

Create the cloud-governance infra: User, Policy, Bucket
athiruma committed Sep 12, 2024
1 parent b87a1e5 commit a7868c1
Showing 6 changed files with 224 additions and 108 deletions.
Expand Up @@ -6,7 +6,13 @@
"Effect": "Allow",
"Action": [
"ce:GetCostAndUsage",
"ce:GetCostForecast"
"ce:GetCostForecast",
"tag:GetResources",
"tag:TagResources",
"support:DescribeTrustedAdvisorCheckResult",
"support:DescribeTrustedAdvisorChecks",
"resource-explorer-2:ListViews",
"resource-explorer-2:Search"
],
"Resource": "*"
},
Expand Down Expand Up @@ -39,52 +45,49 @@
"Sid": "EC2ResourceLevel",
"Effect": "Allow",
"Action": [
"ec2:DeregisterImage",
"ec2:DeleteSubnet",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"ec2:AssociateDhcpOptions",
"ec2:DeleteDhcpOptions",
"ec2:DeleteInternetGateway",
"ec2:DeleteNatGateway",
"ec2:DeleteNetworkAcl",
"ec2:DeleteNetworkInterface",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSnapshot",
"ec2:DescribeAddresses",
"ec2:DescribeInstances",
"ec2:DeleteSubnet",
"ec2:DeleteVolume",
"ec2:DeleteVpc",
"ec2:DeleteVpcEndpoints",
"ec2:DeleteVpcPeeringConnection",
"autoscaling:DescribeLaunchConfigurations",
"ec2:DescribeRegions",
"ec2:CreateImage",
"ec2:CreateVpc",
"ec2:DeregisterImage",
"ec2:DescribeAddresses",
"ec2:DescribeDhcpOptions",
"ec2:DescribeSnapshots",
"ec2:DeleteRouteTable",
"ec2:DescribeImages",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DeleteVolume",
"ec2:DescribeNetworkInterfaces",
"autoscaling:DescribeAutoScalingGroups",
"ec2:DescribeVolumes",
"ec2:DeleteInternetGateway",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeReservedInstances",
"ec2:DescribeRouteTables",
"ec2:DeleteNetworkAcl",
"ec2:ReleaseAddress",
"ec2:AssociateDhcpOptions",
"ec2:TerminateInstances",
"ec2:DetachNetworkInterface",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcPeeringConnections",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:DeleteNetworkInterface",
"ec2:DescribeVpcs",
"ec2:DetachInternetGateway",
"ec2:DescribeNatGateways",
"ec2:StopInstances",
"ec2:DetachNetworkInterface",
"ec2:DisassociateRouteTable",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:DescribeImages",
"ec2:DescribeVpcs",
"ec2:DeleteSecurityGroup",
"ec2:DescribeInstanceTypes",
"ec2:DeleteDhcpOptions",
"ec2:DeleteNatGateway",
"ec2:DescribeVpcEndpoints",
"ec2:DeleteVpc",
"ec2:DescribeSubnets"
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ReleaseAddress",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": "*"
},
Expand All @@ -95,40 +98,37 @@
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:DescribeLoadBalancers"
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:RemoveTags"
],
"Resource": "*"
},
{
"Sid": "IAM",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:DeleteAccessKey",
"iam:DeleteGroup",
"iam:TagRole",
"iam:DeleteInstanceProfile",
"iam:DeletePolicy",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DeleteUserPolicy",
"iam:ListRoles",
"iam:DeleteUser",
"iam:ListUserPolicies",
"iam:CreateUser",
"iam:TagUser",
"sts:AssumeRole",
"iam:RemoveUserFromGroup",
"iam:GetUserPolicy",
"iam:ListAttachedRolePolicies",
"iam:ListUsers",
"iam:DetachRolePolicy",
"iam:GetRole",
"iam:GetUser",
"iam:GetUserPolicy",
"iam:ListAccessKeys",
"iam:ListRolePolicies",
"iam:ListAccountAliases",
"iam:DeleteRole",
"iam:DetachRolePolicy",
"iam:DeletePolicy",
"iam:DeleteRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:ListUserPolicies",
"iam:ListUsers",
"iam:RemoveRoleFromInstanceProfile",
"sts:GetCallerIdentity"
"iam:TagRole",
"iam:TagUser",
"iam:UntagRole",
"iam:UntagUser"
],
"Resource": "*"
},
Expand All @@ -142,17 +142,16 @@
"Sid": "S3Bucket",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:GetBucketLocation",
"s3:GetBucketTagging",
"s3:GetObject",
"s3:ListAllMyBuckets",
"s3:CreateBucket",
"s3:ListBucket",
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteBucket",
"s3:putBucketTagging",
"s3:GetBucketTagging",
"s3:GetBucketLocation"
"s3:putBucketTagging"
],
"Resource": "*"
},
Expand All @@ -173,6 +172,15 @@
"cloudwatch:GetMetricData"
],
"Resource": "*"
},
{
"Sid": "RDS",
"Effect": "Allow",
"Action": [
"rds:AddTagsToResource",
"rds:DescribeDBInstances"
],
"Resource": "*"
}
]
}
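Review bot: The new `"Sid": "RDS"` statement in the last hunk grants `rds:AddTagsToResource` on `"Resource": "*"`, and the first hunk adds `tag:TagResources` to the Cost Explorer statement, also on `*`; both are write actions and, as I understand the RDS and Resource Groups Tagging APIs, both honour the `aws:TagKeys` condition key, so the tagging grant can be narrowed to the keys the governance tool actually writes, e.g. a dedicated statement carrying `"Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": ["<GOVERNANCE_TAG_KEY>"]}}` rather than sharing a statement with read-only `ce:` actions. The file name for this section is not shown on the page, and the same additions appear verbatim in the second policy file below, so this applies there as well. Separately, `s3:putBucketTagging` keeps a lower-case verb while every neighbour in the re-sorted list is PascalCase; IAM matches action names case-insensitively as far as I know, so it is not a bug, but `"s3:PutBucketTagging"` would be consistent with the rest of the list (the second file has the same spelling).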
Expand Up @@ -6,14 +6,21 @@
"Effect": "Allow",
"Action": [
"ce:GetCostAndUsage",
"ce:GetCostForecast"
"ce:GetCostForecast",
"tag:GetResources",
"tag:TagResources",
"support:DescribeTrustedAdvisorCheckResult",
"support:DescribeTrustedAdvisorChecks",
"resource-explorer-2:ListViews",
"resource-explorer-2:Search"
],
"Resource": "*"
},
{
"Sid": "EC2AccountLevel",
"Effect": "Allow",
"Action": [
"ec2:DeleteTags",
"ec2:CreateTags"
],
"Resource": [
Expand All @@ -38,29 +45,28 @@
"Sid": "EC2ResourceLevel",
"Effect": "Allow",
"Action": [
"ec2:DescribeAddresses",
"ec2:DescribeInstances",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"ec2:DescribeRegions",
"ec2:DescribeAddresses",
"ec2:DescribeDhcpOptions",
"ec2:DescribeSnapshots",
"ec2:DescribeImages",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeNetworkInterfaces",
"autoscaling:DescribeAutoScalingGroups",
"ec2:DescribeVolumes",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeReservedInstances",
"ec2:DescribeRouteTables",
"ec2:ReleaseAddress",
"ec2:AssociateDhcpOptions",
"ec2:DescribeTags",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeNatGateways",
"ec2:DescribeSecurityGroups",
"ec2:DescribeImages",
"ec2:DescribeVpcs",
"ec2:DescribeInstanceTypes",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeSubnets"
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeVpcs"
],
"Resource": "*"
},
Expand All @@ -70,7 +76,8 @@
"Action": [
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:DescribeLoadBalancers"
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:RemoveTags"
],
"Resource": "*"
},
Expand All @@ -79,20 +86,20 @@
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:TagRole",
"iam:ListRoles",
"iam:ListUserPolicies",
"iam:CreateUser",
"iam:TagUser",
"iam:GetUserPolicy",
"iam:ListAttachedRolePolicies",
"iam:ListUsers",
"iam:GetUser",
"iam:GetUserPolicy",
"iam:ListAccessKeys",
"iam:ListRolePolicies",
"iam:ListAccountAliases",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole",
"sts:GetCallerIdentity"
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:ListUserPolicies",
"iam:ListUsers",
"iam:TagRole",
"iam:TagUser",
"iam:UntagRole",
"iam:UntagUser"
],
"Resource": "*"
},
Expand All @@ -106,15 +113,14 @@
"Sid": "S3Bucket",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetBucketLocation",
"s3:GetBucketTagging",
"s3:GetObject",
"s3:ListAllMyBuckets",
"s3:CreateBucket",
"s3:ListBucket",
"s3:PutObject",
"s3:PutObjectTagging",
"s3:putBucketTagging",
"s3:GetBucketTagging",
"s3:GetBucketLocation"
"s3:putBucketTagging"
],
"Resource": "*"
},
Expand All @@ -131,8 +137,17 @@
"Sid": "CloudWatch",
"Effect": "Allow",
"Action": [
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics"
"cloudwatch:GetMetricStatistics",
"cloudwatch:GetMetricData"
],
"Resource": "*"
},
{
"Sid": "RDS",
"Effect": "Allow",
"Action": [
"rds:AddTagsToResource",
"rds:DescribeDBInstances"
],
"Resource": "*"
}
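Review bot: This second policy's EC2ResourceLevel and IAM statements are Describe/List/Get only, which reads as the read-only variant of the policy above, yet the hunks add mutating tag actions to it: `tag:TagResources` in the first hunk, `elasticloadbalancing:RemoveTags`, `iam:TagRole`/`iam:TagUser`/`iam:UntagRole`/`iam:UntagUser`, and `rds:AddTagsToResource` in the new RDS statement, all with `"Resource": "*"`. If this file is meant to stay read-only those actions belong in the other policy; if tagging is intentional here, grouping the tag writes under their own statement, e.g. `"Sid": "TaggingWrite"`, would keep the Describe statements clean and make the write surface reviewable at a glance. The file name is not visible on the page, so the read-only role is inferred from the action set. The sorted action lists are now byte-identical in both policy files and will drift over time; if these documents are produced by the Terraform this commit describes, rendering the shared statements once via `templatefile` or `jsonencode` of a common local would remove the duplication.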
33 changes: 33 additions & 0 deletions iam/clouds/aws/CloudGovernanceInfra/README.md
@@ -0,0 +1,33 @@
## Create CloudGovernance Infra in the cloud

#### Requirements

- IAM User: to access cloud resources.
- IAM Policy: Least privilege principle
- S3-Bucket: To store the logs of cloud-governance policy runs.

### Pre-requisites

- Install [Terraform](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli).
- Configure IAM Access credentials. (Admin Privileges/ Required Permissions to create/delete an user/policy/bucket)

Steps to create Cloud Governance Infra resources:

- Download tar `CloudGovernanceInfra.tar` and untar the file.

```shell
curl -L https://github.com/redhat-performance/cloud-governance/raw/main/iam/clouds/aws/CloudGovernanceInfra.tar | tar -xzvf -
```

- Create CloudGovernance Infra: User, Policy and Bucket

```shell
terraform init
terraform apply -var=IAM_USERNAME="${USERNAME}" -var=IAM_POLICY_NAME="${IAM_POLICY_NAME}" -var =S3_BUCKET_NAME="${S3_BUCKET_NAME}"
```

- Destroy CloudGovernanceInfra

```shell
./create_infra.sh --username "$USERNAME" --s3-bucket-name "$BUCKET_NAME" --policy-type delete
```

0 comments on commit a7868c1
