From 27169d5d1b8317a0e3853117f53506e84653706b Mon Sep 17 00:00:00 2001 From: Rik Tonnard Date: Fri, 18 Mar 2022 10:00:11 +0100 Subject: [PATCH] Remove use of template provider The template provider is deprecated and it is now advised to use the templatefile function instead. Since all templates were AWS IAM Policy Documents, the aws_iam_policy_document data source is used instead. --- aws_config.tf | 41 ++++++-- cloudtrail.tf | 25 +++-- policies/aws_config_assume_role_policy.tpl | 13 --- policies/aws_config_policy.tpl | 25 ----- policies/cloudwatch_assume_role_policy.tpl | 13 --- policies/cloudwatch_policy.tpl | 23 ---- policies/force-mfa.json | 109 ------------------- policy-mfa.tf | 117 ++++++++++++++++++++- 8 files changed, 159 insertions(+), 207 deletions(-) delete mode 100644 policies/aws_config_assume_role_policy.tpl delete mode 100644 policies/aws_config_policy.tpl delete mode 100644 policies/cloudwatch_assume_role_policy.tpl delete mode 100644 policies/cloudwatch_policy.tpl delete mode 100644 policies/force-mfa.json diff --git a/aws_config.tf b/aws_config.tf index 4009408..ea4b47c 100644 --- a/aws_config.tf +++ b/aws_config.tf @@ -47,14 +47,21 @@ resource "aws_config_delivery_channel" "aws_config_delivery_channel" { ] } -data "template_file" "aws_config_iam_assume_role_policy_document" { - template = file("${path.module}/policies/aws_config_assume_role_policy.tpl") +data "aws_iam_policy_document" "aws_config_assume" { + statement { + principals { + type = "Service" + identifiers = ["config.amazonaws.com"] + } + + actions = ["sts:AssumeRole"] + } } resource "aws_iam_role" "aws_config_iam_role" { count = var.enable_aws_config ? 1 : 0 name = "terraform-awsconfig-role" - assume_role_policy = data.template_file.aws_config_iam_assume_role_policy_document.rendered + assume_role_policy = data.aws_iam_policy_document.aws_config_assume.json } resource "aws_iam_role_policy_attachment" "aws_config_iam_policy_attachment" { 
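Review bot: The trust statement in `aws_config_assume` lets `config.amazonaws.com` assume the role on behalf of any AWS account, which is the cross-service confused-deputy shape AWS warns about for service-linked trust policies; now that the document is plain HCL rather than an opaque template, pin it with a `condition` on `aws:SourceAccount`. The deleted `aws_config_assume_role_policy.tpl` had the same gap, so this is not a regression, but it is the natural moment to close it. The snippet below assumes a `data "aws_caller_identity" "current" {}` is declared in the module (not visible in this patch); add one if it is not. The data source is not gated by `var.enable_aws_config` while `aws_config_iam_role` is, which is harmless for a locally computed document and worth a one-line comment such as `# Not count-gated: computed locally, only referenced when the role exists.`
```hcl
    actions = ["sts:AssumeRole"]

    # Confused-deputy guard: Config may only assume this role on behalf of this account.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
```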
@@ -63,13 +70,26 @@ resource "aws_iam_role_policy_attachment" "aws_config_iam_policy_attachment" { policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRole" } -data "template_file" "aws_config_iam_policy_document" { - template = file("${path.module}/policies/aws_config_policy.tpl") - count = var.enable_aws_config ? 1 : 0 +data "aws_iam_policy_document" "aws_config" { + count = var.enable_aws_config ? 1 : 0 - vars = { - sns_topic_arn = aws_sns_topic.aws_config_updates_topic[0].arn - s3_bucket_arn = aws_s3_bucket.aws_config_configuration_bucket[0].arn + statement { + actions = ["config:Put*"] + resources = ["*"] + } + + statement { + actions = ["sns:*"] + resources = [one(aws_sns_topic.aws_config_updates_topic).arn] + } + + statement { + actions = ["s3:*"] + + resources = [ + one(aws_s3_bucket.aws_config_configuration_bucket).arn, + "${one(aws_s3_bucket.aws_config_configuration_bucket).arn}/*" + ] } } @@ -77,7 +97,7 @@ resource "aws_iam_role_policy" "aws_config_iam_policy" { count = var.enable_aws_config ? 1 : 0 name = "terraform-awsconfig-policy" role = aws_iam_role.aws_config_iam_role[0].id - policy = data.template_file.aws_config_iam_policy_document[0].rendered + policy = one(data.aws_iam_policy_document.aws_config).json } resource "null_resource" "sns_subscribe" { @@ -93,4 +113,3 @@ resource "null_resource" "sns_subscribe" { command = "aws sns subscribe --topic-arn ${aws_sns_topic.aws_config_updates_topic[0].arn} --protocol email --notification-endpoint ${element(var.aws_config_notification_emails, count.index)}" } } - diff --git a/cloudtrail.tf b/cloudtrail.tf index 1c51a47..4b4d0bc 100644 --- a/cloudtrail.tf +++ b/cloudtrail.tf 
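Review bot: The `aws_config` document grants `s3:*` on the configuration bucket and `sns:*` on the topic, carrying the template's over-broad grants into code where each statement is now spelled out; `s3:*` on the bucket ARN includes `s3:DeleteObject`, `s3:DeleteBucket` and `s3:PutBucketPolicy`, which undermines the bucket's role as tamper-evident audit evidence. A Config service role only needs to write snapshots and publish notifications, so the expected shape is roughly `actions = ["s3:PutObject", "s3:PutObjectAcl", "s3:GetBucketAcl", "s3:ListBucket"]` and `actions = ["sns:Publish"]`; confirm the exact list against the current AWS Config delivery-channel permissions before narrowing. The `config:Put*` on `*` statement is unchanged from the template and is appropriate for a service role. Each statement relies on the data source's default `effect = "Allow"`; stating it explicitly would match the deleted JSON and make the deny/allow split obvious to the next reader.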
@@ -54,14 +54,21 @@ resource "aws_cloudwatch_log_group" "log_group" { # # CloudTrail Cloudwatch IAM Role # -data "template_file" "cloudwatch_iam_assume_role_policy_document" { - template = file("${path.module}/policies/cloudwatch_assume_role_policy.tpl") +data "aws_iam_policy_document" "cloudwatch_assume" { + statement { + principals { + type = "Service" + identifiers = ["cloudtrial.amazonaws.com"] + } + + actions = ["sts:AssumeRole"] + } } resource "aws_iam_role" "cloudwatch_iam_role" { count = var.enable_cloudwatch_logs ? 1 : 0 name = var.cloudwatch_iam_role_name - assume_role_policy = data.template_file.cloudwatch_iam_assume_role_policy_document.rendered + assume_role_policy = data.aws_iam_policy_document.cloudwatch_assume.json } resource "aws_iam_role_policy_attachment" "cloudwatch_iam_policy_attachment" { @@ -70,19 +77,19 @@ resource "aws_iam_role_policy_attachment" "cloudwatch_iam_policy_attachment" { policy_arn = aws_iam_policy.cloudwatch_iam_policy[0].arn } -data "template_file" "cloudwatch_iam_policy_document" { - count = var.enable_cloudwatch_logs ? 1 : 0 - template = file("${path.module}/policies/cloudwatch_policy.tpl") +data "aws_iam_policy_document" "cloudwatch" { + count = var.enable_cloudwatch_logs ? 1 : 0 - vars = { - log_group_arn = aws_cloudwatch_log_group.log_group[0].arn + statement { + actions = ["logs:CreateLogStream", "logs:PutLogEvents"] + resources = ["${one(aws_cloudwatch_log_group.log_group).arn}:*"] } } resource "aws_iam_policy" "cloudwatch_iam_policy" { count = var.enable_cloudwatch_logs ? 1 : 0 name = var.cloudwatch_iam_policy_name - policy = data.template_file.cloudwatch_iam_policy_document[0].rendered + policy = one(data.aws_iam_policy_document.cloudwatch).rendered } # diff --git a/policies/aws_config_assume_role_policy.tpl b/policies/aws_config_assume_role_policy.tpl deleted file mode 100644 index 9ba7215..0000000 --- a/policies/aws_config_assume_role_policy.tpl +++ /dev/null 
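Review bot: `identifiers = ["cloudtrial.amazonaws.com"]` in `cloudwatch_assume` misspells the service principal; the deleted `cloudwatch_assume_role_policy.tpl` trusted `cloudtrail.amazonaws.com`. Whether IAM rejects the unknown principal at apply time or accepts it, the outcome is that CloudTrail cannot assume `cloudwatch_iam_role`, so delivery to the CloudWatch Logs group stops while the trail itself still looks healthy. Fix: `identifiers = ["cloudtrail.amazonaws.com"]`. As with the Config role, a `condition` on `aws:SourceArn` bound to the trail ARN would additionally prevent another account's trail from using this role.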
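Review bot: `policy = one(data.aws_iam_policy_document.cloudwatch).rendered` will fail at plan time: `rendered` was the `template_file` attribute, and `aws_iam_policy_document` exposes the document as `json`. Fix: `policy = one(data.aws_iam_policy_document.cloudwatch).json`, consistent with the other three call sites in this patch. Merging the two original statements into one `logs:CreateLogStream`/`logs:PutLogEvents` statement on `"${log_group_arn}:*"` is semantically equivalent and fine.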
@@ -1,13 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Action": "sts:AssumeRole",
- "Principal": {
- "Service": "config.amazonaws.com"
- },
- "Effect": "Allow",
- "Sid": ""
- }
- ]
-}
\ No newline at end of file
diff --git a/policies/aws_config_policy.tpl b/policies/aws_config_policy.tpl
deleted file mode 100644
index cb7a097..0000000
--- a/policies/aws_config_policy.tpl
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Action": "config:Put*",
- "Effect": "Allow",
- "Resource": "*"
- },
- {
- "Action": [
- "s3:*"
- ],
- "Effect": "Allow",
- "Resource": [
- "${s3_bucket_arn}",
- "${s3_bucket_arn}/*"
- ]
- },
- {
- "Effect": "Allow",
- "Action": "sns:*",
- "Resource": "${sns_topic_arn}"
- }
- ]
-}
\ No newline at end of file
diff --git a/policies/cloudwatch_assume_role_policy.tpl b/policies/cloudwatch_assume_role_policy.tpl
deleted file mode 100644
index 8906d65..0000000
--- a/policies/cloudwatch_assume_role_policy.tpl
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "",
- "Effect": "Allow",
- "Principal": {
- "Service": "cloudtrail.amazonaws.com"
- },
- "Action": "sts:AssumeRole"
- }
- ]
-}
diff --git a/policies/cloudwatch_policy.tpl b/policies/cloudwatch_policy.tpl
deleted file mode 100644
index 4e5b0d4..0000000
--- a/policies/cloudwatch_policy.tpl
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "logs:CreateLogStream"
- ],
- "Resource": [
- "${log_group_arn}:*"
- ]
- },
- {
- "Effect": "Allow",
- "Action": [
- "logs:PutLogEvents"
- ],
- "Resource": [
- "${log_group_arn}:*"
- ]
- }
- ]
-}
diff --git a/policies/force-mfa.json b/policies/force-mfa.json
deleted file mode 100644
index 16641be..0000000
--- a/policies/force-mfa.json
+++ /dev/null
@@ -1,109 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowAllUsersToListAccounts", - "Effect": "Allow", - "Action": [ - "iam:ListAccountAliases", - "iam:ListUsers", - "iam:GetAccountPasswordPolicy", - "iam:GetAccountSummary" - ], - "Resource": "*" - }, - { - "Sid": "AllowIndividualUserToSeeAndManageOnlyTheirOwnAccountInformation", - "Effect": "Allow", - "Action": [ - "iam:ChangePassword", - "iam:CreateAccessKey", - "iam:CreateLoginProfile", - "iam:DeleteAccessKey", - "iam:DeleteLoginProfile", - "iam:GetLoginProfile", - "iam:ListAccessKeys", - "iam:UpdateAccessKey", - "iam:UpdateLoginProfile", - "iam:ListSigningCertificates", - "iam:DeleteSigningCertificate", - "iam:UpdateSigningCertificate", - "iam:UploadSigningCertificate", - "iam:ListSSHPublicKeys", - "iam:GetSSHPublicKey", - "iam:DeleteSSHPublicKey", - "iam:UpdateSSHPublicKey", - "iam:UploadSSHPublicKey" - ], - "Resource": "arn:aws:iam::*:user/$${aws:username}" - }, - { - "Sid": "AllowIndividualUserToListOnlyTheirOwnMFA", - "Effect": "Allow", - "Action": [ - "iam:ListVirtualMFADevices", - "iam:ListMFADevices" - ], - "Resource": [ - "arn:aws:iam::*:mfa/*", - "arn:aws:iam::*:user/$${aws:username}" - ] - }, - { - "Sid": "AllowIndividualUserToManageTheirOwnMFA", - "Effect": "Allow", - "Action": [ - "iam:CreateVirtualMFADevice", - "iam:DeleteVirtualMFADevice", - "iam:EnableMFADevice", - "iam:ResyncMFADevice" - ], - "Resource": [ - "arn:aws:iam::*:mfa/$${aws:username}", - "arn:aws:iam::*:user/$${aws:username}" - ] - }, - { - "Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA", - "Effect": "Allow", - "Action": [ - "iam:DeactivateMFADevice" - ], - "Resource": [ - "arn:aws:iam::*:mfa/$${aws:username}", - "arn:aws:iam::*:user/$${aws:username}" - ], - "Condition": { - "Bool": { - "aws:MultiFactorAuthPresent": "true" - } - } - }, - { - "Sid": "BlockMostAccessUnlessSignedInWithMFA", - "Effect": "Deny", - "NotAction": [ - "iam:CreateVirtualMFADevice", - 
"iam:DeleteVirtualMFADevice", - "iam:ListVirtualMFADevices", - "iam:EnableMFADevice", - "iam:ResyncMFADevice", - "iam:ListAccountAliases", - "iam:ListUsers", - "iam:ListSSHPublicKeys", - "iam:ListAccessKeys", - "iam:ListServiceSpecificCredentials", - "iam:ListMFADevices", - "iam:GetAccountSummary", - "iam:ChangePassword", - "sts:GetSessionToken" - ], - "Resource": "*", - "Condition": { - "BoolIfExists": { - "aws:MultiFactorAuthPresent": "false" - } - } - } - ] -} diff --git a/policy-mfa.tf b/policy-mfa.tf index 1a223c7..a3eb6a0 100644 --- a/policy-mfa.tf +++ b/policy-mfa.tf 
@@ -1,7 +1,116 @@ -data "template_file" "force_mfa" { - count = var.enable_mfa ? 1 : 0 +data "aws_iam_policy_document" "force_mfa" { + statement { + sid = "AllowAllUsersToListAccounts" + resources = ["*"] + + actions = [ + "iam:ListAccountAliases", + "iam:ListUsers", + "iam:GetAccountPasswordPolicy", + "iam:GetAccountSummary" + ] + } + + statement { + sid = "AllowIndividualUserToSeeAndManageOnlyTheirOwnAccountInformation" + resources = ["arn:aws:iam::*:user/$${aws:username}"] + + actions = [ + "iam:ChangePassword", + "iam:CreateAccessKey", + "iam:CreateLoginProfile", + "iam:DeleteAccessKey", + "iam:DeleteLoginProfile", + "iam:GetLoginProfile", + "iam:ListAccessKeys", + "iam:UpdateAccessKey", + "iam:UpdateLoginProfile", + "iam:ListSigningCertificates", + "iam:DeleteSigningCertificate", + "iam:UpdateSigningCertificate", + "iam:UploadSigningCertificate", + "iam:ListSSHPublicKeys", + "iam:GetSSHPublicKey", + "iam:DeleteSSHPublicKey", + "iam:UpdateSSHPublicKey", + "iam:UploadSSHPublicKey" + ] + } + + statement { + sid = "AllowIndividualUserToListOnlyTheirOwnMFA" + + actions = [ + "iam:ListVirtualMFADevices", + "iam:ListMFADevices" + ] + + resources = [ + "arn:aws:iam::*:mfa/*", + "arn:aws:iam::*:user/$${aws:username}" + ] + } + + statement { + sid = "AllowIndividualUserToManageTheirOwnMFA" + + actions = [ + "iam:CreateVirtualMFADevice", + "iam:DeleteVirtualMFADevice", + "iam:EnableMFADevice", + "iam:ResyncMFADevice" + ] + + resources = [ + "arn:aws:iam::*:mfa/$${aws:username}", + "arn:aws:iam::*:user/$${aws:username}" + ] + } + + statement { + sid = "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA" + actions = ["iam:DeactivateMFADevice"] + + resources = [ + "arn:aws:iam::*:mfa/$${aws:username}", + "arn:aws:iam::*:user/$${aws:username}" + ] + + condition { + test = "Bool" + variable = "aws:MultiFactorAuthPresent" + values = ["true"] + } + } + + statement { + sid = "BlockMostAccessUnlessSignedInWithMFA" + effect = "Deny" + resources = ["*"] + + not_actions 
= [ + "iam:CreateVirtualMFADevice", + "iam:DeleteVirtualMFADevice", + "iam:ListVirtualMFADevices", + "iam:EnableMFADevice", + "iam:ResyncMFADevice", + "iam:ListAccountAliases", + "iam:ListUsers", + "iam:ListSSHPublicKeys", + "iam:ListAccessKeys", + "iam:ListServiceSpecificCredentials", + "iam:ListMFADevices", + "iam:GetAccountSummary", + "iam:ChangePassword", + "sts:GetSessionToken" + ] - template = file("${path.module}/policies/force-mfa.json") + condition { + test = "BoolIfExists" + variable = "aws:MultiFactorAuthPresent" + values = ["false"] + } + } } resource "aws_iam_policy" "mfa" { @@ -11,6 +120,6 @@ resource "aws_iam_policy" "mfa" { path = "/" description = "Policy to enforce MFA" - policy = data.template_file.force_mfa[0].rendered + policy = data.aws_iam_policy_document.force_mfa.json }
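Review bot: In `BlockMostAccessUnlessSignedInWithMFA`, `iam:ChangePassword` sits in `not_actions`, so a leaked console password alone is enough to rotate that password and lock out its owner without ever presenting MFA; AWS's published self-service MFA example, as I recall it, keeps `ChangePassword` behind the MFA deny. If the exemption is deliberate (letting a new user satisfy the forced first-login password change before enrolling a device), record the reason next to the entry: `# iam:ChangePassword is exempt so a new user can complete the forced password reset before MFA enrolment; revisit once onboarding enrols MFA first.` This list is carried over unchanged from the deleted `force-mfa.json`, so it is not a regression, but the rewrite is the first time it is reviewable as code. Minor consistency point: `force_mfa` dropped the `count = var.enable_mfa ? 1 : 0` the template had while `aws_config` and `cloudwatch` in this patch keep count on their data sources; harmless for a locally computed document, but worth aligning one way or the other. The `$${aws:username}` escapes are correct HCL for a literal `${aws:username}` policy variable.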