From f56b7722742a493cd9fee8de401dab5bcca05dea Mon Sep 17 00:00:00 2001 From: Thirumalesh Aaraveti Date: Wed, 11 Sep 2024 11:25:14 +0530 Subject: [PATCH] Create the cloud-governance infra: User, Policy, Bucket --- .../CloudGovernanceDeletePolicy.json | 136 +++++++++--------- .../CloudGovernanceInfra.tar | Bin 0 -> 50688 bytes .../CloudGovernanceReadPolicy.json | 85 ++++++----- .../aws/CloudGovernanceInfra/IAM/main.tf | 33 +++++ .../aws/CloudGovernanceInfra/IAM/output.tf | 8 ++ .../aws/CloudGovernanceInfra/IAM/variables.tf | 29 ++++ iam/clouds/aws/CloudGovernanceInfra/README.md | 67 +++++++++ .../aws/CloudGovernanceInfra/S3/main.tf | 7 + .../aws/CloudGovernanceInfra/S3/output.tf | 3 + .../aws/CloudGovernanceInfra/S3/variables.tf | 10 ++ iam/clouds/aws/CloudGovernanceInfra/main.tf | 11 ++ iam/clouds/aws/CloudGovernanceInfra/output.tf | 8 ++ .../aws/CloudGovernanceInfra/variables.tf | 29 ++++ jenkins/tenant/aws/README.md | 20 +-- 14 files changed, 338 insertions(+), 108 deletions(-) rename iam/clouds/aws/{ => CloudGovernanceInfra}/CloudGovernanceDeletePolicy.json (84%) create mode 100644 iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceInfra.tar rename iam/clouds/aws/{ => CloudGovernanceInfra}/CloudGovernanceReadPolicy.json (79%) create mode 100644 iam/clouds/aws/CloudGovernanceInfra/IAM/main.tf create mode 100644 iam/clouds/aws/CloudGovernanceInfra/IAM/output.tf create mode 100644 iam/clouds/aws/CloudGovernanceInfra/IAM/variables.tf create mode 100644 iam/clouds/aws/CloudGovernanceInfra/README.md create mode 100644 iam/clouds/aws/CloudGovernanceInfra/S3/main.tf create mode 100644 iam/clouds/aws/CloudGovernanceInfra/S3/output.tf create mode 100644 iam/clouds/aws/CloudGovernanceInfra/S3/variables.tf create mode 100644 iam/clouds/aws/CloudGovernanceInfra/main.tf create mode 100644 iam/clouds/aws/CloudGovernanceInfra/output.tf create mode 100644 iam/clouds/aws/CloudGovernanceInfra/variables.tf 
diff --git a/iam/clouds/aws/CloudGovernanceDeletePolicy.json b/iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceDeletePolicy.json
similarity index 84%
rename from iam/clouds/aws/CloudGovernanceDeletePolicy.json
rename to iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceDeletePolicy.json
index f2fa18701..98cc39a8d 100644
--- a/iam/clouds/aws/CloudGovernanceDeletePolicy.json
+++ b/iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceDeletePolicy.json
@@ -6,7 +6,13 @@
 "Effect": "Allow",
 "Action": [
 "ce:GetCostAndUsage",
- "ce:GetCostForecast"
+ "ce:GetCostForecast",
+ "tag:GetResources",
+ "tag:TagResources",
+ "support:DescribeTrustedAdvisorCheckResult",
+ "support:DescribeTrustedAdvisorChecks",
+ "resource-explorer-2:ListViews",
+ "resource-explorer-2:Search"
 ],
 "Resource": "*"
 },
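Review bot: `tag:TagResources` is granted on `"Resource": "*"` with no condition, so this user can write any tag key on any taggable resource in the account; in accounts that gate access or cost allocation on tags (`aws:ResourceTag` conditions), that is a privilege-escalation path rather than a cost-query permission. If cloud-governance only writes a known set of keys, move the tagging verbs into their own statement and pin them with `"Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": ["<governance-keys>"]}}`, leaving `ce:*`, `support:*` and `resource-explorer-2:*` unconditioned since they take no resource ARN. The `Sid` of this statement is outside the hunk.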
@@ -39,52 +45,49 @@ "Sid": "EC2ResourceLevel", "Effect": "Allow", "Action": [ - "ec2:DeregisterImage", - "ec2:DeleteSubnet", + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeLaunchConfigurations", + "ec2:AssociateDhcpOptions", + "ec2:DeleteDhcpOptions", + "ec2:DeleteInternetGateway", + "ec2:DeleteNatGateway", + "ec2:DeleteNetworkAcl", + "ec2:DeleteNetworkInterface", + "ec2:DeleteRouteTable", + "ec2:DeleteSecurityGroup", "ec2:DeleteSnapshot", - "ec2:DescribeAddresses", - "ec2:DescribeInstances", + "ec2:DeleteSubnet", + "ec2:DeleteVolume", + "ec2:DeleteVpc", "ec2:DeleteVpcEndpoints", "ec2:DeleteVpcPeeringConnection", - "autoscaling:DescribeLaunchConfigurations", - "ec2:DescribeRegions", - "ec2:CreateImage", - "ec2:CreateVpc", + "ec2:DeregisterImage", + "ec2:DescribeAddresses", "ec2:DescribeDhcpOptions", - "ec2:DescribeSnapshots", - "ec2:DeleteRouteTable", + "ec2:DescribeImages", + "ec2:DescribeInstanceTypes", + "ec2:DescribeInstances", "ec2:DescribeInternetGateways", - "ec2:DeleteVolume", - "ec2:DescribeNetworkInterfaces", - "autoscaling:DescribeAutoScalingGroups", - "ec2:DescribeVolumes", - "ec2:DeleteInternetGateway", + "ec2:DescribeNatGateways", "ec2:DescribeNetworkAcls", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeRegions", + "ec2:DescribeReservedInstances", "ec2:DescribeRouteTables", - "ec2:DeleteNetworkAcl", - "ec2:ReleaseAddress", - "ec2:AssociateDhcpOptions", - "ec2:TerminateInstances", - "ec2:DetachNetworkInterface", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSnapshots", + "ec2:DescribeSubnets", "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcPeeringConnections", - "ec2:ModifyNetworkInterfaceAttribute", - "ec2:DeleteNetworkInterface", + "ec2:DescribeVpcs", "ec2:DetachInternetGateway", - "ec2:DescribeNatGateways", - "ec2:StopInstances", + "ec2:DetachNetworkInterface", "ec2:DisassociateRouteTable", - "ec2:DescribeSecurityGroups", - "ec2:RevokeSecurityGroupIngress", - "ec2:DescribeImages", - 
"ec2:DescribeVpcs", - "ec2:DeleteSecurityGroup", - "ec2:DescribeInstanceTypes", - "ec2:DeleteDhcpOptions", - "ec2:DeleteNatGateway", - "ec2:DescribeVpcEndpoints", - "ec2:DeleteVpc", - "ec2:DescribeSubnets" + "ec2:ModifyNetworkInterfaceAttribute", + "ec2:ReleaseAddress", + "ec2:RevokeSecurityGroupIngress" ], "Resource": "*" }, @@ -95,7 +98,8 @@ "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DescribeTags", "elasticloadbalancing:AddTags", - "elasticloadbalancing:DescribeLoadBalancers" + "elasticloadbalancing:DescribeLoadBalancers", + "elasticloadbalancing:RemoveTags" ], "Resource": "*" }, @@ -103,32 +107,28 @@ "Sid": "IAM", "Effect": "Allow", "Action": [ - "iam:GetRole", - "iam:DeleteAccessKey", - "iam:DeleteGroup", - "iam:TagRole", + "iam:DeleteInstanceProfile", + "iam:DeletePolicy", + "iam:DeleteRole", + "iam:DeleteRolePolicy", "iam:DeleteUserPolicy", - "iam:ListRoles", - "iam:DeleteUser", - "iam:ListUserPolicies", - "iam:CreateUser", - "iam:TagUser", - "sts:AssumeRole", - "iam:RemoveUserFromGroup", - "iam:GetUserPolicy", - "iam:ListAttachedRolePolicies", - "iam:ListUsers", + "iam:DetachRolePolicy", + "iam:GetRole", "iam:GetUser", + "iam:GetUserPolicy", "iam:ListAccessKeys", - "iam:ListRolePolicies", "iam:ListAccountAliases", - "iam:DeleteRole", - "iam:DetachRolePolicy", - "iam:DeletePolicy", - "iam:DeleteRolePolicy", + "iam:ListAttachedRolePolicies", "iam:ListInstanceProfilesForRole", + "iam:ListRolePolicies", + "iam:ListRoles", + "iam:ListUserPolicies", + "iam:ListUsers", "iam:RemoveRoleFromInstanceProfile", - "sts:GetCallerIdentity" + "iam:TagRole", + "iam:TagUser", + "iam:UntagRole", + "iam:UntagUser" ], "Resource": "*" }, 
@@ -142,17 +142,16 @@
 "Sid": "S3Bucket",
 "Effect": "Allow",
 "Action": [
- "s3:PutObject",
+ "s3:DeleteBucket",
+ "s3:DeleteObject",
+ "s3:GetBucketLocation",
+ "s3:GetBucketTagging",
 "s3:GetObject",
 "s3:ListAllMyBuckets",
- "s3:CreateBucket",
 "s3:ListBucket",
+ "s3:PutObject",
 "s3:PutObjectTagging",
- "s3:DeleteObject",
- "s3:DeleteBucket",
- "s3:putBucketTagging",
- "s3:GetBucketTagging",
- "s3:GetBucketLocation"
+ "s3:putBucketTagging"
 ],
 "Resource": "*"
 },
@@ -173,6 +172,15 @@
 "cloudwatch:GetMetricData"
 ],
 "Resource": "*"
+ },
+ {
+ "Sid": "RDS",
+ "Effect": "Allow",
+ "Action": [
+ "rds:AddTagsToResource",
+ "rds:DescribeDBInstances"
+ ],
+ "Resource": "*"
 }
 ]
 }
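Review bot: `s3:DeleteBucket` and `s3:DeleteObject` are granted on `"Resource": "*"`, which covers the cloud-governance log bucket this same change provisions (`module.CreateBucket`) and every other bucket in the account, so a misfire of the delete policy can erase its own evidence. S3 actions accept bucket and object ARNs, so keep `s3:ListAllMyBuckets` and `s3:GetBucketLocation` on `*` and put the delete verbs in a statement whose `Resource` lists only the buckets the tool may clean, with the log bucket omitted or covered by an explicit `Deny`. `s3:putBucketTagging` is the only lower-cased action in the file; IAM matches action names case-insensitively, but normalising it to `s3:PutBucketTagging` stops readers taking it for a typo.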
diff --git a/iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceInfra.tar b/iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceInfra.tar new file mode 100644 index 0000000000000000000000000000000000000000..962ef3937c851328142d6e3a04775a87b1ae34c8 GIT binary patch literal 50688 zcmeGlU31&G(d|s9Q@5|}GftC-_9l`=Qj{#ud%8}x@Nbv> zZL6K=e|Xh~XN@SGZck||n$puqTT#31?iOi_?G}R``hn>|*UaG3_QIK2g%hfspH~&a z`)DNXWKd*D&4*R=yTAN?>$h85N2Wzyjmh6h{Dbed{s6x!{QeVu@&EtA?+QPI)6^Ir_KU?msWzOeQ+M0Xr6?IIrH;nFaQYK2dsVS5>usUvB}kx=Md{ zSKroq;AHsy!JAR*gBb)~i>Izn20si2FMs$zclU?(FVA+jJAE>SMu%^gHOlGu zb`^W%d$AM%t=|!gA^J2f)qj{DO8T#MI-vi$=#C-$uU!9;|1HA}gLxRVf@KEI?U@1m z?RJ>Gx1#;m(REGQf48Uj8ZD*$w+6AkysD`GnGGmr9;ns-1^ch7wH0aqZ9>{A>_5HR z-fb(={@Vl#?iB~>zZk90hE=EknxdBMKk)zL_dg?`z$eCg(ijYfqw&~yF?wqp>^I2A zZ9=ZhX-LTvV!rnc+ngDuWl`TZ-qGupHFd*D^8!|DylA2r89I_NnF30Q%-r$F~Ff3i}s$AqA8IiSz}7X7>Ngv>j2_f8_tIYyT@+Pul+* z5j$!BZ-mSb6-m+l7c&pkegD-3`(N*Nb!q=^LS`!L|8_@JdUE}D6CAi-9H{?dv_2bG zjs7d3?IrtP>q+}Rqo2qp47u76{v!=A^O@c6(F@ykz_7kDz1HBzv9UjTHh6t_YMhLo zAG~^r*8Ri`%&3K7nbRrt3;^K-c5vMw4J-6K_y=G?MUVP!=vkCBoNzidl7FGv%$?Zh z*T%U$r3`J<6CW^RXQnOyZqg6bVugf2*lA`u6X@1=-;G|Kf)9W{KAn)JO&Sf-1RVYj z_#tlS1kj(IM<215E%aVWoovNjY-P1?b}pb#k3Qm%K_!giSBD3~x5n|{^!uAegp1+4 z!OtDD^(YDjyXeLC4v8XJUV$fI2!T6&E2VOMYQArY$nAiTtSJIKf2PD>pvo={S3DB|1w&9g-=EQ zPs}_}tN#oBAM6E`@t=)IV}<|MhkZc(j*S0oga`MD1odBx)@P%t(SJpUZDz&&znz{g z*MBnt3VcdS(I8|HN}2Fi87vBV>N4NI?HH6Hw4b@LK&} zu>ZPBw=M0zO~_1z{ipOh?f$N`|2Dybd&L3zFG%aNVb$rsqAr~OP%-`|*MBk^ih4@V zX&6sm4`0AZ4cs)u7DV&sKYYzN3$1rFSlmw&zh{47H;t&CO1L5@5ZV8NH-OgZ|Kj>@ zr>)5RKO)$@2vgesi!}L)-W2SALGwVZ{x8`7x{moj{y$Cc$?tzgK!H!UJO5EU0g*ZfyuI?wFJK-8dye<|jJ3SWAsq*S zOkM&yvj3CKF=Dp=-(vk=hx3Qh|6jtkyDO6R|J~8@R|u(K{|lN2>c9Wx_-|M5$@Tw@ zNE6@w?{)i-f=k-}8)3n{A_4sur1jab>hxdJ%l3b#tIGZV836@8CCn#{qCLLOp6Ibg zo<_lemw3n-x5@{uN6FN^@a5iXfxNp5&@H2Mh9JK!zx9jnI-ifFPX8Cy|JAmxO8@`! 
z3BL*iY5%W6r7yNlw)scgJW#9u<@JA6Rdu=kzY&?^+y5OEa&qnV<@*0dcyOOc#A$st zs^$8xsBO3usBr#QZEG_ApV3d`6Q0FwyrCW*Xl?9~h6(Ks*z8fER- zBR|0l5})41B71@@hOQrsKFp_J@_SJmtkf8tpHnNq^1*cKzRwB<7M}Tq0tPLrY|*{v zG(bQDXYv{k`KI*&R95;7a9D88GG7{)7ufhDPBi70%TCP;Zkf-HuI}wer_sRuVf z(8*wOW&5r-yrkAUXa^^F^8i<9ROmnwCxJ{>j6h9w@6h&xH#UWATS#E`)8JJcQ`58H z^eU_Jb5gsJ3+)Zw^po4 zr=Tsi)wJg;Hb^LBTGLfqn8A8ffgH}E2dUzk7r?+(`vpU8LK3sN3#?eNV}5uBqgk=? zl{*b*OT}o_DQAj0 zu(CM|W`e92FIjnn3-y?fOcqBRW=8i8ZsLG!ij>*_%kBD$3?oWx*(x z@&z8TDfrFYI;IpeaR5gh_{8GJH2E~7G{O{)@HO)eP-Yj4F@MJy9ZV+h+3_g{6RWV4 z*Q`o}pc24AJfWXLB9YokODYs3s@R_jOOKBPPw2O+hM`$So5Up5!hA$SK1NlC|>-R;ryJY~M_# zyy{uvC`wUUhBbgo@a!{~S;~5K0ydKACu+4=dgZ>O1x_9~7pQ>g7bQ{SH7vYC*PJ{x zr)V|Z*7%NXgegEeiy*PD4cdEL=s3wRv!dLD@p(avc$H!9S*czkfBBvi1%n6ugw7!M zP_0c`V?9G+p_Ga1SKkE6qa-Qk`lF|4_Lm?kclJ0eCD~cQa8)w1gYiq8ea2=|Jn)o^`nBQ zMPjce;Y$WN^>CrUAq3G1;i+fZnJvD89OQUmVKTS?0qh;R?z?b4f=ixrQUN5$R{>H) z*gosK7{Bu6*C;Q`D_S>8I zd-2Eh)J=TQ6c&&gD?69#ZA~PaBb#iuk|YQ~IjR|F#hp+$)mE zP|h+n-=WrL!&kx&|0!N*`0>BpcE6)5GXIZw`rkJOaax~^tWN(s zTDKJc(=-+Gf64s+84X1}&0ve}l)@?A=olw#c|UN@J(Fes@!im~(i?#Bj^0LV2Y1DT zvw*km#`ntN^{iO-=;Iu2TWwkICpSBfK0;!lR<06WD{vF-C`($W_x!?=>*DRdMHJXN zS1EU)E$l|zE{-AIM;o0}E{z}>z*xf`6tf-0u!}Fhij9uKFaH9;t<(R7{69)Z>B#$E zMX7uduC)J)^!UpD%j|!46HF^OzjF%I>VG-^kD_;b^8VL5=K~L5h5g^@={>b8^Z)Qj z_C>uDr}Y_`YV}_)-~XlcG->~51Qhth_z%f^M#B@h{p-c(t#PoQzyAw2L_8tP#BLS6 zgjS&u7}Y*?d^@nOD6|N?kfL#(AQ%jXqw$!7pbB`Q!B=663uJR8=$4UWfEASdA28SI ze`g{8udYk`zmjKnS|IKJJ0<6@4OnLXi<<{(^?$+shvf6p{@;iwRoMSM4Kgsx{GS_P z!M!38r}f#eYV=3B)Fuc zbgB#&+~GE1dlF^Th%<;-)+*HIi+E?%(i$k@)*=u!iQZce?K?PI!BpPaj1d8j1B6gkk12|YI< zduTkkMu{TXIlHxJlN$(m0(7W`N^`f3HlAY@CnFMP;-lz72jH8~dYYgV%?r#>wdU!K;_+unt-iwi`cX r1c+zoHz7k;&{R1L%9R!5rx+7jrw=vPVhB`f30hJ>Qb1B*1q%Eh+O7N% literal 0 HcmV?d00001 
diff --git a/iam/clouds/aws/CloudGovernanceReadPolicy.json b/iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceReadPolicy.json
similarity index 79%
rename from iam/clouds/aws/CloudGovernanceReadPolicy.json
rename to iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceReadPolicy.json
index a67c8b894..3b6e75c90 100644
--- a/iam/clouds/aws/CloudGovernanceReadPolicy.json
+++ b/iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceReadPolicy.json
@@ -6,7 +6,13 @@
 "Effect": "Allow",
 "Action": [
 "ce:GetCostAndUsage",
- "ce:GetCostForecast"
+ "ce:GetCostForecast",
+ "tag:GetResources",
+ "tag:TagResources",
+ "support:DescribeTrustedAdvisorCheckResult",
+ "support:DescribeTrustedAdvisorChecks",
+ "resource-explorer-2:ListViews",
+ "resource-explorer-2:Search"
 ],
 "Resource": "*"
 },
@@ -14,6 +20,7 @@
 "Sid": "EC2AccountLevel",
 "Effect": "Allow",
 "Action": [
+ "ec2:DeleteTags",
 "ec2:CreateTags"
 ],
 "Resource": [
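Review bot: `ec2:DeleteTags` is a write action added to the policy named CloudGovernanceReadPolicy; together with `tag:TagResources` granted on `*` in the hunk above, the "read" user can add and strip tags account-wide, which matters wherever tags gate access (`aws:ResourceTag`, `aws:PrincipalTag`) or drive cost allocation. If tagging is an intended part of the read-only tier (the hourly tagging Jenkins job referenced elsewhere in this commit suggests it is), make that explicit with a dedicated `"Sid": "TaggingWrite"` statement conditioned on `aws:TagKeys`, and say in the README that "Read" means read-plus-tagging; otherwise move the tagging verbs to the delete policy. The `Resource` list this statement applies to starts on the hunk's last line and continues outside it, so whether `DeleteTags` is already narrowed by ARN cannot be checked here.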
@@ -38,29 +45,28 @@ "Sid": "EC2ResourceLevel", "Effect": "Allow", "Action": [ - "ec2:DescribeAddresses", - "ec2:DescribeInstances", + "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLaunchConfigurations", - "ec2:DescribeRegions", + "ec2:DescribeAddresses", "ec2:DescribeDhcpOptions", - "ec2:DescribeSnapshots", + "ec2:DescribeImages", + "ec2:DescribeInstanceTypes", + "ec2:DescribeInstances", "ec2:DescribeInternetGateways", - "ec2:DescribeNetworkInterfaces", - "autoscaling:DescribeAutoScalingGroups", - "ec2:DescribeVolumes", + "ec2:DescribeNatGateways", "ec2:DescribeNetworkAcls", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeRegions", + "ec2:DescribeReservedInstances", "ec2:DescribeRouteTables", - "ec2:ReleaseAddress", - "ec2:AssociateDhcpOptions", - "ec2:DescribeTags", - "ec2:DescribeVpcPeeringConnections", - "ec2:DescribeNatGateways", "ec2:DescribeSecurityGroups", - "ec2:DescribeImages", - "ec2:DescribeVpcs", - "ec2:DescribeInstanceTypes", + "ec2:DescribeSnapshots", + "ec2:DescribeSubnets", + "ec2:DescribeTags", + "ec2:DescribeVolumes", "ec2:DescribeVpcEndpoints", - "ec2:DescribeSubnets" + "ec2:DescribeVpcPeeringConnections", + "ec2:DescribeVpcs" ], "Resource": "*" }, @@ -70,7 +76,8 @@ "Action": [ "elasticloadbalancing:DescribeTags", "elasticloadbalancing:AddTags", - "elasticloadbalancing:DescribeLoadBalancers" + "elasticloadbalancing:DescribeLoadBalancers", + "elasticloadbalancing:RemoveTags" ], "Resource": "*" }, 
@@ -79,20 +86,20 @@ "Effect": "Allow", "Action": [ "iam:GetRole", - "iam:TagRole", - "iam:ListRoles", - "iam:ListUserPolicies", - "iam:CreateUser", - "iam:TagUser", - "iam:GetUserPolicy", - "iam:ListAttachedRolePolicies", - "iam:ListUsers", "iam:GetUser", + "iam:GetUserPolicy", "iam:ListAccessKeys", - "iam:ListRolePolicies", "iam:ListAccountAliases", + "iam:ListAttachedRolePolicies", "iam:ListInstanceProfilesForRole", - "sts:GetCallerIdentity" + "iam:ListRolePolicies", + "iam:ListRoles", + "iam:ListUserPolicies", + "iam:ListUsers", + "iam:TagRole", + "iam:TagUser", + "iam:UntagRole", + "iam:UntagUser" ], "Resource": "*" }, @@ -106,15 +113,14 @@ "Sid": "S3Bucket", "Effect": "Allow", "Action": [ - "s3:PutObject", + "s3:GetBucketLocation", + "s3:GetBucketTagging", "s3:GetObject", "s3:ListAllMyBuckets", - "s3:CreateBucket", "s3:ListBucket", + "s3:PutObject", "s3:PutObjectTagging", - "s3:putBucketTagging", - "s3:GetBucketTagging", - "s3:GetBucketLocation" + "s3:putBucketTagging" ], "Resource": "*" }, @@ -131,8 +137,17 @@ "Sid": "CloudWatch", "Effect": "Allow", "Action": [ - "cloudwatch:GetMetricData", - "cloudwatch:GetMetricStatistics" + "cloudwatch:GetMetricStatistics", + "cloudwatch:GetMetricData" + ], + "Resource": "*" + }, + { + "Sid": "RDS", + "Effect": "Allow", + "Action": [ + "rds:AddTagsToResource", + "rds:DescribeDBInstances" ], "Resource": "*" } diff --git a/iam/clouds/aws/CloudGovernanceInfra/IAM/main.tf b/iam/clouds/aws/CloudGovernanceInfra/IAM/main.tf new file mode 100644 index 000000000..26ac3af3c --- /dev/null +++ b/iam/clouds/aws/CloudGovernanceInfra/IAM/main.tf 
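Review bot: `iam:TagRole`, `iam:TagUser`, `iam:UntagRole` and `iam:UntagUser` on `"Resource": "*"` let the read-tier user rewrite tags on every IAM principal in the account; principal tags feed `aws:PrincipalTag` ABAC conditions, so this is a write-level grant sitting in a policy named ReadPolicy. Either drop the `Untag*` verbs from the read tier or condition all four on `"ForAllValues:StringEquals": {"aws:TagKeys": ["<governance-keys>"]}` so the user can only touch its own keys. Removing `iam:CreateUser` from this policy is the right direction; a short comment in the README noting that the read policy is tag-write-capable would keep the naming honest.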
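Review bot: the read policy keeps `s3:PutObject`, `s3:PutObjectTagging` and `s3:putBucketTagging` on `"Resource": "*"`, so the read-tier user can write objects into any bucket in the account rather than only the governance log bucket created by `module.CreateBucket` in this change. Limit the write verbs to that bucket, `"Resource": ["arn:aws:s3:::<S3_BUCKET_NAME>", "arn:aws:s3:::<S3_BUCKET_NAME>/*"]`, leaving `s3:ListAllMyBuckets` and the `GetBucket*` reads on `*`. Since the bucket name is already a Terraform variable, the JSON could be rendered with `templatefile()` instead of being a static file; how the IAM module loads the JSON is not visible here, so check this against that module.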
@@ -0,0 +1,33 @@ +provider "aws" { + region = var.AWS_DEFAULT_REGION +} + +data "aws_caller_identity" "current" {} + +resource "null_resource" "modify_file" { + provisioner "local-exec" { + command = < actions) IAM_POLICY_NAME=CloudGovernanceDeletePolicy + +- Download tar `CloudGovernanceInfra.tar` and untar the file. + +```shell +curl -L https://github.com/redhat-performance/cloud-governance/raw/main/iam/clouds/aws/CloudGovernanceInfra/CloudGovernanceInfra.tar | tar -xzvf - +``` + +- Create CloudGovernance Infra: S3_BUCKET. ( Only once) + +```shell +export ACCOUNT_NAME="" +export S3_BUCKET_NAME="${ACCOUNT_NAME}-" +terraform init +terraform apply -var=S3_BUCKET_NAME="$S3_BUCKET_NAME" -target=module.CreateBucket +``` + +- Create CloudGovernance Infra: User, Policy + +```shell +export IAM_USERNAME="cloud-governance-user" +export IAM_POLICY_NAME="CloudGovernanceReadPolicy" +terraform init +terraform apply -var=IAM_USERNAME="$IAM_USERNAME" -var=IAM_POLICY_NAME="$IAM_USERNAME" -target=module.CreateIAMInfra +``` + +- Create CloudGovernance Infra: User, Policy and Bucket + +```shell +export IAM_USERNAME="cloud-governance-user" +export IAM_POLICY_NAME="CloudGovernanceReadPolicy" +terraform init +terraform apply -var=IAM_USERNAME="$IAM_USERNAME" -var=IAM_POLICY_NAME="$IAM_USERNAME" -var=S3_BUCKET_NAME="$S3_BUCKET_NAME" +``` + +- To provide ACCESS_KEY_ID and SECRET_KEY_ID run below command + +```shell + terraform output SECRET_KEY_ID + terraform output ACCESS_KEY_ID + +``` + +- Destroy CloudGovernanceInfra + +```shell +terraform destroy -var=S3_BUCKET_NAME="$S3_BUCKET_NAME" -target=module.CreateBucket +terraform destroy -var=IAM_USERNAME="$IAM_USERNAME" -var=IAM_POLICY_NAME="$IAM_USERNAME" -var=S3_BUCKET_NAME="$S3_BUCKET_NAME" +terraform destroy -var=IAM_USERNAME="${IAM_USERNAME}" -var=IAM_POLICY_NAME="${IAM_POLICY_NAME}" -var=S3_BUCKET_NAME="${S3_BUCKET_NAME}" +``` 
diff --git a/iam/clouds/aws/CloudGovernanceInfra/S3/main.tf b/iam/clouds/aws/CloudGovernanceInfra/S3/main.tf
new file mode 100644
index 000000000..0a1ea64a8
--- /dev/null
+++ b/iam/clouds/aws/CloudGovernanceInfra/S3/main.tf
@@ -0,0 +1,7 @@
+provider "aws" {
+ region = var.AWS_DEFAULT_REGION
+}
+
+resource "aws_s3_bucket" "cloud-governance-bucket" {
+ bucket = var.S3_BUCKET_NAME
+}
diff --git a/iam/clouds/aws/CloudGovernanceInfra/S3/output.tf b/iam/clouds/aws/CloudGovernanceInfra/S3/output.tf
new file mode 100644
index 000000000..80d1af2fc
--- /dev/null
+++ b/iam/clouds/aws/CloudGovernanceInfra/S3/output.tf
@@ -0,0 +1,3 @@
+output "S_BUCKET_NAME" {
+ value = aws_s3_bucket.cloud-governance-bucket.bucket
+}
diff --git a/iam/clouds/aws/CloudGovernanceInfra/S3/variables.tf b/iam/clouds/aws/CloudGovernanceInfra/S3/variables.tf
new file mode 100644
index 000000000..b8d119d61
--- /dev/null
+++ b/iam/clouds/aws/CloudGovernanceInfra/S3/variables.tf
@@ -0,0 +1,10 @@
+variable "S3_BUCKET_NAME" {
+ type = string
+ description = "S3 BucketName to store logs"
+}
+
+variable "AWS_DEFAULT_REGION" {
+ type = string
+ description = "AWS Region default to us-east-2"
+ default = "us-east-2"
+}
diff --git a/iam/clouds/aws/CloudGovernanceInfra/main.tf b/iam/clouds/aws/CloudGovernanceInfra/main.tf
new file mode 100644
index 000000000..64033733e
--- /dev/null
+++ b/iam/clouds/aws/CloudGovernanceInfra/main.tf
@@ -0,0 +1,11 @@
+module "CreateIAMInfra" {
+ source = "./IAM"
+ IAM_POLICY_PATH = "${path.cwd}/${var.IAM_POLICY_NAME}.json"
+ IAM_USERNAME = var.IAM_USERNAME
+ IAM_POLICY_NAME = var.IAM_POLICY_NAME
+}
+
+module "CreateBucket" {
+ source = "./S3"
+ S3_BUCKET_NAME = var.S3_BUCKET_NAME
+}
diff --git a/iam/clouds/aws/CloudGovernanceInfra/output.tf b/iam/clouds/aws/CloudGovernanceInfra/output.tf
new file mode 100644
index 000000000..1ca4c5dd0
--- /dev/null
+++ b/iam/clouds/aws/CloudGovernanceInfra/output.tf
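Review bot: `aws_s3_bucket.cloud-governance-bucket` sets only `bucket`; for a bucket that receives governance logs and is later read by a Jenkins job, the expected hardening is absent: no public-access block, no explicit encryption, no versioning, no `prevent_destroy`. New buckets now get Block Public Access and SSE-S3 by default, but codifying them keeps the module safe in older accounts and partitions and makes the intent reviewable, and versioning protects log history against the `s3:DeleteObject` the delete policy grants on `*`. The companion resources below assume the AWS provider 4.x split of bucket sub-settings; no `required_providers` block is declared in this change, so pin one. Consider `lifecycle { prevent_destroy = true }` as well, since the README's `terraform destroy -target=module.CreateBucket` would otherwise drop the bucket with logs in it.
```hcl
resource "aws_s3_bucket" "cloud-governance-bucket" {
  bucket = var.S3_BUCKET_NAME
}

resource "aws_s3_bucket_public_access_block" "cloud-governance-bucket" {
  bucket                  = aws_s3_bucket.cloud-governance-bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "cloud-governance-bucket" {
  bucket = aws_s3_bucket.cloud-governance-bucket.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

resource "aws_s3_bucket_versioning" "cloud-governance-bucket" {
  bucket = aws_s3_bucket.cloud-governance-bucket.id
  versioning_configuration {
    status = "Enabled"
  }
}
```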
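Review bot: the module output is named `S_BUCKET_NAME`, which reads as a typo for `S3_BUCKET_NAME` and will propagate into every `module.CreateBucket.S_BUCKET_NAME` reference once the module has consumers; rename it now: `output "S3_BUCKET_NAME" {`. The root `output.tf` in this change does not surface the bucket name at all, so the rename breaks nothing, and re-exporting it from the root would let operators fill the `${account_name}-s3-bucket` Jenkins secret from `terraform output` instead of retyping the name.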
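Review bot: `IAM_POLICY_PATH = "${path.cwd}/${var.IAM_POLICY_NAME}.json"` resolves the policy file against the directory Terraform was launched from, not against this configuration, so running with `terraform -chdir=...`, from a CI wrapper, or with a different untar layout reads a missing or wrong JSON; `"${path.module}/${var.IAM_POLICY_NAME}.json"` pins it to where the two policy files live. The root `AWS_DEFAULT_REGION` variable declared in `variables.tf` is never passed to either module, so each module silently uses its own `us-east-2` default and a root `-var=AWS_DEFAULT_REGION=...` has no effect; add `AWS_DEFAULT_REGION = var.AWS_DEFAULT_REGION` to both module blocks. Both modules also carry their own `provider "aws"` block, which Terraform documents as legacy and which blocks `count`/`for_each`/`depends_on` on the module calls; move the provider to this root and let the modules inherit it.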
@@ -0,0 +1,8 @@
+output "SECRET_KEY_ID" {
+ value = module.CreateIAMInfra.SECRET_KEY_ID
+ sensitive = true
+}
+
+output "ACCESS_KEY_ID" {
+ value = module.CreateIAMInfra.ACCESS_KEY_ID
+}
diff --git a/iam/clouds/aws/CloudGovernanceInfra/variables.tf b/iam/clouds/aws/CloudGovernanceInfra/variables.tf
new file mode 100644
index 000000000..689587792
--- /dev/null
+++ b/iam/clouds/aws/CloudGovernanceInfra/variables.tf
@@ -0,0 +1,29 @@
+variable "IAM_USERNAME" {
+ type = string
+ description = "IAM User to run the CloudGovernance"
+ validation {
+ condition = var.IAM_USERNAME != ""
+ error_message = "Provide the IAM_USERNAME"
+ }
+}
+
+variable "IAM_POLICY_NAME" {
+ type = string
+ description = "IAM Policy to se the permissions for CloudGovernance user"
+ default = "CloudGovernanceReadPolicy"
+ validation {
+ condition = var.IAM_POLICY_NAME == "CloudGovernanceReadPolicy" || var.IAM_POLICY_NAME == "CloudGovernanceDeletePolicy"
+ error_message = "Mismatched policy name, Supported Values: CloudGovernanceReadPolicy, CloudGovernanceDeletePolicy"
+ }
+}
+
+variable "AWS_DEFAULT_REGION" {
+ type = string
+ description = "AWS Region default to us-east-2"
+ default = "us-east-2"
+}
+
+variable "S3_BUCKET_NAME" {
+ type = string
+ description = "S3 BucketName to store logs"
+}
diff --git a/jenkins/tenant/aws/README.md b/jenkins/tenant/aws/README.md
index afcae3a85..eb58efbbf 100644
--- a/jenkins/tenant/aws/README.md
+++ b/jenkins/tenant/aws/README.md
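Review bot: `sensitive = true` on `SECRET_KEY_ID` only redacts CLI display; the secret access key is still stored in cleartext in the Terraform state, and this configuration declares no `backend`, so it ends up in a local `terraform.tfstate` on whichever machine runs the README's `terraform apply`. Either configure an encrypted remote backend whose readers are exactly the operators allowed to hold that key, or avoid materialising the key in Terraform at all (create the access key out of band, or set `pgp_key` on the access-key resource so the state holds only an encrypted blob); the IAM module that presumably creates the key is garbled in this view, so verify there. A header comment stating the contract would help: `# Long-lived user credential: state must be treated as secret and the key rotated on a schedule.`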
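Review bot: `S3_BUCKET_NAME` has no default and no `validation`, so a name that breaks S3 rules (uppercase, underscores, more than 63 characters) is only rejected by the API at apply time, possibly after the IAM resources have already been created, and the README's IAM-only run (`-target=module.CreateIAMInfra` without `-var=S3_BUCKET_NAME`) will prompt for it or fail non-interactively, since root variables without defaults must always be set. Add a bucket-name check, e.g. `condition = can(regex("^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$", var.S3_BUCKET_NAME))`. The `IAM_USERNAME` check only rejects the empty string; IAM user names are limited to `[\w+=,.@-]{1,64}`, which a similar `regex` condition can enforce before the API does. The `IAM_POLICY_NAME` description has a typo: "to se the permissions" should read "to set the permissions".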
@@ -1,12 +1,14 @@ # How to run cloud-governance on Tenant Accounts Steps -1. Create AWS User and attach user by [CloudGovernanceDeletePolicy.json](../../../iam/clouds/aws/CloudGovernanceDeletePolicy.json). [ Note: Replace account_id with actual account id] -2. Create S3 bucket -3. Add kind secret-text to jenkins with below naming conventions - 1. ${account_name}-aws-access-key-id - 2. ${account_name}-aws-secret-key-id - 3. ${account_name}-s3-bucket -4. Create folder named that you want to run the cloud-governance policies and copy the file in templates. -5. Add account_name to account variable in this [PolicyJenkinsfileDaily](../aws/template/PolicyJenkinsfileDaily) and [TaggingJenkinsfileHourly](../aws/template/TaggingJenkinsfileHourly). -6. Create two Jenkins jobs by using this two Jenkinsfile + +1. Create IAM User with Read/Delete Permissions and create S3 bucket. + 1. Follow the instructions [README.md](..%2F..%2F..%2Fiam%2Fclouds%2Faws%2FCloudGovernanceInfra%2FREADME.md). +2. Add kind secret-text to jenkins with below naming conventions + 1. ${account_name}-aws-access-key-id + 2. ${account_name}-aws-secret-key-id + 3. ${account_name}-s3-bucket +3. Create folder named that you want to run the cloud-governance policies and copy the file in templates. +4. Add account_name to account variable in this [PolicyJenkinsfileDaily](../aws/template/PolicyJenkinsfileDaily) + and [TaggingJenkinsfileHourly](../aws/template/TaggingJenkinsfileHourly). +5. Create two Jenkins jobs by using this two Jenkinsfile