remove tflint

add policy for p-inf-terraform-{read,write

.pre-commit-config.yaml

@@ -9,10 +9,10 @@ repos:
       exclude: common/*.tf
       exclude: version.tf
       exclude: examples
-    - id: terraform_tflint 
-      args:  [ "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"]
-      exclude: cloudtrail_orig
-      exclude: examples
+#    - id: terraform_tflint 
+#      args:  [ "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"]
+#      exclude: cloudtrail_orig
+#      exclude: examples
 - repo: https://github.com/pre-commit/pre-commit-hooks
   rev: v4.0.1
   hooks:

CHANGELOG.md

@@ -1,142 +1,148 @@
 # Versions
 
-* v1.0 -- 20210218
+## Version 1.x
+
+* 1.0 -- 20210218
   - initial creation
   - module: terraform-state
 
 
-* v1.1 -- 20210223
+* 1.1 -- 20210223
   - add iam policy to terraform-state
 
-* v1.2 -- 20210223
+* 1.2 -- 20210223
   - module: access-logging
 
-* v1.3 -- 20210223
+* 1.3 -- 20210223
   - module: rename access-logging to s3-access-logs
   - module: add s3-flow-logs
 
-* v1.4 -- 20210223
+* 1.4 -- 20210223
   - module: add iam-saml
 
-* v1.5 -- 20210226
+* 1.5 -- 20210226
   - module: add iam-general-policies
 
-* v1.5.1 -- 20210302
+* 1.5.1 -- 20210302
   - iam-general-policies
     - add `managed_policies` for AWS managed policy references
     - change `policies` to `custom_policies`
 
-* v1.6.0 -- 20210302
+* 1.6.0 -- 20210302
   - module: iam-cloud-admin
 
-* v1.7.0 -- 20210316
+* 1.7.0 -- 20210316
   - module: ses-domain
 
-* v1.7.1 -- 20210318
+* 1.7.1 -- 20210318
   - iam-general-policies
     - add `ip-restriction`
 
-* v1.7.2 -- 20210322
+* 1.7.2 -- 20210322
   - iam-general-policies
     - add IAMUserChangePassword
 
-* v1.7.3 -- 20210324
+* 1.7.3 -- 20210324
   - iam-general-policies
     - fix bad arn
 
-* v1.7.4 -- 20210326
+* 1.7.4 -- 20210326
   - ses-domain
     - add code to enable move to production, runs aws cli script
 
-* v1.7.5 -- 20210329
+* 1.7.5 -- 20210329
   - ses-domain
     - add code to enable mail_from
     - change `ses_enable_production` to `enable_production`
 
-* v1.8.0 -- 20210329
+* 1.8.0 -- 20210329
   - iam-account-settings created
 
-* v1.8.1 -- 20210329
+* 1.8.1 -- 20210329
   - ses-domain
     - add code for setting up sns event notification for bounce, complaint
 
-* v1.8.2 -- 20210401
+* 1.8.2 -- 20210401
   - iam-saml
     - use empty_metadata.xml in saml resource until real one is built by null_resource
 
-* v1.8.3 -- 20210401
+* 1.8.3 -- 20210401
   - ldap-ou-create
     - new, used to setup the OU for creation of LDAP roles for SAML
 
-* v1.8.4 -- 20210401
+* 1.8.4 -- 20210401
   - ses-domain
     - use data resource to get alias
 
-* v1.9.0 -- 20210405
+* 1.9.0 -- 20210405
   - ldap-get-attribute
     - add new submodule to retrieve an attribute value from a search
     - move it out to its own module
 
-* v1.10.0 -- 20210407
+* 1.10.0 -- 20210407
   - vpc-remove-defaults created
 
-* v1.10.1 -- 20210408
+* 1.10.1 -- 20210408
   - vpc-remove-defaults
     - add `region` and `profile` variables
 
-* v1.10.2 -- 20210413
+* 1.10.2 -- 20210413
   - ses-domain
     - update use case text to be more descriptive
 
-* v1.10.3 -- 20210414
+* 1.10.3 -- 20210414
   - iam-general-policies
     - add deny-readonly-data
 
-* v1.10.4 -- 20210421
+* 1.10.4 -- 20210421
   - s3-access-logs
     - add 120s delay before applying bucket policy
   - s3-flow-logs
     - add 120s delay before applying bucket policy
 
-* v1.10.5 -- 20210511
+* 1.10.5 -- 20210511
   - iam-general-policies
     - add additional policy for network admin
 
-* v1.11.0 -- 20210517
+* 1.11.0 -- 20210517
   - cloudtrail
     - create submodule
 
-* v1.12.0 -- 20210521
+* 1.12.0 -- 20210521
   - config
     - create submodule
   - s3-config
     - create submodule
 
-* v1.13.0 -- 202010528
+* 1.13.0 -- 202010528
   - splunk-description
     - create submodule
 
-* v1.13.1 -- 20210608
+* 1.13.1 -- 20210608
   - add lifecycle ignore tags["boc:tf_module_version"]
 
-* v1.13.2 -- 20210713
+* 1.13.2 -- 20210713
   - general
     - change ip_restriction to be a dynamic condition block to also include VpcSourceIp
 
-* v1.13.3 -- 20211122
+* 1.13.3 -- 20211122
   - config
     - fix by commenting policy_id from sqs policies
 
