From 3064efcfdbff3506aa7449aefafac8de038cff57 Mon Sep 17 00:00:00 2001
From: Thirumalesh Aaraveti
Date: Wed, 11 Sep 2024 11:25:14 +0530
Subject: [PATCH] Create the cloud-governance infra: User, Policy, Bucket

---
 iam/clouds/aws/CloudGovernanceInfra/README.md | 41 ++++++
 .../CloudGovernanceDeletePolicy.json | 136 +++++++++---------
 .../terraform/CloudGovernanceInfra.tar | Bin 0 -> 27136 bytes
 .../terraform}/CloudGovernanceReadPolicy.json | 85 ++++++-----
 .../CloudGovernanceInfra/terraform/main.tf | 39 +++++
 .../CloudGovernanceInfra/terraform/output.tf | 8 ++
 .../terraform/variable.tf | 29 ++++
 jenkins/tenant/aws/README.md | 20 +--
 8 files changed, 250 insertions(+), 108 deletions(-)
 create mode 100644 iam/clouds/aws/CloudGovernanceInfra/README.md
 rename iam/clouds/aws/{ => CloudGovernanceInfra/terraform}/CloudGovernanceDeletePolicy.json (84%)
 create mode 100644 iam/clouds/aws/CloudGovernanceInfra/terraform/CloudGovernanceInfra.tar
 rename iam/clouds/aws/{ => CloudGovernanceInfra/terraform}/CloudGovernanceReadPolicy.json (79%)
 create mode 100644 iam/clouds/aws/CloudGovernanceInfra/terraform/main.tf
 create mode 100644 iam/clouds/aws/CloudGovernanceInfra/terraform/output.tf
 create mode 100644 iam/clouds/aws/CloudGovernanceInfra/terraform/variable.tf

diff --git a/iam/clouds/aws/CloudGovernanceInfra/README.md b/iam/clouds/aws/CloudGovernanceInfra/README.md
new file mode 100644
index 000000000..0c251cf89
--- /dev/null
+++ b/iam/clouds/aws/CloudGovernanceInfra/README.md
@@ -0,0 +1,41 @@
+## Create CloudGovernance Infra in the cloud
+
+#### Requirements
+
+- IAM User: to access cloud resources.
+- IAM Policy: Least privilege principle
+- S3-Bucket: To store the logs of cloud-governance policy runs.
+
+### Pre-requisites
+
+- Install [Terraform](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli).
+- Configure IAM Access credentials. (Admin Privileges/ Required Permissions to create/delete an user/policy/bucket)
+
+Steps to create Cloud Governance Infra resources:
+
+- Download tar `CloudGovernanceInfra.tar` and untar the file.
+
+```shell
+curl -L https://github.com/redhat-performance/cloud-governance/raw/main/iam/clouds/aws/CloudGovernanceInfra.tar | tar -xzvf -
+```
+
+- Create CloudGovernance Infra: User, Policy and Bucket
+
+```shell
+terraform init
+terraform apply -var=IAM_USERNAME="cloud-governance-user" -var=IAM_POLICY_NAME="CloudGovernanceReadPolicy" -var =S3_BUCKET_NAME="${ACCOUNT_NAME}-cloud-governance"
+```
+
+- To provide ACCESS_KEY_ID and SECRET_KEY_ID run below commnd
+
+```shell
+ terraform output SECRET_KEY_ID
+ terraform output ACCESS_KEY_ID
+
+```
+
+- Destroy CloudGovernanceInfra
+
+```shell
+terraform destroy -var=IAM_USERNAME="cloud-governance-user" -var=IAM_POLICY_NAME="CloudGovernanceReadPolicy" -var =S3_BUCKET_NAME="${ACCOUNT_NAME}-cloud-governance"
+```
diff --git a/iam/clouds/aws/CloudGovernanceDeletePolicy.json b/iam/clouds/aws/CloudGovernanceInfra/terraform/CloudGovernanceDeletePolicy.json
similarity index 84%
rename from iam/clouds/aws/CloudGovernanceDeletePolicy.json
rename to iam/clouds/aws/CloudGovernanceInfra/terraform/CloudGovernanceDeletePolicy.json
index f2fa18701..98cc39a8d 100644
--- a/iam/clouds/aws/CloudGovernanceDeletePolicy.json
+++ b/iam/clouds/aws/CloudGovernanceInfra/terraform/CloudGovernanceDeletePolicy.json
@@ -6,7 +6,13 @@
       "Effect": "Allow",
       "Action": [
         "ce:GetCostAndUsage",
-        "ce:GetCostForecast"
+        "ce:GetCostForecast",
+        "tag:GetResources",
+        "tag:TagResources",
+        "support:DescribeTrustedAdvisorCheckResult",
+        "support:DescribeTrustedAdvisorChecks",
+        "resource-explorer-2:ListViews",
+        "resource-explorer-2:Search"
       ],
       "Resource": "*"
     },
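Review bot: `tag:TagResources` is a write action, and it lands in this statement on `"Resource": "*"` next to read-only ce, support and resource-explorer-2 calls; the identical addition is made in the first hunk of CloudGovernanceReadPolicy.json. Without a condition the user can add or overwrite tags on any taggable resource in the account, which is wider than a governance tool needs and lets it alter the tags other controls key on. Consider moving it to its own statement and bounding the keys it may write, e.g. `"Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": ["<governance-tag-keys>"]}}` (placeholder list). The statement's `"Sid"` line and opening brace are above the hunk.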
@@ -39,52 +45,49 @@
       "Sid": "EC2ResourceLevel",
       "Effect": "Allow",
       "Action": [
-        "ec2:DeregisterImage",
-        "ec2:DeleteSubnet",
+        "autoscaling:DescribeAutoScalingGroups",
+        "autoscaling:DescribeLaunchConfigurations",
+        "ec2:AssociateDhcpOptions",
+        "ec2:DeleteDhcpOptions",
+        "ec2:DeleteInternetGateway",
+        "ec2:DeleteNatGateway",
+        "ec2:DeleteNetworkAcl",
+        "ec2:DeleteNetworkInterface",
+        "ec2:DeleteRouteTable",
+        "ec2:DeleteSecurityGroup",
         "ec2:DeleteSnapshot",
-        "ec2:DescribeAddresses",
-        "ec2:DescribeInstances",
+        "ec2:DeleteSubnet",
+        "ec2:DeleteVolume",
+        "ec2:DeleteVpc",
         "ec2:DeleteVpcEndpoints",
         "ec2:DeleteVpcPeeringConnection",
-        "autoscaling:DescribeLaunchConfigurations",
-        "ec2:DescribeRegions",
-        "ec2:CreateImage",
-        "ec2:CreateVpc",
+        "ec2:DeregisterImage",
+        "ec2:DescribeAddresses",
         "ec2:DescribeDhcpOptions",
-        "ec2:DescribeSnapshots",
-        "ec2:DeleteRouteTable",
+        "ec2:DescribeImages",
+        "ec2:DescribeInstanceTypes",
+        "ec2:DescribeInstances",
         "ec2:DescribeInternetGateways",
-        "ec2:DeleteVolume",
-        "ec2:DescribeNetworkInterfaces",
-        "autoscaling:DescribeAutoScalingGroups",
-        "ec2:DescribeVolumes",
-        "ec2:DeleteInternetGateway",
+        "ec2:DescribeNatGateways",
         "ec2:DescribeNetworkAcls",
+        "ec2:DescribeNetworkInterfaces",
+        "ec2:DescribeRegions",
+        "ec2:DescribeReservedInstances",
         "ec2:DescribeRouteTables",
-        "ec2:DeleteNetworkAcl",
-        "ec2:ReleaseAddress",
-        "ec2:AssociateDhcpOptions",
-        "ec2:TerminateInstances",
-        "ec2:DetachNetworkInterface",
+        "ec2:DescribeSecurityGroups",
+        "ec2:DescribeSnapshots",
+        "ec2:DescribeSubnets",
         "ec2:DescribeTags",
+        "ec2:DescribeVolumes",
+        "ec2:DescribeVpcEndpoints",
         "ec2:DescribeVpcPeeringConnections",
-        "ec2:ModifyNetworkInterfaceAttribute",
-        "ec2:DeleteNetworkInterface",
+        "ec2:DescribeVpcs",
         "ec2:DetachInternetGateway",
-        "ec2:DescribeNatGateways",
-        "ec2:StopInstances",
+        "ec2:DetachNetworkInterface",
         "ec2:DisassociateRouteTable",
-        "ec2:DescribeSecurityGroups",
-        "ec2:RevokeSecurityGroupIngress",
-        "ec2:DescribeImages",
-        "ec2:DescribeVpcs",
-        "ec2:DeleteSecurityGroup",
-        "ec2:DescribeInstanceTypes",
-        "ec2:DeleteDhcpOptions",
-        "ec2:DeleteNatGateway",
-        "ec2:DescribeVpcEndpoints",
-        "ec2:DeleteVpc",
-        "ec2:DescribeSubnets"
+        "ec2:ModifyNetworkInterfaceAttribute",
+        "ec2:ReleaseAddress",
+        "ec2:RevokeSecurityGroupIngress"
       ],
       "Resource": "*"
     },
@@ -95,7 +98,8 @@
         "elasticloadbalancing:DeleteLoadBalancer",
         "elasticloadbalancing:DescribeTags",
         "elasticloadbalancing:AddTags",
-        "elasticloadbalancing:DescribeLoadBalancers"
+        "elasticloadbalancing:DescribeLoadBalancers",
+        "elasticloadbalancing:RemoveTags"
       ],
       "Resource": "*"
     },
@@ -103,32 +107,28 @@
       "Sid": "IAM",
       "Effect": "Allow",
       "Action": [
-        "iam:GetRole",
-        "iam:DeleteAccessKey",
-        "iam:DeleteGroup",
-        "iam:TagRole",
+        "iam:DeleteInstanceProfile",
+        "iam:DeletePolicy",
+        "iam:DeleteRole",
+        "iam:DeleteRolePolicy",
         "iam:DeleteUserPolicy",
-        "iam:ListRoles",
-        "iam:DeleteUser",
-        "iam:ListUserPolicies",
-        "iam:CreateUser",
-        "iam:TagUser",
-        "sts:AssumeRole",
-        "iam:RemoveUserFromGroup",
-        "iam:GetUserPolicy",
-        "iam:ListAttachedRolePolicies",
-        "iam:ListUsers",
+        "iam:DetachRolePolicy",
+        "iam:GetRole",
         "iam:GetUser",
+        "iam:GetUserPolicy",
         "iam:ListAccessKeys",
-        "iam:ListRolePolicies",
         "iam:ListAccountAliases",
-        "iam:DeleteRole",
-        "iam:DetachRolePolicy",
-        "iam:DeletePolicy",
-        "iam:DeleteRolePolicy",
+        "iam:ListAttachedRolePolicies",
         "iam:ListInstanceProfilesForRole",
+        "iam:ListRolePolicies",
+        "iam:ListRoles",
+        "iam:ListUserPolicies",
+        "iam:ListUsers",
         "iam:RemoveRoleFromInstanceProfile",
-        "sts:GetCallerIdentity"
+        "iam:TagRole",
+        "iam:TagUser",
+        "iam:UntagRole",
+        "iam:UntagUser"
       ],
       "Resource": "*"
     },
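Review bot: Every `ec2:Delete*`, `ec2:Deregister*`, `ec2:Detach*` and `ec2:RevokeSecurityGroupIngress` in the EC2ResourceLevel statement is still granted on `"Resource": "*"` with no condition, so the Sid promises a resource scope the statement never enforces. Splitting the read-only `Describe*` calls into their own wildcard statement and putting an `aws:ResourceTag/<governance-tag>` condition (placeholder key) on the destructive actions would keep discovery working while limiting deletes to resources the tool has marked. The new list also drops `ec2:TerminateInstances`, `ec2:StopInstances` and `ec2:CreateImage` from the delete policy; if a cleanup run still stops or terminates instances those calls will now be denied, and the commit message does not say whether that is intended. The hunk begins on the previous line and the statement's opening brace is above it.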
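Review bot: `iam:DeleteRole`, `iam:DeletePolicy`, `iam:DeleteRolePolicy`, `iam:DetachRolePolicy` and the new `iam:DeleteInstanceProfile` stay on `"Resource": "*"` in the IAM statement, which lets this user remove any role or customer managed policy in the account, including the policy attached to itself and roles that belong to other tooling. Scoping the destructive IAM actions to a pattern such as `"arn:aws:iam::<account-id>:role/<prefix>*"` (placeholder) or adding an `aws:ResourceTag` condition would keep the List/Get side wildcard while bounding the blast radius. Dropping `sts:GetCallerIdentity` is harmless because that call requires no permission, but removing `iam:DeleteUser`, `iam:DeleteAccessKey`, `iam:DeleteGroup` and `iam:RemoveUserFromGroup` will break any user cleanup the tool still performs, which is worth stating in the commit message if intentional.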
@@ -142,17 +142,16 @@
       "Sid": "S3Bucket",
       "Effect": "Allow",
       "Action": [
-        "s3:PutObject",
+        "s3:DeleteBucket",
+        "s3:DeleteObject",
+        "s3:GetBucketLocation",
+        "s3:GetBucketTagging",
         "s3:GetObject",
         "s3:ListAllMyBuckets",
-        "s3:CreateBucket",
         "s3:ListBucket",
+        "s3:PutObject",
         "s3:PutObjectTagging",
-        "s3:DeleteObject",
-        "s3:DeleteBucket",
-        "s3:putBucketTagging",
-        "s3:GetBucketTagging",
-        "s3:GetBucketLocation"
+        "s3:putBucketTagging"
       ],
       "Resource": "*"
     },
@@ -173,6 +172,15 @@
         "cloudwatch:GetMetricData"
       ],
       "Resource": "*"
+    },
+    {
+      "Sid": "RDS",
+      "Effect": "Allow",
+      "Action": [
+        "rds:AddTagsToResource",
+        "rds:DescribeDBInstances"
+      ],
+      "Resource": "*"
     }
   ]
 }
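Review bot: `s3:putBucketTagging` keeps its lowercase `put` while every other action in the list is now sorted and PascalCased; as far as the IAM documentation states action names are matched case-insensitively, so this is cosmetic, but it breaks the alphabetical order the hunk introduces and reads like a typo — change it to `"s3:PutBucketTagging"` here and in the S3Bucket hunk of CloudGovernanceReadPolicy.json. Separately, `s3:DeleteBucket` and `s3:DeleteObject` on `"Resource": "*"` can empty or remove any bucket in the account, including the log bucket this commit's README creates for the tool; if the cleanup only targets buckets it owns, an `aws:ResourceTag` condition or an explicit bucket ARN list would bound that.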
diff --git a/iam/clouds/aws/CloudGovernanceInfra/terraform/CloudGovernanceInfra.tar b/iam/clouds/aws/CloudGovernanceInfra/terraform/CloudGovernanceInfra.tar new file mode 100644 index 0000000000000000000000000000000000000000..004c4ce6e6d3ddac2078ef298f56628348b93971 GIT binary patch literal 27136 zcmeGk*>2;=(FqU)aq^lxcZ577gAvU`vTR|EKqG5rjq$aT?ag4ZA!xEKb4-y6508yq z|3N+=&&dzw6H?X9OH@*(t0s_v?;rX<~q!f6yr;muZ6FIkp%TP?B$ zpPk({`;=Aw8=7SJt`ViR+mYL?j-qNrR$5A1+ahvR0_FKeL1_3Oni1aGel#)iu>5yG zyIG_nHWHZ+PKM9_m)EcU@awH#Zf%_yCOI3CzmfQbZCk&Aw+ionz#D)62i_~ZdKVYN z7!4`@1@GS$$bONv|K9W_k};h+RGRwUJ#`J&q+5W{{@vgIEC2hSdV#e5`6)GUZajQV z4U76a)vW{I8jJm3kqiFc?#Rj(dH9qAE#vhw_kT?$lhB^f1Er(xD%$@3UPn??Wp7t$ zY3g>nLynJL^@jbgkFEyNgAs7g^0Q?AAWpuA3azM3`-DKW%R(d`E-+aBv~ui*d%< zyaQ_bGz8fK>IQab-=ln?A5rYGIwk#tIZOJz;oHVFL|>I<0L%P8AOFL?gYkb$ZrA?5 z5wok~|Ba~mOYJ0!|EpUEmim7#{^$M=ktpQl4U6j4?+1jdM6Cv@Oc|%F`hF6XpW5!#Y1Z zKI*^IKW1d-o@1MjIJSUyH>Li>4g!!nAUB?094d)G6)1*9Z;Z$ZQGArRpphY*xpCHO z=_WT2aKle|7}gK^S_N4qq?83 z|3Lny$db0Vzo)6%Zk_&ZWC}iOC)Ig-|4dV1?iC$^~RnK50Oi zhey9Yk7;>EHXkBm2n~sx!6p&K1+K?xb zCiD^PKpo19+z{m1`O^<5rG(Y1f{;=yqLg7j?TkSt35b$3G?z3zN$&&C#dw|&-Zjfr zlEH9AV1mG7OGUlu$h2Uz9?Tllgj8ZEZ^N>sn-0MP!&4oufuf$!@Qj^V`Tl%mNeiaUN{=bTrezG`O{$JfXu+;x^^4aLvK$hMH8?*-xDVd_AQ z&1W69# zWN-yF)$Xw!gjY6&(-u@Pe>FsiBWn2OEkAZ3kqifw`+|d?I1ncjU&+)A`f86K zh#b><>ZBbu)|wq^s-PvT5rZygq((^Jr(hur68A2YG&kFjVRs=T?;`b!ZgvLKwOx3~ z3LgI1d67yAV<|=V;f^tFhIn^%MGBXOA3XoAX}clyZ;X|DV)#JZ9K%pQ7>_Gq-&^f{hqM4=bJ z;U(O=N!O_!w2gS%8&u$oLy8EFjmR}``<{Dak0YPmz?q>zH|zz0XWC%ghhVa2++y=S zm@NTI5suKeK=E(5tBARr8cX2ZQF~^#X2D93NpZ^ItS|IqaW6w$ATDry5W`2YB{Dsh zpv0b80%ay9hFvj>DuGSSQota#^0_(UOYqgyJf{?IV!@2Mu*KqLnrscJj_?Q{b~FD7 zZFU}v_qVQT&$3|K383{wx5)8TCE25*?HyrdC>tGGnOaSh1~^BQSF<1&em~Bs${OTuKU7xxj9@sfa9h z5kmnC%LPl<7erdRKG=bgEP3Ut#0e`=6?ygGAxQfgR+ge)4IxG{g2b)nq4(Y$oteoa zcZ?30?kI^HuMy!LdxrJOa4>56*x);k5gg!j%{cMh2ID;;cU)w6SWzV5^E_upB4k*5 zR>Di{FE7cgVTia7=>+bcE{#c-M9*-sG@ZotB4(%s#u0Pk{cvHGRXUR?1|?=l=j=*l 
z+Sd$h=*{k485KenQC`COQwB#LDW}JDO3*DdBhR9oakIE9Om-jz0V{t?A7>^G2NFZE zV%u|U@EtJ*D-%*H71$Qz6?7dywkR3~cDjre!iBP=N-dEA;d6xC9Fga1-o3I+BBCg;CjVY(WoE(haip((6#~NLaG=7J7 zoxXE9W}w9mSl|M_m4eQ$-{TQQq8APVu{p^x+(0M>S3sJ=VM4}v-K69~w#?EU=j4$y z&s4(65G<7RJPL*U(sr>J@P{s(T>^fF5wH`&3*WG_SbPOL$jya`w--WW&^`9NyJ$Lq zKl#X61*jm80;*uWJ!@ZNLVt@_*32sclj zv#k#gM;|G-Zw1|WbG`7A95m$xsz!ulS3P`{EJiCT8_ei?xSLSrfn?2lqZ*j2|7TBZ ze4^_AI`{vz)@}>#|Esd9)c^mq89S)!|C`bC7uri{{r?lL1B>f_@c(aV{Xg-4rPHea z|7jx@Gh6=${qMJ=PD|ZWI*Qh+>;D^>gU{Is3zV}bbw8okXQNu||B5Ut$@4$4|0|tN z{rq>Pzbe0B$+)inLp7wX|Kr60(d~?^>;|U^GpR2^>iU1_1%uF dy}Gi8f0|ZT_NqK)sd?8Ls5MY);EU71{{U3zuC4$8 literal 0 HcmV?d00001 diff --git a/iam/clouds/aws/CloudGovernanceReadPolicy.json b/iam/clouds/aws/CloudGovernanceInfra/terraform/CloudGovernanceReadPolicy.json similarity index 79% rename from iam/clouds/aws/CloudGovernanceReadPolicy.json rename to iam/clouds/aws/CloudGovernanceInfra/terraform/CloudGovernanceReadPolicy.json index a67c8b894..3b6e75c90 100644 --- a/iam/clouds/aws/CloudGovernanceReadPolicy.json +++ b/iam/clouds/aws/CloudGovernanceInfra/terraform/CloudGovernanceReadPolicy.json @@ -6,7 +6,13 @@ "Effect": "Allow", "Action": [ "ce:GetCostAndUsage", - "ce:GetCostForecast" + "ce:GetCostForecast", + "tag:GetResources", + "tag:TagResources", + "support:DescribeTrustedAdvisorCheckResult", + "support:DescribeTrustedAdvisorChecks", + "resource-explorer-2:ListViews", + "resource-explorer-2:Search" ], "Resource": "*" }, @@ -14,6 +20,7 @@ "Sid": "EC2AccountLevel", "Effect": "Allow", "Action": [ + "ec2:DeleteTags", "ec2:CreateTags" ], "Resource": [ 
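Review bot: `ec2:DeleteTags` is a write action added to a policy named CloudGovernanceReadPolicy, and with this commit the read policy also gains `tag:TagResources` in its first hunk, `elasticloadbalancing:RemoveTags`, `iam:UntagRole`/`iam:UntagUser` and `rds:AddTagsToResource` in the later ones; a consumer trusting the name would not expect the user to be able to strip tags, which for a governance tool are also its audit trail. Either record the intent in the statement, e.g. rename the Sid to `"EC2AccountLevelTagWrites"`, or bound the keys with `"Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": ["<governance-tag-keys>"]}}` (placeholder list). The `"Resource"` array of this statement continues past the hunk, so its scope cannot be checked here.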
@@ -38,29 +45,28 @@
       "Sid": "EC2ResourceLevel",
       "Effect": "Allow",
       "Action": [
-        "ec2:DescribeAddresses",
-        "ec2:DescribeInstances",
+        "autoscaling:DescribeAutoScalingGroups",
         "autoscaling:DescribeLaunchConfigurations",
-        "ec2:DescribeRegions",
+        "ec2:DescribeAddresses",
         "ec2:DescribeDhcpOptions",
-        "ec2:DescribeSnapshots",
+        "ec2:DescribeImages",
+        "ec2:DescribeInstanceTypes",
+        "ec2:DescribeInstances",
         "ec2:DescribeInternetGateways",
-        "ec2:DescribeNetworkInterfaces",
-        "autoscaling:DescribeAutoScalingGroups",
-        "ec2:DescribeVolumes",
+        "ec2:DescribeNatGateways",
         "ec2:DescribeNetworkAcls",
+        "ec2:DescribeNetworkInterfaces",
+        "ec2:DescribeRegions",
+        "ec2:DescribeReservedInstances",
         "ec2:DescribeRouteTables",
-        "ec2:ReleaseAddress",
-        "ec2:AssociateDhcpOptions",
-        "ec2:DescribeTags",
-        "ec2:DescribeVpcPeeringConnections",
-        "ec2:DescribeNatGateways",
         "ec2:DescribeSecurityGroups",
-        "ec2:DescribeImages",
-        "ec2:DescribeVpcs",
-        "ec2:DescribeInstanceTypes",
+        "ec2:DescribeSnapshots",
+        "ec2:DescribeSubnets",
+        "ec2:DescribeTags",
+        "ec2:DescribeVolumes",
         "ec2:DescribeVpcEndpoints",
-        "ec2:DescribeSubnets"
+        "ec2:DescribeVpcPeeringConnections",
+        "ec2:DescribeVpcs"
       ],
       "Resource": "*"
     },
@@ -70,7 +76,8 @@
       "Action": [
         "elasticloadbalancing:DescribeTags",
         "elasticloadbalancing:AddTags",
-        "elasticloadbalancing:DescribeLoadBalancers"
+        "elasticloadbalancing:DescribeLoadBalancers",
+        "elasticloadbalancing:RemoveTags"
       ],
       "Resource": "*"
     },
@@ -79,20 +86,20 @@
       "Effect": "Allow",
       "Action": [
         "iam:GetRole",
-        "iam:TagRole",
-        "iam:ListRoles",
-        "iam:ListUserPolicies",
-        "iam:CreateUser",
-        "iam:TagUser",
-        "iam:GetUserPolicy",
-        "iam:ListAttachedRolePolicies",
-        "iam:ListUsers",
         "iam:GetUser",
+        "iam:GetUserPolicy",
         "iam:ListAccessKeys",
-        "iam:ListRolePolicies",
         "iam:ListAccountAliases",
+        "iam:ListAttachedRolePolicies",
         "iam:ListInstanceProfilesForRole",
-        "sts:GetCallerIdentity"
+        "iam:ListRolePolicies",
+        "iam:ListRoles",
+        "iam:ListUserPolicies",
+        "iam:ListUsers",
+        "iam:TagRole",
+        "iam:TagUser",
+        "iam:UntagRole",
+        "iam:UntagUser"
       ],
       "Resource": "*"
     },
@@ -106,15 +113,14 @@
       "Sid": "S3Bucket",
       "Effect": "Allow",
       "Action": [
-        "s3:PutObject",
+        "s3:GetBucketLocation",
+        "s3:GetBucketTagging",
         "s3:GetObject",
         "s3:ListAllMyBuckets",
-        "s3:CreateBucket",
         "s3:ListBucket",
+        "s3:PutObject",
         "s3:PutObjectTagging",
-        "s3:putBucketTagging",
-        "s3:GetBucketTagging",
-        "s3:GetBucketLocation"
+        "s3:putBucketTagging"
       ],
       "Resource": "*"
     },
@@ -131,8 +137,17 @@
       "Sid": "CloudWatch",
       "Effect": "Allow",
       "Action": [
-        "cloudwatch:GetMetricData",
-        "cloudwatch:GetMetricStatistics"
+        "cloudwatch:GetMetricStatistics",
+        "cloudwatch:GetMetricData"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "RDS",
+      "Effect": "Allow",
+      "Action": [
+        "rds:AddTagsToResource",
+        "rds:DescribeDBInstances"
       ],
       "Resource": "*"
     }
diff --git a/iam/clouds/aws/CloudGovernanceInfra/terraform/main.tf b/iam/clouds/aws/CloudGovernanceInfra/terraform/main.tf
new file mode 100644
index 000000000..5cfb4a81b
--- /dev/null
+++ b/iam/clouds/aws/CloudGovernanceInfra/terraform/main.tf
@@ -0,0 +1,39 @@
+provider "aws" {
+  region = var.AWS_DEFAULT_REGION
+}
+
+data "aws_caller_identity" "current" {}
+
+resource "null_resource" "modify_file" {
+  provisioner "local-exec" {
+    command = <