initial commit

aws-ad-connector/README.md

@@ -0,0 +1,7 @@
+# bea-adc
+Module to deploy network resources and ad connector for use with AWS SSO
+
+## Input variables
+The variable adc-service-account-password needs to be supplied via environment variable. This prevents terraform
+from saving the password in tfstate or in the source code.
+

aws-ad-connector/locals.tf

@@ -0,0 +1,15 @@
+data "aws_caller_identity" "this" {}
+
+locals {
+  default-tags = merge({
+    ServiceProvider = "None"
+    Environment     = var.environment
+    Project         = var.project
+    Application     = var.application
+    TerraformMode   = "managed"
+    TerraformDir    = trimprefix(path.cwd, "/my/work/xpk-git/")
+    CreatedBy       = data.aws_caller_identity.this.arn
+    BuildDate       = formatdate("YYYYMMDD", timestamp())
+  })
+  resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
+}

aws-ad-connector/main.tf

@@ -0,0 +1,48 @@
+module "vpc-subnets" {
+  source = "../../modules/networking/vpc_subnets"
+
+  application                      = var.application
+  aws-region                       = var.aws-region
+  customer-name                    = var.customer-name
+  default-tags                     = local.default-tags
+  environment                      = var.environment
+  project                          = var.project
+  vpc-cidr                         = var.vpc-cidr
+  number-of-private-subnets-per-az = var.number-of-private-subnets-per-az
+  number-of-public-subnets-per-az  = var.number-of-public-subnets-per-az
+  create-nat-gateway               = false
+  enable-flow-log                  = true
+  vpcflowlog-retain-days           = 90
+  vpcflowlog-cwl-loggroup-key-arn  = ""
+  create-free-vpc-endpoints        = false
+}
+
+# S3 flow log needs to be created separately. it's not supported by vpc_subnets module
+resource "aws_flow_log" "vpc-log-s3" {
+  log_destination      = var.vpc-flowlog-bucket-arn
+  log_destination_type = "s3"
+  traffic_type         = "ALL"
+  vpc_id               = module.vpc-subnets.vpc_id
+}
+
+/*
+After adc is deployed by terraform, the following tasks need to be performed manually.
+They cannot be managed by terraform
+1. Edit security group created for adconnector. SG name is d-???_controllers
+2. Enable client LDAPS communication
+3. Setup maintenance notification through SNS
+4. Enable SSO application. Setting enable_sso in member account results in error. alias is deliberately not set
+*/
+
+module "adconnector" {
+  source = "../../modules/security_identity_compliance/ds-adconnector"
+
+  adc-dns-ips                  = var.adc-dns-ips
+  adc-domainname               = var.adc-domainname
+  adc-service-account-password = var.adc-service-account-password
+  adc-service-account-username = var.adc-service-account-username
+  adc-size                     = var.adc-size
+  adc-subnet-ids               = module.vpc-subnets.private-subnet-ids
+  adc-vpc-id                   = module.vpc-subnets.vpc_id
+  default-tags                 = local.default-tags
+}

aws-ad-connector/outputs.tf

@@ -0,0 +1,11 @@
+output "directory-id" {
+  value = module.adconnector.directory-id
+}
+
+output "security-group-id" {
+  value = module.adconnector.security-group-id
+}
+
+output "customer-dns-ip" {
+  value = module.adconnector.customer-dns-ip
+}

aws-ad-connector/provider.tf

@@ -0,0 +1,13 @@
+provider "aws" {
+  region = var.aws-region
+}
+
+terraform {
+  required_version = ">= 1.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.25"
+    }
+  }
+}

aws-ad-connector/terraform.tfvars

@@ -0,0 +1,15 @@
+aws-region                       = "ap-east-1"
+aws-region-short                 = "ape1"
+customer-name                    = "acme"
+environment                      = "preview"
+project                          = "sso"
+application                      = "sso"
+vpc-cidr                         = "10.37.54.0/24"
+number-of-public-subnets-per-az  = 0
+number-of-private-subnets-per-az = 1
+vpc-flowlog-bucket-arn           = "arn:aws:s3:::prd-vpc-flow-logs-894849410890"
+adc-domainname                   = "acme.com"
+adc-size                         = "Large"
+adc-dns-ips                      = ["10.135.72.66", "10.135.72.67"]
+adc-service-account-username     = "AWSSSOPRD"
+adc-enable-sso                   = true

aws-ad-connector/variables.tf

@@ -0,0 +1,22 @@
+variable "aws-region" {}
+variable "aws-region-short" {}
+variable "customer-name" {}
+variable "environment" {}
+variable "project" {}
+variable "application" {}
+variable "vpc-cidr" {}
+variable "number-of-private-subnets-per-az" {}
+variable "number-of-public-subnets-per-az" {}
+variable vpc-flowlog-bucket-arn {}
+variable "adc-domainname" {}
+variable "adc-size" {}
+variable "adc-dns-ips" {}
+variable "adc-service-account-username" {}
+variable "adc-service-account-password" {
+  type        = string
+  sensitive   = true
+  description = "Please supply ad svc account with environment variable (i.e. export TG_VAR_adc-service-account-password=xxx"
+  default     = ""
+}
+variable "adc-enable-sso" {}
+