feat: adding the initial module

Author: gambol99

.github/workflows/release.yml

@@ -0,0 +1,12 @@
+---
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  release:
+    uses: appvia/appvia-cicd-workflows/.github/workflows/terraform-module-release.yml@main
+    name: GitHub Release

.github/workflows/terraform.yml

@@ -0,0 +1,16 @@
+---
+name: Terraform
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  module-validation:
+    uses: appvia/appvia-cicd-workflows/.github/workflows/terraform-module-validation.yml@main
+    name: Module Validation
+    with:
+      working-directory: .

.gitignore

@@ -0,0 +1,32 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+# Other
+.DS_Store
+todo.md
+

.terraform.lock.hcl

@@ -0,0 +1,48 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.42.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudformation_stack.management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack) | resource |
+| [aws_cloudformation_stack_set.boundary](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource |
+| [aws_cloudformation_stack_set_instance.root](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource |
+| [aws_organizations_organization.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_capabilities"></a> [capabilities](#input\_capabilities) | The capabilities required to deploy the cloudformation template | `list(string)` | <pre>[<br>  "CAPABILITY_NAMED_IAM",<br>  "CAPABILITY_AUTO_EXPAND",<br>  "CAPABILITY_IAM"<br>]</pre> | no |
+| <a name="input_description"></a> [description](#input\_description) | The description of the cloudformation stack | `string` | n/a | yes |
+| <a name="input_enable_management_account"></a> [enable\_management\_account](#input\_enable\_management\_account) | Enable the deployment to the management account | `bool` | `false` | no |
+| <a name="input_max_concurrent_count"></a> [max\_concurrent\_count](#input\_max\_concurrent\_count) | The maximum number of concurrent deployments | `number` | `10` | no |
+| <a name="input_name"></a> [name](#input\_name) | The name of the cloudformation stack | `string` | n/a | yes |
+| <a name="input_parameters"></a> [parameters](#input\_parameters) | The parameters to pass to the cloudformation template | `map(string)` | `{}` | no |
+| <a name="input_region"></a> [region](#input\_region) | The region to deploy the cloudformation template | `string` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | The tags to apply to the cloudformation stack | `map(string)` | n/a | yes |
+| <a name="input_template"></a> [template](#input\_template) | The body of the cloudformation template to deploy | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_stack_instance_id"></a> [stack\_instance\_id](#output\_stack\_instance\_id) | The arn for the cloudformation stack instance when deployed to management account |
+| <a name="output_stack_set_arn"></a> [stack\_set\_arn](#output\_stack\_set\_arn) | The arn for the cloudformation stack set |
+<!-- END_TF_DOCS -->

README.md

@@ -0,0 +1,45 @@
+
+data "aws_organizations_organization" "current" {}
+
+## Create the default iam boundary used the pipelines
+# tfsec:ignore:aws-iam-no-policy-wildcards
+resource "aws_cloudformation_stack_set" "boundary" {
+  name             = var.name
+  capabilities     = var.capabilities
+  description      = var.description
+  parameters       = var.parameters
+  permission_model = "SERVICE_MANAGED"
+  template_body    = var.template
+  tags             = var.tags
+
+  operation_preferences {
+    failure_tolerance_count = 0
+    max_concurrent_count    = var.max_concurrent_count
+  }
+
+  auto_deployment {
+    enabled                          = true
+    retain_stacks_on_account_removal = true
+  }
+}
+
+## Deploy the permissive boundary to the organizational root 
+resource "aws_cloudformation_stack_set_instance" "root" {
+  deployment_targets {
+    organizational_unit_ids = [data.aws_organizations_organization.current.roots[0].id]
+  }
+  region         = var.region
+  stack_set_name = aws_cloudformation_stack_set.boundary.name
+}
+
+## Deployment of same stacko the management account
+resource "aws_cloudformation_stack" "management" {
+  count = var.enable_management_account ? 1 : 0
+
+  capabilities  = var.capabilities
+  name          = var.name
+  on_failure    = "ROLLBACK"
+  parameters    = var.parameters
+  tags          = var.tags
+  template_body = var.template
+}

main.tf

@@ -0,0 +1,11 @@
+output "stack_set_arn" {
+  description = "The arn for the cloudformation stack set"
+  value       = aws_cloudformation_stack_set.boundary.arn
+}
+
+output "stack_instance_id" {
+  description = "The arn for the cloudformation stack instance when deployed to management account"
+  value       = var.enable_management_account ? aws_cloudformation_stack.management[0].id : null
+}
+
+

outputs.tf

@@ -0,0 +1,49 @@
+variable "capabilities" {
+  description = "The capabilities required to deploy the cloudformation template"
+  type        = list(string)
+  default     = ["CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND", "CAPABILITY_IAM"]
+}
+
+variable "description" {
+  description = "The description of the cloudformation stack"
+  type        = string
+}
+
+variable "enable_management_account" {
+  description = "Enable the deployment to the management account"
+  type        = bool
+  default     = false
+}
+
+variable "max_concurrent_count" {
+  description = "The maximum number of concurrent deployments"
+  type        = number
+  default     = 10
+}
+
+variable "name" {
+  description = "The name of the cloudformation stack"
+  type        = string
+}
+
+variable "parameters" {
+  description = "The parameters to pass to the cloudformation template"
+  type        = map(string)
+  default     = {}
+}
+
+variable "region" {
+  description = "The region to deploy the cloudformation template"
+  type        = string
+}
+
+variable "tags" {
+  description = "The tags to apply to the cloudformation stack"
+  type        = map(string)
+}
+
+variable "template" {
+  description = "The body of the cloudformation template to deploy"
+  type        = string
+}
+

variables.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}