cisagov · cisagovbot · Mar 4, 2025 · Mar 4, 2025 · Mar 4, 2025 · Mar 4, 2025
@@ -170,6 +170,9 @@ jobs:
         uses: mxschmitt/action-tmate@v3
         if: env.RUN_TMATE
   test:
+    # TODO:  Figure out a plan to test in all environments, not just dev-a.
+    # See cisagov/skeleton-ansible-role-with-test-user#183 for more details.
+    environment: dev-a
     name: >-
       test (${{ matrix.scenario }}) -
       ${{ matrix.platform }}-${{ matrix.architecture }}
@@ -272,7 +275,12 @@ jobs:
           sudo apt-get install apparmor-utils
           sudo aa-disable /usr/sbin/unix_chkpwd
         if: ${{ startsWith(matrix.platform, 'fedora') }}
-      - name: Run molecule tests
+      - # This is an example of how to pass GHA secrets to Molecule
+        # via an environment variable.  See also
+        # molecule/default/converge.yml in this repository.
+        # env:
+        #   THIRD_PARTY_BUCKET: ${{ secrets.THIRD_PARTY_BUCKET }}
+        name: Run molecule tests
         run: >-
           molecule test
           --platform-name ${{ matrix.platform }}-${{ matrix.architecture }}

@@ -10,3 +10,5 @@ __pycache__
 ## Terraform ##
 .terraform
 .terraform.lock.hcl
+*.tfconfig
+*.tfvars
@@ -7,46 +7,90 @@ An Ansible role for setting up SSH access for the development team.
 
 ## Pre-requisites ##
 
-In order to execute the Molecule tests for this Ansible role in GitHub
-Actions, a build user must exist in AWS. The accompanying Terraform
-code will create the user with the appropriate name and
-permissions. This only needs to be run once per project, per AWS
-account. This user can also be used to run the Molecule tests on your
-local machine.
-
-Before the build user can be created, you will need a profile in your
-AWS credentials file that allows you to read and write your remote
-Terraform state.  (You almost certainly do not want to use local
-Terraform state for this long-lived build user.)  If the build user is
-to be created in the CISA COOL environment, for example, then you will
-need the `cool-terraform-backend` profile.
-
-The easiest way to set up the Terraform remote state profile is to
-make use of our
-[`aws-profile-sync`](https://github.com/cisagov/aws-profile-sync)
-utility. Follow the usage instructions in that repository before
-continuing with the next steps, and note that you will need to know
-where your team stores their remote profile data in order to use
+In order to execute the Molecule tests for this Ansible role in GitHub Actions,
+a test user must exist in AWS. The accompanying Terraform code will create the
+user with the appropriate name and permissions. This only needs to be run once
+per project, per AWS account. This user can also be used to run the Molecule
+tests on your local machine.
+
+Before the test user can be created, you will need a profile in your AWS
+credentials file that allows you to read and write your remote Terraform state.
+(You almost certainly do not want to use local Terraform state for this
+long-lived test user.)  If the test user is to be created in the CISA COOL
+environment, for example, then you will need the `cool-terraform-backend`
+profile.
+
+The easiest way to set up the Terraform remote state profile is to make use of
+our [`aws-profile-sync`](https://github.com/cisagov/aws-profile-sync) utility.
+Follow the usage instructions in that repository before continuing with the next
+steps, and note that you will need to know where your team stores their remote
+profile data in order to use
 [`aws-profile-sync`](https://github.com/cisagov/aws-profile-sync).
 
-To create the build user, follow these instructions:
+### Creating a test user ###
 
-```console
-cd terraform
-terraform init --upgrade=true
-terraform apply
-```
+You will need to create a test user for each environment that you use.  The
+following steps show how to create a test user for an environment named "dev".
+You will need to repeat this process for any additional environments.
+
+1. Change into the `terraform` directory:
+
+   ```console
+   cd terraform
+   ```
+
+1. Create a backend configuration file named `dev.tfconfig` containing the
+name of the bucket where "dev" environment Terraform state is stored - this file
+is required to initialize the Terraform backend in each environment:
+
+    ```hcl
+    bucket = "my-dev-terraform-state-bucket"
+    ```
+
+1. Initialize the Terraform backend for the "dev" environment using your backend
+   configuration file:
+
+    ```console
+    terraform init -backend-config=dev.tfconfig
+    ```
+
+    > [!NOTE]
+    > When performing this step for additional environments (i.e. not your first
+    > environment), use the `-reconfigure` flag:
+    >
+    > ```console
+    > terraform init -backend-config=other-env.tfconfig -reconfigure
+    > ```
+
+1. Create a Terraform variables file named `dev.tfvars` containing all
+required variables (currently only `terraform_state_bucket`):
+
+    ```hcl
+    terraform_state_bucket = "my-dev-terraform-state-bucket"
+    ```
+
+1. Create a Terraform workspace for the "dev" environment:
+
+    ```console
+   terraform workspace new dev
+   ```
+
+1. Initialize and upgrade the Terraform workspace, then apply the configuration
+   to create the test user in the "dev" environment:
+
+    ```console
+    terraform init -upgrade=true
+    terraform apply -var-file=dev.tfvars
+    ```
 
