From 1c1abdaee529d975b7b660f6405ea4c8ee7900ee Mon Sep 17 00:00:00 2001
From: miguelhar <98769216+miguelhar@users.noreply.github.com>
Date: Thu, 8 Jun 2023 12:09:53 -0400
Subject: [PATCH] PLAT-6776 Adds RP delete perms (#104)

* PLAT-6776 Adds RP delete perms
* Adds additional delay for eks create assume
---
 README.md | 2 +-
 iam-bootstrap/bootstrap-0.json | 336 ++++++++++++++++-----------------
 iam.tf | 4 +-
 versions.tf | 2 +-
 4 files changed, 172 insertions(+), 172 deletions(-)
diff --git a/README.md b/README.md
index b63cbf80..cf799fa7 100644
--- a/README.md
+++ b/README.md
@@ -106,7 +106,7 @@ aws s3 rb s3://"${AWS_TERRAFORM_REMOTE_STATE_BUCKET}" --force
 | [aws_key_pair.domino](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair) | resource |
 | [aws_kms_alias.domino](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_key.domino](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
-| [time_sleep.create_eks_role_10_seconds](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [time_sleep.create_eks_role_30_seconds](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [aws_caller_identity.aws_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_default_tags.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | data source |
 | [aws_ec2_instance_type.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_instance_type) | data source |
diff --git a/iam-bootstrap/bootstrap-0.json b/iam-bootstrap/bootstrap-0.json
index 2c495ac7..914a4c97 100644
--- a/iam-bootstrap/bootstrap-0.json
+++ b/iam-bootstrap/bootstrap-0.json
@@ -1,170 +1,170 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "S3Gated",
- "Effect": "Allow",
- "Action": [
- "s3:CreateBucket",
- "s3:DeleteBucket",
- "s3:DeleteBucketPolicy",
- "s3:GetAccelerateConfiguration",
- "s3:GetBucketAcl",
- "s3:GetBucketCORS",
- "s3:GetBucketLocation",
- "s3:GetBucketLogging",
- "s3:GetBucketObjectLockConfiguration",
- "s3:GetBucketOwnershipControls",
- "s3:GetBucketPolicy",
- "s3:GetBucketPublicAccessBlock",
- "s3:GetBucketRequestPayment",
- "s3:GetBucketTagging",
- "s3:GetBucketVersioning",
- "s3:GetBucketWebsite",
- "s3:GetEncryptionConfiguration",
- "s3:GetLifecycleConfiguration",
- "s3:GetReplicationConfiguration",
- "s3:*Object",
- "s3:PutAccountPublicAccessBlock",
- "s3:PutBucketAcl",
- "s3:PutBucketLogging",
- "s3:PutBucketOwnershipControls",
- "s3:PutBucketPolicy",
- "s3:PutBucketRequestPayment",
- "s3:PutBucketTagging",
- "s3:PutBucketVersioning",
- "s3:PutBucketPublicAccessBlock",
- "s3:PutEncryptionConfiguration"
- ],
- "Resource": [
- "arn:${partition}:s3:::${deploy_id}-*"
- ]
- },
- {
- "Sid": "S3Ungated",
- "Effect": "Allow",
- "Action": [
- "s3:GetBucketLocation",
- "s3:ListAllMyBuckets",
- "s3:ListBucket",
- "s3:ListBucketVersions"
- ],
- "Resource": "*"
- },
- {
- "Sid": "IAMGated",
- "Effect": "Allow",
- "Action": [
- "iam:AddRoleToInstanceProfile",
- "iam:AttachRolePolicy",
- "iam:CreateInstanceProfile",
- "iam:CreateOpenIDConnectProvider",
- "iam:CreatePolicy",
- "iam:CreatePolicyVersion",
- "iam:CreateRole",
- "iam:CreateServiceLinkedRole",
- "iam:DeleteInstanceProfile",
- "iam:DeleteOpenIDConnectProvider",
- "iam:DeletePolicy",
- "iam:DeletePolicyVersion",
- "iam:DeleteRole",
- "iam:DeleteRolePolicy",
- "iam:DetachRolePolicy",
- "iam:GetInstanceProfile",
- "iam:GetOpenIDConnectProvider",
- "iam:PassRole",
- "iam:PutRolePolicy",
- "iam:RemoveRoleFromInstanceProfile",
- "iam:Tag*",
- "iam:Untag*",
- "iam:UpdateAssumeRolePolicy",
- "sts:AssumeRole"
- ],
- "Resource": [
