Create the cloud-governance infra: User, Policy, Bucket

iam/clouds/aws/CloudGovernanceDeletePolicy.json → iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceDeletePolicy.json

@@ -6,7 +6,13 @@
       "Effect": "Allow",
       "Action": [
         "ce:GetCostAndUsage",
-        "ce:GetCostForecast"
+        "ce:GetCostForecast",
+        "tag:GetResources",
+        "tag:TagResources",
+        "support:DescribeTrustedAdvisorCheckResult",
+        "support:DescribeTrustedAdvisorChecks",
+        "resource-explorer-2:ListViews",
+        "resource-explorer-2:Search"
       ],
       "Resource": "*"
     },
@@ -39,52 +45,49 @@
       "Sid": "EC2ResourceLevel",
       "Effect": "Allow",
       "Action": [
-        "ec2:DeregisterImage",
-        "ec2:DeleteSubnet",
+        "autoscaling:DescribeAutoScalingGroups",
+        "autoscaling:DescribeLaunchConfigurations",
+        "ec2:AssociateDhcpOptions",
+        "ec2:DeleteDhcpOptions",
+        "ec2:DeleteInternetGateway",
+        "ec2:DeleteNatGateway",
+        "ec2:DeleteNetworkAcl",
+        "ec2:DeleteNetworkInterface",
+        "ec2:DeleteRouteTable",
+        "ec2:DeleteSecurityGroup",
         "ec2:DeleteSnapshot",
-        "ec2:DescribeAddresses",
-        "ec2:DescribeInstances",
+        "ec2:DeleteSubnet",
+        "ec2:DeleteVolume",
+        "ec2:DeleteVpc",
         "ec2:DeleteVpcEndpoints",
         "ec2:DeleteVpcPeeringConnection",
-        "autoscaling:DescribeLaunchConfigurations",
-        "ec2:DescribeRegions",
-        "ec2:CreateImage",
-        "ec2:CreateVpc",
+        "ec2:DeregisterImage",
+        "ec2:DescribeAddresses",
         "ec2:DescribeDhcpOptions",
-        "ec2:DescribeSnapshots",
-        "ec2:DeleteRouteTable",
+        "ec2:DescribeImages",
+        "ec2:DescribeInstanceTypes",
+        "ec2:DescribeInstances",
         "ec2:DescribeInternetGateways",
-        "ec2:DeleteVolume",
-        "ec2:DescribeNetworkInterfaces",
-        "autoscaling:DescribeAutoScalingGroups",
-        "ec2:DescribeVolumes",
-        "ec2:DeleteInternetGateway",
+        "ec2:DescribeNatGateways",
         "ec2:DescribeNetworkAcls",
+        "ec2:DescribeNetworkInterfaces",
+        "ec2:DescribeRegions",
+        "ec2:DescribeReservedInstances",
         "ec2:DescribeRouteTables",
-        "ec2:DeleteNetworkAcl",
-        "ec2:ReleaseAddress",
-        "ec2:AssociateDhcpOptions",
-        "ec2:TerminateInstances",
-        "ec2:DetachNetworkInterface",
+        "ec2:DescribeSecurityGroups",
+        "ec2:DescribeSnapshots",
+        "ec2:DescribeSubnets",
         "ec2:DescribeTags",
+        "ec2:DescribeVolumes",
+        "ec2:DescribeVpcEndpoints",
         "ec2:DescribeVpcPeeringConnections",
-        "ec2:ModifyNetworkInterfaceAttribute",
-        "ec2:DeleteNetworkInterface",
+        "ec2:DescribeVpcs",
         "ec2:DetachInternetGateway",
-        "ec2:DescribeNatGateways",
-        "ec2:StopInstances",
+        "ec2:DetachNetworkInterface",
         "ec2:DisassociateRouteTable",
-        "ec2:DescribeSecurityGroups",
-        "ec2:RevokeSecurityGroupIngress",
