updating structure and documentation

Author: chelseyklein

.gitignore

@@ -0,0 +1,17 @@
+# Local .terraform directories
+**/.terraform/*
+
+# Ignore variables files
+*.auto.tfvars
+
+# Ignore override files
+*.tfoverride
+
+
+
+# Ignore environment-specific files
+.envrc
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc

CONTRIBUTING.md

@@ -0,0 +1,30 @@
+## Local Development/Installation instructions
+
+1. Create personal AWS account
+2. Set up Terraform backend state storage in AWS
+  - create bucket
+  - create DynamoDB table
+2. Fork this repo
+  - clone the fork
+3. Install Terraform
+4. Install Terraform Docs
+5. Change Terraform backend 
+
+Step-by-step instructions help new contributors get a development environment up and running quickly.
+2. You'll want to find the balance between being specific enough for novices to follow, without being so specific that you reinvent the wheel by providing overly-basic instructions that can be found elsewhere.
+3. Feel free to adapt this section and its sub-sections to your own processes.
+4. Alternatively, you can move everything from *Installation instructions* through *Testing* to a separate **Contributing.md** file to keep your **ReadMe.md** more succinct.
+
+
+### Working with issues
+
+- Explain how to contribute to an existing issue.
+
+### Working with forks and branches
+
+- Explain your guidelines here.
+
+
+### Working with pull requests and reviews
+
+- Explain your process.

README.md

@@ -1,80 +1,26 @@
-Terraform directory structure
+# DevOps Security | AWS IAM Resources
 
-- 📁 [terraform](https://github.com/hackforla/ops-security/tree/cb/example/terraform)
-    - 📁  [aws-custom-policies](https://github.com/hackforla/ops-security/tree/cb/example/terraform/aws-custom-policies) - JSON configurations for customer-managed policies (AWS-managed policies are referenced by ARN and not needed here)
-        - 📁 [existing-policies](https://github.com/hackforla/ops-security/tree/cb/example/terraform/aws-custom-policies/existing-policies) - a few of our current policy configurations for reference
-    - 📁 [modules](https://github.com/hackforla/ops-security/tree/cb/example/terraform/modules) - reusable Terraform configurations
-    - 📄 [aws-custom-policies.tf](https://github.com/hackforla/ops-security/tree/cb/example/terraform/modules/aws-groups) - maintain custom policies here
-    - 📄 [aws-groups.tf](https://github.com/hackforla/ops-security/tree/cb/example/terraform/modules/aws-groups) - maintain groups here
-    - 📄 [aws-users.tf](https://github.com/hackforla/ops-security/tree/cb/example/terraform/modules/aws-users) - maintain users here
-
----
-# Project title and description
-
-Include a project description that explains **what** your project is and **why** it exists. Aim for no more than 3-5 concise sentences. For example, you might say:
-
-{Project Name} is a project of Hack for LA. Hack for LA is a brigade of a Code for America that exists to {your mission}. {Project Name} helps {target users} accomplish {goal of project}. The {app/site/thing you're building}'s main features include {very brief feature descriptions}.
-
-### Project context
-
-Civic projects often exist within a larger context that may include multiple stakeholders, historic relationships, associated research, or other details that are relevant but not *required* for direct contributions. Gathering these details in one place is useful, but the ReadMe isn't that place. Use this section to [link to a Google Doc](#) or other documentation repository where contributors can dig in if they so choose. This is also a good place to link to your Code of Conduct.
+DevOps Security is a code repository used to maintain Hack for L.A.'s AWS Identity Access Management (IAM) resources as code. This includes users, groups, policies, and roles.
 
 ### Technology used
 
-- Each platform or framework should get its own bullet.
-- Each platform should include an [active link](#) to the official documentation.
-
-
+- [Terraform]()
+- [Terraform Docs]()
+- [AWS CLI]()
 
 # How to contribute
 
 Explain the different ways people can contribute. For example:
 
-- Join the team {on Slack/at our weekly hack night/etc}.
-- To help with user research, {do ABC}.
-- To provide design support, {do XYZ}.
-- To contribute to the code, follow the instructions below.
+- Join the team on Slack or at our weekly CoP meetings.
+- To contribute to the codebase, follow the instructions below.
 
 Remember to provide direct links to each channel.
 
