v1.5.1: redo polcies, add output, add managed_policies

terraform-modules · Mar 2, 2021 · 50a78a6 · 50a78a6
1 parent 1c5c608
commit 50a78a6
Show file tree

Hide file tree

Showing 14 changed files with 414 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -20,3 +20,8 @@
 
 * v1.5 -- 20210226
   - module: add iam-general-policies
+
+* v1.5.1 -- 20210302
+  - iam-general-policies
+    - add `managed_policies` for AWS managed policy references
+    - change `policies` to `custom_policies`
diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.5"
+  _module_version = "1.5.1"
 }
diff --git a/iam-general-policies/README.md b/iam-general-policies/README.md
@@ -0,0 +1,73 @@
+# aws-inf-setup :: iam-general-policies
+
+# Usage  
+Here is a simple example, the one most commonly expected to be used.
+
+```hcl
+module "general" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//iam-general-policies"
+}
+```
+
+This one can be used if you need to customize stuff, though really, the defaults are all built  
+for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in  
+variable file generation.
+
+```hcl
+module "general_full" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//iam-general-policies"
+
+  # optional
+  account_alias         = "do2-govcloud"
+
+  # flowlogs is generally not needed and not recommended
+  component_tags        = {
+    "s3" = {
+      "SpecialTag1" = "something"
+      "SpecialTag2" = "somethingElse"
+    }
+  }
+}
+```
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Modules
+
+No Modules.
+
+## Resources
+
+| Name |
+|------|
+| [aws_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) |
+| [aws_caller_identity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) |
+| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) |
+| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) |
+| [aws_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| account\_alias | AWS Account Alias | `string` | `""` | no |
+| account\_id | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| component\_tags | Additional tags for Components (policy) | `map(map(string))` | <pre>{<br>  "policy": {}<br>}</pre> | no |
+| override\_prefixes | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| tags | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| custom\_policies | Custom Policies |
+| custom\_policy\_documents | Custom Policy Documents (no IAM policy) |
+| managed\_policies | AWS Managed Policy name to ARN mapping |
diff --git a/iam-general-policies/custom_policies.tf b/iam-general-policies/custom_policies.tf
@@ -0,0 +1,49 @@
+locals {
+  policies = {
+    "manage_keys" = {
+      name          = "manage-access-keys"
+      path          = "/"
+      description   = "Manage self access keys"
+      policy        = data.aws_iam_policy_document.manage_keys.json
+      create_policy = true
+    }
+    "manage_credentials" = {
+      name          = "manage-credentials"
+      path          = "/"
+      description   = "Manage self access keys and password"
+      policy        = data.aws_iam_policy_document.manage_credentials.json
+      create_policy = true
+    }
+    "deny_billing" = {
+      name          = "deny-billing"
+      path          = "/"
+      description   = "Policy to deny access to billing and cost allocation"
+      policy        = data.aws_iam_policy_document.deny_billing.json
+      create_policy = true
+    }
+    "ec2_assume" = {
+      name          = "ec2_assume"
+      description   = "Policy document for EC2 sts:assumerole (instance role)"
+      policy        = data.aws_iam_policy_document.ec2_assume.json
+      create_policy = false
+    }
+    "sts_assume" = {
+      name          = "sts_assume"
+      description   = "Policy document for sts:assume"
+      policy        = data.aws_iam_policy_document.sts_assume.json
+      create_policy = false
+    }
+    "root_assume" = {
+      name          = "root_assume"
+      description   = "Policy document for sts:assume root"
+      policy        = data.aws_iam_policy_document.root_assume.json
+      create_policy = false
+    }
+    "lambda_assume" = {
+      name          = "lambda_assume"
+      description   = "Policy document for sts:assume lambda"
+      policy        = data.aws_iam_policy_document.lambda_assume.json
+      create_policy = false
+    }
+  }
+}
diff --git a/iam-general-policies/data.tf b/iam-general-policies/data.tf
@@ -0,0 +1 @@
+../common/data.tf
diff --git a/iam-general-policies/defaults.tf b/iam-general-policies/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