-        "ec2:DescribeImages",
-        "ec2:DescribeVpcs",
-        "ec2:DeleteSecurityGroup",
-        "ec2:DescribeInstanceTypes",
-        "ec2:DeleteDhcpOptions",
-        "ec2:DeleteNatGateway",
-        "ec2:DescribeVpcEndpoints",
-        "ec2:DeleteVpc",
-        "ec2:DescribeSubnets"
+        "ec2:ModifyNetworkInterfaceAttribute",
+        "ec2:ReleaseAddress",
+        "ec2:RevokeSecurityGroupIngress"
       ],
       "Resource": "*"
     },
@@ -95,40 +98,37 @@
         "elasticloadbalancing:DeleteLoadBalancer",
         "elasticloadbalancing:DescribeTags",
         "elasticloadbalancing:AddTags",
-        "elasticloadbalancing:DescribeLoadBalancers"
+        "elasticloadbalancing:DescribeLoadBalancers",
+        "elasticloadbalancing:RemoveTags"
       ],
       "Resource": "*"
     },
     {
       "Sid": "IAM",
       "Effect": "Allow",
       "Action": [
-        "iam:GetRole",
-        "iam:DeleteAccessKey",
-        "iam:DeleteGroup",
-        "iam:TagRole",
+        "iam:DeleteInstanceProfile",
+        "iam:DeletePolicy",
+        "iam:DeleteRole",
+        "iam:DeleteRolePolicy",
         "iam:DeleteUserPolicy",
-        "iam:ListRoles",
-        "iam:DeleteUser",
-        "iam:ListUserPolicies",
-        "iam:CreateUser",
-        "iam:TagUser",
-        "sts:AssumeRole",
-        "iam:RemoveUserFromGroup",
-        "iam:GetUserPolicy",
-        "iam:ListAttachedRolePolicies",
-        "iam:ListUsers",
+        "iam:DetachRolePolicy",
+        "iam:GetRole",
         "iam:GetUser",
+        "iam:GetUserPolicy",
         "iam:ListAccessKeys",
-        "iam:ListRolePolicies",
         "iam:ListAccountAliases",
-        "iam:DeleteRole",
-        "iam:DetachRolePolicy",
-        "iam:DeletePolicy",
-        "iam:DeleteRolePolicy",
+        "iam:ListAttachedRolePolicies",
         "iam:ListInstanceProfilesForRole",
+        "iam:ListRolePolicies",
+        "iam:ListRoles",
+        "iam:ListUserPolicies",
+        "iam:ListUsers",
         "iam:RemoveRoleFromInstanceProfile",
-        "sts:GetCallerIdentity"
+        "iam:TagRole",
+        "iam:TagUser",
+        "iam:UntagRole",
+        "iam:UntagUser"
       ],
       "Resource": "*"
     },
@@ -142,17 +142,16 @@
       "Sid": "S3Bucket",
       "Effect": "Allow",
       "Action": [
-        "s3:PutObject",
+        "s3:DeleteBucket",
+        "s3:DeleteObject",
+        "s3:GetBucketLocation",
+        "s3:GetBucketTagging",
         "s3:GetObject",
         "s3:ListAllMyBuckets",
-        "s3:CreateBucket",
         "s3:ListBucket",
+        "s3:PutObject",
         "s3:PutObjectTagging",
-        "s3:DeleteObject",
-        "s3:DeleteBucket",
-        "s3:putBucketTagging",
-        "s3:GetBucketTagging",
-        "s3:GetBucketLocation"
+        "s3:putBucketTagging"
       ],
       "Resource": "*"
     },
@@ -173,6 +172,15 @@
         "cloudwatch:GetMetricData"
       ],
       "Resource": "*"
+    },
+    {
+      "Sid": "RDS",
+      "Effect": "Allow",
+      "Action": [
+        "rds:AddTagsToResource",
+        "rds:DescribeDBInstances"
+      ],
+      "Resource": "*"
     }
   ]
 }