 
-
-## Installation instructions
-
-1. Step-by-step instructions help new contributors get a development environment up and running quickly.
-2. You'll want to find the balance between being specific enough for novices to follow, without being so specific that you reinvent the wheel by providing overly-basic instructions that can be found elsewhere.
-3. Feel free to adapt this section and its sub-sections to your own processes.
-4. Alternatively, you can move everything from *Installation instructions* through *Testing* to a separate **Contributing.md** file to keep your **ReadMe.md** more succinct.
-
-
-### Working with issues
-
-- Explain how to submit a bug.
-- Explain how to submit a feature request.
-- Explain how to contribute to an existing issue.
-
-To create a new issue, please use the blank issue template (available when you click New Issue).  If you want to create an issue for other projects to use, please create the issue in your own repository and send a slack message to one of your hack night hosts with the link.
-
-
-### Working with forks and branches
-
-- Explain your guidelines here.
-
-
-### Working with pull requests and reviews
-
-- Explain your process.
-
-
-### Testing
-
-- Provide instructions.
-
-
-
 # Contact info
 
-Include at least one way (or more, if possible) to reach your team with questions or comments.
+This repo is maintained by the Ops team. Reach out to our [CoP leads](https://github.com/hackforla/ops/wiki/Community#ops-community-of-practice-cop-leads) on Slack with questions or attend a [community meeting](https://github.com/hackforla/ops/wiki/CoP-Meetings)
 
 
 ### Licensing

terraform/.terraform.lock.hcl

@@ -0,0 +1,9 @@
+Terraform directory structure
+
+- 📁 [terraform](https://github.com/hackforla/ops-security/tree/cb/example/terraform)
+    - 📁  [aws-custom-policies](https://github.com/hackforla/ops-security/tree/cb/example/terraform/aws-custom-policies) - JSON configurations for customer-managed policies (AWS-managed policies are referenced by ARN and not needed here)
+        - 📁 [existing-policies](https://github.com/hackforla/ops-security/tree/cb/example/terraform/aws-custom-policies/existing-policies) - a few of our current policy configurations for reference
+    - 📁 [modules](https://github.com/hackforla/ops-security/tree/cb/example/terraform/modules) - reusable Terraform configurations
+    - 📄 [aws-custom-policies.tf](https://github.com/hackforla/ops-security/tree/cb/example/terraform/modules/aws-groups) - maintain custom policies here
+    - 📄 [aws-groups.tf](https://github.com/hackforla/ops-security/tree/cb/example/terraform/modules/aws-groups) - maintain groups here
+    - 📄 [aws-users.tf](https://github.com/hackforla/ops-security/tree/cb/example/terraform/modules/aws-users) - maintain users here

terraform/README.md

@@ -1,13 +1,13 @@
-module "aws_iam_policies" {
-  source   = "./modules/policies"
-  policies = {
-    "ManageAccessKeys" = {
-      description = "Policy for creating, listing, and updating Access Keys"
-      filename    = "manage-access-keys-policy.json"
-    },
-    "FullAccessPolicy" = {
-      description = "Full access to specific resources"
-      filename    = "full-access-policy.json"
-    }
-  }
-}
+# module "aws_iam_policies" {
+#   source   = "./modules/policies"
+#   policies = {
+#     "ManageAccessKeys" = {
+#       description = "Policy for creating, listing, and updating Access Keys"
+#       filename    = "manage-access-keys-policy.json"
+#     },
+#     "FullAccessPolicy" = {
+#       description = "Full access to specific resources"
+#       filename    = "full-access-policy.json"
+#     }
+#   }
+# }

terraform/aws-custom-policies.tf

@@ -1,42 +1,42 @@
-// Create groups and attach policies
+// Create read only group
 module "iam_read_only_group" {
-  source = "./modules/groups"
+  source = "./modules/aws-groups"
 
   group_name = "read-only-group"
-  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+  policy_arn = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
 }
 