-* v1.14.0 -- 20211115
+* 1.14.0 -- 20211115
   - cloudtrail-key
     - create module to setup a KMS key per region for cloudtrail
   - cloudtrail
     - create module to setup needed resources for cloudtrail, cloudwatch logs, sns, sqs, and splunk
 
-* v1.14.1 -- 20211126
+* 1.14.1 -- 20211126
   - cloudltrail
     - make multi-region default for org cloudtrail
 
-* v1.14.2 -- 20220118
+* 1.14.2 -- 20220118
   - s3-access-logs
     - set bucket owner to BucketOwnerEnforced
+
+* 1.15.0 -- 2022-04-20
+  - terraform-state
+    - add policy for p-inf-terraform-{read,write}

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.14.2"
+  _module_version = "1.15.0"
 }

terraform-state/README.md

@@ -67,6 +67,8 @@ No modules.
 |------|------|
 | [aws_dynamodb_table.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |
 | [aws_iam_policy.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.tfstate_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.tfstate_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_kms_alias.tfstate_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_key.tfstate_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_s3_bucket.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
@@ -75,6 +77,8 @@ No modules.
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.tfstate_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.tfstate_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.tfstate_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs

terraform-state/main.tf

@@ -105,6 +105,20 @@ resource "aws_iam_policy" "tfstate" {
   policy      = data.aws_iam_policy_document.tfstate.json
 }
 
+resource "aws_iam_policy" "tfstate_read" {
+  name        = format("%v-%v", local.tfstate_policy_name, "read")
+  path        = "/"
+  description = "Access to tfstate resources (read)"
+  policy      = data.aws_iam_policy_document.tfstate_read.json
+}
+
+resource "aws_iam_policy" "tfstate_write" {
+  name        = format("%v-%v", local.tfstate_policy_name, "write")
+  path        = "/"
+  description = "Access to tfstate resources (write)"
+  policy      = data.aws_iam_policy_document.tfstate_write.json
+}
+
 #---
 # s3
 #---

terraform-state/policy_data.tf

@@ -39,21 +39,93 @@ data "aws_iam_policy_document" "tfstate_kms" {
       ]
     }
   }
-  ## figure out the right settings, needs to be on the tfstate policy not the key
-  ##   statement {
-  ##     sid    = "TFStateKMSUse"
-  ##     effect = "Allow"
-  ##     actions = [
-  ##       "kms:Encrypt",
-  ##       "kms:Decrypt",
-  ##       "kms:ReEncrypt*",
-  ##       "kms:GenerateDataKey*",
-  ##       "kms:DescribeKey",
-  ##     ]
-  ##     resources = ["*"]
-  ##     principals {
-  ##       type        = "Service"
-  ##       identifiers = ["delivery.logs.amazonaws.com"]
-  ##     }
-  ##   }
+}
+
+#---
+# read access
+#---
+data "aws_iam_policy_document" "tfstate_read" {
+  statement {
+    sid       = "TFRemoteStateList"
+    effect    = "Allow"
+    actions   = ["s3:ListBucket*"]
+    resources = [aws_s3_bucket.tfstate.arn]
+  }
+  statement {
+    sid    = "TFRemoteStateS3"
+    effect = "Allow"
+    actions = [
+      "s3:List*",
+      "s3:GetObject",
+      #      "s3:PutObject",
+    ]
+    resources = ["${aws_s3_bucket.tfstate.arn}/*"]
+  }
+  # need to lock table to read, I think. if so, add Put and Delete back
+  statement {
+    sid    = "TFRemoteStateDDB"
+    effect = "Allow"
+    actions = [
+      "dynamodb:GetItem",
+      #      "dynamodb:PutItem",
+      #      "dynamodb:DeleteItem",
+    ]
+    resources = [aws_dynamodb_table.tfstate.arn]
+  }
+  statement {
+    sid    = "TFStateKMSUse"
+    effect = "Allow"
+    actions = [
+      #      "kms:Encrypt",
+      "kms:Decrypt",
+      #      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey",
+    ]
+    resources = [aws_kms_key.tfstate_key.arn]
+  }
+}
+
+#---
+# write access
+#---
+data "aws_iam_policy_document" "tfstate_write" {
+  statement {
+    sid       = "TFRemoteStateList"
+    effect    = "Allow"
+    actions   = ["s3:ListBucket*"]
+    resources = [aws_s3_bucket.tfstate.arn]
+  }
+  statement {
+    sid    = "TFRemoteStateS3"
+    effect = "Allow"
+    actions = [
+      "s3:List*",
+      "s3:GetObject",
+      "s3:PutObject",
+    ]
+    resources = ["${aws_s3_bucket.tfstate.arn}/*"]
+  }
+  statement {
+    sid    = "TFRemoteStateDDB"
+    effect = "Allow"
+    actions = [
+      "dynamodb:GetItem",
+      "dynamodb:PutItem",
+      "dynamodb:DeleteItem",
+    ]
+    resources = [aws_dynamodb_table.tfstate.arn]
+  }
+  statement {
+    sid    = "TFStateKMSUse"
+    effect = "Allow"
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey",
+    ]
+    resources = [aws_kms_key.tfstate_key.arn]
+  }
 }