-Once the user is created you will need to update the [repository's
-secrets](https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets)
-with the new encrypted environment variables. This should be done
-using the
+Once the test user is created you will need to update the
+[repository's secrets](https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets)
+with the new encrypted environment variables. This should be done using the
 [`terraform-to-secrets`](https://github.com/cisagov/development-guide/tree/develop/project_setup#terraform-iam-credentials-to-github-secrets-)
-tool available in the [development
-guide](https://github.com/cisagov/development-guide). Instructions for
-how to use this tool can be found in the ["Terraform IAM Credentials
-to GitHub Secrets"
-section](https://github.com/cisagov/development-guide/tree/develop/project_setup#terraform-iam-credentials-to-github-secrets-).
+tool available in the
+[development guide](https://github.com/cisagov/development-guide). Instructions
+for how to use this tool can be found in the
+["Terraform IAM Credentials to GitHub Secrets" section](https://github.com/cisagov/development-guide/tree/develop/project_setup#terraform-iam-credentials-to-github-secrets-).
 of the Project Setup README.
 
 If you have appropriate permissions for the repository you can view
@@ -62,12 +106,14 @@ None.
 
 None.
 
+<!-- markdownlint-disable line-length -->
 <!--
 | Variable | Description | Default | Required |
 |----------|-------------|---------|----------|
-| optional_variable | Describe its purpose. | `default_value` | No |
-| required_variable | Describe its purpose. | n/a | Yes |
+| skeleton_with_test_user_bucket_name | The name of the AWS S3 bucket where the third-party files are stored. | None | Yes |
+| skeleton_with_test_user_license_object_name | The name of the AWS S3 object that is the third-party license. | `closed_source_tool.license` | No |
 -->
+<!-- markdownlint-enable line-length -->
 
 ## Dependencies ##
 

@@ -1,6 +1,10 @@
 terraform {
   backend "s3" {
-    bucket         = "cisa-cool-terraform-state"
+    # Use a partial configuration to avoid hardcoding the bucket name. This
+    # allows the bucket name to be set on a per-environment basis via the
+    # -backend-config command line option or other methods.  For details, see:
+    # https://developer.hashicorp.com/terraform/language/backend#partial-configuration
+    bucket         = ""
     dynamodb_table = "terraform-state-lock"
     encrypt        = true
     key            = "ansible-role-dev-ssh-access/terraform.tfstate"

@@ -1,20 +1,15 @@
 output "access_key" {
-  value       = module.user.access_key
   description = "The IAM access key associated with the CI IAM user created by this module."
   sensitive   = true
+  value       = module.user.access_key
 }
 
-output "production_role" {
-  value       = module.user.production_role
-  description = "The IAM role that the CI user can assume to read SSM parameters in the production account."
-}
-
-output "staging_role" {
-  value       = module.user.staging_role
-  description = "The IAM role that the CI user can assume to read SSM parameters in the staging account."
+output "role" {
+  description = "The IAM role that the CI user can assume to read SSM parameters in the Images account."
+  value       = module.user.role
 }
 
 output "user" {
-  value       = module.user.user
   description = "The CI IAM user created by this module."
+  value       = module.user.user
 }
@@ -10,39 +10,11 @@ provider "aws" {
 }
 
