-
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmetastructure.yml
152 lines (149 loc) · 5.66 KB
/
metastructure.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
# ******************* DO NOT EDIT THIS NOTICE *****************
# This legal notice is added to every supported source code
# file at every commit. See the README for more info!
# *************************************************************
config_override_path: src/metastructure.local.yml
organization:
id: my-organization-id
aws_region: us-east-1
key_accounts:
log_archive: log_archive
master: master
terraform_state: shared_services
tokens:
domain: gmail.com
owner: my-email
namespace: namespace-000
audit_log: audit-logs
s3_access_log: s3-access-logs
accounts:
dev:
name: Development Account
email: '{{organization.tokens.owner}}+{{organization.tokens.namespace}}-dev@{{organization.tokens.domain}}'
organizational_unit: dev
log_archive:
name: Log Archive Account
email: '{{organization.tokens.owner}}+{{organization.tokens.namespace}}-log_archive@{{organization.tokens.domain}}'
organizational_unit: security
master:
name: Master Account
email: '{{organization.tokens.owner}}+{{organization.tokens.namespace}}-master@{{organization.tokens.domain}}'
prod:
name: Production Account
email: '{{organization.tokens.owner}}+{{organization.tokens.namespace}}-prod@{{organization.tokens.domain}}'
organizational_unit: prod
test:
name: Testing Account
email: '{{organization.tokens.owner}}+{{organization.tokens.namespace}}-test@{{organization.tokens.domain}}'
organizational_unit: test
shared_services:
name: Shared Services Account
email: '{{organization.tokens.owner}}+{{organization.tokens.namespace}}-shared_services@{{organization.tokens.domain}}'
organizational_unit: infrastructure
organizational_units:
dev:
name: Dev Workloads OU
parent: workloads
infrastructure:
name: Infrastructure OU
prod:
name: Prod Workloads OU
parent: workloads
security:
name: Security OU
test:
name: Test Workloads OU
parent: workloads
workloads:
name: Workloads OU
sso:
start_url: https://my-sso-domain.awsapps.com/start#/
groups:
terraform_admin:
name: TerraformAdmin
description: Terraform administrators can create & manage all resources in all accounts.
account_permission_sets: terraform_admin
terraform_deployment:
name: TerraformDeployment
description: Terraform deployment users can create & manage all unprotected resources in all accounts.
account_permission_sets: terraform_deployment
permission_sets:
terraform_admin:
name: TerraformAdmin
description: Permits creation & management of all resources.
policies:
- AdministratorAccess
- sso_terraform_state_writer
terraform_deployment:
name: TerraformDeployment
description: Permits creation & management of all unprotected resources.
policies:
- unprotected_resource_writer
- sso_terraform_state_writer
# Maps customer-managed policy name to policy document token.
policies:
sso_terraform_state_writer:
name: SSOTerraformStateWriter
description: Permits writing to the Terraform state bucket & state lock table.
unprotected_resource_writer:
name: UnprotectedResourceWriter
description: Permits creation & management of unprotected resources.
users:
test:
email: '{{organization.tokens.owner}}@{{organization.tokens.domain}}'
display_name: Test User
groups: terraform_admin
name:
given_name: Test
family_name: User
applications:
api:
environments:
bali:
account: dev
dev:
account: dev
prod:
account: prod
release:
account: test
seattle:
account: dev
terraform:
aws_version: '>= 5.56.1'
paths: src
state:
bucket: '{{#if organization.tokens.namespace}}{{organization.tokens.namespace}}-{{/if}}terraform-state'
key: terraform.tfstate
lock_table: terraform-state-lock
terraform_version: '>= 1.9.0'
workspaces:
bootstrap:
# For info on overriding CLI defaults, see https://github.com/karmaniverous/metastructure/wiki/Running-Metastructure#cli-overrides
cli_defaults:
# Remove assume_role & aws_profile (or override them with null) to enable SSO.
assume_role: OrganizationAccountAccessRole
aws_profile: META-000-BOOTSTRAP
# Uncomment permission_set (or override it elsewhere) to enable SSO.
# permission_set: terraform_admin
# Remove use_local state (or override it with false) to migrate to remote state.
use_local_state: true
cli_defaults_path: src/bootstrap/workspace.local.yml
path: src/bootstrap
shared_config_path: src/bootstrap/_shared_config.local
generators:
src/bootstrap/_accounts.tf: src/bootstrap/templates/accounts.hbs
src/bootstrap/_backend.tf: src/templates/backend.hbs
src/bootstrap/_organizational_units.tf: src/bootstrap/templates/organizational_units.hbs
src/bootstrap/_outputs.tf: src/bootstrap/templates/outputs.hbs
src/bootstrap/_providers.tf: src/templates/providers.hbs
src/bootstrap/_s3_access_logs.tf: src/bootstrap/templates/s3_access_logs.hbs
src/bootstrap/_shared_config.local: src/templates/shared_config.hbs
src/bootstrap/_sso_terraform_state_writer.tf: src/bootstrap/templates/sso_policies/terraform_state_writer.hbs
src/bootstrap/_sso_unprotected_resource_writer.tf: src/bootstrap/templates/sso_policies/unprotected_resource_writer.hbs
src/bootstrap/_sso.tf: src/bootstrap/templates/sso.hbs
src/bootstrap/_terraform.tf: src/templates/terraform.hbs
src/modules/global/_outputs.tf: src/modules/global/outputs.hbs
partials:
header_generated: src/partials/header_generated.hbs
provider: src/partials/provider.hbs