From 8357dda0217c2396370398de9a8c24cf8bf508aa Mon Sep 17 00:00:00 2001 From: Matt Conway Date: Fri, 22 Oct 2021 09:47:33 -0400 Subject: [PATCH] Initial iam permissions to allow for cloudtruth push feature --- README.md | 1 + main.tf | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++ variables.tf | 8 ++++++ 3 files changed, 82 insertions(+) diff --git a/README.md b/README.md index 5845fe3..cacac66 100644 --- a/README.md +++ b/README.md @@ -37,6 +37,7 @@ module "grant-cloudtruth-access" { | s3\_policy | A custom policy to use for s3 instead of the one this module would define | `string` | `""` | no | | s3\_resources | The s3 resources to explicitly grant access to, defaults to all, and listing
all buckets is always allowed (for bucket chooser in UI) even if access
isn't granted here | `list(string)` |
[
"*"
]
| no | | services\_enabled | The AWS services to grant cloudtruth access to, allowed values are s3, ssm, secrets | `list(string)` | n/a | yes | +| services\_write\_enabled | The AWS services to grant cloudtruth write access to, allowed values are s3, ssm, secrets | `list(string)` | `[]` | no | | ssm\_policy | A custom policy to use for ssm instead of the one this module would define | `string` | `""` | no | | ssm\_resources | The ssm resources to explicitly grant access to, defaults to all, and listing
all is always allowed (for chooser in UI) even if access
isn't granted here | `list(string)` |
[
"*"
]
| no | | secrets\_policy | A custom policy to use for secrets manager instead of the one this module would define | `string` | `""` | no | diff --git a/main.tf b/main.tf index 1b1a395..abdc924 100644 --- a/main.tf +++ b/main.tf @@ -52,6 +52,19 @@ data "aws_iam_policy_document" "s3" { } +// This policy allows cloudtruth to write to your S3 buckets +// +data "aws_iam_policy_document" "s3-write" { + + statement { + sid = "BucketWrite" + actions = ["s3:PutObject"] + effect = "Allow" + resources = var.s3_resources + } + +} + // This policy allows cloudtruth to list and read your AWS SSM Parameter Store // data "aws_iam_policy_document" "ssm" { @@ -68,6 +81,7 @@ data "aws_iam_policy_document" "ssm" { statement { sid = "ParameterAccess" actions = [ + "ssm:DescribeParameters", "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath" @@ -78,6 +92,34 @@ data "aws_iam_policy_document" "ssm" { } +// This policy allows cloudtruth to write to your AWS SSM Parameter Store +// +data "aws_iam_policy_document" "ssm-write" { + + statement { + sid = "TagAccess" + actions = [ + "tag:GetResources" + ] + effect = "Allow" + resources = ["*"] + } + + statement { + sid = "ParameterWrite" + actions = [ + "ssm:AddTagsToResource", + "ssm:DeleteParameter", + "ssm:ListTagsForResource", + "ssm:PutParameter", + "ssm:RemoveTagsFromResource" + ] + effect = "Allow" + resources = var.ssm_resources + } + +} + // This policy allows cloudtruth to list and read your AWS Secret Store // data "aws_iam_policy_document" "secrets" { 
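Review bot: The new `s3-write` statement scopes `s3:PutObject` to `var.s3_resources`, the same input the read policy uses and which the README change in this patch documents as defaulting to `*`; the `ssm-write` and `secrets-write` hunks do the same with `var.ssm_resources` and `var.secrets_resources`. Enabling write for a service therefore grants write to everything the role can read, with no way to hand out a narrower write scope than read scope. A separate `s3_write_resources` input would let callers restrict it while keeping today's behaviour as the default, e.g. `resources = coalescelist(var.s3_write_resources, var.s3_resources)` with the new variable defaulting to `[]`. Note also that `s3:PutObject` is evaluated against object ARNs (`arn:aws:s3:::bucket/*`), so if callers populate `var.s3_resources` with bucket-level ARNs for listing, this statement would grant nothing usable; that is worth a sentence in the variable description.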
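Review bot: `ssm:DescribeParameters` is not a resource-level action in IAM (it is only evaluated against `*`), so adding it to the `ParameterAccess` statement works only while that statement's `resources` line, which is outside this hunk, is the default `*`; a caller who narrows `var.ssm_resources` will have the call denied with no hint from the plan. If the `ssm` document already has a `*`-scoped listing statement (the README says listing is always allowed), the action belongs there; otherwise add a dedicated statement with `sid = "ParameterList"`, `actions = ["ssm:DescribeParameters"]`, `resources = ["*"]`.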
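Review bot: The `ParameterWrite` statement includes `ssm:DeleteParameter` (and the `secrets-write` hunk includes `secretsmanager:DeleteSecret`), so listing a service in `services_write_enabled` also grants deletion, which neither the variable description in the variables.tf hunk nor the `//` header comment mentions. If push needs delete, say so where the caller decides: `The AWS services to grant cloudtruth write (including delete) access to, allowed values are s3, ssm, secrets` in the variable description, and `// This policy allows cloudtruth to create, update, tag and delete parameters in your AWS SSM Parameter Store` as the header. If it does not, move the delete action into its own statement so it can be dropped independently.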
@@ -103,12 +145,35 @@ data "aws_iam_policy_document" "secrets" { } +// This policy allows cloudtruth to write to your AWS Secret Store +// +data "aws_iam_policy_document" "secrets-write" { + + statement { + sid = "SecretWrite" + actions = [ + "secretsmanager:CreateSecret", + "secretsmanager:DeleteSecret", + "secretsmanager:TagResource", + "secretsmanager:UpdateSecret" + ] + effect = "Allow" + resources = var.secrets_resources + } + +} + locals { policy_lookup = { s3 = var.s3_policy != "" ? var.s3_policy : data.aws_iam_policy_document.s3.json ssm = var.ssm_policy != "" ? var.ssm_policy : data.aws_iam_policy_document.ssm.json secrets = var.secrets_policy != "" ? var.secrets_policy : data.aws_iam_policy_document.secrets.json } + write_policy_lookup = { + s3 = data.aws_iam_policy_document.s3-write.json + ssm = data.aws_iam_policy_document.ssm-write.json + secrets = data.aws_iam_policy_document.secrets-write.json + } } resource "aws_iam_role_policy" "cloudtruth-policies" { @@ -118,3 +183,11 @@ resource "aws_iam_role_policy" "cloudtruth-policies" { role = aws_iam_role.cloudtruth-access.id policy = local.policy_lookup[each.key] } + +resource "aws_iam_role_policy" "cloudtruth-write-policies" { + for_each = toset(var.services_write_enabled) + + name = "allow-cloudtruth-write-to-${each.key}" + role = aws_iam_role.cloudtruth-access.id + policy = local.write_policy_lookup[each.key] +} diff --git a/variables.tf b/variables.tf index ae53aa1..c466b74 100644 --- a/variables.tf +++ b/variables.tf @@ -19,6 +19,14 @@ variable "services_enabled" { type = list(string) } +variable "services_write_enabled" { + description = <<-EOD + The AWS services to grant cloudtruth write access to, allowed values are s3, ssm, secrets + EOD + type = list(string) + default = [] +} + variable "s3_resources" { description = <<-EOD The s3 resources to explicitly grant access to, defaults to all, and listing
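Review bot: `write_policy_lookup` has no custom-policy escape hatch, while the `policy_lookup` entries directly above it fall back from `var.s3_policy`/`var.ssm_policy`/`var.secrets_policy`; a caller who needs to tighten a write grant (for example to add a `Condition`) cannot do so for the write policies. Mirroring the existing pattern would be `s3 = var.s3_write_policy != "" ? var.s3_write_policy : data.aws_iam_policy_document.s3-write.json` and likewise for `ssm` and `secrets`, with matching `*_write_policy` string variables defaulting to `""` in variables.tf.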
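Review bot: `services_write_enabled` accepts any string, and an entry outside `s3`/`ssm`/`secrets` only surfaces later as an invalid-index error on `local.write_policy_lookup[each.key]` in main.tf; the existing `services_enabled` has the same gap, but the new variable can at least check its own input at plan time. If the module targets Terraform 0.13 or later (the required version is not visible here), a `validation` block inside the new variable gives a clear message instead:
```terraform
variable "services_write_enabled" {
  # … unchanged: description, type, default …
  validation {
    condition     = alltrue([for s in var.services_write_enabled : contains(["s3", "ssm", "secrets"], s)])
    error_message = "services_write_enabled entries must be one of: s3, ssm, secrets."
  }
}
```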