Create the cloud-governance infra: User, Policy, Bucket
athiruma committed Sep 13, 2024
1 parent b87a1e5 commit 3c1fa18
Showing 15 changed files with 334 additions and 108 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,13 @@
"Effect": "Allow",
"Action": [
"ce:GetCostAndUsage",
"ce:GetCostForecast"
"ce:GetCostForecast",
"tag:GetResources",
"tag:TagResources",
"support:DescribeTrustedAdvisorCheckResult",
"support:DescribeTrustedAdvisorChecks",
"resource-explorer-2:ListViews",
"resource-explorer-2:Search"
],
"Resource": "*"
},
Expand Down Expand Up @@ -39,52 +45,49 @@
"Sid": "EC2ResourceLevel",
"Effect": "Allow",
"Action": [
"ec2:DeregisterImage",
"ec2:DeleteSubnet",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"ec2:AssociateDhcpOptions",
"ec2:DeleteDhcpOptions",
"ec2:DeleteInternetGateway",
"ec2:DeleteNatGateway",
"ec2:DeleteNetworkAcl",
"ec2:DeleteNetworkInterface",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSnapshot",
"ec2:DescribeAddresses",
"ec2:DescribeInstances",
"ec2:DeleteSubnet",
"ec2:DeleteVolume",
"ec2:DeleteVpc",
"ec2:DeleteVpcEndpoints",
"ec2:DeleteVpcPeeringConnection",
"autoscaling:DescribeLaunchConfigurations",
"ec2:DescribeRegions",
"ec2:CreateImage",
"ec2:CreateVpc",
"ec2:DeregisterImage",
"ec2:DescribeAddresses",
"ec2:DescribeDhcpOptions",
"ec2:DescribeSnapshots",
"ec2:DeleteRouteTable",
"ec2:DescribeImages",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DeleteVolume",
"ec2:DescribeNetworkInterfaces",
"autoscaling:DescribeAutoScalingGroups",
"ec2:DescribeVolumes",
"ec2:DeleteInternetGateway",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeReservedInstances",
"ec2:DescribeRouteTables",
"ec2:DeleteNetworkAcl",
"ec2:ReleaseAddress",
"ec2:AssociateDhcpOptions",
"ec2:TerminateInstances",
"ec2:DetachNetworkInterface",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcPeeringConnections",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:DeleteNetworkInterface",
"ec2:DescribeVpcs",
"ec2:DetachInternetGateway",
"ec2:DescribeNatGateways",
"ec2:StopInstances",
"ec2:DetachNetworkInterface",
"ec2:DisassociateRouteTable",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:DescribeImages",
"ec2:DescribeVpcs",
"ec2:DeleteSecurityGroup",
"ec2:DescribeInstanceTypes",
"ec2:DeleteDhcpOptions",
"ec2:DeleteNatGateway",
"ec2:DescribeVpcEndpoints",
"ec2:DeleteVpc",
"ec2:DescribeSubnets"
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ReleaseAddress",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": "*"
},
Expand All @@ -95,40 +98,37 @@
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:DescribeLoadBalancers"
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:RemoveTags"
],
"Resource": "*"
},
{
"Sid": "IAM",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:DeleteAccessKey",
"iam:DeleteGroup",
"iam:TagRole",
"iam:DeleteInstanceProfile",
"iam:DeletePolicy",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DeleteUserPolicy",
"iam:ListRoles",
"iam:DeleteUser",
"iam:ListUserPolicies",
"iam:CreateUser",
"iam:TagUser",
"sts:AssumeRole",
"iam:RemoveUserFromGroup",
"iam:GetUserPolicy",
"iam:ListAttachedRolePolicies",
"iam:ListUsers",
"iam:DetachRolePolicy",
"iam:GetRole",
"iam:GetUser",
"iam:GetUserPolicy",
"iam:ListAccessKeys",
"iam:ListRolePolicies",
"iam:ListAccountAliases",
"iam:DeleteRole",
"iam:DetachRolePolicy",
"iam:DeletePolicy",
"iam:DeleteRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:ListUserPolicies",
"iam:ListUsers",
"iam:RemoveRoleFromInstanceProfile",
"sts:GetCallerIdentity"
"iam:TagRole",
"iam:TagUser",
"iam:UntagRole",
"iam:UntagUser"
],
"Resource": "*"
},
Expand All @@ -142,17 +142,16 @@
"Sid": "S3Bucket",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:GetBucketLocation",
"s3:GetBucketTagging",
"s3:GetObject",
"s3:ListAllMyBuckets",
"s3:CreateBucket",
"s3:ListBucket",
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteBucket",
"s3:putBucketTagging",
"s3:GetBucketTagging",
"s3:GetBucketLocation"
"s3:putBucketTagging"
],
"Resource": "*"
},
Expand All @@ -173,6 +172,15 @@
"cloudwatch:GetMetricData"
],
"Resource": "*"
},
{
"Sid": "RDS",
"Effect": "Allow",
"Action": [
"rds:AddTagsToResource",
"rds:DescribeDBInstances"
],
"Resource": "*"
}
]
}
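Review bot: The six actions added after `ce:GetCostForecast` (`tag:GetResources` through `resource-explorer-2:Search`) land in a statement whose `"Resource": "*"` is unchanged, so `tag:TagResources` becomes a write permission on the tags of every taggable resource in the account; where tags drive access decisions (`aws:ResourceTag/...` conditions) or cost allocation, that is broader than the cost and Trusted Advisor lookups the other new actions suggest. Moving `tag:TagResources` into its own Sid and restricting it with `"Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": ["<TAG_KEYS_THE_TOOL_MANAGES>"]}}` would keep the grant to the tag keys the tool actually sets. The same `"Resource": "*"` backs the EC2 and IAM statements here, including `ec2:TerminateInstances`, the `iam:Delete*` family and `sts:AssumeRole` (which lets the user assume any role whose trust policy admits it); the diff prints those lines without side markers, so which of them are new is not certain from this view, but the new side keeps them unscoped either way. The same tag block is added in the next file section, where the same scoping applies.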
Original file line number Diff line number Diff line change
Expand Up @@ -6,14 +6,21 @@
"Effect": "Allow",
"Action": [
"ce:GetCostAndUsage",
"ce:GetCostForecast"
"ce:GetCostForecast",
"tag:GetResources",
"tag:TagResources",
"support:DescribeTrustedAdvisorCheckResult",
"support:DescribeTrustedAdvisorChecks",
"resource-explorer-2:ListViews",
"resource-explorer-2:Search"
],
"Resource": "*"
},
{
"Sid": "EC2AccountLevel",
"Effect": "Allow",
"Action": [
"ec2:DeleteTags",
"ec2:CreateTags"
],
"Resource": [
Expand All @@ -38,29 +45,28 @@
"Sid": "EC2ResourceLevel",
"Effect": "Allow",
"Action": [
"ec2:DescribeAddresses",
"ec2:DescribeInstances",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"ec2:DescribeRegions",
"ec2:DescribeAddresses",
"ec2:DescribeDhcpOptions",
"ec2:DescribeSnapshots",
"ec2:DescribeImages",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeNetworkInterfaces",
"autoscaling:DescribeAutoScalingGroups",
"ec2:DescribeVolumes",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeReservedInstances",
"ec2:DescribeRouteTables",
"ec2:ReleaseAddress",
"ec2:AssociateDhcpOptions",
"ec2:DescribeTags",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeNatGateways",
"ec2:DescribeSecurityGroups",
"ec2:DescribeImages",
"ec2:DescribeVpcs",
"ec2:DescribeInstanceTypes",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeSubnets"
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeVpcs"
],
"Resource": "*"
},
Expand All @@ -70,7 +76,8 @@
"Action": [
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:DescribeLoadBalancers"
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:RemoveTags"
],
"Resource": "*"
},
Expand All @@ -79,20 +86,20 @@
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:TagRole",
"iam:ListRoles",
"iam:ListUserPolicies",
"iam:CreateUser",
"iam:TagUser",
"iam:GetUserPolicy",
"iam:ListAttachedRolePolicies",
"iam:ListUsers",
"iam:GetUser",
"iam:GetUserPolicy",
"iam:ListAccessKeys",
"iam:ListRolePolicies",
"iam:ListAccountAliases",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole",
"sts:GetCallerIdentity"
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:ListUserPolicies",
"iam:ListUsers",
"iam:TagRole",
"iam:TagUser",
"iam:UntagRole",
"iam:UntagUser"
],
"Resource": "*"
},
Expand All @@ -106,15 +113,14 @@
"Sid": "S3Bucket",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetBucketLocation",
"s3:GetBucketTagging",
"s3:GetObject",
"s3:ListAllMyBuckets",
"s3:CreateBucket",
"s3:ListBucket",
"s3:PutObject",
"s3:PutObjectTagging",
"s3:putBucketTagging",
"s3:GetBucketTagging",
"s3:GetBucketLocation"
"s3:putBucketTagging"
],
"Resource": "*"
},
Expand All @@ -131,8 +137,17 @@
"Sid": "CloudWatch",
"Effect": "Allow",
"Action": [
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics"
"cloudwatch:GetMetricStatistics",
"cloudwatch:GetMetricData"
],
"Resource": "*"
},
{
"Sid": "RDS",
"Effect": "Allow",
"Action": [
"rds:AddTagsToResource",
"rds:DescribeDBInstances"
],
"Resource": "*"
}
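Review bot: `ec2:DeleteTags` (added to `EC2AccountLevel`), `elasticloadbalancing:RemoveTags`, `rds:AddTagsToResource` and `tag:TagResources` are the only mutating actions in a policy whose EC2 statement is otherwise `Describe*`-only, and the hunk counts (+7, +1, +9) show they are new here rather than reordered; if this file is the read-only variant, the tag writes widen it beyond read access and deserve either a comment in the commit description or a separate Sid that names the tag keys they are meant for. The added `RDS` statement and the IAM `UntagRole`/`UntagUser` additions sit on `"Resource": "*"`; `rds:AddTagsToResource` in particular can be narrowed to the DB instance ARN pattern the tool operates on, e.g. `"Resource": "arn:aws:rds:*:<ACCOUNT_ID>:db:*"`. The `EC2AccountLevel` statement's `Resource` list continues past the hunk, so the scope `ec2:DeleteTags` inherits is not visible from here.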
Empty file.
33 changes: 33 additions & 0 deletions iam/clouds/aws/CloudGovernanceInfra/IAM/main.tf
@@ -0,0 +1,33 @@
provider "aws" {
region = var.AWS_DEFAULT_REGION
}

data "aws_caller_identity" "current" {}

resource "null_resource" "modify_file" {
provisioner "local-exec" {
command = <<EOT
sed -i "" -e "s/account_id/${data.aws_caller_identity.current.account_id}/g" "${var.IAM_POLICY_PATH}"
EOT
}
}

resource "aws_iam_user" "cloud-governance-user" {
name = var.IAM_USERNAME
}

resource "aws_iam_policy" "cloud-governance-user-policy" {
name = var.IAM_POLICY_NAME
depends_on = [null_resource.modify_file]
policy = file(var.IAM_POLICY_PATH)
path = "/"
}

resource "aws_iam_user_policy_attachment" "user_policy_attach" {
user = aws_iam_user.cloud-governance-user.name
policy_arn = aws_iam_policy.cloud-governance-user-policy.arn
}

resource "aws_iam_access_key" "cloud-governance-access-key" {
user = aws_iam_user.cloud-governance-user.name
}
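Review bot: `policy = file(var.IAM_POLICY_PATH)` in `aws_iam_policy.cloud-governance-user-policy` is evaluated when the configuration is read, not after the provisioner in `null_resource.modify_file` has run, so `depends_on` does not make the first apply see the substituted account id — as far as I can tell the literal `account_id` placeholder is what gets sent to IAM unless an earlier run already rewrote the file. The in-place `sed -i ""` also edits the checked-in policy file (a second run has nothing left to substitute and the working tree is left dirty), and the `-i ""` form is BSD/macOS syntax that GNU sed does not accept. Doing the substitution in HCL removes the provisioner and both problems: `policy = replace(file(var.IAM_POLICY_PATH), "account_id", data.aws_caller_identity.current.account_id)`, after which `null_resource.modify_file` and the `depends_on` line can be dropped. Separately, `aws_iam_access_key` without `pgp_key` stores the secret in plaintext in state; setting `pgp_key` so only `encrypted_secret` is populated is the documented way to avoid that when the key must be created by this module.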
8 changes: 8 additions & 0 deletions iam/clouds/aws/CloudGovernanceInfra/IAM/output.tf
@@ -0,0 +1,8 @@
output "ACCESS_KEY_ID" {
value = aws_iam_access_key.cloud-governance-access-key.id
}

output "SECRET_KEY_ID" {
value = aws_iam_access_key.cloud-governance-access-key.secret
sensitive = true
}
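Review bot: `SECRET_KEY_ID` is a misleading name for `aws_iam_access_key.cloud-governance-access-key.secret` — the value is the secret access key, not an id — so `output "SECRET_ACCESS_KEY"` would match AWS terminology and pair cleanly with `ACCESS_KEY_ID`. `sensitive = true` only redacts the value from plan/apply output; it still sits in plaintext in the state file, so the state backend has to be treated as holding a live credential (or the key created with `pgp_key` so that only `encrypted_secret` is exposed). A one-line comment on each output saying where the value is expected to be consumed would also help, since the commit description does not say.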