Skip to content

Commit

Permalink
Merge pull request #16 from dominodatalab/PLAT-3795-v4
Browse files Browse the repository at this point in the history 
PLAT-3795: Terraform module and IAM policies for deployment
  • Loading branch information
@Secretions
Secretions authored Dec 21, 2022
2 parents 26e5d81 + 278499a commit d0b4357
Show file tree
Hide file tree
Showing 7 changed files with 396 additions and 0 deletions.
158 changes: 158 additions & 0 deletions iam-bootstrap/bootstrap-0.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,158 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "S3Gated",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteBucketPolicy",
"s3:GetAccelerateConfiguration",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketPolicy",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetReplicationConfiguration",
"s3:*Object",
"s3:PutAccountPublicAccessBlock",
"s3:PutBucketAcl",
"s3:PutBucketLogging",
"s3:PutBucketPolicy",
"s3:PutBucketRequestPayment",
"s3:PutBucketTagging",
"s3:PutBucketVersioning",
"s3:PutBucketPublicAccessBlock",
"s3:PutEncryptionConfiguration"
],
"Resource": [
"arn:${partition}:s3:::${deploy_id}-*"
]
},
{
"Sid": "S3Ungated",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Resource": "*"
},
{
"Sid": "IAMGated",
"Effect": "Allow",
"Action": [
"iam:AddRoleToInstanceProfile",
"iam:AttachRolePolicy",
"iam:CreateInstanceProfile",
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:CreateRole",
"iam:CreateServiceLinkedRole",
"iam:DeleteInstanceProfile",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetInstanceProfile",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"iam:PassRole",
"iam:PutRolePolicy",
"iam:RemoveRoleFromInstanceProfile",
"iam:Tag*",
"iam:Untag*",
"iam:UpdateAssumeRolePolicy"
],
"Resource": [
"arn:${partition}:iam::${account_id}:policy/${deploy_id}-*",
"arn:${partition}:iam::${account_id}:role/${deploy_id}-*",
"arn:${partition}:iam::${account_id}:instance-profile/${deploy_id}-*",
"arn:${partition}:iam::${account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
]
},
{
"Sid": "IAMUngated",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:GetRolePolicy"
],
"Resource": "*"
},
{
"Sid": "LogsUngated",
"Effect": "Allow",
"Action": [
"ec2:CreateFlowLogs",
"ec2:DescribeFlowLogs",
"logs:CreateLogGroup",
"logs:CreateLogDelivery",
"logs:DescribeLogGroups",
"logs:ListTagsLogGroup",
"logs:ListTagsForResource"
],
"Resource": "*"
},
{
"Sid": "EKSUngated",
"Effect": "Allow",
"Action": [
"eks:*Addon*",
"eks:CreateCluster",
"eks:CreateNodegroup",
"eks:DescribeCluster",
"eks:DescribeNodegroup",
"eks:DescribeUpdate",
"eks:ListTagsForResource",
"eks:TagResource",
"eks:UntagResource"
],
"Resource": "*"
},
{
"Sid": "Route53Ungated",
"Effect": "Allow",
"Action": [
"route53:ListHostedZones",
"route53:GetHostedZone",
"route53:ListTagsForResource"
],
"Resource": "*"
},
{
"Sid": "BackupGated",
"Effect": "Allow",
"Action": [
"backup:*BackupPlan",
"backup:*BackupVault*",
"backup:CreateBackupSelection",
"backup:DeleteBackupSelection",
"backup:GetBackupSelection",
"backup:ListTags",
"backup:TagResource",
"backup:UntagResource"
],
"Resource": [
"arn:${partition}:backup:*:${account_id}:backup-vault:${deploy_id}-efs",
"arn:${partition}:backup:*:${account_id}:backup-plan:*"
]
}
]
}
133 changes: 133 additions & 0 deletions iam-bootstrap/bootstrap-1.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,133 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EFSUngated",
"Effect": "Allow",
"Action": [
"backup-storage:MountCapsule",
"elasticfilesystem:Backup",
"elasticfilesystem:CreateAccessPoint",
"elasticfilesystem:CreateFileSystem",
"elasticfilesystem:CreateMountTarget",
"elasticfilesystem:DescribeAccessPoints",
"elasticfilesystem:DescribeFileSystemPolicy",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeLifecycleConfiguration",
"elasticfilesystem:DescribeMountTargets",
"elasticfilesystem:DescribeMountTargetSecurityGroups",
"elasticfilesystem:ListTagsForResource",
"elasticfilesystem:ModifyMountTargetSecurityGroups",
"elasticfilesystem:TagResource",
"elasticfilesystem:UntagResource"
],
"Resource": "*"
},
{
"Sid": "EC2BastionGated",
"Effect": "Allow",
"Action": [
"ec2:ModifyInstanceAttribute",
"ec2:MonitorInstances",
"ec2:TerminateInstances"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Name": "${deploy_id}-bastion"
}
}
},
{
"Sid": "EC2GeneralUngated",
"Effect": "Allow",
"Action": [
"autoscaling:CreateAutoScalingGroup",
"autoscaling:CreateOrUpdateTags",
"autoscaling:DeleteTags",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeScalingActivities",
"autoscaling:DescribeScheduledActions",
"autoscaling:DescribeTags",
"autoscaling:UpdateAutoScalingGroup",
"ec2:*InternetGateway*",
"ec2:*NatGateway*",
"ec2:*NetworkAcl*",
"ec2:*NetworkInterface*",
"ec2:*Route*",
"ec2:*Subnet*",
"ec2:*Vpc*",
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateLaunchTemplate",
"ec2:CreateLaunchTemplateVersion",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:DeleteKeyPair",
"ec2:DeleteTags",
"ec2:Describe*",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeSecurityGroups",
"ec2:DisassociateAddress",
"ec2:GetLaunchTemplateData",
"ec2:ImportKeyPair",
"ec2:ModifyInstanceMetadataOptions",
"ec2:ReleaseAddress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RunInstances"
],
"Resource": [
"*"
]
},
{
"Sid": "KMSUngated",
"Effect": "Allow",
"Action": [
"kms:CreateGrant",
"kms:CreateAlias",
"kms:CreateKey",
"kms:DescribeKey",
"kms:EnableKeyRotation",
"kms:GenerateDataKey",
"kms:GetKeyRotationStatus",
"kms:GetKeyPolicy",
"kms:ListResourceTags",
"kms:PutKeyPolicy",
"kms:RetireGrant",
"kms:ScheduleKeyDeletion",
"kms:TagResource",
"kms:UpdateAlias"
],
"Resource": "*"
},
{
"Sid": "DeletesUngated",
"Effect": "Allow",
"Action": [
"autoscaling:DeleteAutoScalingGroup",
"ec2:DeleteFlowLogs",
"ec2:DeleteLaunchTemplate",
"ec2:DeleteSecurityGroup",
"eks:DeleteCluster",
"eks:DeleteNodegroup",
"elasticfilesystem:DeleteAccessPoint",
"elasticfilesystem:DeleteFileSystem",
"elasticfilesystem:DeleteMountTarget",
"kms:DeleteAlias",
"logs:DeleteLogDelivery",
"logs:DeleteLogGroup",
"s3:DeleteObjectVersion"
],
"Resource": "*"
}
]
}
47 changes: 47 additions & 0 deletions iam-bootstrap/iam.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
locals {
iam_policy_paths = length(var.iam_policy_paths) == 0 ? ["${path.module}/bootstrap-0.json", "${path.module}/bootstrap-1.json"] : var.iam_policy_paths
}

