KMS/IAM/S3 Updated
lolli001 committed Jul 23, 2024
1 parent f2f7bb4 commit 16c7a75
Showing 3 changed files with 153 additions and 18 deletions.
113 changes: 95 additions & 18 deletions iam_policy.tf
Expand Up @@ -2,13 +2,13 @@ resource "aws_iam_role" "rhel_x86_codepipeline_role" {
name = "rhel-x86-image-pipeline-demo-codepipeline-role"

assume_role_policy = jsonencode({
Version = "2012-10-17"
Version = "2012-10-17",
Statement = [
{
Effect = "Allow"
Effect = "Allow",
Principal = {
Service = "codepipeline.amazonaws.com"
}
},
Action = "sts:AssumeRole"
}
]
Expand All @@ -18,11 +18,12 @@ resource "aws_iam_role" "rhel_x86_codepipeline_role" {
resource "aws_iam_policy" "rhel_x86_codepipeline_permissions" {
name = "rhel-x86-codepipeline-permissions"
description = "IAM policy for RHEL x86 CodePipeline to access necessary AWS services"
policy = jsonencode({
Version = "2012-10-17"

policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Effect = "Allow"
Effect = "Allow",
Action = [
"codecommit:GetBranch",
"codecommit:GetCommit",
Expand All @@ -36,15 +37,15 @@ resource "aws_iam_policy" "rhel_x86_codepipeline_permissions" {
"codecommit:CreateCommit",
"codecommit:BatchGetRepositories",
"codecommit:BatchGetCommits"
]
],
Resource = [
"arn:aws-us-gov:codecommit:us-gov-west-1:229685449397:linux-image-pipeline",
"arn:aws-us-gov:codecommit:us-gov-west-1:229685449397:image-pipeline-ansible-playbooks",
"arn:aws-us-gov:codecommit:us-gov-west-1:229685449397:image-pipeline-goss-testing"
]
},
{
Effect = "Allow"
Effect = "Allow",
Action = [
"ec2:DescribeInstances",
"ec2:DescribeImages",
Expand All @@ -61,36 +62,36 @@ resource "aws_iam_policy" "rhel_x86_codepipeline_permissions" {
"ec2:CreateImage",
"ec2:CreateSnapshot",
"ec2:RegisterImage"
]
],
Resource = "*"
},
{
Effect = "Allow"
Effect = "Allow",
Action = [
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket"
]
],
Resource = [
"arn:aws-us-gov:s3:::your-bucket-name",
"arn:aws-us-gov:s3:::your-bucket-name/*"
"arn:aws-us-gov:s3:::${aws_s3_bucket.rhel_x86_codepipeline_bucket.bucket}",
"arn:aws-us-gov:s3:::${aws_s3_bucket.rhel_x86_codepipeline_bucket.bucket}/*"
]
},
{
Effect = "Allow"
Effect = "Allow",
Action = [
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:DescribeKey"
]
Resource = "arn:aws-us-gov:kms:us-gov-west-1:229685449397:key/02684d21-d541-4d83-8e0b-e8c95877d8cb"
],
Resource = aws_kms_key.rhel_x86_codepipeline_key.arn
},
{
Effect = "Allow"
Effect = "Allow",
Action = [
"iam:PassRole"
]
],
Resource = "arn:aws-us-gov:iam::229685449397:role/rhel-x86-image-pipeline-demo-codepipeline-role"
}
]
Expand All @@ -101,3 +102,79 @@ resource "aws_iam_role_policy_attachment" "rhel_x86_codepipeline_role_attachment
role = aws_iam_role.rhel_x86_codepipeline_role.name
policy_arn = aws_iam_policy.rhel_x86_codepipeline_permissions.arn
}

resource "aws_iam_role" "rhel_x86_ec2_role" {
name = "rhel-x86-image-pipeline-demo-ec2-role"

assume_role_policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Effect = "Allow",
Principal = {
Service = "ec2.amazonaws.com"
},
Action = "sts:AssumeRole"
}
]
})
}

resource "aws_iam_policy" "rhel_x86_ec2_permissions" {
name = "rhel-x86-ec2-permissions"
description = "IAM policy for RHEL x86 EC2 to access necessary AWS services"

policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Effect = "Allow",
Action = [
"ec2:DescribeInstances",
"ec2:DescribeImages",
"ec2:DescribeInstanceStatus",
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:CreateTags",
"ec2:DescribeKeyPairs",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:CreateImage",
"ec2:CreateSnapshot",
"ec2:RegisterImage"
],
Resource = "*"
},
{
Effect = "Allow",
Action = [
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket"
],
Resource = [
"arn:aws-us-gov:s3:::${aws_s3_bucket.rhel_x86_codepipeline_bucket.bucket}",
"arn:aws-us-gov:s3:::${aws_s3_bucket.rhel_x86_codepipeline_bucket.bucket}/*"
]
},
{
Effect = "Allow",
Action = [
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:DescribeKey"
],
Resource = aws_kms_key.rhel_x86_codepipeline_key.arn
}
]
})
}

resource "aws_iam_role_policy_attachment" "rhel_x86_ec2_role_attachment" {
role = aws_iam_role.rhel_x86_ec2_role.name
policy_arn = aws_iam_policy.rhel_x86_ec2_permissions.arn
}
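Review bot: In the new `rhel_x86_ec2_permissions` policy (last hunk), `ec2:RunInstances`, `ec2:TerminateInstances`, `ec2:CreateImage`, `ec2:RegisterImage`, `ec2:CreateSnapshot` and `ec2:CreateTags` are granted on `Resource = "*"`, so any process on the build instance that holds this role can terminate or image every instance in the account and region, not just the pipeline's own. Bounding the non-Describe actions with a tag condition such as `Condition = { StringEquals = { "aws:ResourceTag/Pipeline" = "rhel-x86-image" } }` (and `ec2:CreateTags` to the same tag via `aws:RequestTag`) would limit what a compromised build can do; the identical `Resource = "*"` statement is duplicated in the CodePipeline policy. The `iam:PassRole` statement in the CodePipeline policy (a hunk whose enclosing resource starts and ends outside it) still hardcodes the account ID and names only the pipeline role itself; `Resource = aws_iam_role.rhel_x86_codepipeline_role.arn` would match the other ARNs now taken from resource references, and if the pipeline is what launches the build instance with `rhel_x86_ec2_role`, PassRole on that role's ARN is needed as well. No `aws_iam_instance_profile` is created for the EC2 role in this commit, so unless one exists elsewhere in the repository the role cannot yet be attached to an instance.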
44 changes: 44 additions & 0 deletions kms.tf
@@ -0,0 +1,44 @@
resource "aws_kms_key" "rhel_x86_codepipeline_key" {
description = "KMS key for RHEL x86 CodePipeline"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Allow use of the key for EC2 and CodePipeline",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws-us-gov:iam::229685449397:role/rhel-x86-image-pipeline-demo-codepipeline-role",
"arn:aws-us-gov:iam::229685449397:role/rhel-x86-image-pipeline-demo-ec2-role"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow admin actions",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws-us-gov:iam::229685449397:root"
]
},
"Action": "kms:*",
"Resource": "*"
}
]
}
EOF
}

resource "aws_kms_alias" "rhel_x86_codepipeline_alias" {
name = "alias/rhel-x86-codepipeline-key"
target_key_id = aws_kms_key.rhel_x86_codepipeline_key.id
}
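Review bot: `aws_kms_key.rhel_x86_codepipeline_key` does not set `enable_key_rotation`, which the AWS provider defaults to false, so the new customer-managed key will never rotate; add `enable_key_rotation = true` (and an explicit `deletion_window_in_days`) next to `description`. The key policy names the two roles by hardcoded ARN and account ID even though both roles are declared in `iam_policy.tf` of this same configuration; referencing `${aws_iam_role.rhel_x86_codepipeline_role.arn}` and `${aws_iam_role.rhel_x86_ec2_role.arn}` inside the heredoc (or moving the policy to `jsonencode`) keeps the principals in sync with the role names and makes Terraform create the roles before the key, avoiding the failure KMS raises when a policy names a principal that does not exist yet. The `kms:*` grant to the account root is the standard administrator statement and should stay so the key never becomes unmanageable.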
14 changes: 14 additions & 0 deletions s3.tf
@@ -0,0 +1,14 @@
resource "aws_s3_bucket" "rhel_x86_codepipeline_bucket" {
bucket = "rhel-x86-codepipeline-bucket-${random_string.suffix.result}"
}

resource "aws_s3_bucket_acl" "rhel_x86_codepipeline_bucket_acl" {
bucket = aws_s3_bucket.rhel_x86_codepipeline_bucket.bucket
acl = "private"
}

resource "random_string" "suffix" {
length = 8
special = false
upper = false
}
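Review bot: `aws_s3_bucket.rhel_x86_codepipeline_bucket` is created with no public-access block, no default encryption and no versioning, even though the IAM policies in this commit grant `kms:Encrypt`/`kms:Decrypt` on `rhel_x86_codepipeline_key`, which suggests the pipeline artifacts are meant to be stored under that key. The `aws_s3_bucket_acl` resource with `acl = "private"` also errors on buckets created with the current default object ownership (`BucketOwnerEnforced`), where ACLs are disabled, unless an `aws_s3_bucket_ownership_controls` resource re-enables them; since private is already the effective state, dropping the ACL resource in favor of an explicit `aws_s3_bucket_public_access_block` is both simpler and stronger. The encryption configuration below pins the bucket to the pipeline's KMS key; add an `aws_s3_bucket_versioning` resource as well if artifact history matters.
```hcl
# … unchanged: aws_s3_bucket.rhel_x86_codepipeline_bucket and random_string.suffix …

resource "aws_s3_bucket_public_access_block" "rhel_x86_codepipeline_bucket_pab" {
  bucket                  = aws_s3_bucket.rhel_x86_codepipeline_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "rhel_x86_codepipeline_bucket_sse" {
  bucket = aws_s3_bucket.rhel_x86_codepipeline_bucket.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.rhel_x86_codepipeline_key.arn
    }
    bucket_key_enabled = true
  }
}
```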
