add role and policy

terraform-modules · Jan 21, 2022 · c5f0f7d · c5f0f7d
1 parent fd4d138
commit c5f0f7d
Show file tree

Hide file tree

Showing 6 changed files with 100 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -13,7 +13,9 @@
 
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_role"></a> [role](#module\_role) | git@github.e.it.census.gov:terraform-modules/aws-iam-role.git | n/a |
 
 ## Resources
 
@@ -22,6 +24,9 @@ No modules.
 | [aws_dynamodb_table.table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy.lambda_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy_document.lambda_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.lambda_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
@@ -31,7 +36,9 @@ No modules.
 | <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
 | <a name="input_component_tags"></a> [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | <pre>{<br>  "ddb": {},<br>  "kms": {},<br>  "s3": {}<br>}</pre> | no |
-| <a name="input_dynamodb_table"></a> [dynamodb\_table](#input\_dynamodb\_table) | Different DynamoDB table to override default of var.name) | `string` | `null` | no |
+| <a name="input_create"></a> [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
+| <a name="input_dynamodb_table_name"></a> [dynamodb\_table\_name](#input\_dynamodb\_table\_name) | Different DynamoDB table name to override default of var.name) | `string` | `null` | no |
+| <a name="input_lambda_name"></a> [lambda\_name](#input\_lambda\_name) | Different Lambda name to override default of var.name) | `string` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to use within all the created resources (default: inf-dynamic-route53) | `string` | `"inf-dynamic-route53"` | no |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |

diff --git a/dynamodb.tf b/dynamodb.tf
@@ -1,9 +1,9 @@
 locals {
-  dynamodb_table = var.dynamodb_table != null ? var.dynamodb_table : local.name
+  dynamodb_table_name = var.dynamodb_table_name != null ? var.dynamodb_table_name : local.name
 }
 
 resource "aws_dynamodb_table" "table" {
-  name           = local.dynamodb_table
+  name           = local.dynamodb_table_name
   hash_key       = "InstanceId"
   billing_mode   = "PROVISIONED"
   read_capacity  = 4
@@ -22,7 +22,7 @@ resource "aws_dynamodb_table" "table" {
     local.base_tags,
     var.tags,
     lookup(var.component_tags, "ddb", {}),
-    map("Name", local.dynamodb_table),
+    map("Name", local.dynamodb_table_name),
   )
 
   lifecycle {

diff --git a/role.tf b/role.tf
@@ -0,0 +1,75 @@
+locals {
+  lambda_name     = var.lambda_name != null ? var.lambda_name : local.name
+  lambda_policies = ["AWSLambdaBasicExecutionRole"]
+}
+
+module "role" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+
+  role_description       = "Lambda role for Dynamic Route53"
+  role_name              = local.lambda_name
+  enable_ldap_creation   = false
+  assume_policy_document = data.aws_iam_policy_document.lambda_assume.json
+  attached_policies      = [for k, v in data.aws_iam_policy.lambda_policies : k.arn]
+  inline_policies        = [{ name = var.name, policy = data.aws_iam_policy_document.lambda_policy.json }]
+}
+
+data "aws_iam_policy" "lambda_policies" {
+  for_each = toset(local.lambda_policies)
+  name     = each.key
+}
+
+data "aws_iam_policy_document" "lambda_policy" {
+  statement {
+    sid    = "AllowRoute53"
+    effect = "Allow"
+    actions = [
+      "route53:ListHostedZones*",
+      "route53:ListResourceRecordSets",
+      "route53:GetHostedZone*",
+      "route53:ChangeResourceRecordSets",
+    ]
+    resources = ["*"]
+  }
+  statement {
+    sid       = "EC2"
+    effect    = "Allow"
+    actions   = ["ec2:Describe*"]
+    resources = ["*"]
+  }
+  statement {
+    sid       = "DynamoDBGlobal"
+    effect    = "Allow"
+    actions   = ["dynamodb:ListTables"]
+    resources = ["*"]
+  }
+  statement {
+    sid    = "DynamoDBTable"
+    effect = "Allow"
+    actions = [
+      "dynamodb:BatchGet*",
+      "dynamodb:DeleteItem",
+      "dynamodb:Describe*",
+      "dynamodb:Get*",
+      "dynamodb:List*",
+      "dynamodb:PutItem",
+      "dynamodb:Query",
+      "dynamodb:Scan",
+      "dynamodb:UpdateItem",
+    ]
+    resources = [aws_dynamodb_table.table.arn]
+  }
+}
+
+data "aws_iam_policy_document" "lambda_assume" {
+  statement {
+    sid     = "LambdaAssumeRole"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["lambda.amazonaws.com"]
+    }
+  }
+}
diff --git a/variables.create.tf b/variables.create.tf
@@ -0,0 +1,5 @@
+variable "create" {
+  description = "Flag to indicate whether to create the resources or not (default: true)"
+  type        = bool
+  default     = true
+}
diff --git a/variables.tf b/variables.tf
@@ -4,9 +4,14 @@ variable "name" {
   default     = "inf-dynamic-route53"
 }
 
+variable "dynamodb_table_name" {
+  description = "Different DynamoDB table name to override default of var.name)"
+  type        = string
+  default     = null
+}
 
-variable "dynamodb_table" {
-  description = "Different DynamoDB table to override default of var.name)"
+variable "lambda_name" {
+  description = "Different Lambda name to override default of var.name)"
   type        = string
   default     = null
 }

diff --git a/version.tf b/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.0.0"
+  _module_version = "0.0.2"
 }