-module "iam_project_admin_group" {
-  source = "./modules/groups"
-
-  group_name = "project-admin-group"
-  policy_arn = [ # here we can pass a list of policies that are aws managed or customer managed
-    "arn:aws:iam::aws:policy/SomeAWSPolicy",
-    module.iam_policies.policy_arns["ManageAccessKeys"]
-  ]
-}
-
-module "iam_ops_mentor_group" {
-  source = "./modules/groups"
-
-  group_name = "project-admin-group"
-  policy_arn = [ # here we can pass a list of policies that are aws managed or customer managed
-    "arn:aws:iam::aws:policy/SomeAWSPolicy",
-    "arn:aws:iam::aws:policy/SomeAWSPolicy",
-    "arn:aws:iam::aws:policy/SomeAWSPolicy",
-    "arn:aws:iam::aws:policy/SomeAWSPolicy",
-  ]
-}
-
-// Assign users to groups
-resource "aws_iam_group_membership" "project_admin_group_membership" {
-  name = "project_admin_group_membership"  # A unique name for the group membership
-
-  users = [
-    module.iam_user_gwenstacy.user_name,
-    module.iam_user_miles_morales.user_name,
-    "chelseybeck"
-  ]
-
-  group = module.iam_project_admin_group.group_name
-}
+// Create project admin group - this group is dependent on tagging resources
+# module "iam_project_admin_group" {
+#   source = "./modules/groups"
+
+#   group_name = "project-admin-group"
+#   policy_arn = [ # here we can pass a list of policies that are aws managed or customer managed
+#     "arn:aws:iam::aws:policy/SomeAWSPolicy",
+#     module.iam_policies.policy_arns["ManageAccessKeys"]
+#   ]
+# }
+
+// Create mentor group - need to discuss these permissions
+# module "iam_ops_mentor_group" {
+#   source = "./modules/groups"
+
+#   group_name = "ops-mentor-group"
+#   policy_arn = [ # here we can pass a list of policies that are aws managed or customer managed
+#     "arn:aws:iam::aws:policy/AdministratorAccess",
+#     "arn:aws:iam::035866691871:policy/ManageAccessKeys",
+#   ]
+# }
+
+// Create IAM management group -- 
+# module "iam_services_supervisor_group" {
+#   source = "./modules/groups"
+
+#   group_name = "iam-services-supervisor-group"
+#   policy_arn = [ # here we can pass a list of policies that are aws managed or customer managed
+#     "arn:aws:iam::aws:policy/AdministratorAccess",
+#     "arn:aws:iam::035866691871:policy/ManageAccessKeys",
+#   ]
+# }
+
+// Cost management group = "Cost-Management"

terraform/aws-groups.tf

@@ -0,0 +1,6 @@
+# module "iam_role_example" {
+#   source                = "./modules/roles"
+#   role_name             = "example_role"
+#   assume_role_principal = "ec2.amazonaws.com"
+#   policy_arn            = "arn:aws:iam::aws:policy/ExamplePolicy"
+# }

terraform/aws-roles.tf

@@ -1,21 +1,11 @@
 module "iam_user_gwenstacy" {
-  source = "./modules/users"
+  source = "./modules/aws-users"
 
   user_name = "gwenstacy"
   user_tags = {
     "Environment" = "Development"
     "Project"     = "spiderverse"
   }
-  pgp_key = "user_provided_public_key_here"
+  user_groups = ["read-only-group"]
+  # pgp_key = "keybase:chelseybeck"
 }
-
-module "iam_user_milesmorales" {
-  source = "./modules/users"
-
-  user_name = "miles_morales"
-  user_tags = {
-    "Environment" = "Production"
-    "Project"     = "spiderverse"
-  }
-  pgp_key = "user_provided_public_key_here"
-}

terraform/aws-users.tf

@@ -1,9 +1,9 @@
 terraform {
   backend "s3" {
-    bucket         = "my-terraform-state-bucket"   # Replace with S3 bucket name
-    key            = "path/to/terraform.tfstate" # Path to the state file within the bucket
-    region         = "us-west-2"                    # AWS region of the S3 bucket
-    dynamodb_table = "my-terraform-state-lock"     # DynamoDB table name for state locking
+    bucket         = "hfla-ops-terraform-state"          # Replace with S3 bucket name
+    key            = "devops-security/terraform.tfstate" # Path to the state file within the bucket
+    region         = "us-west-2"                         # AWS region of the S3 bucket
+    dynamodb_table = "hfla_ops_terraform_table"          # DynamoDB table name for state locking
     encrypt        = true
   }
 }