From e15468974fc704104a917c23d6966217ddbbab8a Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 31 Mar 2023 09:54:14 -0400
Subject: [PATCH] add cloudforms policies into iam-general-policies

---
 CHANGELOG.md | 7 +
 common/version.tf | 2 +-
 iam-account-settings/README.md | 1 +
 iam-account-settings/main.tf | 3 +
 iam-general-policies/README.md | 2 +
 iam-general-policies/custom_policies.tf | 16 ++-
 iam-general-policies/policy.cloudforms.tf | 162 ++++++++++++++++++++++
 7 files changed, 191 insertions(+), 2 deletions(-)
 create mode 100644 iam-general-policies/policy.cloudforms.tf

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c0feed7..2788b01 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -254,3 +254,10 @@
 - creation/testing
 - terraform-state
 - fix policy
+
+* 2.4.0 -- 2023-03-31
+ - iam-general-policies: add policies from INF.service.cloudforms.tf
+ - cloudforms
+ - cloudforms_ami
+ - This will lead to a change in the distributed INF.service.cloudforms.tf, as well as an upgrade/import operation each account
+
diff --git a/common/version.tf b/common/version.tf
index 03d330b..f403a49 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "2.3.0"
+ _module_version = "2.4.0"
 }
diff --git a/iam-account-settings/README.md b/iam-account-settings/README.md
index 1942268..30377e7 100644
--- a/iam-account-settings/README.md
+++ b/iam-account-settings/README.md
@@ -35,6 +35,7 @@ No modules.
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source |
 ## Inputs
diff --git a/iam-account-settings/main.tf b/iam-account-settings/main.tf
index 730bcc6..8a88a6c 100644
--- a/iam-account-settings/main.tf
+++ b/iam-account-settings/main.tf
@@ -29,7 +29,10 @@ locals {
 #---
 # IAM account specific configurations
 #---
+#data "aws_iam_account_alias" "alias" { }
+
 resource "aws_iam_account_alias" "alias" {
+ # count = data.aws_iam_account_alias.alias.account_alias != var.account_alias ? 1 : 0
 account_alias = var.account_alias
 }
diff --git a/iam-general-policies/README.md b/iam-general-policies/README.md
index e577bbf..20b98d7 100644
--- a/iam-general-policies/README.md
+++ b/iam-general-policies/README.md
@@ -110,6 +110,8 @@ No modules.
 | [aws_iam_policy.general](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.cloudforms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudforms_ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.deny_billing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.deny_readonly_data](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.ec2_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
diff --git a/iam-general-policies/custom_policies.tf b/iam-general-policies/custom_policies.tf
index a9db177..2637021 100644
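Review bot: The main.tf hunk leaves commented-out code behind (`+#data "aws_iam_account_alias" "alias" { }` and `+ # count = data.aws_iam_account_alias.alias.account_alias != var.account_alias ? 1 : 0`) with nothing saying why it is disabled, so the next reader cannot tell whether it is an abandoned experiment or planned work. Either drop the two lines or replace them with one comment stating the intent, e.g. `# TODO: make this resource conditional on the alias the account already has; needs a data source that is not in place yet`. Separately, the iam-account-settings README hunk documents a new `aws_regions.current` data source, but no hunk in this patch adds that data source to the module's .tf files; unless it was added in an earlier commit, the README now describes a resource that does not exist.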
--- a/iam-general-policies/custom_policies.tf
+++ b/iam-general-policies/custom_policies.tf
@@ -1,4 +1,4 @@
-locals {
+pocals {
 policies = {
 "manage_keys" = {
 name = "manage-access-keys"
@@ -56,6 +56,20 @@ locals {
 policy = data.aws_iam_policy_document.network_admin.json
 create_policy = true
 }
+ "cloudforms" = {
+ name = "cloudforms"
+ path = "/"
+ description = "Policy for INF CSVD CloudForms"
+ policy = data.aws_iam_policy_document.cloudforms.json
+ create_policy = true
+ }
+ "cloudforms_ami" = {
+ name = "cloudforms-shared-ami_ami"
+ path = "/"
+ description = "Policy for INF CSVD CloudForms Access shared AMIs"
+ policy = data.aws_iam_policy_document.cloudforms_ami.json
+ create_policy = true
+ }
 #---
 # sts
diff --git a/iam-general-policies/policy.cloudforms.tf b/iam-general-policies/policy.cloudforms.tf
new file mode 100644
index 0000000..c587fdd
--- /dev/null
+++ b/iam-general-policies/policy.cloudforms.tf
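Review bot: The first hunk of custom_policies.tf replaces `locals {` with `+pocals {`, which looks like an accidental keystroke rather than an intended change: `pocals` is not a Terraform block type, so the file fails to parse and every consumer of `local.policies` (including the `aws_iam_policy.general` resource listed in the README) breaks for this release. Restore the line as `locals {`. Since the version bump in common/version.tf publishes 2.4.0 with this file as-is, the fix should land before the tag.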
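Review bot: In the second hunk the `cloudforms_ami` entry sets `name = "cloudforms-shared-ami_ami"`, which mixes hyphen and underscore and repeats `ami`; every other policy name in this map (e.g. `manage-access-keys`) is plain hyphenated, so `name = "cloudforms-shared-ami"` is probably what was meant. Worth fixing before the first apply: the `name` of an `aws_iam_policy` forces replacement, so renaming later means destroying and recreating the policy and re-attaching it everywhere. The surrounding `locals` block starts and ends outside this hunk.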
@@ -0,0 +1,162 @@
+data "aws_iam_policy_document" "cloudforms" {
+ # from AmazonEC2FullAccess
+ statement {
+ sid = "AmazonEC2FullAccess"
+ effect = "Allow"
+ actions = ["ec2:*", "elasticloadbalancing:*", "cloudwatch:*", "autoscaling:*"]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "AmazonEC2FullAccessService"
+ effect = "Allow"
+ actions = ["iam:CreateServiceLinkedRole"]
+ resources = ["*"]
+
+ condition {
+ test = "StringEquals"
+ variable = "iam:AWSServiceName"
+
+ values = [
+ "autoscaling.amazonaws.com",
+ "ec2scheduled.amazonaws.com",
+ "elasticloadbalancing.amazonaws.com",
+ "spot.amazonaws.com",
+ "spotfleet.amazonaws.com",
+ ]
+ }
+ }
+
+ # from AWSConfigUserAccess
+ statement {
+ sid = "AWSConfigUserAccess"
+ effect = "Allow"
+ resources = ["*"]
+
+ actions = [
+ "config:Get*",
+ "config:Describe*",
+ "config:Deliver*",
+ "config:List*",
+ "tag:GetResources",
+ "tag:GetTagKeys",
+ "cloudtrail:DescribeTrails",
+ "cloudtrail:GetTrailStatus",
+ "cloudtrail:LookupEvents",
+ "sns:List*",
+ "sqs:List*",
+ ]
+ }
+
+ # from IAMReadOnlyAccess
+ statement {
+ sid = "IAMReadOnlyAccess"
+ effect = "Allow"
+ resources = ["*"]
+
+ actions = [
+ "iam:GenerateCredentialReport",
+ "iam:GenerateServiceLastAccessedDetails",
+ "iam:Get*",
+ "iam:List*",
+ "iam:SimulateCustomPolicy",
+ "iam:SimulatePrincipalPolicy",
+ ]
+ }
+
+ # from IAMUserSSHKeys
+ statement {
+ sid = "IAMUserSSHKeys"
+ effect = "Allow"
+ resources = ["arn:${data.aws_arn.current.partition}:iam::*:user/$${aws:username}"]
+
+ actions = [
+ "iam:DeleteSSHPublicKey",
+ "iam:GetSSHPublicKey",
+ "iam:ListSSHPublicKeys",
+ "iam:UpdateSSHPublicKey",
+ "iam:UploadSSHPublicKey",
+ ]
+ }
+
+ # from AWSCloudFormationReadOnlyAccess
+ statement {
+ sid = "AWSCloudFormationReadOnlyAccess"
+ effect = "Allow"
+ resources = ["*"]
+
+ actions = [
+ "cloudformation:Describe*",
+ "cloudformation:EstimateTemplateCost",
+ "cloudformation:Get*",
+ "cloudformation:List*",
+ "cloudformation:ValidateTemplate",
+ ]
+ }
+
+ # for SQS
+ statement {
+ sid = "AWSManageCloudformsSQS"
+ effect = "Allow"
+ resources = [for r in values(var.region_map) : format("arn:%v:sqs:%v:%v:manageiq-awsconfig-queue-*", data.aws_arn.current.partition, r, var.account_id)]
+ actions = ["sqs:*"]
+ }
+
+ # for SNS
+ statement {
+ sid = "AWSCloudformsSNS"
+ effect = "Allow"
+ resources = [for r in values(var.region_map) : format("arn:%v:sns:%v:%v:AWSConfig_topic", data.aws_arn.current.partition, r, var.account_id)]
+ actions = ["sns:*"]
+ }
+
+ # from KMS read access to get the default kms key id for EBS
+ statement {
+ sid = "KMSReadOnlyAccess"
+ effect = "Allow"
+ resources = ["*"]
+
+ actions = [
+ "kms:ListKeys",
+ "kms:ListKeyPolicies",
+ "kms:ListAliases",
+ "kms:DescribeKey"
+ ]
+ }
+}
+
+#---
+# setup policy for cloudforms to access kms in remote ami
+# this applies only to gov accounts at this time
+#---
+# "AliasName": "alias/k-kms-csvd-img-shared-key",
+# these are not pulled with data as they require a diff account/profile to do so
+# move this out into some settings file
+locals {
+ cloudforms_ami_kms_keys = {
+ "aws" = []
+ "aws-us-gov" = [
+ "arn:aws-us-gov:kms:us-gov-west-1:107742151971:key/6b0f5037-a500-41f8-b13b-c57f0de9332f",
+ "arn:aws-us-gov:kms:us-gov-east-1:107742151971:key/7928e94e-b28e-4863-99aa-ef0ce193c634"
+ ]
+ }
+}
+
+data "aws_iam_policy_document" "cloudforms_ami" {
+ # for access to remote AMI key
+ dynamic "statement" {
+ for_each = length(local.cloudforms_ami_kms_keys[data.aws_arn.current.partition]) > 0 ? { data.aws_arn.current.partition = local.cloudforms_ami_kms_keys[data.aws_arn.current.partition] } : {}
+ iterator = c
+ content {
+ sid = "AWSCloudformsAMIKeyAccess"
+ effect = "Allow"
+ resources = c.value
+ actions = [
+ "kms:DescribeKey",
+ "kms:ReEncrypt*",
+ "kms:CreateGrant",
+ "kms:Decrypt",
+ ]
+ }
+ }
+}
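Review bot: The `for_each` in the `cloudforms_ami` dynamic block uses `data.aws_arn.current.partition` as a bare object key; Terraform rejects a multi-step traversal in key position as an ambiguous attribute key, so the expression needs to be `{ (data.aws_arn.current.partition) = local.cloudforms_ami_kms_keys[data.aws_arn.current.partition] }`. The same line indexes `local.cloudforms_ami_kms_keys` directly, so a partition that is not in the map (only `aws` and `aws-us-gov` are listed) would fail the plan rather than produce an empty policy; `lookup(local.cloudforms_ami_kms_keys, data.aws_arn.current.partition, [])` gives the intended no-statement result. The GovCloud key ARNs, including the owning account id, are hard-coded in module source even though the comment above them says they should move to a settings file; an input variable whose default is this map would let consumers override the keys without editing the module, and keeps the account id out of the distributed file. Finally, the first statement of `cloudforms` is a verbatim copy of the AmazonEC2FullAccess managed policy (`ec2:*`, `elasticloadbalancing:*`, `cloudwatch:*`, `autoscaling:*` on `*`); a one-line comment saying why the managed policy is inlined rather than attached would help whoever next has to review the blast radius of this policy.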