add aws deployment

Author: arielb135

src/integrations/aws_integration_automation/examples/account_integration.tf

@@ -0,0 +1,53 @@
+# Example: AWS Account Integration with Jit
+# This example shows how to integrate a single AWS account with Jit
+
+terraform {
+  required_version = ">= 1.5"
+  
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0"
+    }
+  }
+}
+
+# Configure the AWS Provider
+provider "aws" {
+  region = "us-east-1"
+}
+
+# Single Account Integration Module
+module "jit_aws_account_integration" {
+  source = "../"
+  
+  # Jit API Configuration
+  jit_client_id = var.jit_client_id  # Set via environment variable or terraform.tfvars
+  jit_secret    = var.jit_secret     # Set via environment variable or terraform.tfvars
+  jit_region    = "us"               # Use "eu" for European API endpoint
+  
+  # Integration Configuration
+  integration_type        = "account"
+  aws_regions_to_monitor = ["us-east-1", "us-west-2"]
+  
+  # Stack Configuration
+  stack_name            = "JitAccountIntegration"
+  account_name         = "Production Account"        # Optional: Display name in Jit platform
+  resource_name_prefix = "JitProd"                  # Optional: Prefix for CloudFormation resources
+  
+  # CloudFormation Configuration
+  capabilities = ["CAPABILITY_NAMED_IAM"]
+}
+
+# Variables that should be defined in your root module or terraform.tfvars
+variable "jit_client_id" {
+  description = "Jit API Client ID"
+  type        = string
+  sensitive   = true
+}
+
+variable "jit_secret" {
+  description = "Jit API Secret"
+  type        = string
+  sensitive   = true
+}

src/integrations/aws_integration_automation/locals.tf

@@ -0,0 +1,32 @@
+locals {
+  # JIT API Configuration
+  jit_api_endpoint = var.jit_region == "us" ? "https://api.jit.io" : "https://api.eu.jit.io"
+  
+  # CloudFormation template URLs based on integration type
+  cloudformation_template_url = var.integration_type == "org" ? "https://jit-aws-prod.s3.amazonaws.com/jit_aws_org_integration_stack.json" : "https://jit-aws-prod.s3.amazonaws.com/jit_aws_integration_stack.json"
+  
+  # Resource name prefix with integration-specific defaults
+  resource_name_prefix = var.resource_name_prefix != null ? var.resource_name_prefix : (var.integration_type == "org" ? "JitOrg" : "Jit")
+  
+  # Base extra parameters for state token request
+  base_extra_params = {
+    regions_to_monitor = var.aws_regions_to_monitor
+    integration_type   = var.integration_type
+  }
+  
+  # Additional parameters for organization integration
+  org_extra_params = var.integration_type == "org" ? {
+    organizationRootId       = var.organization_root_id
+    shouldIncludeRootAccount = var.should_include_root_account
+  } : {}
+  
+  # State token request body with correct structure
+  state_token_request_body = {
+    vendor    = "aws"
+    token_ttl = 1440
+    extra     = merge(
+      local.base_extra_params,
+      local.org_extra_params
+    )
+  }
+} 

src/integrations/aws_integration_automation/main.tf

@@ -0,0 +1,141 @@
+# Authentication with JIT API to get access token
+data "http" "jit_auth" {
+  url    = "${local.jit_api_endpoint}/authentication/login"
+  method = "POST"
+  
+  request_headers = {
+    "Accept"       = "application/json"
+    "Content-Type" = "application/json"
+  }
+  
+  request_body = jsonencode({
+    clientId = var.jit_client_id
+    secret   = var.jit_secret
+  })
+  
+  lifecycle {
+    postcondition {
+      condition     = self.status_code == 200
+      error_message = "JIT authentication failed with status ${self.status_code}"
+    }
+  }
+}
+
+# Create state token using shell script resource
+resource "shell_script" "jit_state_token" {
+  triggers = {
+    client_id        = var.jit_client_id
+    integration_type = var.integration_type
+    regions          = join(",", var.aws_regions_to_monitor)
+    org_root_id      = var.organization_root_id
+  }
+  
+  environment = {
+    JIT_API_ENDPOINT      = local.jit_api_endpoint
+    STATE_TOKEN_BODY      = jsonencode(local.state_token_request_body)
+  }
+
+  sensitive_environment = {
+    JIT_AUTH_RESPONSE = data.http.jit_auth.response_body
+  }
+  
+  lifecycle_commands {
+    create = <<-EOT
+      ACCESS_TOKEN=$(echo "$JIT_AUTH_RESPONSE" | jq -r '.accessToken')
+      TOKEN=$(curl -s -X POST "$JIT_API_ENDPOINT/oauth/state-token" \
+        -H "Authorization: Bearer $ACCESS_TOKEN" \
+        -H "Accept: application/json" \
+        -H "Content-Type: application/json" \
+        -d "$STATE_TOKEN_BODY" \
+        | jq -r '.token')
+      echo "{\"token\": \"$TOKEN\"}"
+    EOT
+    
+    delete = "echo 'State token cleanup - no action needed'"
+  }
+  
+  lifecycle {
+    ignore_changes = [environment, sensitive_environment]
+  }
+  
+  interpreter = ["/bin/bash", "-c"]
+  
+  depends_on = [data.http.jit_auth]
+}
+
+# CloudFormation Stack for single account integration
+resource "aws_cloudformation_stack" "jit_integration_account" {
+  count = var.integration_type == "account" ? 1 : 0
+  
+  name          = var.stack_name
+  template_url  = local.cloudformation_template_url
+  capabilities  = var.capabilities
+  
+  parameters = {
+    "ExternalId"                = shell_script.jit_state_token.output["token"]
+    "ResourceNamePrefix"        = local.resource_name_prefix
+    "AccountName"               = var.account_name
+    "ShouldIncludeRootAccount"  = tostring(var.should_include_root_account)
+  }
+  
+  lifecycle {
+    prevent_destroy = true
+  }
+  
+  depends_on = [
+    data.http.jit_auth,
+    shell_script.jit_state_token
+  ]
+}
+
+# CloudFormation StackSet for organization integration
+resource "aws_cloudformation_stack_set" "jit_integration_org" {
+  count = var.integration_type == "org" ? 1 : 0
+  
+  name          = var.stack_name
+  template_url  = local.cloudformation_template_url
+  capabilities  = var.capabilities
+  
+  parameters = {
+    "ExternalId"                = shell_script.jit_state_token.output["token"]
+    "ResourceNamePrefix"        = local.resource_name_prefix
+    "OrganizationRootId"        = var.organization_root_id
+    "ShouldIncludeRootAccount" = tostring(var.should_include_root_account)
+  }
+  
+  # Auto deployment configuration for organization
+  auto_deployment {
+    enabled                          = true
+    retain_stacks_on_account_removal = false
+  }
+  
+  # Permission model for organization deployment
+  permission_model = "SERVICE_MANAGED"
+  
+  lifecycle {
+    prevent_destroy = true
+  }
+  
+  depends_on = [
+    data.http.jit_auth,
+    shell_script.jit_state_token
+  ]
+}
+
+# StackSet instances for organization integration (deploys to all accounts in org)
+resource "aws_cloudformation_stack_set_instance" "jit_integration_org_instance" {
+  count = var.integration_type == "org" ? 1 : 0
+  
+  stack_set_name         = aws_cloudformation_stack_set.jit_integration_org[0].name
+  deployment_targets {
+    organizational_unit_ids = [var.organization_root_id]
+  }
+  
+  operation_preferences {
+    region_concurrency_type = "PARALLEL"
+    max_concurrent_percentage = 100
+    failure_tolerance_percentage = 10
+  }
+  
+  depends_on = [aws_cloudformation_stack_set.jit_integration_org]
+}