 # The provider used to create the role that can be assumed to do
-# everything the CI user needs to do in the staging account.
+# everything the CI user needs to do in the Images account.
 provider "aws" {
-  alias = "images_staging_provisionaccount"
+  alias = "images_provisionaccount"
   assume_role {
-    role_arn     = data.terraform_remote_state.images_staging.outputs.provisionaccount_role.arn
-    session_name = local.caller_user_name
-  }
-  default_tags {
-    tags = var.tags
-  }
-  region = var.aws_region
-}
-
-# The provider used to create the role that can be assumed to do
-# everything the CI user needs to do in the production account.
-provider "aws" {
-  alias = "images_production_provisionaccount"
-  assume_role {
-    role_arn     = data.terraform_remote_state.images_production.outputs.provisionaccount_role.arn
-    session_name = local.caller_user_name
-  }
-  default_tags {
-    tags = var.tags
-  }
-  region = var.aws_region
-}
-
-# The provider used to create policies and roles that can read
-# parameters from AWS SSM Parameter Store in staging.
-provider "aws" {
-  alias = "images_staging_ssm"
-  assume_role {
-    role_arn     = data.terraform_remote_state.images_staging_ssm.outputs.provisionparameterstorereadroles_role.arn
+    role_arn     = data.terraform_remote_state.images.outputs.provisionaccount_role.arn
     session_name = local.caller_user_name
   }
   default_tags {
@@ -52,11 +24,11 @@ provider "aws" {
 }
 
 # The provider used to create policies and roles that can read
-# parameters from AWS SSM Parameter Store in production.
+# parameters from AWS SSM Parameter Store in the Images account.
 provider "aws" {
-  alias = "images_production_ssm"
+  alias = "images_ssm"
   assume_role {
-    role_arn     = data.terraform_remote_state.images_production_ssm.outputs.provisionparameterstorereadroles_role.arn
+    role_arn     = data.terraform_remote_state.images_ssm.outputs.provisionparameterstorereadroles_role.arn
     session_name = local.caller_user_name
   }
   default_tags {

@@ -4,77 +4,47 @@
 # data for this configuration.
 # ------------------------------------------------------------------------------
 
-data "terraform_remote_state" "images_staging" {
+data "terraform_remote_state" "images" {
   backend = "s3"
 
   config = {
-    bucket         = "cisa-cool-terraform-state"
+    bucket         = var.terraform_state_bucket
     dynamodb_table = "terraform-state-lock"
     encrypt        = true
     key            = "cool-accounts/images.tfstate"
     profile        = "cool-terraform-readstate"
     region         = "us-east-1"
   }
 
-  workspace = "staging"
+  workspace = terraform.workspace
 }
 
-data "terraform_remote_state" "images_production" {
+data "terraform_remote_state" "images_ssm" {
   backend = "s3"
 
   config = {
-    bucket         = "cisa-cool-terraform-state"
-    dynamodb_table = "terraform-state-lock"
-    encrypt        = true
-    key            = "cool-accounts/images.tfstate"
-    profile        = "cool-terraform-readstate"
-    region         = "us-east-1"
-  }
-
-  workspace = "production"
-}
-
-data "terraform_remote_state" "images_staging_ssm" {
-  backend = "s3"
-
-  config = {
-    bucket         = "cisa-cool-terraform-state"
-    dynamodb_table = "terraform-state-lock"
-    encrypt        = true
-    key            = "cool-images-parameterstore/terraform.tfstate"
-    profile        = "cool-terraform-readstate"
-    region         = "us-east-1"
-  }
-
-  workspace = "staging"
-}
-
-data "terraform_remote_state" "images_production_ssm" {
-  backend = "s3"
-
-  config = {
-    bucket         = "cisa-cool-terraform-state"
+    bucket         = var.terraform_state_bucket
     dynamodb_table = "terraform-state-lock"
     encrypt        = true
     key            = "cool-images-parameterstore/terraform.tfstate"
     profile        = "cool-terraform-readstate"
     region         = "us-east-1"
   }
 
-  workspace = "production"
+  workspace = terraform.workspace
 }
 
 data "terraform_remote_state" "users" {
   backend = "s3"
 
   config = {
-    bucket         = "cisa-cool-terraform-state"
+    bucket         = var.terraform_state_bucket
     dynamodb_table = "terraform-state-lock"
     encrypt        = true
     key            = "cool-accounts/users.tfstate"
     profile        = "cool-terraform-readstate"
     region         = "us-east-1"
   }
 
-  workspace = "production"
+  workspace = terraform.workspace
 }
@@ -3,11 +3,9 @@ module "user" {
   source = "github.com/cisagov/molecule-iam-user-tf-module"
 
   providers = {
-    aws                                    = aws.users
-    aws.images-production-provisionaccount = aws.images_production_provisionaccount
-    aws.images-staging-provisionaccount    = aws.images_staging_provisionaccount
-    aws.images-production-ssm              = aws.images_production_ssm
-    aws.images-staging-ssm                 = aws.images_staging_ssm
+    aws                         = aws.users
+    aws.images-provisionaccount = aws.images_provisionaccount
+    aws.images-ssm              = aws.images_ssm
   }
 
   entity         = "ansible-role-dev-ssh-access"