From 2ec0837f46c4e73f9d15e0d7639ac93bd6a2ea63 Mon Sep 17 00:00:00 2001 From: Thirumalesh Aaraveti Date: Wed, 11 Sep 2024 11:25:14 +0530 Subject: [PATCH] Create the cloud-governance infra: User, Policy, Bucket --- .../CloudGovernanceDeletePolicy.json | 136 +++++++++--------- .../CloudGovernanceInfra.tar | Bin 0 -> 50688 bytes .../CloudGovernanceReadPolicy.json | 85 ++++++----- .../aws/CloudGovernanceInfra/IAM/main.tf | 30 ++++ .../aws/CloudGovernanceInfra/IAM/output.tf | 8 ++ .../aws/CloudGovernanceInfra/IAM/variables.tf | 29 ++++ iam/clouds/aws/CloudGovernanceInfra/README.md | 57 ++++++++ .../aws/CloudGovernanceInfra/S3/main.tf | 7 + .../aws/CloudGovernanceInfra/S3/output.tf | 3 + .../aws/CloudGovernanceInfra/S3/variables.tf | 10 ++ iam/clouds/aws/CloudGovernanceInfra/main.tf | 11 ++ iam/clouds/aws/CloudGovernanceInfra/output.tf | 8 ++ .../aws/CloudGovernanceInfra/variables.tf | 31 ++++ jenkins/tenant/aws/README.md | 20 +-- 14 files changed, 327 insertions(+), 108 deletions(-) rename iam/clouds/aws/{ => CloudGovernanceInfra}/CloudGovernanceDeletePolicy.json (84%) create mode 100644 iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceInfra.tar rename iam/clouds/aws/{ => CloudGovernanceInfra}/CloudGovernanceReadPolicy.json (79%) create mode 100644 iam/clouds/aws/CloudGovernanceInfra/IAM/main.tf create mode 100644 iam/clouds/aws/CloudGovernanceInfra/IAM/output.tf create mode 100644 iam/clouds/aws/CloudGovernanceInfra/IAM/variables.tf create mode 100644 iam/clouds/aws/CloudGovernanceInfra/README.md create mode 100644 iam/clouds/aws/CloudGovernanceInfra/S3/main.tf create mode 100644 iam/clouds/aws/CloudGovernanceInfra/S3/output.tf create mode 100644 iam/clouds/aws/CloudGovernanceInfra/S3/variables.tf create mode 100644 iam/clouds/aws/CloudGovernanceInfra/main.tf create mode 100644 iam/clouds/aws/CloudGovernanceInfra/output.tf create mode 100644 iam/clouds/aws/CloudGovernanceInfra/variables.tf 
diff --git a/iam/clouds/aws/CloudGovernanceDeletePolicy.json b/iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceDeletePolicy.json
similarity index 84%
rename from iam/clouds/aws/CloudGovernanceDeletePolicy.json
rename to iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceDeletePolicy.json
index f2fa18701..98cc39a8d 100644
--- a/iam/clouds/aws/CloudGovernanceDeletePolicy.json
+++ b/iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceDeletePolicy.json
@@ -6,7 +6,13 @@
 "Effect": "Allow",
 "Action": [
 "ce:GetCostAndUsage",
- "ce:GetCostForecast"
+ "ce:GetCostForecast",
+ "tag:GetResources",
+ "tag:TagResources",
+ "support:DescribeTrustedAdvisorCheckResult",
+ "support:DescribeTrustedAdvisorChecks",
+ "resource-explorer-2:ListViews",
+ "resource-explorer-2:Search"
 ],
 "Resource": "*"
 },
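Review bot: `tag:TagResources` is a write action dropped into a statement that otherwise holds only read/describe actions, and with `"Resource": "*"` it lets this user tag any taggable resource in the account. If the tool only needs to tag the resource types it manages, move it to its own statement with a `"Sid"` that names the intent and attach an `aws:ResourceTag`/`aws:RequestTag` condition or an ARN pattern, so the read actions can stay on `*` untouched. The same addition appears in the first hunk of CloudGovernanceReadPolicy.json. The `support:Describe*` and `resource-explorer-2:*` actions added here appear read-only and are fine in this statement.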
@@ -39,52 +45,49 @@
 "Sid": "EC2ResourceLevel",
 "Effect": "Allow",
 "Action": [
- "ec2:DeregisterImage",
- "ec2:DeleteSubnet",
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeLaunchConfigurations",
+ "ec2:AssociateDhcpOptions",
+ "ec2:DeleteDhcpOptions",
+ "ec2:DeleteInternetGateway",
+ "ec2:DeleteNatGateway",
+ "ec2:DeleteNetworkAcl",
+ "ec2:DeleteNetworkInterface",
+ "ec2:DeleteRouteTable",
+ "ec2:DeleteSecurityGroup",
 "ec2:DeleteSnapshot",
- "ec2:DescribeAddresses",
- "ec2:DescribeInstances",
+ "ec2:DeleteSubnet",
+ "ec2:DeleteVolume",
+ "ec2:DeleteVpc",
 "ec2:DeleteVpcEndpoints",
 "ec2:DeleteVpcPeeringConnection",
- "autoscaling:DescribeLaunchConfigurations",
- "ec2:DescribeRegions",
- "ec2:CreateImage",
- "ec2:CreateVpc",
+ "ec2:DeregisterImage",
+ "ec2:DescribeAddresses",
 "ec2:DescribeDhcpOptions",
- "ec2:DescribeSnapshots",
- "ec2:DeleteRouteTable",
+ "ec2:DescribeImages",
+ "ec2:DescribeInstanceTypes",
+ "ec2:DescribeInstances",
 "ec2:DescribeInternetGateways",
- "ec2:DeleteVolume",
- "ec2:DescribeNetworkInterfaces",
- "autoscaling:DescribeAutoScalingGroups",
- "ec2:DescribeVolumes",
- "ec2:DeleteInternetGateway",
+ "ec2:DescribeNatGateways",
 "ec2:DescribeNetworkAcls",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeRegions",
+ "ec2:DescribeReservedInstances",
 "ec2:DescribeRouteTables",
- "ec2:DeleteNetworkAcl",
- "ec2:ReleaseAddress",
- "ec2:AssociateDhcpOptions",
- "ec2:TerminateInstances",
- "ec2:DetachNetworkInterface",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSnapshots",
+ "ec2:DescribeSubnets",
 "ec2:DescribeTags",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVpcEndpoints",
 "ec2:DescribeVpcPeeringConnections",
- "ec2:ModifyNetworkInterfaceAttribute",
- "ec2:DeleteNetworkInterface",
+ "ec2:DescribeVpcs",
 "ec2:DetachInternetGateway",
- "ec2:DescribeNatGateways",
- "ec2:StopInstances",
+ "ec2:DetachNetworkInterface",
 "ec2:DisassociateRouteTable",
- "ec2:DescribeSecurityGroups",
- "ec2:RevokeSecurityGroupIngress",
- "ec2:DescribeImages",
- "ec2:DescribeVpcs",
- "ec2:DeleteSecurityGroup",
- "ec2:DescribeInstanceTypes",
- "ec2:DeleteDhcpOptions",
- "ec2:DeleteNatGateway",
- "ec2:DescribeVpcEndpoints",
- "ec2:DeleteVpc",
- "ec2:DescribeSubnets"
+ "ec2:ModifyNetworkInterfaceAttribute",
+ "ec2:ReleaseAddress",
+ "ec2:RevokeSecurityGroupIngress"
 ],
 "Resource": "*"
 },
@@ -95,7 +98,8 @@
 "elasticloadbalancing:DeleteLoadBalancer",
 "elasticloadbalancing:DescribeTags",
 "elasticloadbalancing:AddTags",
- "elasticloadbalancing:DescribeLoadBalancers"
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:RemoveTags"
 ],
 "Resource": "*"
 },
@@ -103,32 +107,28 @@
 "Sid": "IAM",
 "Effect": "Allow",
 "Action": [
- "iam:GetRole",
- "iam:DeleteAccessKey",
- "iam:DeleteGroup",
- "iam:TagRole",
+ "iam:DeleteInstanceProfile",
+ "iam:DeletePolicy",
+ "iam:DeleteRole",
+ "iam:DeleteRolePolicy",
 "iam:DeleteUserPolicy",
- "iam:ListRoles",
- "iam:DeleteUser",
- "iam:ListUserPolicies",
- "iam:CreateUser",
- "iam:TagUser",
- "sts:AssumeRole",
- "iam:RemoveUserFromGroup",
- "iam:GetUserPolicy",
- "iam:ListAttachedRolePolicies",
- "iam:ListUsers",
+ "iam:DetachRolePolicy",
+ "iam:GetRole",
 "iam:GetUser",
+ "iam:GetUserPolicy",
 "iam:ListAccessKeys",
- "iam:ListRolePolicies",
 "iam:ListAccountAliases",
- "iam:DeleteRole",
- "iam:DetachRolePolicy",
- "iam:DeletePolicy",
- "iam:DeleteRolePolicy",
+ "iam:ListAttachedRolePolicies",
 "iam:ListInstanceProfilesForRole",
+ "iam:ListRolePolicies",
+ "iam:ListRoles",
+ "iam:ListUserPolicies",
+ "iam:ListUsers",
 "iam:RemoveRoleFromInstanceProfile",
- "sts:GetCallerIdentity"
+ "iam:TagRole",
+ "iam:TagUser",
+ "iam:UntagRole",
+ "iam:UntagUser"
 ],
 "Resource": "*"
 },
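Review bot: The re-sorted EC2ResourceLevel list silently drops `ec2:TerminateInstances`, `ec2:StopInstances`, `ec2:CreateImage` and `ec2:CreateVpc` from the delete policy, and neither the commit subject nor the new README says whether that narrowing is intended; if cloud-governance still stops or terminates instances in non-dry-run mode those runs will start failing with AccessDenied, and if it is deliberate it deserves a sentence in the commit message. Every `ec2:Delete*` and `ec2:Detach*` action here also remains on `"Resource": "*"`. Since EC2 `Describe*` actions do not support resource-level permissions, the practical fix is to keep them in this statement and move the mutating actions to a second statement that carries an `"aws:ResourceTag/<governance-tag>"` condition (placeholder) or an ARN pattern, so the user can only delete resources it previously identified.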
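Review bot: The IAM statement keeps `iam:DeleteRole`, `iam:DeletePolicy`, `iam:DeleteRolePolicy`, `iam:DetachRolePolicy` and the new `iam:DeleteInstanceProfile` on `"Resource": "*"`, so this user can remove any role or customer-managed policy in the account, including the ones that back this very deployment. Scope them to a path or name prefix, e.g. `"Resource": ["arn:aws:iam::account_id:role/<prefix>*", "arn:aws:iam::account_id:policy/<prefix>*"]` (placeholders; the `account_id` token is already substituted by IAM/main.tf). Removing `iam:CreateUser`, `iam:DeleteUser`, `iam:DeleteAccessKey` and `sts:AssumeRole` is a clear improvement, and dropping `sts:GetCallerIdentity` is harmless because that call needs no permission.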
@@ -142,17 +142,16 @@
 "Sid": "S3Bucket",
 "Effect": "Allow",
 "Action": [
- "s3:PutObject",
+ "s3:DeleteBucket",
+ "s3:DeleteObject",
+ "s3:GetBucketLocation",
+ "s3:GetBucketTagging",
 "s3:GetObject",
 "s3:ListAllMyBuckets",
- "s3:CreateBucket",
 "s3:ListBucket",
+ "s3:PutObject",
 "s3:PutObjectTagging",
- "s3:DeleteObject",
- "s3:DeleteBucket",
- "s3:putBucketTagging",
- "s3:GetBucketTagging",
- "s3:GetBucketLocation"
+ "s3:putBucketTagging"
 ],
 "Resource": "*"
 },
@@ -173,6 +172,15 @@
 "cloudwatch:GetMetricData"
 ],
 "Resource": "*"
+ },
+ {
+ "Sid": "RDS",
+ "Effect": "Allow",
+ "Action": [
+ "rds:AddTagsToResource",
+ "rds:DescribeDBInstances"
+ ],
+ "Resource": "*"
 }
 ]
 }
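Review bot: `s3:DeleteBucket` and `s3:DeleteObject` stay on `"Resource": "*"`, so the delete policy can empty or remove any bucket in the account, not only the ones cloud-governance flags; if account-wide scope is genuinely required, at least put the destructive S3 actions in their own statement so an ARN list or tag condition can be attached later without disturbing the read actions. `s3:putBucketTagging` is carried over with a lowercase `p` while every other entry uses the documented `PutBucketTagging` casing; as far as I know IAM matches action names case-insensitively, so this works, but the inconsistency makes the list harder to grep and diff. The casing point also applies to the S3Bucket hunk of CloudGovernanceReadPolicy.json.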
diff --git a/iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceInfra.tar b/iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceInfra.tar new file mode 100644 index 0000000000000000000000000000000000000000..f2c3f86f412e1b2a66a2e91e2c96547d7b45bdd0 GIT binary patch literal 50688 zcmeGlU2ogS(JfFEb^F>r^Mrf2J47_UX&cCcA}cu~cH*;~T!Z2&(A3)IMG{qhI5Cp^ zgZ_X%w|}rdp)*`AzeI|XH*rYUXVUyJ@# zG$Z*RUMcXbOR8bns%>kkrAvycS(>^fDSU@Tp~qq51TZuwy7Gc}>NNEU)h;fY3gLY+ z6NODmT2k|275(lnzu)@p*4DA(N-u}fU#0X1-);Q?el__02mIpy|AF5XetKtTr)f28 z@h|xOW2M<|^7nss{i*EC=My5&1OJ-LoS93upo00QzyDYH_diFKrsChb#K4L3{zu}B zNwC9j9RSf-F8``hk$*!s>@Dg2T~4$K)>kh7x*|;@Z%Q7kwq_Z&ZD_WvD!OHw#-6%u z+S1YCliq3n$HUhH`MncGfm|o9k9$A$dM|!@Pj(Ob-mg!0w~ak%2#t>3ENfJd@$Dw^ zi1&Ok08+ohw}<4@xK#dOeW=L4W|$!VChvhE{I6X8k^b_?kE3}U$F_9ii&bx5rIn$Bjx+DxoZ^@19PW*V>y@cJGAla_z z(y}g=dE@O*+uIE8aL_*;oYla^eWtZxhr|s?1Y--yEc7Dp8pjs}F@Y|5Vd%?-OZES$ zW&NMeI?(q0*E0Q|$v>F?meBt< z!7~;8-_~_Q)@(xsoovq#`u`?KaIbx!{PU6ed|EB?uNt_)_NsE!|OeQ24 z0f<@TMK>L(1M;G3NK&5yNAjo($_a~kUtWRs(mVU{`$y2b>-zC5g04G{Bpi^8hDv2TaylA0 zul+rAg>Yxi6s?EOw;$%<`UVx1EZiVp>|FIxiZTX_4Nb8 z`J{vzfd|lWuciroJBtOBkoZ0gBgid0e7R^hCT|f<**Hf|fV{_$Ob1`zFvW=sE$T;} zTdZ|-%5B!du=AeV2K;4MoYejUKJuLN2?@Cvfi3HQA^yiQbX^7e&s1$gtpEI0{Q_iR z{}qt&^*xsDKR)X~tNbf=w*O1z-?DYs{}J&&{P|JaE5-j95O^W$d#bKmyTbj$AN}{< z1Ij-isn4g@BLAuhVP?$#L**X=(Zv35jzEr2jP_CoO)O@iP=z?UnUhqH2aP<80&jK+ zdit1zZs5%$Y9wMi=@n}HkuL@DOp30E)JL1>S>_%>D+Ihr9$0DE2u+y8+#7=n2mZ&O z+?HWukiG%q3|mSP2?9SDO~L!*TqZW#3AI|2zDnbU>YvaSC{L?k9<4jGlf*#9xrHR@ zZcc)!7lttIP`dDg>Qp5(8*tQPa^b`iux8;0CQ`x3Da71T&}-qQFcInTQmE3$k9F2z zU8@5!ArZ+(Q-kkgFPu7&dqu{~nnauJku;3wb3Xt>UV4qr!f?Nej(nbvszudqo9TuY z|1Ifu0;X_czUK_FxTCQSY-lZ=(hU+uVc?B8>=Gx8x>^n83uO<`WRyoko#XP7fQI#d zY5Zq?{=+aVEjj;TDq{WTO%@7Y*ngYB^8@WAkNxAf4z$XD=Ko{zZ)lqE|80b0%Kksg zGE7z8)pjjw*D%ESkByMvUOO4;+>d`G=RTL6|Ah4+wf~s>Yq0+y&VOuzF@XNOkAEQj zSB(E+^fzE1O6>n{g8o}V|Jw+fA8IEc|G5gtDG{ulH=OSN^e|Gx>IY102R+fsH# z{MRN(aIbxU{Bx4}d|GYtuWIc4NA~^KG~xfx5y#z9?_J+%v{MM0m_Sf8O@G&zLfz>&yHKqvY?3y$Fv{(p=8e^W8V 
z{{IrH-C>c?|L+i)|9_xL`ah?2p#A$__5WIyBKH3`!b}bN|L&dv5!qt@ekk4PHp;>0K;>%uCRs?}yRg z{d@u{e~`4nN}a*Q1#u%R?@cEDyS$+1;+bD4pwN=aF4=!ZA_UZ%jbGs*->g1>%1fU@ zA1<7;ES5&jB{n`y^Gt=+vNPwhwk)JaSN9K+)6D1OEP$IJ$hbGY_Ci1CUlI2$w1X48 zMSv?bDh+`7NxCFOP*>YO^1|q~MM9P26S#1Cl~(zM)$XwAAaZ}8#h+*) zJy@NSX3*DqG)vYIxh9jW!}X{`Tn(^}KT zVLwmIweQW~k}bIWY3GM*q%fDp>H);Ak#2-}i&ktgBhfoQc-!?L(O7T+3C31zm(+*G z-AkD2JLhJ_X5%Y&-u07%^5L>3`{B%)hgW{ItWp6_*K>Epnq&gf;<;UKzG4H0A;+Dp z+QNy}!wTeZjsr*)*S!P+t~xH5a+l1;b00{t;=scA9A>j(w7uH1>y|Xhx+ni%83ac8>*y|*-)CWSbf>+grgeD=5AxbAm#D}8qp>A_1rxn1T%2} zMQ8Ad#g8fbG-No!6prvU3l5QI7mG1}$2sYZ$MD$+Nlj0*!ctn(DoF>801ndy{R|R` zv{qVDp~O**^>U_au9ERpTa}Ep8Y|K)5KD?75y&+eGaNKm%(%3%N{LaMYo)x}Tp?lC z#^SoKJJXIRH#ar~u3W;mlvV0DcNxH%GR!^My1rng*7d;)9k%2(uM)@p*t@u?!s@{# zc-}dzELFKW1s%x=nOH5BUi)uJiIRu2OBBHDi^9Zs4Gr(ecg9bg32IHZRlZXlVFHlO z6G-%HgZf@AbX;VpT2XC6>Ab*3b(LZ5S*af5zv4*Bj8O;uluRM_P^(VbqCG=mp^S*@ zY0Pk2MyfG0>4$_xN#By zGn}MzNMF}?g~kq;Ai(9%$xVrHIFYmz)A;r#9>`98jU?wR8D|6b>g!c-9fGx3Hx2Bx z4HTBwjwM5C!x*r9p&?~Qg!we^rDr2uTR+p2& zb73{ehPZ+hbmp`T+T_6W}*MdzreKI+|p}=#L&}LX%JJORls)d)muO9|n=19S@ z;?H1$WQXu9aJ*a>Ux5z_v~V#QT!aAjk9_}aJRiU%&jqdk6cnofDw5tl>${i?`e#g8 zmeKbXgMNnqkmSb%zWFZhg~8}Nw?w{V?3J1akdFLwKI^9k!&{C!7>E1m$Mwu-HfRP5 zP>mJXSM}ftTZ~pjHn7nzB2t&%ZtUhEFZloSjD2_H{a@?;Cy4un{BLjzlnU{G;{LY{ z@PqLGZve>;w~I#q{~fLa%l&@}2s?}awNv?r^#9=h6ZyaS^G(_RZ(A1Re=~L!+uqw% zMf@*+{NHyEiK3imYQ96M&u6w={#8X$S^n=-{#Dz?``^U(KgS`jCv+JL|37#`g#RDn z3_5ku8M)gHb`wgbFO~@Ze`A1x@c-9Ec?kdi%5hP3?tCu(f3_hcT*53Mi!OT9qgC|) zF06qJeZnP-kz$#>-<;ny3T)8~E*6XlE&zvB+(7%n8q)@a*BGS;Di&Ym4PU!<9$e(|@gz z|Hm?QMT7f)b#eZ8Q(Pnbf1ASegX|~w|M6P~mhb-;{eMjUO>zErL)=pF{~3FRC4(1c z*VcDcQ{?~I5EbsP8-7xsuR4c%h*|FZADj`x2H|6h(nUQbg9(VY-D#hV=Cgpl{c z*+t;c>_4F&2X1x)aB_{Uyn|8kU@YLRyXkGTcs(m#ar^CuIo!4?yYI%IcE0@piG}1s zCA?PPQxZ|eT4(qC!j|je?Z4$NuyvtQ;Tl}L?6*9JG>$eor(Br<3{u`1>NtXOwxh2% zB`NpIzkqSuqyx!N}3YonxR?{-pf#=CJeH`6EtjnXxzq@h>X6JrFY>Mlw1|S3 zpmNSS==J-9;jpHICg7z8;?NN%29QTA11zWH|1j=W`8QbpUki5rasS^iEfN3AiQ*No 
zLjSKIu3*Z=vg1FiC(>;I|zTe=GNzc~NHpBF3oKivDZE9(k)0d%+kK8D$cqT%B z!wvT_xo{wxW)ffhSenI?3A}_WhP`o;W+P22>iV-WSP=d!tp~$Pya;Sy(l@Y&-;q9k zgr#mHq!bGIUfQM$NMVz*@DqazQqp897 zu@_D;c?KCvbARHwH_{C5hIk|mY1UPE{o0wtB;2o}BcJD^YEiY@3f+1?4@U=sr@dE4 zXQR`>v%{A!)*&6VmT35X#;L&1aoB~FUQt)8AyA>L#6M-v(mG>UdXGk}1c}?WIWCO? Lw7|d@kAeRI!B7W* literal 0 HcmV?d00001 diff --git a/iam/clouds/aws/CloudGovernanceReadPolicy.json b/iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceReadPolicy.json similarity index 79% rename from iam/clouds/aws/CloudGovernanceReadPolicy.json rename to iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceReadPolicy.json index a67c8b894..3b6e75c90 100644 --- a/iam/clouds/aws/CloudGovernanceReadPolicy.json +++ b/iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceReadPolicy.json @@ -6,7 +6,13 @@ "Effect": "Allow", "Action": [ "ce:GetCostAndUsage", - "ce:GetCostForecast" + "ce:GetCostForecast", + "tag:GetResources", + "tag:TagResources", + "support:DescribeTrustedAdvisorCheckResult", + "support:DescribeTrustedAdvisorChecks", + "resource-explorer-2:ListViews", + "resource-explorer-2:Search" ], "Resource": "*" }, @@ -14,6 +20,7 @@ "Sid": "EC2AccountLevel", "Effect": "Allow", "Action": [ + "ec2:DeleteTags", "ec2:CreateTags" ], "Resource": [ 
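Review bot: CloudGovernanceReadPolicy is described in the new README as the dry-run identity (`dry_run==yes`), yet the first hunk here grants it `tag:TagResources` and the EC2AccountLevel hunk adds `ec2:DeleteTags`, with later hunks adding `elasticloadbalancing:RemoveTags`, `iam:UntagRole`/`iam:UntagUser` and `rds:AddTagsToResource`. A "read" user that can add and remove tags account-wide can change which resources the governance policies later act on, so a dry run is no longer side-effect free. If tagging is an intended part of dry-run mode, group these under a dedicated statement such as `"Sid": "TaggingWrites"` and say so in the README so reviewers of the read policy are not surprised; otherwise keep the tag-mutating actions in the delete policy only.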
@@ -38,29 +45,28 @@
 "Sid": "EC2ResourceLevel",
 "Effect": "Allow",
 "Action": [
- "ec2:DescribeAddresses",
- "ec2:DescribeInstances",
+ "autoscaling:DescribeAutoScalingGroups",
 "autoscaling:DescribeLaunchConfigurations",
- "ec2:DescribeRegions",
+ "ec2:DescribeAddresses",
 "ec2:DescribeDhcpOptions",
- "ec2:DescribeSnapshots",
+ "ec2:DescribeImages",
+ "ec2:DescribeInstanceTypes",
+ "ec2:DescribeInstances",
 "ec2:DescribeInternetGateways",
- "ec2:DescribeNetworkInterfaces",
- "autoscaling:DescribeAutoScalingGroups",
- "ec2:DescribeVolumes",
+ "ec2:DescribeNatGateways",
 "ec2:DescribeNetworkAcls",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeRegions",
+ "ec2:DescribeReservedInstances",
 "ec2:DescribeRouteTables",
- "ec2:ReleaseAddress",
- "ec2:AssociateDhcpOptions",
- "ec2:DescribeTags",
- "ec2:DescribeVpcPeeringConnections",
- "ec2:DescribeNatGateways",
 "ec2:DescribeSecurityGroups",
- "ec2:DescribeImages",
- "ec2:DescribeVpcs",
- "ec2:DescribeInstanceTypes",
+ "ec2:DescribeSnapshots",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeTags",
+ "ec2:DescribeVolumes",
 "ec2:DescribeVpcEndpoints",
- "ec2:DescribeSubnets"
+ "ec2:DescribeVpcPeeringConnections",
+ "ec2:DescribeVpcs"
 ],
 "Resource": "*"
 },
@@ -70,7 +76,8 @@
 "Action": [
 "elasticloadbalancing:DescribeTags",
 "elasticloadbalancing:AddTags",
- "elasticloadbalancing:DescribeLoadBalancers"
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:RemoveTags"
 ],
 "Resource": "*"
 },
@@ -79,20 +86,20 @@
 "Effect": "Allow",
 "Action": [
 "iam:GetRole",
- "iam:TagRole",
- "iam:ListRoles",
- "iam:ListUserPolicies",
- "iam:CreateUser",
- "iam:TagUser",
- "iam:GetUserPolicy",
- "iam:ListAttachedRolePolicies",
- "iam:ListUsers",
 "iam:GetUser",
+ "iam:GetUserPolicy",
 "iam:ListAccessKeys",
- "iam:ListRolePolicies",
 "iam:ListAccountAliases",
+ "iam:ListAttachedRolePolicies",
 "iam:ListInstanceProfilesForRole",
- "sts:GetCallerIdentity"
+ "iam:ListRolePolicies",
+ "iam:ListRoles",
+ "iam:ListUserPolicies",
+ "iam:ListUsers",
+ "iam:TagRole",
+ "iam:TagUser",
+ "iam:UntagRole",
+ "iam:UntagUser"
 ],
 "Resource": "*"
 },
@@ -106,15 +113,14 @@
 "Sid": "S3Bucket",
 "Effect": "Allow",
 "Action": [
- "s3:PutObject",
+ "s3:GetBucketLocation",
+ "s3:GetBucketTagging",
 "s3:GetObject",
 "s3:ListAllMyBuckets",
- "s3:CreateBucket",
 "s3:ListBucket",
+ "s3:PutObject",
 "s3:PutObjectTagging",
- "s3:putBucketTagging",
- "s3:GetBucketTagging",
- "s3:GetBucketLocation"
+ "s3:putBucketTagging"
 ],
 "Resource": "*"
 },
@@ -131,8 +137,17 @@
 "Sid": "CloudWatch",
 "Effect": "Allow",
 "Action": [
- "cloudwatch:GetMetricData",
- "cloudwatch:GetMetricStatistics"
+ "cloudwatch:GetMetricStatistics",
+ "cloudwatch:GetMetricData"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "RDS",
+ "Effect": "Allow",
+ "Action": [
+ "rds:AddTagsToResource",
+ "rds:DescribeDBInstances"
 ],
 "Resource": "*"
 }
diff --git a/iam/clouds/aws/CloudGovernanceInfra/IAM/main.tf b/iam/clouds/aws/CloudGovernanceInfra/IAM/main.tf
new file mode 100644
index 000000000..800701924
--- /dev/null
+++ b/iam/clouds/aws/CloudGovernanceInfra/IAM/main.tf
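Review bot: The read policy's S3Bucket statement keeps `s3:PutObject` and `s3:PutObjectTagging` on `"Resource": "*"`, so the dry-run user can write objects into any bucket in the account, while the README only describes it writing run logs to the bucket created by the S3 module. Move those two actions into a statement whose Resource is that bucket's object ARN, e.g. `"Resource": "arn:aws:s3:::<S3_BUCKET_NAME>/*"` (placeholder), and leave `*` for the List/Get actions; the `replace()` call in IAM/main.tf already shows how a value such as the bucket name could be substituted into the policy text at apply time.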
@@ -0,0 +1,30 @@
+provider "aws" {
+ region = var.AWS_DEFAULT_REGION
+}
+
+data "aws_caller_identity" "current" {}
+
+
+resource "local_file" "updated_policy" {
+ content = replace(file(var.IAM_POLICY_PATH), "account_id", data.aws_caller_identity.current.account_id)
+ filename = "${path.module}/updated_policy.json"
+}
+
+resource "aws_iam_user" "cloud-governance-user" {
+ name = var.IAM_USERNAME
+}
+
+resource "aws_iam_policy" "cloud-governance-user-policy" {
+ name = var.IAM_POLICY_NAME
+ path = "/"
+ policy = local_file.updated_policy.content
+}
+
+resource "aws_iam_user_policy_attachment" "user_policy_attach" {
+ user = aws_iam_user.cloud-governance-user.name
+ policy_arn = aws_iam_policy.cloud-governance-user-policy.arn
+}
+
+resource "aws_iam_access_key" "cloud-governance-access-key" {
+ user = aws_iam_user.cloud-governance-user.name
+}
diff --git a/iam/clouds/aws/CloudGovernanceInfra/IAM/output.tf b/iam/clouds/aws/CloudGovernanceInfra/IAM/output.tf
new file mode 100644
index 000000000..f135e3ffc
--- /dev/null
+++ b/iam/clouds/aws/CloudGovernanceInfra/IAM/output.tf
@@ -0,0 +1,8 @@
+output "ACCESS_KEY_ID" {
+ value = aws_iam_access_key.cloud-governance-access-key.id
+}
+
+output "SECRET_KEY_ID" {
+ value = aws_iam_access_key.cloud-governance-access-key.secret
+ sensitive = true
+}
diff --git a/iam/clouds/aws/CloudGovernanceInfra/IAM/variables.tf b/iam/clouds/aws/CloudGovernanceInfra/IAM/variables.tf
new file mode 100644
index 000000000..7518b626a
--- /dev/null
+++ b/iam/clouds/aws/CloudGovernanceInfra/IAM/variables.tf
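Review bot: `aws_iam_access_key.cloud-governance-access-key` mints a long-lived static key whose secret is stored in plaintext in the Terraform state, and nothing in this configuration declares a backend, so by default that state is a local `terraform.tfstate` in the directory the README tells users to untar; `sensitive = true` on the output only masks CLI display. Either set `pgp_key` on the resource so only the encrypted secret lands in state, or state in the README that an encrypted, access-restricted remote backend is required before `terraform apply`. The `local_file` resource additionally writes `updated_policy.json` (with the account id substituted) into `path.module`, which should be git-ignored so it is not committed. As a style point, a `provider "aws"` block inside a child module is the legacy pattern; passing the provider from the root module keeps the module usable with `count`/`for_each` and simplifies removal.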
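Review bot: The output called `SECRET_KEY_ID` exposes `aws_iam_access_key.cloud-governance-access-key.secret`, which is the secret access key and not an id; the name invites confusion with `ACCESS_KEY_ID` when the README later tells operators to run `terraform output SECRET_KEY_ID`. Consider renaming it to `SECRET_ACCESS_KEY` (and the pass-through output of the same name in the root output.tf), keeping `sensitive = true`; a one-line comment above it such as `# Secret access key: only ever read from state, never logged` would also make the intent explicit.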
@@ -0,0 +1,29 @@
+variable "IAM_USERNAME" {
+ type = string
+ description = "IAM User to run the CloudGovernance"
+ validation {
+ condition = var.IAM_USERNAME != ""
+ error_message = "Provide the IAM_USERNAME"
+ }
+}
+
+variable "IAM_POLICY_NAME" {
+ type = string
+ description = "IAM Policy to se the permissions for CloudGovernance user"
+ default = "CloudGovernanceReadPolicy"
+ validation {
+ condition = var.IAM_POLICY_NAME == "CloudGovernanceReadPolicy" || var.IAM_POLICY_NAME == "CloudGovernanceDeletePolicy"
+ error_message = "Mismatched policy name, Supported Values: CloudGovernanceReadPolicy, CloudGovernanceDeletePolicy"
+ }
+}
+
+variable "IAM_POLICY_PATH" {
+ type = string
+ description = "IAM Policy Path"
+}
+
+variable "AWS_DEFAULT_REGION" {
+ type = string
+ description = "AWS Region default to us-east-2"
+ default = "us-east-2"
+}
diff --git a/iam/clouds/aws/CloudGovernanceInfra/README.md b/iam/clouds/aws/CloudGovernanceInfra/README.md
new file mode 100644
index 000000000..329c473c0
--- /dev/null
+++ b/iam/clouds/aws/CloudGovernanceInfra/README.md
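Review bot: `IAM_POLICY_PATH` is handed straight to `file()` in IAM/main.tf with no validation, so a wrong path only surfaces as a generic plan-time error far from the input that caused it; a `validation` block with `condition = fileexists(var.IAM_POLICY_PATH)` and an `error_message` naming the variable reports the problem where it originates. The description of `IAM_POLICY_NAME` reads "to se the permissions" and should read "to set the permissions"; the same text is repeated in the root variables.tf.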
@@ -0,0 +1,57 @@
+## Create CloudGovernance Infra in the cloud
+
+#### Requirements
+
+- IAM User: to access cloud resources.
+- IAM Policy: Least privilege principle
+- S3-Bucket: To store the logs of cloud-governance policy runs.
+
+### Pre-requisites
+
+- Install [Terraform](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli).
+- Install AWS CLI and configure IAM Access credentials. (aws configure)
+
+Steps to create Cloud Governance Infra resources:
+
+* Deploy S3 bucket (once for logs)
+* Deploy IAM read role (dry_run==yes) IAM_POLICY_NAME=CloudGovernanceReadPolicy
+* Deploy IAM delete role (dry_run==no => actions) IAM_POLICY_NAME=CloudGovernanceDeletePolicy
+
+- Download tar `CloudGovernanceInfra.tar` and untar the file.
+
+```shell
+curl -L https://github.com/redhat-performance/cloud-governance/raw/main/iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceInfra.tar | tar -xzvf -
+```
+
+- Create CloudGovernance Infra: S3_BUCKET. ( Only once)
+
+```shell
+export ACCOUNT_NAME=""
+export S3_BUCKET_NAME="${ACCOUNT_NAME}-"
+terraform init
+terraform apply -var=S3_BUCKET_NAME="$S3_BUCKET_NAME" -target=module.CreateBucket -auto-approve
+```
+
+- Create CloudGovernance Infra: User, Policy
+
+```shell
+export IAM_USERNAME="cloud-governance-user"
+export IAM_POLICY_NAME="CloudGovernanceReadPolicy"
+terraform init
+terraform apply -var=IAM_USERNAME="$IAM_USERNAME" -var=IAM_POLICY_NAME="$IAM_POLICY_NAME" -target=module.CreateIAMInfra -auto-approve
+```
+
+- To provide ACCESS_KEY_ID and SECRET_KEY_ID run below command
+
+```shell
+ terraform output SECRET_KEY_ID
+ terraform output ACCESS_KEY_ID
+
+```
+
+- Destroy CloudGovernanceInfra
+
+```shell
+terraform destroy -var=S3_BUCKET_NAME="$S3_BUCKET_NAME" -target=module.CreateBucket -auto-approve
+terraform destroy -var=IAM_USERNAME="$IAM_USERNAME" -var=IAM_POLICY_NAME="$IAM_POLICY_NAME" -target=module.CreateIAMInfra -auto-approve
+```
diff --git a/iam/clouds/aws/CloudGovernanceInfra/S3/main.tf b/iam/clouds/aws/CloudGovernanceInfra/S3/main.tf
new file mode 100644
index 000000000..0a1ea64a8
--- /dev/null
+++ b/iam/clouds/aws/CloudGovernanceInfra/S3/main.tf
@@ -0,0 +1,7 @@
+provider "aws" {
+ region = var.AWS_DEFAULT_REGION
+}
+
+resource "aws_s3_bucket" "cloud-governance-bucket" {
+ bucket = var.S3_BUCKET_NAME
+}
diff --git a/iam/clouds/aws/CloudGovernanceInfra/S3/output.tf b/iam/clouds/aws/CloudGovernanceInfra/S3/output.tf
new file mode 100644
index 000000000..80d1af2fc
--- /dev/null
+++ b/iam/clouds/aws/CloudGovernanceInfra/S3/output.tf
@@ -0,0 +1,3 @@
+output "S_BUCKET_NAME" {
+ value = aws_s3_bucket.cloud-governance-bucket.bucket
+}
diff --git a/iam/clouds/aws/CloudGovernanceInfra/S3/variables.tf b/iam/clouds/aws/CloudGovernanceInfra/S3/variables.tf
new file mode 100644
index 000000000..b8d119d61
--- /dev/null
+++ b/iam/clouds/aws/CloudGovernanceInfra/S3/variables.tf
@@ -0,0 +1,10 @@
+variable "S3_BUCKET_NAME" {
+ type = string
+ description = "S3 BucketName to store logs"
+}
+
+variable "AWS_DEFAULT_REGION" {
+ type = string
+ description = "AWS Region default to us-east-2"
+ default = "us-east-2"
+}
diff --git a/iam/clouds/aws/CloudGovernanceInfra/main.tf b/iam/clouds/aws/CloudGovernanceInfra/main.tf
new file mode 100644
index 000000000..64033733e
--- /dev/null
+++ b/iam/clouds/aws/CloudGovernanceInfra/main.tf
@@ -0,0 +1,11 @@
+module "CreateIAMInfra" {
+ source = "./IAM"
+ IAM_POLICY_PATH = "${path.cwd}/${var.IAM_POLICY_NAME}.json"
+ IAM_USERNAME = var.IAM_USERNAME
+ IAM_POLICY_NAME = var.IAM_POLICY_NAME
+}
+
+module "CreateBucket" {
+ source = "./S3"
+ S3_BUCKET_NAME = var.S3_BUCKET_NAME
+}
diff --git a/iam/clouds/aws/CloudGovernanceInfra/output.tf b/iam/clouds/aws/CloudGovernanceInfra/output.tf
new file mode 100644
index 000000000..1ca4c5dd0
--- /dev/null
+++ b/iam/clouds/aws/CloudGovernanceInfra/output.tf
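Review bot: `aws_s3_bucket.cloud-governance-bucket` is declared with nothing but a name, so the module makes no statement about public access, versioning or encryption for a bucket that will hold the output of runs enumerating and deleting resources across the account; newer accounts block public access and apply SSE-S3 by default, but that is an account-level default rather than something this module enforces or a reviewer can verify from the code. Add an explicit `aws_s3_bucket_public_access_block` next to the bucket (and versioning if the logs are treated as an audit trail) so the posture is part of the reviewed configuration.

```hcl
resource "aws_s3_bucket" "cloud-governance-bucket" {
  bucket = var.S3_BUCKET_NAME
}

# Make the public-access posture explicit instead of relying on the account default.
resource "aws_s3_bucket_public_access_block" "cloud-governance-bucket" {
  bucket                  = aws_s3_bucket.cloud-governance-bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```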
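Review bot: The output in S3/output.tf is named `S_BUCKET_NAME`, which looks like a typo for `S3_BUCKET_NAME` given every other identifier in the module; nothing in the root module consumes it yet, so renaming now, `output "S3_BUCKET_NAME" {`, is free and avoids baking the misspelling into anything that later reads module outputs.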
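Review bot: In the root main.tf, `IAM_POLICY_PATH = "${path.cwd}/${var.IAM_POLICY_NAME}.json"` resolves against the directory terraform was launched from rather than the configuration directory, so invoking with `-chdir=`, from a wrapper script or from CI looks for the policy JSON in the wrong place and the IAM module's `file()` fails with an unhelpful error. The two policy files are committed beside this main.tf, so `IAM_POLICY_PATH = "${path.root}/${var.IAM_POLICY_NAME}.json"` locates them regardless of the working directory.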
@@ -0,0 +1,8 @@
+output "SECRET_KEY_ID" {
+ value = module.CreateIAMInfra.SECRET_KEY_ID
+ sensitive = true
+}
+
+output "ACCESS_KEY_ID" {
+ value = module.CreateIAMInfra.ACCESS_KEY_ID
+}
diff --git a/iam/clouds/aws/CloudGovernanceInfra/variables.tf b/iam/clouds/aws/CloudGovernanceInfra/variables.tf
new file mode 100644
index 000000000..927ab41fd
--- /dev/null
+++ b/iam/clouds/aws/CloudGovernanceInfra/variables.tf
@@ -0,0 +1,31 @@
+variable "IAM_USERNAME" {
+ type = string
+ description = "IAM User to run the CloudGovernance"
+ default = null
+ validation {
+ condition = var.IAM_USERNAME != "" || var.IAM_USERNAME != null
+ error_message = "Provide the IAM_USERNAME"
+ }
+}
+
+variable "IAM_POLICY_NAME" {
+ type = string
+ description = "IAM Policy to se the permissions for CloudGovernance user"
+ default = "CloudGovernanceReadPolicy"
+ validation {
+ condition = var.IAM_POLICY_NAME == "CloudGovernanceReadPolicy" || var.IAM_POLICY_NAME == "CloudGovernanceDeletePolicy"
+ error_message = "Mismatched policy name, Supported Values: CloudGovernanceReadPolicy, CloudGovernanceDeletePolicy"
+ }
+}
+
+variable "AWS_DEFAULT_REGION" {
+ type = string
+ description = "AWS Region default to us-east-2"
+ default = "us-east-2"
+}
+
+variable "S3_BUCKET_NAME" {
+ type = string
+ description = "S3 BucketName to store logs"
+ default = null
+}
diff --git a/jenkins/tenant/aws/README.md b/jenkins/tenant/aws/README.md
index afcae3a85..eb58efbbf 100644
--- a/jenkins/tenant/aws/README.md
+++ b/jenkins/tenant/aws/README.md
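Review bot: The `IAM_USERNAME` validation in the root variables.tf, `var.IAM_USERNAME != "" || var.IAM_USERNAME != null`, is always true — an empty string satisfies the second operand and a null satisfies the first — so the guard never fires and a missing username only surfaces later, if at all, as an error from inside the IAM module. The intended check is `condition = var.IAM_USERNAME != null && var.IAM_USERNAME != ""`. `S3_BUCKET_NAME` has the same `default = null` and no validation at all, so an apply targeting `module.CreateBucket` without `-var` fails deep inside the module rather than with a clear message; a matching validation there would help, and it is worth documenting in the variable descriptions that the null defaults exist only to allow the `-target` workflow described in the README.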
@@ -1,12 +1,14 @@ # How to run cloud-governance on Tenant Accounts Steps -1. Create AWS User and attach user by [CloudGovernanceDeletePolicy.json](../../../iam/clouds/aws/CloudGovernanceDeletePolicy.json). [ Note: Replace account_id with actual account id] -2. Create S3 bucket -3. Add kind secret-text to jenkins with below naming conventions - 1. ${account_name}-aws-access-key-id - 2. ${account_name}-aws-secret-key-id - 3. ${account_name}-s3-bucket -4. Create folder named that you want to run the cloud-governance policies and copy the file in templates. -5. Add account_name to account variable in this [PolicyJenkinsfileDaily](../aws/template/PolicyJenkinsfileDaily) and [TaggingJenkinsfileHourly](../aws/template/TaggingJenkinsfileHourly). -6. Create two Jenkins jobs by using this two Jenkinsfile + +1. Create IAM User with Read/Delete Permissions and create S3 bucket. + 1. Follow the instructions [README.md](..%2F..%2F..%2Fiam%2Fclouds%2Faws%2FCloudGovernanceInfra%2FREADME.md). +2. Add kind secret-text to jenkins with below naming conventions + 1. ${account_name}-aws-access-key-id + 2. ${account_name}-aws-secret-key-id + 3. ${account_name}-s3-bucket +3. Create folder named that you want to run the cloud-governance policies and copy the file in templates. +4. Add account_name to account variable in this [PolicyJenkinsfileDaily](../aws/template/PolicyJenkinsfileDaily) + and [TaggingJenkinsfileHourly](../aws/template/TaggingJenkinsfileHourly). +5. Create two Jenkins jobs by using this two Jenkinsfile