data "aws_caller_identity" "admin" {}
data "aws_partition" "current" {}

resource "aws_iam_policy" "deployment" {
count = length(local.iam_policy_paths)

name = "${var.deploy_id}-deployment-policy-${count.index}"

policy = templatefile(
abspath(pathexpand(local.iam_policy_paths[count.index])),
merge(
{
account_id = data.aws_caller_identity.admin.account_id,
deploy_id = var.deploy_id,
region = var.region,
partition = data.aws_partition.current.partition
},
var.template_config
)
)
}

resource "aws_iam_role" "deployment" {
name = "${var.deploy_id}-deployment-role"

assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
Sid = ""
Principal = {
AWS = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.admin.account_id}:root"
}
},
]
})

managed_policy_arns = aws_iam_policy.deployment[*].arn

max_session_duration = var.max_session_duration
}
4 changes: 4 additions & 0 deletions iam-bootstrap/outputs.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
output "role_arn" {
description = "ARN of bootstrap role"
value = aws_iam_role.deployment.arn
}
9 changes: 9 additions & 0 deletions iam-bootstrap/render.sh
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
#!/bin/bash

export deploy_id=example
export account_id=1234567890
export partition=aws

echo "Rendering bootstrap-*.json to bootstrap-render-*.json..."
cat bootstrap-0.json | envsubst > bootstrap-rendered-0.json
cat bootstrap-1.json | envsubst > bootstrap-rendered-1.json
32 changes: 32 additions & 0 deletions iam-bootstrap/variables.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
variable "deploy_id" {
type = string
description = "Domino Deployment ID"

validation {
condition = can(regex("^[a-z-0-9]{3,32}$", var.deploy_id))
error_message = "Argument deploy_id must: start with a letter, contain lowercase alphanumeric characters(can contain hyphens[-]) with length between 3 and 32 characters."
}
}

variable "region" {
type = string
description = "AWS region for the deployment"
}

variable "iam_policy_paths" {
type = list(any)
description = "IAM policies to provision and use for deployment role, can be terraform templates"
default = []
}

variable "template_config" {
type = map
description = "Variables to use for any templating in the IAM policies. AWS account ID (as 'account_id'), deploy_id, region and partition are automatically included."
default = {}
}

variable "max_session_duration" {
type = number
description = "Maximum session duration for role in seconds"
default = 43200
}
Loading

0 comments on commit d0b4357

Please sign in to comment.