diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9195cfc..793b04c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -128,6 +128,7 @@ jobs:
- name: Run tfsec (all severities) and save JSON
run: tfsec --format json --out tfsec_results.json ${{ matrix.dir }}
+ continue-on-error: true
- name: Terraform Init
run: terraform init
diff --git a/management-team-account/state/S3/main.tf b/management-team-account/state/S3/main.tf
index e41e553..741acf0 100644
--- a/management-team-account/state/S3/main.tf
+++ b/management-team-account/state/S3/main.tf
@@ -58,6 +58,42 @@ resource "aws_s3_bucket_public_access_block" "state_org_block" {
restrict_public_buckets = true
}
+# operation 계정에서 organization 상태 파일을 참조할 수 있도록 read-only 접근 허용
+
+data "terraform_remote_state" "org" {
+ backend = "s3"
+ config = {
+ bucket = "cloudfence-management-state"
+ key = "organization/organizations.tfstate"
+ region = "ap-northeast-2"
+ }
+}
+
+resource "aws_s3_bucket_policy" "allow_operation_read_state" {
+ bucket = "cloudfence-management-state"
+
+ policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Sid : "AllowOperationAccountReadState",
+ Effect : "Allow",
+ Principal = {
+ AWS = "arn:aws:iam::${data.terraform_remote_state.org.outputs.operation_account_id}:root"
+ },
+ Action = [
+ "s3:GetObject",
+ "s3:ListBucket"
+ ],
+ Resource = [
+ "arn:aws:s3:::cloudfence-management-state",
+ "arn:aws:s3:::cloudfence-management-state/organization/organizations.tfstate"
+ ]
+ }
+ ]
+ })
+}
+
# S3 버킷 서버 측 암호화
resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
bucket = aws_s3_bucket.state_org.id
diff --git a/modules/S3_kms/main.tf b/modules/S3_kms/main.tf
index 2f9ddf5..b101c5d 100644
--- a/modules/S3_kms/main.tf
+++ b/modules/S3_kms/main.tf
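Review bot: `continue-on-error: true` on the tfsec step makes the scan purely informational: the job now proceeds to `terraform init` (and whatever follows it) regardless of what tfsec finds, so the IaC security gate is removed for every severity rather than just the noise you want to tolerate. If the intent is to keep the JSON artifact while not failing on low findings, leave this step for collection and add a blocking step such as `run: tfsec --minimum-severity HIGH ${{ matrix.dir }}` so HIGH/CRITICAL findings still stop the pipeline. Whether `tfsec_results.json` is uploaded or checked by a later step is not visible in this hunk; if nothing consumes it, the findings are silently discarded. The step list continues outside the hunk.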
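Review bot: The new `allow_operation_read_state` policy grants `s3:ListBucket` on the entire `cloudfence-management-state` bucket to the operation account's `:root`, so any IAM principal in that account with an S3 allow can enumerate every state-file key the management account keeps there, not just `organization/organizations.tfstate` (the `s3:GetObject` grant is correctly limited to that one key). Narrow `ListBucket` with an `s3:prefix` condition in its own statement — that key is only evaluated for `ListBucket`, so attaching it to the combined statement would deny the `GetObject` call — and consider a specific role ARN instead of `:root`. Terraform's S3 backend also lists the `env:/` workspace prefix when it opens a state, so that prefix presumably needs to stay allowed; verify against your Terraform version. Two smaller points: `bucket = "cloudfence-management-state"` hardcodes the name while the sibling encryption resource uses `aws_s3_bucket.state_org.id`, and `Sid :`/`Effect :` mix the `:` object syntax with the `=` used on the other attributes. `aws_s3_bucket_policy` is one-per-bucket, so if a TLS-only or similar policy already exists for this bucket outside the hunk, this resource will replace it on apply.
```hcl
resource "aws_s3_bucket_policy" "allow_operation_read_state" {
  bucket = aws_s3_bucket.state_org.id

  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Sid       = "AllowOperationAccountGetOrgState",
        Effect    = "Allow",
        Principal = { AWS = "arn:aws:iam::${data.terraform_remote_state.org.outputs.operation_account_id}:root" },
        Action    = ["s3:GetObject"],
        Resource  = "${aws_s3_bucket.state_org.arn}/organization/organizations.tfstate"
      },
      {
        # s3:prefix is only evaluated for ListBucket, so it needs its own statement.
        # "env:/" is the workspace prefix the S3 backend lists when opening a state — confirm for your version.
        Sid       = "AllowOperationAccountListOrgPrefix",
        Effect    = "Allow",
        Principal = { AWS = "arn:aws:iam::${data.terraform_remote_state.org.outputs.operation_account_id}:root" },
        Action    = ["s3:ListBucket"],
        Resource  = aws_s3_bucket.state_org.arn,
        Condition = { StringLike = { "s3:prefix" = ["organization/*", "env:/*"] } }
      }
    ]
  })
}
```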
@@ -1,3 +1,12 @@
+data "terraform_remote_state" "org" {
+ backend = "s3"
+ config = {
+ bucket = "cloudfence-management-state"
+ key = "organization/organizations.tfstate"
+ region = "ap-northeast-2"
+ }
+}
+
data "aws_caller_identity" "current" {}
resource "aws_kms_key" "this" {
@@ -36,6 +45,21 @@ resource "aws_kms_key" "this" {
"aws:SourceAccount" = data.aws_caller_identity.current.account_id
}
}
+ },
+ {
+ Sid : "AllowRootAccountToUseKey",
+ Effect : "Allow",
+ Principal : {
+ AWS : [
+ "arn:aws:iam::${data.terraform_remote_state.org.outputs.operation_account_id}:root",
+ "arn:aws:iam::${data.terraform_remote_state.org.outputs.management_account_id}:root"
+ ]
+ },
+ Action : [
+ "kms:Decrypt",
+ "kms:DescribeKey"
+ ],
+ Resource : "*"
}
]
})
diff --git a/operation-team-account/state/S3/main.tf b/operation-team-account/state/S3/main.tf
index d843767..6deb195 100644
--- a/operation-team-account/state/S3/main.tf
+++ b/operation-team-account/state/S3/main.tf
@@ -10,6 +10,15 @@ provider "aws" {
region = "ap-northeast-2"
}
+data "terraform_remote_state" "org" {
+ backend = "s3"
+ config = {
+ bucket = "cloudfence-management-state"
+ key = "organization/organizations.tfstate"
+ region = "ap-northeast-2"
+ }
+}
+
# KMS 모듈 호출
module "s3_kms" {
source = "../../../modules/S3_kms"
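Review bot: A reusable module should not read a specific remote state: the new `data "terraform_remote_state" "org"` hardcodes the management bucket, key and region inside `modules/S3_kms`, so every caller of the module silently gains a dependency on, and needs read access to, the management state bucket, and the same block is copy-pasted into both root configurations in this diff. Pass the account IDs in as inputs instead — `variable "reader_account_ids" { type = list(string) }` — and let each root module resolve them from its own remote-state data source. The `aws_kms_key "this"` resource that opens on the hunk's last line continues outside it.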
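Review bot: The new `AllowRootAccountToUseKey` statement grants `kms:Decrypt`/`kms:DescribeKey` to the `:root` of both accounts with no condition, so any principal in either account that has a matching IAM allow can decrypt anything encrypted under this key, not only the state objects in the bucket this module serves. Since the key is used for S3 SSE-KMS (the operation config passes `module.s3_kms.kms_key_arn` as `kms_master_key_id` elsewhere in this diff), add `Condition = { StringEquals = { "kms:ViaService" = "s3.ap-northeast-2.amazonaws.com" } }` so the key is only usable through S3, and prefer the reader role's ARN over `:root`; the preceding statement in this policy already conditions on `aws:SourceAccount`, so a conditioned grant matches the existing style. Both account roots are granted regardless of which account instantiates the module, so each key ends up with one grant it presumably does not need. The `aws_kms_key "this"` policy starts before this hunk.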
@@ -58,6 +67,32 @@ resource "aws_s3_bucket_public_access_block" "state_org_block" {
restrict_public_buckets = true
}
+# management 계정에 대한 readonly 권한 추가
+resource "aws_s3_bucket_policy" "allow_management_read" {
+ bucket = aws_s3_bucket.state_org.id
+
+ policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Sid = "AllowManagementAccountReadAccess",
+ Effect = "Allow",
+ Principal = {
+ AWS = "arn:aws:iam::${data.terraform_remote_state.org.outputs.management_account_id}:root"
+ },
+ Action = [
+ "s3:GetObject",
+ "s3:ListBucket"
+ ],
+ Resource = [
+ "arn:aws:s3:::cloudfence-operation-state",
+ "arn:aws:s3:::cloudfence-operation-state/*"
+ ]
+ }
+ ]
+ })
+}
+
# S3 버킷 서버 측 암호화
resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
bucket = aws_s3_bucket.state_org.id
@@ -68,4 +103,4 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
kms_master_key_id = module.s3_kms.kms_key_arn
}
}
-}
+}
\ No newline at end of file
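Review bot: `allow_management_read` grants the management account `s3:GetObject` on `cloudfence-operation-state/*`, i.e. every state file the operation account will ever write to this bucket, whereas the mirror-image policy added to `management-team-account` in this diff limits the object grant to a single key; Terraform state routinely carries secrets, so scope the object resource to the specific key(s) the management account must read. The ARNs are also literals while `bucket = aws_s3_bucket.state_org.id` references the resource, so if the bucket name ever differs the policy attaches to the right bucket but names the wrong ARNs; use `aws_s3_bucket.state_org.arn` and `"${aws_s3_bucket.state_org.arn}/<state-key>"`. As on the management side, `:root` delegates to every IAM principal in that account and `s3:ListBucket` on the whole bucket exposes all key names; a specific role ARN and an `s3:prefix` condition in a separate statement are tighter. Cross-account reads of these SSE-KMS objects also need `kms:Decrypt` on the module's key, which the `modules/S3_kms` change in this diff supplies.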