no modules.

Resources:

Name | Type |
---|---|
aws_cloudwatch_event_rule.tfc_deployer_cw_event_rule | resource |
aws_cloudwatch_event_target.tfc_deployer_cw_event_target | resource |
aws_cloudwatch_log_group.tfc_deployer_lambda_log_group | resource |
aws_iam_policy.tfc_deployer_user_policy | resource |
aws_iam_role.tfc_deployer_lambda_role | resource |
aws_iam_user.tfc_deployer_user | resource |
aws_iam_user_policy_attachment.tfc_deployer_user_policy | resource |
aws_iam_user_policy_attachment.tfc_deployer_user_policy_additional | resource |
aws_lambda_function.tfc_deployer_lambda | resource |
aws_lambda_permission.tfc_deployer_lambda_permissions | resource |
archive_file.tfc_deployer_lambda | data source |
aws_caller_identity.this | data source |
aws_iam_policy_document.tfc_deployer_lambda_policy_inline | data source |
aws_iam_policy_document.tfc_deployer_user_policy | data source |
aws_lambda_invocation.tfc_deployer_lambda_invocation | data source |
aws_region.this | data source |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
custom_ca_bundle_path | Path of a custom CA bundle for the AWS Lambda (must be uploaded with the zip file) | string | "" | no |
default_tags | Default tags to apply to all resources | map(any) | {} | no |
force_create_new_key | Enforce the creation of new IAM credentials | string | "False" | no |
region | Region to deploy resources to | string | "eu-central-1" | no |
ssl_verify | Activate/deactivate SSL verification for the Lambda that updates the credentials in TFC | string | "True" | no |
tfc_deployer_schedule_expression | Cron expression defining when to check the TFC credentials for validity | string | "cron(0 20 * * ? *)" | no |
tfc_deployer_user_credential_renewal | Age in days after which the credentials in TFC are renewed | number | 10 | no |
tfc_deployer_user_policies | List of policy ARNs to attach to the IAM user | list(string) | n/a | yes |
tfc_organization_name | Name of the TFC organization | string | n/a | yes |
tfc_token_credential_rotation | API token to authenticate against TFC to enable credential rotation | string | n/a | yes |
tfc_url | URL of TFC | string | "https://app.terraform.io" | no |
tfc_workspace_id | ID of the TFC workspace | string | n/a | yes |
tfc_workspace_name | Name of the TFC workspace | string | n/a | yes |
Outputs:

Name | Description |
---|---|
tfc_deployer_lambda_function_arn | ARN of the Lambda function that sets the credentials in TFC |
tfc_deployer_user_arn | ARN of the TFC deployer user |