add iam policy

CHANGELOG.md

@@ -4,3 +4,6 @@
   - initial creation
   - module: terraform-state
 
+
+* v1.1 -- 20210223
+  - add iam policy to terraform-state

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.0"
+  _module_version = "1.1"
 }

terraform-state/README.md

@@ -5,6 +5,7 @@ This set up the needed components for the Terraform remote state:
 * S3 bucket
 * KMS key for the bucket
 * DynamoDB table for locking
+* IAM Policy
 
 # Usage  
 Here is a simple example, the one most commonly expected to be used.
@@ -67,6 +68,7 @@ No Modules.
 | [aws_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) |
 | [aws_caller_identity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) |
 | [aws_dynamodb_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) |
+| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) |
 | [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) |
 | [aws_kms_alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) |
 | [aws_kms_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) |

terraform-state/main.tf

@@ -6,6 +6,7 @@
 * * S3 bucket
 * * KMS key for the bucket
 * * DynamoDB table for locking
+* * IAM Policy
 * 
 * # Usage
 * Here is a simple example, the one most commonly expected to be used.
@@ -55,6 +56,8 @@ locals {
   tfstate_key_arn = aws_kms_key.tfstate_key.arn
   tfstate_bucket  = var.tfstate_bucket != "" ? var.tfstate_bucket : format("%v-%v", var.tfstate_bucket_prefix, local.account_id)
 
+  tfstate_policy_name = format("%v%v", lookup(local._prefixes, "policy", ""), var.tfstate_bucket_prefix)
+
   base_tags = {
     "boc:tf_module_version" = local._module_version
     "boc:created_by"        = "terraform"
@@ -90,28 +93,11 @@ resource "aws_dynamodb_table" "tfstate" {
 }
 
 # create iam policy for it, to apply to roles/groups as needed
-
-data "aws_iam_policy_document" "tfstate" {
-  statement {
-    sid       = "TFRemoteStateList"
-    effect    = "Allow"
-    resources = [aws_s3_bucket.tfstate.arn]
-    actions   = ["s3:ListBucket"]
-  }
-
-  statement {
-    sid       = "TFRemoteState"
-    effect    = "Allow"
-    resources = ["${aws_s3_bucket.tfstate.arn}/*"]
-    actions   = ["s3:GetObject", "s3:PutObject"]
-  }
-
-  statement {
-    sid       = "TFRemoteStateDDB"
-    effect    = "Allow"
-    resources = [aws_dynamodb_table.tfstate.arn]
-    actions   = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]
-  }
+resource "aws_iam_policy" "tfstate" {
+  name        = local.tfstate_policy_name
+  path        = "/"
+  description = "Access to tfstate resources"
+  policy      = data.aws_iam_policy_document.tfstate.json
 }
 
 #---
@@ -173,3 +159,4 @@ resource "aws_kms_alias" "tfstate_key" {
   name          = "alias/${var.kms_tfstate_key}"
   target_key_id = aws_kms_key.tfstate_key.key_id
 }
+

terraform-state/policy_data.tf

@@ -0,0 +1,59 @@
+data "aws_iam_policy_document" "tfstate" {
+  statement {
+    sid       = "TFRemoteStateList"
+    effect    = "Allow"
+    resources = [aws_s3_bucket.tfstate.arn]
+    actions   = ["s3:ListBucket"]
+  }
+
+  statement {
+    sid       = "TFRemoteState"
+    effect    = "Allow"
+    resources = ["${aws_s3_bucket.tfstate.arn}/*"]
+    actions   = ["s3:GetObject", "s3:PutObject"]
+  }
+
+  statement {
+    sid       = "TFRemoteStateDDB"
+    effect    = "Allow"
+    resources = [aws_dynamodb_table.tfstate.arn]
+    actions   = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]
+  }
+}
+
+#---
+# access policy for tfstate key
+#---
+data "aws_iam_policy_document" "tfstate_kms" {
+  policy_id = "inf_kms_access"
+  statement {
+    sid       = "TFStateKMSManagement"
+    effect    = "Allow"
+    actions   = ["kms:*"]
+    resources = ["*"]
+    principals {
+      type = "AWS"
+      identifiers = [
+        #        aws_iam_role.inf-cloud-admin.arn,
+        format("arn:%v::iam::%v:root", data.aws_arn.current.partition, local.account_id),
+      ]
+    }
+  }
+  ## figure out the right settings, needs to be on the tfstate policy not the key
+  ##   statement {
+  ##     sid    = "TFStateKMSUse"
+  ##     effect = "Allow"
+  ##     actions = [
+  ##       "kms:Encrypt",
+  ##       "kms:Decrypt",
+  ##       "kms:ReEncrypt*",
+  ##       "kms:GenerateDataKey*",
+  ##       "kms:DescribeKey",
+  ##     ]
+  ##     resources = ["*"]
+  ##     principals {
+  ##       type        = "Service"
+  ##       identifiers = ["delivery.logs.amazonaws.com"]
+  ##     }
+  ##   }
+}