iam/clouds/aws/CloudGovernanceReadPolicy.json → iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceReadPolicy.json

@@ -6,7 +6,13 @@
       "Effect": "Allow",
       "Action": [
         "ce:GetCostAndUsage",
-        "ce:GetCostForecast"
+        "ce:GetCostForecast",
+        "tag:GetResources",
+        "tag:TagResources",
+        "support:DescribeTrustedAdvisorCheckResult",
+        "support:DescribeTrustedAdvisorChecks",
+        "resource-explorer-2:ListViews",
+        "resource-explorer-2:Search"
       ],
       "Resource": "*"
     },
@@ -38,29 +44,28 @@
       "Sid": "EC2ResourceLevel",
       "Effect": "Allow",
       "Action": [
-        "ec2:DescribeAddresses",
-        "ec2:DescribeInstances",
+        "autoscaling:DescribeAutoScalingGroups",
         "autoscaling:DescribeLaunchConfigurations",
-        "ec2:DescribeRegions",
+        "ec2:DescribeAddresses",
         "ec2:DescribeDhcpOptions",
-        "ec2:DescribeSnapshots",
+        "ec2:DescribeImages",
+        "ec2:DescribeInstanceTypes",
+        "ec2:DescribeInstances",
         "ec2:DescribeInternetGateways",
-        "ec2:DescribeNetworkInterfaces",
-        "autoscaling:DescribeAutoScalingGroups",
-        "ec2:DescribeVolumes",
+        "ec2:DescribeNatGateways",
         "ec2:DescribeNetworkAcls",
+        "ec2:DescribeNetworkInterfaces",
+        "ec2:DescribeRegions",
+        "ec2:DescribeReservedInstances",
         "ec2:DescribeRouteTables",
-        "ec2:ReleaseAddress",
-        "ec2:AssociateDhcpOptions",
-        "ec2:DescribeTags",
-        "ec2:DescribeVpcPeeringConnections",
-        "ec2:DescribeNatGateways",
         "ec2:DescribeSecurityGroups",
-        "ec2:DescribeImages",
-        "ec2:DescribeVpcs",
-        "ec2:DescribeInstanceTypes",
+        "ec2:DescribeSnapshots",
+        "ec2:DescribeSubnets",
+        "ec2:DescribeTags",
+        "ec2:DescribeVolumes",
         "ec2:DescribeVpcEndpoints",
-        "ec2:DescribeSubnets"
+        "ec2:DescribeVpcPeeringConnections",
+        "ec2:DescribeVpcs"
       ],
       "Resource": "*"
     },
@@ -79,20 +84,20 @@
       "Effect": "Allow",
       "Action": [
         "iam:GetRole",
-        "iam:TagRole",
-        "iam:ListRoles",
-        "iam:ListUserPolicies",
-        "iam:CreateUser",
-        "iam:TagUser",
-        "iam:GetUserPolicy",
-        "iam:ListAttachedRolePolicies",
-        "iam:ListUsers",
         "iam:GetUser",
+        "iam:GetUserPolicy",
         "iam:ListAccessKeys",
-        "iam:ListRolePolicies",
         "iam:ListAccountAliases",
+        "iam:ListAttachedRolePolicies",
         "iam:ListInstanceProfilesForRole",
-        "sts:GetCallerIdentity"
+        "iam:ListRolePolicies",
+        "iam:ListRoles",
+        "iam:ListUserPolicies",
+        "iam:ListUsers",
+        "iam:TagRole",
+        "iam:TagUser",
+        "iam:UntagRole",
+        "iam:UntagUser"
       ],
       "Resource": "*"
     },
@@ -106,15 +111,14 @@
       "Sid": "S3Bucket",
       "Effect": "Allow",
       "Action": [
-        "s3:PutObject",
+        "s3:GetBucketLocation",
+        "s3:GetBucketTagging",
         "s3:GetObject",
         "s3:ListAllMyBuckets",
-        "s3:CreateBucket",
         "s3:ListBucket",
+        "s3:PutObject",
         "s3:PutObjectTagging",
-        "s3:putBucketTagging",
-        "s3:GetBucketTagging",
-        "s3:GetBucketLocation"
+        "s3:putBucketTagging"
       ],
       "Resource": "*"
     },
@@ -131,8 +135,17 @@
       "Sid": "CloudWatch",
       "Effect": "Allow",
       "Action": [
-        "cloudwatch:GetMetricData",
-        "cloudwatch:GetMetricStatistics"
+        "cloudwatch:GetMetricStatistics",
+        "cloudwatch:GetMetricData"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "RDS",
+      "Effect": "Allow",
+      "Action": [
+        "rds:AddTagsToResource",
+        "rds:DescribeDBInstances"
       ],
       "Resource": "*"
     }

iam/clouds/aws/CloudGovernanceInfra/IAM/main.tf

@@ -0,0 +1,30 @@
+provider "aws" {
+  region = var.AWS_DEFAULT_REGION
+}
+
+data "aws_caller_identity" "current" {}
+
+
+resource "local_file" "updated_policy" {
+  content  = replace(file(var.IAM_POLICY_PATH), "account_id", data.aws_caller_identity.current.account_id)
+  filename = "${path.module}/updated_policy.json"
+}
+
+resource "aws_iam_user" "cloud-governance-user" {
+  name = var.IAM_USERNAME
+}
+
+resource "aws_iam_policy" "cloud-governance-user-policy" {
+  name   = var.IAM_POLICY_NAME
+  path   = "/"
+  policy = local_file.updated_policy.content
+}
+
+resource "aws_iam_user_policy_attachment" "user_policy_attach" {
+  user       = aws_iam_user.cloud-governance-user.name
+  policy_arn = aws_iam_policy.cloud-governance-user-policy.arn
+}
+
+resource "aws_iam_access_key" "cloud-governance-access-key" {
+  user = aws_iam_user.cloud-governance-user.name
+}

iam/clouds/aws/CloudGovernanceInfra/IAM/output.tf

@@ -0,0 +1,8 @@
+output "ACCESS_KEY_ID" {
+  value = aws_iam_access_key.cloud-governance-access-key.id
+}
+
+output "SECRET_KEY_ID" {
+  value     = aws_iam_access_key.cloud-governance-access-key.secret
+  sensitive = true
+}

iam/clouds/aws/CloudGovernanceInfra/IAM/variables.tf

@@ -0,0 +1,29 @@
+variable "IAM_USERNAME" {
+  type        = string
+  description = "IAM User to run the CloudGovernance"
+  validation {
+    condition     = var.IAM_USERNAME != ""
+    error_message = "Provide the IAM_USERNAME"
+  }
+}
+
+variable "IAM_POLICY_NAME" {
+  type        = string
+  description = "IAM Policy to se the permissions for CloudGovernance user"
+  default     = "CloudGovernanceReadPolicy"
+  validation {
+    condition     = var.IAM_POLICY_NAME == "CloudGovernanceReadPolicy" || var.IAM_POLICY_NAME == "CloudGovernanceDeletePolicy"
+    error_message = "Mismatched policy name, Supported Values: CloudGovernanceReadPolicy, CloudGovernanceDeletePolicy"
+  }
+}
+
+variable "IAM_POLICY_PATH" {
+  type        = string
+  description = "IAM Policy Path"
+}
+
+variable "AWS_DEFAULT_REGION" {
+  type        = string
+  description = "AWS Region default to us-east-2"
+  default     = "us-east-2"
+}