add cloudforms policies into iam-general-policies
badra001 committed Mar 31, 2023
1 parent 9de8735 commit e154689
Showing 7 changed files with 191 additions and 2 deletions.
7 changes: 7 additions & 0 deletions CHANGELOG.md
Expand Up @@ -254,3 +254,10 @@
- creation/testing
- terraform-state
- fix policy

* 2.4.0 -- 2023-03-31
- iam-general-policies: add policies from INF.service.cloudforms.tf
- cloudforms
- cloudforms_ami
- This will lead to a change in the distributed INF.service.cloudforms.tf, as well as an upgrade/import operation each account

2 changes: 1 addition & 1 deletion common/version.tf
@@ -1,3 +1,3 @@
locals {
_module_version = "2.3.0"
_module_version = "2.4.0"
}
1 change: 1 addition & 0 deletions iam-account-settings/README.md
Expand Up @@ -35,6 +35,7 @@ No modules.
| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source |

## Inputs

3 changes: 3 additions & 0 deletions iam-account-settings/main.tf
Expand Up @@ -29,7 +29,10 @@ locals {
#---
# IAM account specific configurations
#---
#data "aws_iam_account_alias" "alias" { }

resource "aws_iam_account_alias" "alias" {
# count = data.aws_iam_account_alias.alias.account_alias != var.account_alias ? 1 : 0
account_alias = var.account_alias
}

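Review bot: The commented-out `#data "aws_iam_account_alias" "alias" { }` line and the `# count = data.aws_iam_account_alias.alias.account_alias != var.account_alias ? 1 : 0` line inside the `aws_iam_account_alias` resource (presumably the added lines, since the section reports 3 additions and no deletions) are dead code left without a reason for abandoning the conditional creation. Either remove them or replace them with a one-line comment such as `# conditional creation via aws_iam_account_alias data source disabled: <reason placeholder> -- revisit`, so the next maintainer does not re-enable it blindly. The hunk starts mid-file inside the `locals` context named in its header.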
2 changes: 2 additions & 0 deletions iam-general-policies/README.md
Expand Up @@ -110,6 +110,8 @@ No modules.
| [aws_iam_policy.general](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.cloudforms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.cloudforms_ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.deny_billing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.deny_readonly_data](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.ec2_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
16 changes: 15 additions & 1 deletion iam-general-policies/custom_policies.tf
@@ -1,4 +1,4 @@
locals {
pocals {
policies = {
"manage_keys" = {
name = "manage-access-keys"
Expand Down Expand Up @@ -56,6 +56,20 @@ locals {
policy = data.aws_iam_policy_document.network_admin.json
create_policy = true
}
"cloudforms" = {
name = "cloudforms"
path = "/"
description = "Policy for INF CSVD CloudForms"
policy = data.aws_iam_policy_document.cloudforms.json
create_policy = true
}
"cloudforms_ami" = {
name = "cloudforms-shared-ami_ami"
path = "/"
description = "Policy for INF CSVD CloudForms Access shared AMIs"
policy = data.aws_iam_policy_document.cloudforms_ami.json
create_policy = true
}

#---
# sts
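Review bot: The first hunk turns `locals {` into `pocals {` (reading the page's old-then-new print order; the rendering carries no other side marker), and `pocals` is not a Terraform block type, so custom_policies.tf will no longer parse and `terraform validate` will fail on line 1; the line must stay `locals {`. In the second hunk the `cloudforms_ami` entry's `name = "cloudforms-shared-ami_ami"` mixes a hyphen with an underscore and repeats `ami`, unlike the sibling entries such as `manage-access-keys` and `cloudforms`; if that is not deliberate, `name = "cloudforms-shared-ami"` follows the file's convention, bearing in mind that changing an IAM policy name after the first apply forces replacement of the policy. The enclosing `locals` block continues outside both hunks.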
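--- a/iam-general-policies/policy.cloudforms.tf
+++ b/iam-general-policies/policy.cloudforms.tf
@@ -0,0 +1,162 @@
+data "aws_iam_policy_document" "cloudforms" {
+# from AmazonEC2FullAccess
+statement {
+sid = "AmazonEC2FullAccess"
+effect = "Allow"
+actions = ["ec2:*", "elasticloadbalancing:*", "cloudwatch:*", "autoscaling:*"]
+resources = ["*"]
+}
+
+statement {
+sid = "AmazonEC2FullAccessService"
+effect = "Allow"
+actions = ["iam:CreateServiceLinkedRole"]
+resources = ["*"]
+
+condition {
+test = "StringEquals"
+variable = "iam:AWSServiceName"
+
+values = [
+"autoscaling.amazonaws.com",
+"ec2scheduled.amazonaws.com",
+"elasticloadbalancing.amazonaws.com",
+"spot.amazonaws.com",
+"spotfleet.amazonaws.com",
+]
+}
+}
+
+# from AWSConfigUserAccess
+statement {
+sid = "AWSConfigUserAccess"
+effect = "Allow"
+resources = ["*"]
+
+actions = [
+"config:Get*",
+"config:Describe*",
+"config:Deliver*",
+"config:List*",
+"tag:GetResources",
+"tag:GetTagKeys",
+"cloudtrail:DescribeTrails",
+"cloudtrail:GetTrailStatus",
+"cloudtrail:LookupEvents",
+"sns:List*",
+"sqs:List*",
+]
+}
+
+# from IAMReadOnlyAccess
+statement {
+sid = "IAMReadOnlyAccess"
+effect = "Allow"
+resources = ["*"]
+
+actions = [
+"iam:GenerateCredentialReport",
+"iam:GenerateServiceLastAccessedDetails",
+"iam:Get*",
+"iam:List*",
+"iam:SimulateCustomPolicy",
+"iam:SimulatePrincipalPolicy",
+]
+}
+
+# from IAMUserSSHKeys
+statement {
+sid = "IAMUserSSHKeys"
+effect = "Allow"
+resources = ["arn:${data.aws_arn.current.partition}:iam::*:user/$${aws:username}"]
+
+actions = [
+"iam:DeleteSSHPublicKey",
+"iam:GetSSHPublicKey",
+"iam:ListSSHPublicKeys",
+"iam:UpdateSSHPublicKey",
+"iam:UploadSSHPublicKey",
+]
+}
+
+# from AWSCloudFormationReadOnlyAccess
+statement {
+sid = "AWSCloudFormationReadOnlyAccess"
+effect = "Allow"
+resources = ["*"]
+
+actions = [
+"cloudformation:Describe*",
+"cloudformation:EstimateTemplateCost",
+"cloudformation:Get*",
+"cloudformation:List*",
+"cloudformation:ValidateTemplate",
+]
+}
+
+# for SQS
+statement {
+sid = "AWSManageCloudformsSQS"
+effect = "Allow"
+resources = [for r in values(var.region_map) : format("arn:%v:sqs:%v:%v:manageiq-awsconfig-queue-*", data.aws_arn.current.partition, r, var.account_id)]
+actions = ["sqs:*"]
+}
+
+# for SNS
+statement {
+sid = "AWSCloudformsSNS"
+effect = "Allow"
+resources = [for r in values(var.region_map) : format("arn:%v:sns:%v:%v:AWSConfig_topic", data.aws_arn.current.partition, r, var.account_id)]
+actions = ["sns:*"]
+}
+
+# from KMS read access to get the default kms key id for EBS
+statement {
+sid = "KMSReadOnlyAccess"
+effect = "Allow"
+resources = ["*"]
+
+actions = [
+"kms:ListKeys",
+"kms:ListKeyPolicies",
+"kms:ListAliases",
+"kms:DescribeKey"
+]
+}
+}
+
+#---
+# setup policy for cloudforms to access kms in remote ami
+# this applies only to gov accounts at this time
+#---
+# "AliasName": "alias/k-kms-csvd-img-shared-key",
+# these are not pulled with data as they require a diff account/profile to do so
+# move this out into some settings file
+locals {
+cloudforms_ami_kms_keys = {
+"aws" = []
+"aws-us-gov" = [
+"arn:aws-us-gov:kms:us-gov-west-1:107742151971:key/6b0f5037-a500-41f8-b13b-c57f0de9332f",
+"arn:aws-us-gov:kms:us-gov-east-1:107742151971:key/7928e94e-b28e-4863-99aa-ef0ce193c634"
+]
+}
+}
+
+data "aws_iam_policy_document" "cloudforms_ami" {
+# for access to remote AMI key
+dynamic "statement" {
+for_each = length(local.cloudforms_ami_kms_keys[data.aws_arn.current.partition]) > 0 ? { data.aws_arn.current.partition = local.cloudforms_ami_kms_keys[data.aws_arn.current.partition] } : {}
+iterator = c
+content {
+sid = "AWSCloudformsAMIKeyAccess"
+effect = "Allow"
+resources = c.value
+actions = [
+"kms:DescribeKey",
+"kms:ReEncrypt*",
+"kms:CreateGrant",
+"kms:Decrypt",
+]
+}
+}
+}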
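Review bot: The `for_each` of the dynamic statement in `cloudforms_ami` uses the dotted traversal `data.aws_arn.current.partition` as a bare object-constructor key, which HCL reports as an ambiguous attribute key rather than evaluating it; the key must be parenthesised, `{ (data.aws_arn.current.partition) = local.cloudforms_ami_kms_keys[data.aws_arn.current.partition] }`. For the `aws` partition the key list is `[]`, so the document renders with no statements while custom_policies.tf still sets `create_policy = true` for `cloudforms_ami`; if IAM rejects the empty document at apply time, `create_policy` should be derived from `length(local.cloudforms_ami_kms_keys[...]) > 0` instead. The KMS key ARNs in `cloudforms_ami_kms_keys` are bound to one account and the comment already says they belong in a settings file; exposing them as a variable with this map as the default keeps the module reusable without editing source. The first statement of `cloudforms` grants `ec2:*`, `elasticloadbalancing:*`, `cloudwatch:*` and `autoscaling:*` on `*`; a short comment recording which CloudForms features need the full managed-policy breadth would help a later reviewer judge whether it can be narrowed.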