- "arn:${partition}:iam::${account_id}:policy/${deploy_id}-*",
- "arn:${partition}:iam::${account_id}:role/${deploy_id}-*",
- "arn:${partition}:iam::${account_id}:instance-profile/${deploy_id}-*",
- "arn:${partition}:iam::${account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
- "arn:${partition}:iam::${account_id}:oidc-provider/oidc.eks*"
- ]
- },
- {
- "Sid": "IAMUngated",
- "Effect": "Allow",
- "Action": [
- "iam:GetPolicy",
- "iam:GetPolicyVersion",
- "iam:GetRole",
- "iam:GetRolePolicy",
- "iam:ListAttachedRolePolicies",
- "iam:ListInstanceProfilesForRole",
- "iam:ListPolicies",
- "iam:ListPolicyVersions",
- "iam:ListRolePolicies",
- "iam:TagRole"
- ],
- "Resource": "*"
- },
- {
- "Sid": "LogsUngated",
- "Effect": "Allow",
- "Action": [
- "ec2:CreateFlowLogs",
- "ec2:DescribeFlowLogs",
- "logs:CreateLogGroup",
- "logs:CreateLogDelivery",
- "logs:DescribeLogGroups",
- "logs:ListTagsLogGroup",
- "logs:ListTagsForResource",
- "logs:PutRetentionPolicy",
- "logs:TagLogGroup"
- ],
- "Resource": "*"
- },
- {
- "Sid": "EKSUngated",
- "Effect": "Allow",
- "Action": [
- "eks:*Addon*",
- "eks:CreateCluster",
- "eks:CreateNodegroup",
- "eks:DescribeCluster",
- "eks:DescribeNodegroup",
- "eks:DescribeUpdate",
- "eks:ListTagsForResource",
- "eks:TagResource",
- "eks:UntagResource",
- "eks:UpdateNodegroupVersion"
- ],
- "Resource": "*"
- },
- {
- "Sid": "Route53Ungated",
- "Effect": "Allow",
- "Action": [
- "route53:ListHostedZones",
- "route53:GetHostedZone",
- "route53:ListTagsForResource"
- ],
- "Resource": "*"
- },
- {
- "Sid": "BackupGated",
- "Effect": "Allow",
- "Action": [
- "backup:*BackupPlan",
- "backup:*BackupVault*",
- "backup:CreateBackupSelection",
- "backup:DeleteBackupSelection",
- "backup:GetBackupSelection",
- "backup:ListTags",
- "backup:TagResource",
- "backup:UntagResource"
- ],
- "Resource": [
- "arn:${partition}:backup:*:${account_id}:backup-vault:${deploy_id}-efs",
- "arn:${partition}:backup:*:${account_id}:backup-plan:*"
- ]
- }
- ]
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "S3Gated",
+ "Effect": "Allow",
+ "Action": [
+ "s3:CreateBucket",
+ "s3:DeleteBucket",
+ "s3:DeleteBucketPolicy",
+ "s3:GetAccelerateConfiguration",
+ "s3:GetBucketAcl",
+ "s3:GetBucketCORS",
+ "s3:GetBucketLocation",
+ "s3:GetBucketLogging",
+ "s3:GetBucketObjectLockConfiguration",
+ "s3:GetBucketOwnershipControls",
+ "s3:GetBucketPolicy",
+ "s3:GetBucketPublicAccessBlock",
+ "s3:GetBucketRequestPayment",
+ "s3:GetBucketTagging",
+ "s3:GetBucketVersioning",
+ "s3:GetBucketWebsite",
+ "s3:GetEncryptionConfiguration",
+ "s3:GetLifecycleConfiguration",
+ "s3:GetReplicationConfiguration",
+ "s3:*Object",
+ "s3:PutAccountPublicAccessBlock",
+ "s3:PutBucketAcl",
+ "s3:PutBucketLogging",
+ "s3:PutBucketOwnershipControls",
+ "s3:PutBucketPolicy",
+ "s3:PutBucketRequestPayment",
+ "s3:PutBucketTagging",
+ "s3:PutBucketVersioning",
+ "s3:PutBucketPublicAccessBlock",
+ "s3:PutEncryptionConfiguration"
+ ],
+ "Resource": ["arn:${partition}:s3:::${deploy_id}-*"]
+ },
+ {
+ "Sid": "S3Ungated",
+ "Effect": "Allow",
+ "Action": [
+ "s3:GetBucketLocation",
+ "s3:ListAllMyBuckets",
+ "s3:ListBucket",
+ "s3:ListBucketVersions"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "IAMGated",
+ "Effect": "Allow",
+ "Action": [
+ "iam:AddRoleToInstanceProfile",
+ "iam:AttachRolePolicy",
+ "iam:CreateInstanceProfile",
+ "iam:CreateOpenIDConnectProvider",
+ "iam:CreatePolicy",
+ "iam:CreatePolicyVersion",
+ "iam:CreateRole",
+ "iam:CreateServiceLinkedRole",