src/integrations/aws_integration_automation/variables.tf

@@ -0,0 +1,84 @@
+variable "jit_client_id" {
+  description = "Client ID for Jit API authentication"
+  type        = string
+  sensitive   = true
+}
+
+variable "jit_secret" {
+  description = "Secret for Jit API authentication"
+  type        = string
+  sensitive   = true
+}
+
+variable "jit_region" {
+  description = "Jit API region - determines which endpoint to use"
+  type        = string
+  default     = "us"
+  validation {
+    condition     = contains(["us", "eu"], var.jit_region)
+    error_message = "The jit_region must be either 'us' or 'eu'."
+  }
+}
+
+variable "integration_type" {
+  description = "Type of AWS integration: 'account' for single account, 'org' for organization"
+  type        = string
+  validation {
+    condition     = contains(["account", "org"], var.integration_type)
+    error_message = "The integration_type must be either 'account' or 'org'."
+  }
+}
+
+variable "aws_regions_to_monitor" {
+  description = "List of AWS regions to monitor"
+  type        = list(string)
+  default     = ["us-east-1"]
+}
+
+variable "stack_name" {
+  description = "Name for the CloudFormation stack or stackset"
+  type        = string
+  default     = "JitIntegrationStack"
+}
+
+variable "account_name" {
+  description = "Optional account name alias to be used in Jit platform. If not provided, the account ID will be displayed."
+  type        = string
+  default     = ""
+}
+
+variable "resource_name_prefix" {
+  description = "Prefix to use for the resources created by the CloudFormation template"
+  type        = string
+  default     = null
+  validation {
+    condition = var.resource_name_prefix == null || (
+      length(var.resource_name_prefix) >= 1 && 
+      length(var.resource_name_prefix) <= 40 && 
+      can(regex("^[a-zA-Z0-9-_]*$", var.resource_name_prefix))
+    )
+    error_message = "The resource_name_prefix must be 1-40 characters and contain only alphanumeric characters, hyphens, and underscores."
+  }
+}
+
+variable "organization_root_id" {
+  description = "AWS Organization Root ID (required for org integration type). Must start with 'r-'"
+  type        = string
+  default     = ""
+  validation {
+    condition = var.organization_root_id == "" || can(regex("^r-[a-z0-9]{4,32}$", var.organization_root_id))
+    error_message = "The organization_root_id must be a valid organization root ID starting with 'r-' followed by 4-32 alphanumeric characters."
+  }
+}
+
+variable "should_include_root_account" {
+  description = "Whether to include the root account in organization integration"
+  type        = bool
+  default     = false
+}
+
+variable "capabilities" {
+  description = "CloudFormation capabilities required for stack creation"
+  type        = list(string)
+  default     = ["CAPABILITY_NAMED_IAM"]
+} 

src/integrations/aws_integration_automation/versions.tf

@@ -0,0 +1,25 @@
+terraform {
+  required_version = ">= 1.5"
+  
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0"
+    }
+    
+    http = {
+      source  = "hashicorp/http"
+      version = ">= 3.0"
+    }
+    
+    local = {
+      source  = "hashicorp/local"
+      version = ">= 2.0"
+    }
+    
+    shell = {
+      source  = "scottwinkler/shell"
+      version = ">= 1.7.0"
+    }
+  }
+}