cool-images-vmimport

Terraform code to create resources needed to use the AWS VM Import/Export feature in the Images (Production) and Images (Staging) accounts in the COOL. This includes the vmimport service role and Images-VMImportExportAccess role for each account.

The vmimport service role is required by the VM Import/Export feature as specified in the Required service role section of the documentation.

The Images-VMImportExportAccess role is created to provide an assumable role with sufficient permissions to use the AWS CLI to perform VM Import/Export tasks as specified in the Required permissions for IAM users section of the documentation.

Pre-requisites

• Terraform installed on your system.
• An accessible AWS S3 bucket to store Terraform state (specified in backend.tf).
• An accessible AWS DynamoDB database to store the Terraform state lock (specified in backend.tf).
• Access to all of the Terraform remote states specified in remote_states.tf.
• The following COOL accounts and roles must have been created:
  • Images (Production and Staging): cisagov/cool-accounts/images
  • Terraform: cisagov/cool-accounts/terraform
  • Users: cisagov/cool-accounts/users
• Terraform in cisagov/cool-images-assessment-images must have been applied.

Requirements

Name	Version
terraform	~> 1.1
aws	~> 4.9

Providers

Name	Version
aws	~> 4.9
aws.images_production	~> 4.9
aws.images_staging	~> 4.9
aws.users	~> 4.9
terraform	n/a

Modules

Name	Source	Version
read_terraform_state	github.com/cisagov/terraform-state-read-role-tf-module	n/a

Resources

Name	Type
aws_iam_policy.vmimport_production	resource
aws_iam_policy.vmimport_staging	resource
aws_iam_policy.vmimportexportaccess_production	resource
aws_iam_policy.vmimportexportaccess_staging	resource
aws_iam_role.vmimport_production	resource
aws_iam_role.vmimport_staging	resource
aws_iam_role.vmimportexportaccess_production	resource
aws_iam_role.vmimportexportaccess_staging	resource
aws_iam_role_policy_attachment.vmimport_production	resource
aws_iam_role_policy_attachment.vmimport_staging	resource
aws_iam_role_policy_attachment.vmimportexportaccess_production	resource
aws_iam_role_policy_attachment.vmimportexportaccess_staging	resource
aws_caller_identity.default	data source
aws_caller_identity.users	data source
aws_iam_policy_document.vmimport_assume_role	data source
aws_iam_policy_document.vmimport_production	data source
aws_iam_policy_document.vmimport_staging	data source
aws_iam_policy_document.vmimportexportaccess_assume_role	data source
aws_iam_policy_document.vmimportexportaccess_production	data source
aws_iam_policy_document.vmimportexportaccess_staging	data source
terraform_remote_state.assessment_images	data source
terraform_remote_state.images_production	data source
terraform_remote_state.images_staging	data source
terraform_remote_state.terraform	data source
terraform_remote_state.users	data source

Inputs

Name	Description	Type	Default	Required
aws_region	The AWS region to deploy into (e.g. us-east-1).	string	"us-east-1"	no
read_terraform_state_role_name	The name to associate with the IAM role and attached policy that allows read-only access to the cool-images-vmimport state in the S3 bucket where Terraform state is stored.	string	"ReadImagesVMImportTerraformState"	no
tags	Tags to apply to all AWS resources created.	map(string)	{}	no
vmimport_policy_description	The description to associate with the IAM policy that allows the permissions necessary for the vmimport service role to allow VM import/export functionality.	string	"Allows permissions necessary for the AWS VM Import/Export feature to function using the specified resources."	no
vmimport_policy_name	The name to associate with the IAM policy that allows the permissions necessary for the vmimport service role to allow VM import/export functionality.	string	"Images-ServiceRoleAccess-vmimport"	no
vmimport_role_description	The description to associate with the vmimport service role.	string	"The service role that is required by the AWS VM Import/Export feature to function in this account."	no
vmimportexportaccess_role_description	The description to associate with the IAM role and attached policy that allows the permissions necessary to use the VM Import/Export feature with the AWS CLI.	string	"Allows permissions necessary to use the AWS VM Import/Export feature with the AWS CLI."	no
vmimportexportaccess_role_name	The name to associate with the IAM role and attached policy that allows the permissions necessary to use the VM Import/Export feature with the AWS CLI.	string	"Images-VMImportExportAccess"	no

Outputs

Name	Description
read_terraform_state	The IAM policies and role that allow read-only access to the cool-images-vmimport state in the Terraform state bucket.
vmimport_role_production	The ARN for the vmimport service role in the Images (Production) account.
vmimport_role_staging	The ARN for the vmimport service role in the Images (Staging) account.
vmimportexportaccess_role_production	The IAM role that can be assumed to manage VM Import/Export tasks in the Images (Production) account.
vmimportexportaccess_role_staging	The IAM role that can be assumed to manage VM Import/Export tasks in the Images (Staging) account.

Notes

Running pre-commit requires running terraform init in every directory that contains Terraform code. In this repository, this is only the main directory.

Contributing

We welcome contributions! Please see CONTRIBUTING.md for details.

License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.