PLAT-6776 Adds RP delete perms (#104)
* PLAT-6776 Adds RP delete perms

* Adds additional delay for eks create assume
miguelhar authored Jun 8, 2023
1 parent f579ea6 commit 1c1abda
Showing 4 changed files with 172 additions and 172 deletions.
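--- a/README.md
+++ b/README.md
@@ -106,7 +106,7 @@ aws s3 rb s3://"${AWS_TERRAFORM_REMOTE_STATE_BUCKET}" --force
 | [aws_key_pair.domino](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair) | resource |
 | [aws_kms_alias.domino](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_key.domino](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
-| [time_sleep.create_eks_role_10_seconds](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [time_sleep.create_eks_role_30_seconds](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [aws_caller_identity.aws_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_default_tags.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | data source |
 | [aws_ec2_instance_type.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_instance_type) | data source |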
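--- a/iam-bootstrap/bootstrap-0.json
+++ b/iam-bootstrap/bootstrap-0.json
@@ -1,170 +1,170 @@
 {
-"Version": "2012-10-17",
-"Statement": [
-{
-"Sid": "S3Gated",
-"Effect": "Allow",
-"Action": [
-"s3:CreateBucket",
-"s3:DeleteBucket",
-"s3:DeleteBucketPolicy",
-"s3:GetAccelerateConfiguration",
-"s3:GetBucketAcl",
-"s3:GetBucketCORS",
-"s3:GetBucketLocation",
-"s3:GetBucketLogging",
-"s3:GetBucketObjectLockConfiguration",
-"s3:GetBucketOwnershipControls",
-"s3:GetBucketPolicy",
-"s3:GetBucketPublicAccessBlock",
-"s3:GetBucketRequestPayment",
-"s3:GetBucketTagging",
-"s3:GetBucketVersioning",
-"s3:GetBucketWebsite",
-"s3:GetEncryptionConfiguration",
-"s3:GetLifecycleConfiguration",
-"s3:GetReplicationConfiguration",
-"s3:*Object",
-"s3:PutAccountPublicAccessBlock",
-"s3:PutBucketAcl",
-"s3:PutBucketLogging",
-"s3:PutBucketOwnershipControls",
-"s3:PutBucketPolicy",
-"s3:PutBucketRequestPayment",
-"s3:PutBucketTagging",
-"s3:PutBucketVersioning",
-"s3:PutBucketPublicAccessBlock",
-"s3:PutEncryptionConfiguration"
-],
-"Resource": [
-"arn:${partition}:s3:::${deploy_id}-*"
-]
-},
-{
-"Sid": "S3Ungated",
-"Effect": "Allow",
-"Action": [
-"s3:GetBucketLocation",
-"s3:ListAllMyBuckets",
-"s3:ListBucket",
-"s3:ListBucketVersions"
-],
-"Resource": "*"
-},
-{
-"Sid": "IAMGated",
-"Effect": "Allow",
-"Action": [
-"iam:AddRoleToInstanceProfile",
-"iam:AttachRolePolicy",
-"iam:CreateInstanceProfile",
-"iam:CreateOpenIDConnectProvider",
-"iam:CreatePolicy",
-"iam:CreatePolicyVersion",
-"iam:CreateRole",
-"iam:CreateServiceLinkedRole",
-"iam:DeleteInstanceProfile",
-"iam:DeleteOpenIDConnectProvider",
-"iam:DeletePolicy",
-"iam:DeletePolicyVersion",
-"iam:DeleteRole",
-"iam:DeleteRolePolicy",
-"iam:DetachRolePolicy",
-"iam:GetInstanceProfile",
-"iam:GetOpenIDConnectProvider",
-"iam:PassRole",
-"iam:PutRolePolicy",
-"iam:RemoveRoleFromInstanceProfile",
-"iam:Tag*",
-"iam:Untag*",
-"iam:UpdateAssumeRolePolicy",
-"sts:AssumeRole"
-],
-"Resource": [
-"arn:${partition}:iam::${account_id}:policy/${deploy_id}-*",
-"arn:${partition}:iam::${account_id}:role/${deploy_id}-*",
-"arn:${partition}:iam::${account_id}:instance-profile/${deploy_id}-*",
-"arn:${partition}:iam::${account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
-"arn:${partition}:iam::${account_id}:oidc-provider/oidc.eks*"
-]
-},
-{
-"Sid": "IAMUngated",
-"Effect": "Allow",
-"Action": [
-"iam:GetPolicy",
-"iam:GetPolicyVersion",
-"iam:GetRole",
-"iam:GetRolePolicy",
-"iam:ListAttachedRolePolicies",
-"iam:ListInstanceProfilesForRole",
-"iam:ListPolicies",
-"iam:ListPolicyVersions",
-"iam:ListRolePolicies",
-"iam:TagRole"
-],
-"Resource": "*"
-},
-{
-"Sid": "LogsUngated",
-"Effect": "Allow",
-"Action": [
-"ec2:CreateFlowLogs",
-"ec2:DescribeFlowLogs",
-"logs:CreateLogGroup",
-"logs:CreateLogDelivery",
-"logs:DescribeLogGroups",
-"logs:ListTagsLogGroup",
-"logs:ListTagsForResource",
-"logs:PutRetentionPolicy",
-"logs:TagLogGroup"
-],
-"Resource": "*"
-},
-{
-"Sid": "EKSUngated",
-"Effect": "Allow",
-"Action": [
-"eks:*Addon*",
-"eks:CreateCluster",
-"eks:CreateNodegroup",
-"eks:DescribeCluster",
-"eks:DescribeNodegroup",
-"eks:DescribeUpdate",
-"eks:ListTagsForResource",
-"eks:TagResource",
-"eks:UntagResource",
-"eks:UpdateNodegroupVersion"
-],
-"Resource": "*"
-},
-{
-"Sid": "Route53Ungated",
-"Effect": "Allow",
-"Action": [
-"route53:ListHostedZones",
-"route53:GetHostedZone",
-"route53:ListTagsForResource"
-],
-"Resource": "*"
-},
-{
-"Sid": "BackupGated",
-"Effect": "Allow",
-"Action": [
-"backup:*BackupPlan",
-"backup:*BackupVault*",
-"backup:CreateBackupSelection",
-"backup:DeleteBackupSelection",
-"backup:GetBackupSelection",
-"backup:ListTags",
-"backup:TagResource",
-"backup:UntagResource"
-],
-"Resource": [
-"arn:${partition}:backup:*:${account_id}:backup-vault:${deploy_id}-efs",
-"arn:${partition}:backup:*:${account_id}:backup-plan:*"
-]
-}
-]
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "S3Gated",
+"Effect": "Allow",
+"Action": [
+"s3:CreateBucket",
+"s3:DeleteBucket",
+"s3:DeleteBucketPolicy",
+"s3:GetAccelerateConfiguration",
+"s3:GetBucketAcl",
+"s3:GetBucketCORS",
+"s3:GetBucketLocation",
+"s3:GetBucketLogging",
+"s3:GetBucketObjectLockConfiguration",
+"s3:GetBucketOwnershipControls",
+"s3:GetBucketPolicy",
+"s3:GetBucketPublicAccessBlock",
+"s3:GetBucketRequestPayment",
+"s3:GetBucketTagging",
+"s3:GetBucketVersioning",
+"s3:GetBucketWebsite",
+"s3:GetEncryptionConfiguration",
+"s3:GetLifecycleConfiguration",
+"s3:GetReplicationConfiguration",
+"s3:*Object",
+"s3:PutAccountPublicAccessBlock",
+"s3:PutBucketAcl",
+"s3:PutBucketLogging",
+"s3:PutBucketOwnershipControls",
+"s3:PutBucketPolicy",
+"s3:PutBucketRequestPayment",
+"s3:PutBucketTagging",
+"s3:PutBucketVersioning",
+"s3:PutBucketPublicAccessBlock",
+"s3:PutEncryptionConfiguration"
+],
+"Resource": ["arn:${partition}:s3:::${deploy_id}-*"]
+},
+{
+"Sid": "S3Ungated",
+"Effect": "Allow",
+"Action": [
+"s3:GetBucketLocation",
+"s3:ListAllMyBuckets",
+"s3:ListBucket",
+"s3:ListBucketVersions"
+],
+"Resource": "*"
+},
+{
+"Sid": "IAMGated",
+"Effect": "Allow",
+"Action": [
+"iam:AddRoleToInstanceProfile",
+"iam:AttachRolePolicy",
+"iam:CreateInstanceProfile",
+"iam:CreateOpenIDConnectProvider",
+"iam:CreatePolicy",
+"iam:CreatePolicyVersion",
+"iam:CreateRole",
+"iam:CreateServiceLinkedRole",
+"iam:DeleteInstanceProfile",
+"iam:DeleteOpenIDConnectProvider",
+"iam:DeletePolicy",
+"iam:DeletePolicyVersion",
+"iam:DeleteRole",
+"iam:DeleteRolePolicy",
+"iam:DetachRolePolicy",
+"iam:GetInstanceProfile",
+"iam:GetOpenIDConnectProvider",
+"iam:PassRole",
+"iam:PutRolePolicy",
+"iam:RemoveRoleFromInstanceProfile",
+"iam:Tag*",
+"iam:Untag*",
+"iam:UpdateAssumeRolePolicy",
+"sts:AssumeRole"
+],
+"Resource": [
+"arn:${partition}:iam::${account_id}:policy/${deploy_id}-*",
+"arn:${partition}:iam::${account_id}:role/${deploy_id}-*",
+"arn:${partition}:iam::${account_id}:instance-profile/${deploy_id}-*",
+"arn:${partition}:iam::${account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
+"arn:${partition}:iam::${account_id}:oidc-provider/oidc.eks*"
+]
+},
+{
+"Sid": "IAMUngated",
+"Effect": "Allow",
+"Action": [
+"iam:GetPolicy",
+"iam:GetPolicyVersion",
+"iam:GetRole",
+"iam:GetRolePolicy",
+"iam:ListAttachedRolePolicies",
+"iam:ListInstanceProfilesForRole",
+"iam:ListPolicies",
+"iam:ListPolicyVersions",
+"iam:ListRolePolicies",
+"iam:TagRole"
+],
+"Resource": "*"
+},
+{
+"Sid": "LogsUngated",
+"Effect": "Allow",
+"Action": [
+"ec2:CreateFlowLogs",
+"ec2:DescribeFlowLogs",
+"logs:CreateLogGroup",
+"logs:CreateLogDelivery",
+"logs:DescribeLogGroups",
+"logs:ListTagsLogGroup",
+"logs:ListTagsForResource",
+"logs:PutRetentionPolicy",
+"logs:TagLogGroup"
+],
+"Resource": "*"
+},
+{
+"Sid": "EKSUngated",
+"Effect": "Allow",
+"Action": [
+"eks:*Addon*",
+"eks:CreateCluster",
+"eks:CreateNodegroup",
+"eks:DescribeCluster",
+"eks:DescribeNodegroup",
+"eks:DescribeUpdate",
+"eks:ListTagsForResource",
+"eks:TagResource",
+"eks:UntagResource",
+"eks:UpdateNodegroupVersion"
+],
+"Resource": "*"
+},
+{
+"Sid": "Route53Ungated",
+"Effect": "Allow",
+"Action": [
+"route53:ListHostedZones",
+"route53:GetHostedZone",
+"route53:ListTagsForResource"
+],
+"Resource": "*"
+},
+{
+"Sid": "BackupGated",
+"Effect": "Allow",
+"Action": [
+"backup:*BackupPlan",
+"backup:*BackupVault*",
+"backup:CreateBackupSelection",
+"backup:DeleteBackupSelection",
+"backup:GetBackupSelection",
+"backup:ListTags",
+"backup:TagResource",
+"backup:UntagResource",
+"backup:DeleteRecoveryPoint"
+],
+"Resource": [
+"arn:${partition}:backup:*:${account_id}:backup-vault:${deploy_id}-efs",
+"arn:${partition}:backup:*:${account_id}:backup-plan:*",
+"arn:${partition}:backup:*:${account_id}:recovery-point:*"
+]
+}
+]
 }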
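Review bot: The new `backup:DeleteRecoveryPoint` grant is scoped to `arn:${partition}:backup:*:${account_id}:recovery-point:*`, which matches every recovery point in the account rather than only those in the `${deploy_id}-efs` vault that the rest of BackupGated is pinned to; a recovery-point ARN carries no vault name, so the ARN pattern alone cannot narrow it. Since `BackupGated` already allows the full `backup:*BackupPlan` and `backup:*BackupVault*` families, this statement is now the one place in the bootstrap policy that can irreversibly destroy data outside the `${deploy_id}-*` namespace, and that widening is not mentioned in the commit or the policy. If the deploy's backup plan tags its recovery points, a `"Condition": {"StringEquals": {"aws:ResourceTag/<key>": "<value>"}}` on this action would presumably keep deletes scoped to this deployment — confirm that AWS Backup honours resource-tag conditions for `DeleteRecoveryPoint` before relying on it. At minimum, a short note in the policy's README explaining why the recovery-point scope is account-wide would help the next reviewer.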
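--- a/iam.tf
+++ b/iam.tf
@@ -107,7 +107,7 @@ resource "aws_iam_role_policy_attachment" "create_eks_role" {
 policy_arn = aws_iam_policy.create_eks_role.arn
 }
 
-resource "time_sleep" "create_eks_role_10_seconds" {
-create_duration = "10s"
+resource "time_sleep" "create_eks_role_30_seconds" {
+create_duration = "30s"
 depends_on = [aws_iam_role_policy_attachment.create_eks_role]
 }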
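Review bot: `create_duration = "30s"` is a bare magic number; the commit message says it is extra delay for the EKS create-role assume, presumably to let the freshly attached policy propagate through IAM before the provider in versions.tf assumes `create_eks_role`, but nothing in the file records that, so the next person who hits the same race will bump it again blind. A comment on the resource such as `# IAM is eventually consistent: give the policy attachment time to propagate before versions.tf assumes create_eks_role` would capture the intent, and baking the duration into the resource name means every future tuning is a rename across README.md and versions.tf as well. Also, a `time_sleep` with no `triggers` only waits when the resource itself is created, so if the attachment is later changed in place the wait presumably does not re-run — worth confirming whether that matters for re-applies.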
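--- a/versions.tf
+++ b/versions.tf
@@ -38,6 +38,6 @@ provider "aws" {
 assume_role {
 # https://github.com/hashicorp/terraform/issues/30690
 # https://github.com/hashicorp/terraform/issues/2430
-role_arn = "${aws_iam_role.create_eks_role.arn}${time_sleep.create_eks_role_10_seconds.id == "nil" ? "" : ""}"
+role_arn = "${aws_iam_role.create_eks_role.arn}${time_sleep.create_eks_role_30_seconds.id == "nil" ? "" : ""}"
 }
 }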