diff --git a/iam-general-policies/main.tf b/iam-general-policies/main.tf
@@ -0,0 +1,81 @@
+/*
+* # aws-inf-setup :: iam-general-policies
+* 
+* # Usage
+* Here is a simple example, the one most commonly expected to be used.
+*
+* ```hcl
+* module "general" {
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//iam-general-policies"
+* }
+* ```
+*
+* This one can be used if you need to customize stuff, though really, the defaults are all built 
+* for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in
+* variable file generation.
+*
+* ```hcl
+* module "general_full" {
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//iam-general-policies"
+* 
+*   # optional
+*   account_alias         = "do2-govcloud"
+*
+*   # flowlogs is generally not needed and not recommended
+*   component_tags        = {
+*     "s3" = {
+*       "SpecialTag1" = "something"
+*       "SpecialTag2" = "somethingElse"
+*     }
+*   }
+* }
+* ```
+*/
+
+locals {
+  account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+  account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+
+  base_tags = {
+    "Organization"          = "census:aditcio:csvd"
+    "boc:tf_module_version" = local._module_version
+    "boc:created_by"        = "terraform"
+  }
+}
+
+#    "{key}" = {
+#       name          = "manage-access-keys"
+#       path          = "/"
+#       description   = "Manage self access keys"
+#       policy        = data.aws_iam_policy_document.manage_keys.json
+#       create_policy = true
+#     }
+
+locals {
+  iam_policies = { for k, v in local.custom_policies : k => v if(v["create_policy"] == true && v["policy"] != "") }
+  out_policies = { for k, v in local.iam_policies : k => {
+    "name"          = v["name"]
+    "path"          = v["path"]
+    "description"   = v["description"]
+    "policy"        = v["policy"]
+    "create_policy" = v["create_policy"]
+    "policy_arn"    = aws_iam_polic.general[k]
+    }
+  }
+}
+
+# see custom_policies.tf for local.custom_policies
+resource "aws_iam_policy" "general" {
+  for_each    = local.iam_policies
+  name        = format("%vinf-%v", lookup(local._prefixes, "policy", ""), each.value["name"])
+  path        = lookup(each.value, "path", "/")
+  description = lookup(each.value, "description", "${each.key} policy")
+  policy      = each.value["policy"]
+
+  #  tags = merge(
+  #    var.tags,
+  #    local.base_tags,
+  #    lookup(var.component_tags, "policy", {}),
+  #    map("Name",format("%vinf-%v", lookup(local._prefixes, "policy", ""), each.value["name"]))
+  #  )
+}
diff --git a/iam-general-policies/managed_policies.tf b/iam-general-policies/managed_policies.tf
@@ -0,0 +1,26 @@
+locals {
+  managed_policies = {
+    "AdministratorAccess" = {
+      arn = format("arn:%v:iam::aws:policy/%v", data.aws_arn.current.partition, "AdministratorAccess")
+    }
+    "ReadOnlyAccess" = {
+      arn = format("arn:%v:iam::aws:policy/%v", data.aws_arn.current.partition, "ReadOnlyAccess")
+    }
+    "AmazonVPCFullAccess" = {
+      arn = format("arn:%v:iam::aws:policy/%v", data.aws_arn.current.partition, "AmazonVPCFullAccess")
+    }
+    "AWSSupportAccess" = {
+      arn = format("arn:%v:iam::aws:policy/%v", data.aws_arn.current.partition, "AWSSupportAccess")
+    }
+    "CloudWatchAWSSupportAccess" = {
+      arn = format("arn:%v:iam::aws:policy/%v", data.aws_arn.current.partition, "CloudWatchAWSSupportAccess")
+    }
+
+    "Billing" = {
+      arn = format("arn:%v:iam::aws:policy/%v", data.aws_arn.current.partition, "job-function/Billing")
+    }
+    "NetworkAdministrator" = {
+      arn = format("arn:%v:iam::aws:policy/%v", data.aws_arn.current.partition, "job-function/NetworkAdministrator")
+    }
+  }
+}
diff --git a/iam-general-policies/outputs.tf b/iam-general-policies/outputs.tf
@@ -0,0 +1,34 @@
+# name = {
+#  arn
+# }
+
+output "managed_policies" {
+  description = "AWS Managed Policy name to ARN mapping"
+  values      = local.managed_policies
+}
+
+# name = {
+#  name
+#  path
+#  description
+#  policy (document)
+#  create_policy
+#  policy_arn
+# }
+
+output "custom_policies" {
+  description = "Custom Policies"
+  values      = local.out_poicies
+}
+
+# name = {
+#  name
+#  description
+#  policy (document)
+#  create_policy
+# }
+
+output "custom_policy_documents" {
+  description = "Custom Policy Documents (no IAM policy)"
+  values      = { for k, v in local.custom_policies : k => v if(v["create_policy"] == false && v["policy"] != "") }
+}