From 0f0bdda5bafe4010975ea60ac890bfb6157341c9 Mon Sep 17 00:00:00 2001
From: Paul van Lierop
Date: Wed, 29 Nov 2023 16:53:12 +0100
Subject: [PATCH 1/5] Change role creation for CI CD. Current role has always admin, poweruser or readonly
---
 ci_cd_role.tf | 31 +++++++++++++++++++++++++++++++
 main.tf | 20 --------------------
 variables.tf | 26 ++++++++++++++++++++------
 3 files changed, 51 insertions(+), 26 deletions(-)
 create mode 100644 ci_cd_role.tf
diff --git a/ci_cd_role.tf b/ci_cd_role.tf
new file mode 100644
index 0000000..ddddefd
--- /dev/null
+++ b/ci_cd_role.tf
@@ -0,0 +1,31 @@
+# Nagios
+
+resource "aws_iam_role" "ci_cd_iam_role" {
+ count = var.create_ci_cd_role ? 1 : 0
+
+ name = "ci_cd_access_role"
+ assume_role_policy = data.aws_iam_policy_document.ci_cd_policy_document[0].json
+
+ dynamic "inline_policy" {
+ for_each = var.ci_cd_role_inline_policies
+
+ content {
+ name = inline_policy.key
+ policy = inline_policy.value
+ }
+ }
+}
+
+data "aws_iam_policy_document" "ci_cd_policy_document" {
+ count = var.create_ci_cd_role ? 1 : 0
+
+ statement {
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = "AWS"
+ identifiers = var.trusted_roles_ci_cd
+ }
+ }
+}
+
+
diff --git a/main.tf b/main.tf
index 3c489d2..97d383b 100644
--- a/main.tf
+++ b/main.tf
@@ -9,16 +9,6 @@ data "aws_iam_policy_document" "assume_role" {
 identifiers = var.trusted_role_arns
 }
 }
- statement {
- effect = "Allow"
-
- actions = ["sts:AssumeRole"]
-
- principals {
- type = "AWS"
- identifiers = var.trusted_roles_ci_cd
- }
- }
 }
 data "aws_iam_policy_document" "assume_role_with_mfa" {
@@ -44,16 +34,6 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {
 values = [var.mfa_age]
 }
 }
- statement {
- effect = "Allow"
-
- actions = ["sts:AssumeRole"]
-
- principals {
- type = "AWS"
- identifiers = var.trusted_roles_ci_cd
- }
- }
 }
 # Admin
diff --git a/variables.tf b/variables.tf
index f9e82f0..0cebcce 100644
--- a/variables.tf
+++ b/variables.tf
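Review bot: The trust statement in `ci_cd_policy_document` omits `effect`, while the sibling statements this same commit removes from main.tf set `effect = "Allow"` explicitly; add `effect = "Allow"` so the two trust documents read the same way. The principal list is taken straight from `var.trusted_roles_ci_cd`, whose default is `[]`, so enabling `create_ci_cd_role` without supplying trusted roles produces a statement with an empty `identifiers` list; I would reject that combination at plan time (a `precondition` on the data source, or a validation on the variable) instead of letting the provider surface it. The role name `ci_cd_access_role` is fixed, so two instantiations of this module in one account will collide on the name; a comment above the resource, `# Role name is fixed: only one CI/CD role per account can be created by this module`, would save the next caller a failed apply.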
@@ -3,11 +3,6 @@ variable "trusted_role_arns" {
 default = []
 }
-variable "trusted_roles_ci_cd" {
- description = "ARNs of AWS entities who can assume these roles for CI/CD"
- default = []
-}
-
 variable "mfa_age" {
 description = "Max age of valid MFA (in seconds) for roles which require MFA"
@@ -125,7 +120,7 @@ variable "create_cloudwatch_share_role" {
 variable "nagios_role_arn" {
 description = "arn of principal which assumes nagios role"
- default = ""
+ default = []
 }
 variable "create_nagios_role" {
@@ -151,3 +146,22 @@ variable "create_sla_reporter_role" {
 description = "Create role used by SLA report generator"
 default = false
 }
+
+# github
+
+variable "create_ci_cd_role" {
+ description = "Wheter ci_cd_role has to be created"
+ default = false
+ type = bool
+}
+
+variable "trusted_roles_ci_cd" {
+ description = "ARNs of AWS entities who can assume these roles for CI/CD"
+ default = []
+}
+
+variable "ci_cd_role_inline_policies" {
+ default = {}
+ description = "Inline policies map with policy name as key and json as value."
+ type = map(string)
+}
From a90647125dc34c3c76aa481c6da48506c717303d Mon Sep 17 00:00:00 2001
From: Paul van Lierop
Date: Wed, 13 Dec 2023 11:12:35 +0100
Subject: [PATCH 2/5] add managed policies option
---
 ci_cd_role.tf | 1 +
 variables.tf | 8 +++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/ci_cd_role.tf b/ci_cd_role.tf
index ddddefd..49acdd5 100644
--- a/ci_cd_role.tf
+++ b/ci_cd_role.tf
@@ -5,6 +5,7 @@ resource "aws_iam_role" "ci_cd_iam_role" {
 name = "ci_cd_access_role"
 assume_role_policy = data.aws_iam_policy_document.ci_cd_policy_document[0].json
+ managed_policy_arns = var.ci_cd_role_managed_policies
 dynamic "inline_policy" {
 for_each = var.ci_cd_role_inline_policies
diff --git a/variables.tf b/variables.tf
index 0cebcce..cea35fd 100644
--- a/variables.tf
+++ b/variables.tf
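Review bot: `nagios_role_arn` has its default changed from `""` to `[]` while the description still says `arn of principal` (singular) and the variable carries no `type`, so the shape of an unrelated input changes silently inside a CI/CD commit. If the nagios trust policy consumes it as an `identifiers` list, say so: `type = list(string)` and `description = "ARNs of principals which may assume the nagios role"`; if it is still used as a string anywhere outside this hunk, the new default breaks the plan. Either way this belongs in its own commit with its own explanation.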
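Review bot: `trusted_roles_ci_cd` is re-added without a `type`, so a caller who passes a single ARN string is not rejected at plan time and the error only appears inside the trust policy document; add `type = list(string)`, matching `ci_cd_role_inline_policies` which does declare its type. The description of `create_ci_cd_role` has a typo: `description = "Whether the CI/CD role has to be created"`. Because the trust policy is built from this list, a validation or precondition that requires it to be non-empty whenever `create_ci_cd_role` is true would make the empty-principals case an explicit plan error rather than a provider-side failure.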
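Review bot: Assigning `managed_policy_arns` from a variable that defaults to `[]` makes the attribute configured even when no policies are requested, and once configured the AWS provider treats the role's managed-policy attachments as exclusively owned by this resource: anything attached through `aws_iam_role_policy_attachment` or outside Terraform is detached on the next apply. That is a behaviour change for existing users of the module and deserves a comment on the added line, e.g. `# configured (even as []) => attachments not in this list are detached on apply`. In recent AWS provider 5.x releases `managed_policy_arns` and `inline_policy` are also deprecated in favour of `aws_iam_role_policy_attachment` / `aws_iam_role_policy`, so a `for_each` attachment resource would avoid both issues; whether that applies depends on the provider constraint pinned outside this hunk. The enclosing `resource` block starts and ends outside the hunk.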
@@ -147,7 +147,7 @@ variable "create_sla_reporter_role" {
 default = false
 }
-# github
+# CI_CD
 variable "create_ci_cd_role" {
 description = "Wheter ci_cd_role has to be created"
@@ -165,3 +165,9 @@ variable "ci_cd_role_inline_policies" {
 description = "Inline policies map with policy name as key and json as value."
 type = map(string)
 }
+
+variable "ci_cd_role_managed_policies" {
+ default = []
+ description = "Managed policies list."
+ type = list(string)
+}
From 1cd9c65a1edbfe9ac1b993ae45bc65ccc4c4a16b Mon Sep 17 00:00:00 2001
From: Paul van Lierop
Date: Wed, 13 Dec 2023 15:49:04 +0100
Subject: [PATCH 3/5] Add example to Readme
---
 README.md | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 ci_cd_role.tf | 4 ++--
 2 files changed, 49 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 0842268..69dd20a 100644
--- a/README.md
+++ b/README.md
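Review bot: The description `"Managed policies list."` on `ci_cd_role_managed_policies` tells the caller neither what the values are nor what the module does with them, and this variable is the main lever on what the CI/CD role can do. Suggest `description = "ARNs of IAM managed policies to attach to the CI/CD role. Attachments not in this list are removed on apply."` so the exclusive-attachment behaviour of the role resource is visible from the inputs table. The `type = list(string)` here is good; `trusted_roles_ci_cd`, defined just above this hunk, still lacks one.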
@@ -4,6 +4,53 @@ Creates predefined IAM roles (admin, poweruser and readonly) which can be assume
 Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns) - typically, AWS accounts and users.
+```
+module "iam-roles" {
+ source = "git@github.com:kabisa/terraform-iam-assumable-roles.git?ref=task/refactor_ci_cd_role"
+
+ trusted_role_arns = [
+ "arn:aws:iam::${local.dovetail-iam}:root",
+ "arn:aws:iam::${local.kabisa-iam}:root",
+ ]
+
+ create_ci_cd_role = true
+
+ trusted_roles_ci_cd = [
+ "arn:aws:iam::{[account-id]}:role/github_actions_role",
+ ]
+
+ ci_cd_role_managed_policies = [
+ "arn:aws:iam::aws:policy/AmazonSSMFullAccess",
+ "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
+ ]
+
+ ci_cd_role_inline_policies = {
+ "example_inline_policy" : data.aws_iam_policy_document.example.json,
+ "example2" : data.aws_iam_policy_document.example2.json
+ }
+
+ create_admin_role = true
+ create_poweruser_role = true
+ create_readonly_role = true
+}
+
+data "aws_iam_policy_document" "example" {
+ statement {
+ actions = ["ssm:*", "ec2:*"]
+ effect = "Allow"
+ resources = ["*"]
+ }
+}
+
+data "aws_iam_policy_document" "example2" {
+ statement {
+ actions = ["s3:*"]
+ effect = "Allow"
+ resources = ["*"]
+ }
+}
+```
+
 ## Inputs
diff --git a/ci_cd_role.tf b/ci_cd_role.tf
index 49acdd5..0f8c4be 100644
--- a/ci_cd_role.tf
+++ b/ci_cd_role.tf
@@ -3,8 +3,8 @@ resource "aws_iam_role" "ci_cd_iam_role" {
 count = var.create_ci_cd_role ? 1 : 0
- name = "ci_cd_access_role"
- assume_role_policy = data.aws_iam_policy_document.ci_cd_policy_document[0].json
+ name = "ci_cd_access_role"
+ assume_role_policy = data.aws_iam_policy_document.ci_cd_policy_document[0].json
 managed_policy_arns = var.ci_cd_role_managed_policies
 dynamic "inline_policy" {
From aab0ac5d3cc31ab532658fad5b3181c72693e290 Mon Sep 17 00:00:00 2001
From: Paul van Lierop
Date: Wed, 13 Dec 2023 15:50:37 +0100
Subject: [PATCH 4/5] Remove comment
---
 ci_cd_role.tf | 2 --
 1 file changed, 2 deletions(-)
diff --git a/ci_cd_role.tf b/ci_cd_role.tf
index 0f8c4be..d330ae9 100644
--- a/ci_cd_role.tf
+++ b/ci_cd_role.tf
@@ -1,5 +1,3 @@
-# Nagios
-
 resource "aws_iam_role" "ci_cd_iam_role" {
 count = var.create_ci_cd_role ? 1 : 0
From e8708703f1429b2ce9153501cccb731b18cba985 Mon Sep 17 00:00:00 2001
From: Paul van Lierop
Date: Wed, 13 Dec 2023 15:52:54 +0100
Subject: [PATCH 5/5] Update Readme
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 69dd20a..1e3f8a6 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
 ```
 module "iam-roles" {
- source = "git@github.com:kabisa/terraform-iam-assumable-roles.git?ref=task/refactor_ci_cd_role"
+ source = "git@github.com:kabisa/terraform-iam-assumable-roles.git?ref=[version]"
 trusted_role_arns = [
 "arn:aws:iam::${local.dovetail-iam}:root",