+ "iam:DeleteInstanceProfile",
+ "iam:DeleteOpenIDConnectProvider",
+ "iam:DeletePolicy",
+ "iam:DeletePolicyVersion",
+ "iam:DeleteRole",
+ "iam:DeleteRolePolicy",
+ "iam:DetachRolePolicy",
+ "iam:GetInstanceProfile",
+ "iam:GetOpenIDConnectProvider",
+ "iam:PassRole",
+ "iam:PutRolePolicy",
+ "iam:RemoveRoleFromInstanceProfile",
+ "iam:Tag*",
+ "iam:Untag*",
+ "iam:UpdateAssumeRolePolicy",
+ "sts:AssumeRole"
+ ],
+ "Resource": [
+ "arn:${partition}:iam::${account_id}:policy/${deploy_id}-*",
+ "arn:${partition}:iam::${account_id}:role/${deploy_id}-*",
+ "arn:${partition}:iam::${account_id}:instance-profile/${deploy_id}-*",
+ "arn:${partition}:iam::${account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
+ "arn:${partition}:iam::${account_id}:oidc-provider/oidc.eks*"
+ ]
+ },
+ {
+ "Sid": "IAMUngated",
+ "Effect": "Allow",
+ "Action": [
+ "iam:GetPolicy",
+ "iam:GetPolicyVersion",
+ "iam:GetRole",
+ "iam:GetRolePolicy",
+ "iam:ListAttachedRolePolicies",
+ "iam:ListInstanceProfilesForRole",
+ "iam:ListPolicies",
+ "iam:ListPolicyVersions",
+ "iam:ListRolePolicies",
+ "iam:TagRole"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "LogsUngated",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateFlowLogs",
+ "ec2:DescribeFlowLogs",
+ "logs:CreateLogGroup",
+ "logs:CreateLogDelivery",
+ "logs:DescribeLogGroups",
+ "logs:ListTagsLogGroup",
+ "logs:ListTagsForResource",
+ "logs:PutRetentionPolicy",
+ "logs:TagLogGroup"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "EKSUngated",
+ "Effect": "Allow",
+ "Action": [
+ "eks:*Addon*",
+ "eks:CreateCluster",
+ "eks:CreateNodegroup",
+ "eks:DescribeCluster",
+ "eks:DescribeNodegroup",
+ "eks:DescribeUpdate",
+ "eks:ListTagsForResource",
+ "eks:TagResource",
+ "eks:UntagResource",
+ "eks:UpdateNodegroupVersion"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "Route53Ungated",
+ "Effect": "Allow",
+ "Action": [
+ "route53:ListHostedZones",
+ "route53:GetHostedZone",
+ "route53:ListTagsForResource"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "BackupGated",
+ "Effect": "Allow",
+ "Action": [
+ "backup:*BackupPlan",
+ "backup:*BackupVault*",
+ "backup:CreateBackupSelection",
+ "backup:DeleteBackupSelection",
+ "backup:GetBackupSelection",
+ "backup:ListTags",
+ "backup:TagResource",
+ "backup:UntagResource",
+ "backup:DeleteRecoveryPoint"
+ ],
+ "Resource": [
+ "arn:${partition}:backup:*:${account_id}:backup-vault:${deploy_id}-efs",
+ "arn:${partition}:backup:*:${account_id}:backup-plan:*",
+ "arn:${partition}:backup:*:${account_id}:recovery-point:*"
+ ]
+ }
+ ]
 }
diff --git a/iam.tf b/iam.tf
index 910de578..e6621627 100644
--- a/iam.tf
+++ b/iam.tf
@@ -107,7 +107,7 @@ resource "aws_iam_role_policy_attachment" "create_eks_role" {
 policy_arn = aws_iam_policy.create_eks_role.arn
 }
-resource "time_sleep" "create_eks_role_10_seconds" {
- create_duration = "10s"
+resource "time_sleep" "create_eks_role_30_seconds" {
+ create_duration = "30s"
 depends_on = [aws_iam_role_policy_attachment.create_eks_role]
 }
diff --git a/versions.tf b/versions.tf
index 87f930a2..a00ef96b 100644
--- a/versions.tf
+++ b/versions.tf
@@ -38,6 +38,6 @@ provider "aws" {
 assume_role {
 # https://github.com/hashicorp/terraform/issues/30690
 # https://github.com/hashicorp/terraform/issues/2430
- role_arn = "${aws_iam_role.create_eks_role.arn}${time_sleep.create_eks_role_10_seconds.id == "nil" ? "" : ""}"
+ role_arn = "${aws_iam_role.create_eks_role.arn}${time_sleep.create_eks_role_30_seconds.id == "nil" ? "" : ""}"
 }
 }