diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index f146357..28e692d 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -9,10 +9,10 @@ repos:
 exclude: common/*.tf
 exclude: version.tf
 exclude: examples
- - id: terraform_tflint
- args: [ "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"]
- exclude: cloudtrail_orig
- exclude: examples
+# - id: terraform_tflint
+# args: [ "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"]
+# exclude: cloudtrail_orig
+# exclude: examples
 - repo: https://github.com/pre-commit/pre-commit-hooks
 rev: v4.0.1
 hooks:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index dee3fd1..bfa0934 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
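Review bot: Commenting out the `terraform_tflint` hook silently removes the tflint gate for every contributor, and nothing in the hunk or the commit says why or for how long. A one-line comment above the disabled block, e.g. `# terraform_tflint disabled <DATE-PLACEHOLDER>: <reason, tracking reference>`, would keep the change from being forgotten and lets a later reviewer tell an intentional removal from a leftover. If the hook is not coming back, deleting the four lines is cleaner than keeping a commented-out copy, and the CHANGELOG entry for 1.15.0 in this same commit could mention that the lint hook was dropped.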
@@ -1,142 +1,148 @@ # Versions -* v1.0 -- 20210218 +## Version 1.x + +* 1.0 -- 20210218 - initial creation - module: terraform-state -* v1.1 -- 20210223 +* 1.1 -- 20210223 - add iam policy to terraform-state -* v1.2 -- 20210223 +* 1.2 -- 20210223 - module: access-logging -* v1.3 -- 20210223 +* 1.3 -- 20210223 - module: rename access-logging to s3-access-logs - module: add s3-flow-logs -* v1.4 -- 20210223 +* 1.4 -- 20210223 - module: add iam-saml -* v1.5 -- 20210226 +* 1.5 -- 20210226 - module: add iam-general-policies -* v1.5.1 -- 20210302 +* 1.5.1 -- 20210302 - iam-general-policies - add `managed_policies` for AWS managed policy references - change `policies` to `custom_policies` -* v1.6.0 -- 20210302 +* 1.6.0 -- 20210302 - module: iam-cloud-admin -* v1.7.0 -- 20210316 +* 1.7.0 -- 20210316 - module: ses-domain -* v1.7.1 -- 20210318 +* 1.7.1 -- 20210318 - iam-general-policies - add `ip-restriction` -* v1.7.2 -- 20210322 +* 1.7.2 -- 20210322 - iam-general-policies - add IAMUserChangePassword -* v1.7.3 -- 20210324 +* 1.7.3 -- 20210324 - iam-general-policies - fix bad arn -* v1.7.4 -- 20210326 +* 1.7.4 -- 20210326 - ses-domain - add code to enable move to production, runs aws cli script -* v1.7.5 -- 20210329 +* 1.7.5 -- 20210329 - ses-domain - add code to enable mail_from - change `ses_enable_production` to `enable_production` -* v1.8.0 -- 20210329 +* 1.8.0 -- 20210329 - iam-account-settings created -* v1.8.1 -- 20210329 +* 1.8.1 -- 20210329 - ses-domain - add code for setting up sns event notification for bounce, complaint -* v1.8.2 -- 20210401 +* 1.8.2 -- 20210401 - iam-saml - use empty_metadata.xml in saml resource until real one is built by null_resource -* v1.8.3 -- 20210401 +* 1.8.3 -- 20210401 - ldap-ou-create - new, used to setup the OU for creation of LDAP roles for SAML -* v1.8.4 -- 20210401 +* 1.8.4 -- 20210401 - ses-domain - use data resource to get alias -* v1.9.0 -- 20210405 +* 1.9.0 -- 20210405 - ldap-get-attribute - add new submodule to retrieve an 
attribute value from a search - move it out to its own module -* v1.10.0 -- 20210407 +* 1.10.0 -- 20210407 - vpc-remove-defaults created -* v1.10.1 -- 20210408 +* 1.10.1 -- 20210408 - vpc-remove-defaults - add `region` and `profile` variables -* v1.10.2 -- 20210413 +* 1.10.2 -- 20210413 - ses-domain - update use case text to be more descriptive -* v1.10.3 -- 20210414 +* 1.10.3 -- 20210414 - iam-general-policies - add deny-readonly-data -* v1.10.4 -- 20210421 +* 1.10.4 -- 20210421 - s3-access-logs - add 120s delay before applying bucket policy - s3-flow-logs - add 120s delay before applying bucket policy -* v1.10.5 -- 20210511 +* 1.10.5 -- 20210511 - iam-general-policies - add additional policy for network admin -* v1.11.0 -- 20210517 +* 1.11.0 -- 20210517 - cloudtrail - create submodule -* v1.12.0 -- 20210521 +* 1.12.0 -- 20210521 - config - create submodule - s3-config - create submodule -* v1.13.0 -- 202010528 +* 1.13.0 -- 202010528 - splunk-description - create submodule -* v1.13.1 -- 20210608 +* 1.13.1 -- 20210608 - add lifecycle ignore tags["boc:tf_module_version"] -* v1.13.2 -- 20210713 +* 1.13.2 -- 20210713 - general - change ip_restriction to be a dynamic condition block to also include VpcSourceIp -* v1.13.3 -- 20211122 +* 1.13.3 -- 20211122 - config - fix by commenting policy_id from sqs policies -* v1.14.0 -- 20211115 +* 1.14.0 -- 20211115 - cloudtrail-key - create module to setup a KMS key per region for cloudtrail - cloudtrail - create module to setup needed resources for cloudtrail, cloudwatch logs, sns, sqs, and splunk -* v1.14.1 -- 20211126 +* 1.14.1 -- 20211126 - cloudltrail - make multi-region default for org cloudtrail -* v1.14.2 -- 20220118 +* 1.14.2 -- 20220118 - s3-access-logs - set bucket owner to BucketOwnerEnforced + +* 1.15.0 -- 2022-04-20 + - terraform-state + - add policy for p-inf-terraform-{read,write}
diff --git a/common/version.tf b/common/version.tf
index c0d1fff..9f302fe 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "1.14.2"
+ _module_version = "1.15.0"
 }
diff --git a/terraform-state/README.md b/terraform-state/README.md
index 1332445..4aaa42a 100644
--- a/terraform-state/README.md
+++ b/terraform-state/README.md
@@ -67,6 +67,8 @@ No modules.
 |------|------|
 | [aws_dynamodb_table.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |
 | [aws_iam_policy.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.tfstate_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.tfstate_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_kms_alias.tfstate_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_key.tfstate_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_s3_bucket.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
@@ -75,6 +77,8 @@ No modules.
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.tfstate_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.tfstate_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.tfstate_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
diff --git a/terraform-state/main.tf b/terraform-state/main.tf
index 9c4b9c5..fed1c0c 100644
--- a/terraform-state/main.tf
+++ b/terraform-state/main.tf
@@ -105,6 +105,20 @@ resource "aws_iam_policy" "tfstate" { policy = data.aws_iam_policy_document.tfstate.json } +resource "aws_iam_policy" "tfstate_read" { + name = format("%v-%v", local.tfstate_policy_name, "read") + path = "/" + description = "Access to tfstate resources (read)" + policy = data.aws_iam_policy_document.tfstate_read.json +} + +resource "aws_iam_policy" "tfstate_write" { + name = format("%v-%v", local.tfstate_policy_name, "write") + path = "/" + description = "Access to tfstate resources (write)" + policy = data.aws_iam_policy_document.tfstate_write.json +} + +#--- # s3 #---
diff --git a/terraform-state/policy_data.tf b/terraform-state/policy_data.tf
index 6fa9136..00b58e9 100644
--- a/terraform-state/policy_data.tf
+++ b/terraform-state/policy_data.tf
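Review bot: The two new `aws_iam_policy` resources in main.tf (`tfstate_read`, `tfstate_write`) come with no outputs in this diff, so a consuming root module cannot attach either policy to a role or group without hard-coding the generated name. If the existing `aws_iam_policy.tfstate` is already exported from the module's outputs file (not shown here), the new policies should be exported the same way, e.g. `output "tfstate_read_policy_arn" { value = aws_iam_policy.tfstate_read.arn }` and the matching `tfstate_write_policy_arn`, and the README Outputs table regenerated alongside the Resources table this commit already updates. The new `description` strings could also state what "read" means for a consumer (plan only, or plan with `-lock=false`), since that is the question the accompanying policy document leaves open.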
@@ -39,21 +39,93 @@ data "aws_iam_policy_document" "tfstate_kms" {
 ]
 }
 }
- ## figure out the right settings, needs to be on the tfstate policy not the key
- ## statement {
- ## sid = "TFStateKMSUse"
- ## effect = "Allow"
- ## actions = [
- ## "kms:Encrypt",
- ## "kms:Decrypt",
- ## "kms:ReEncrypt*",
- ## "kms:GenerateDataKey*",
- ## "kms:DescribeKey",
- ## ]
- ## resources = ["*"]
- ## principals {
- ## type = "Service"
- ## identifiers = ["delivery.logs.amazonaws.com"]
- ## }
- ## }
+}
+
+#---
+# read access
+#---
+data "aws_iam_policy_document" "tfstate_read" {
+ statement {
+ sid = "TFRemoteStateList"
+ effect = "Allow"
+ actions = ["s3:ListBucket*"]
+ resources = [aws_s3_bucket.tfstate.arn]
+ }
+ statement {
+ sid = "TFRemoteStateS3"
+ effect = "Allow"
+ actions = [
+ "s3:List*",
+ "s3:GetObject",
+ # "s3:PutObject",
+ ]
+ resources = ["${aws_s3_bucket.tfstate.arn}/*"]
+ }
+ # need to lock table to read, I think. if so, add Put and Delete back
+ statement {
+ sid = "TFRemoteStateDDB"
+ effect = "Allow"
+ actions = [
+ "dynamodb:GetItem",
+ # "dynamodb:PutItem",
+ # "dynamodb:DeleteItem",
+ ]
+ resources = [aws_dynamodb_table.tfstate.arn]
+ }
+ statement {
+ sid = "TFStateKMSUse"
+ effect = "Allow"
+ actions = [
+ # "kms:Encrypt",
+ "kms:Decrypt",
+ # "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey",
+ ]
+ resources = [aws_kms_key.tfstate_key.arn]
+ }
+}
+
+#---
+# write access
+#---
+data "aws_iam_policy_document" "tfstate_write" {
+ statement {
+ sid = "TFRemoteStateList"
+ effect = "Allow"
+ actions = ["s3:ListBucket*"]
+ resources = [aws_s3_bucket.tfstate.arn]
+ }
+ statement {
+ sid = "TFRemoteStateS3"
+ effect = "Allow"
+ actions = [
+ "s3:List*",
+ "s3:GetObject",
+ "s3:PutObject",
+ ]
+ resources = ["${aws_s3_bucket.tfstate.arn}/*"]
+ }
+ statement {
+ sid = "TFRemoteStateDDB"
+ effect = "Allow"
+ actions = [
+ "dynamodb:GetItem",
+ "dynamodb:PutItem",
+ "dynamodb:DeleteItem",
+ ]
+ resources = [aws_dynamodb_table.tfstate.arn]
+ }
+ statement {
+ sid = "TFStateKMSUse"
+ effect = "Allow"
+ actions = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey",
+ ]
+ resources = [aws_kms_key.tfstate_key.arn]
+ }
 }
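Review bot: The `TFRemoteStateDDB` statement of `tfstate_read` grants only `dynamodb:GetItem`, and the `# need to lock table to read, I think` comment above it should be settled before this ships: Terraform's S3 backend acquires the DynamoDB lock for `plan` as well as `apply` unless the run passes `-lock=false`, so a principal holding only this policy cannot run a default plan, and the backend documentation lists `dynamodb:DescribeTable`, `GetItem`, `PutItem` and `DeleteItem` as the required table permissions — `DescribeTable` is missing from the write document too. Lock writes are confined to the lock table and do not widen access to the state objects, so both statements can use `actions = ["dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]`, with the uncertain comment replaced by `# plan also takes the state lock, so readers need Put/Delete on the lock table`. In the other direction, `kms:GenerateDataKey*` in the read document's `TFStateKMSUse` statement is only needed to write SSE-KMS objects; decrypting state needs just `kms:Decrypt` and `kms:DescribeKey`, so it can be commented out like `kms:Encrypt` to keep the read policy least-privilege. If workspaces are used, the write document will presumably also need `s3:DeleteObject` for `terraform workspace delete` — worth confirming against how the module's consumers run Terraform.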