From 637fec559a9599b11b00e4ebc4fa3708f3089aa7 Mon Sep 17 00:00:00 2001
From: Chris Wright
Date: Mon, 5 Aug 2024 14:53:24 +0100
Subject: [PATCH] Allow multiple role ARNs and Services in Pass Role policy

* Prevents needing to have multiple policies when more than 1 role needs to be passed to a service
---
 README.md                                     | 6 ++--
 ...r-infrastructure-service-scheduled-task.tf | 4 +--
 ecs-cluster-infrastructure.tf                 | 4 +--
 policies/pass-role.json.tpl                   | 6 ++--
 ...nfrastructure-s3-backups-scheduled-task.tf | 36 +++++--------------
 5 files changed, 17 insertions(+), 39 deletions(-)

diff --git a/README.md b/README.md
index c585d0c..3242a97 100644
--- a/README.md
+++ b/README.md
@@ -163,8 +163,7 @@ This project creates and manages resources within an AWS account for infrastruct
 | [aws_iam_policy.infrastructure_ecs_cluster_ssm_service_setting_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_rds_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_rds_s3_backups_cloudwatch_schedule_ecs_run_task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role_task_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_rds_s3_backups_image_codebuild_allow_builds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_rds_s3_backups_image_codebuild_cloudwatch_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_rds_s3_backups_image_codebuild_ecr_push](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -234,8 +233,7 @@ This project creates and manages resources within an AWS account for infrastruct
 | [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_ssm_service_setting_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_rds_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_cloudwatch_schedule_ecs_run_task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role_task_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_image_codebuild_allow_builds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_image_codebuild_cloudwatch_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_image_codebuild_ecr_push](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
diff --git a/ecs-cluster-infrastructure-service-scheduled-task.tf b/ecs-cluster-infrastructure-service-scheduled-task.tf
index 304e058..814d9bf 100644
--- a/ecs-cluster-infrastructure-service-scheduled-task.tf
+++ b/ecs-cluster-infrastructure-service-scheduled-task.tf
@@ -123,8 +123,8 @@ resource "aws_iam_policy" "infrastructure_ecs_cluster_service_scheduled_task_pas
   policy = templatefile(
     "${path.root}/policies/pass-role.json.tpl",
     {
-      role_arn = aws_iam_role.infrastructure_ecs_cluster_service_task_execution[each.value["container_name"]].arn
-      service  = "ecs-tasks.amazonaws.com"
+      role_arns = jsonencode([aws_iam_role.infrastructure_ecs_cluster_service_task_execution[each.value["container_name"]].arn])
+      services  = jsonencode(["ecs-tasks.amazonaws.com"])
     }
   )
 }
diff --git a/ecs-cluster-infrastructure.tf b/ecs-cluster-infrastructure.tf
index e611dbd..40c9c55 100644
--- a/ecs-cluster-infrastructure.tf
+++ b/ecs-cluster-infrastructure.tf
@@ -74,8 +74,8 @@ resource "aws_iam_policy" "infrastructure_ecs_cluster_pass_role_ssm_dhmc" {
   policy = templatefile(
     "${path.root}/policies/pass-role.json.tpl",
     {
-      role_arn = "arn:aws:iam::${local.aws_account_id}:role/${data.external.ssm_dhmc_setting[0].result.setting_value}",
-      service  = "ssm.amazonaws.com"
+      role_arns = jsonencode(["arn:aws:iam::${local.aws_account_id}:role/${data.external.ssm_dhmc_setting[0].result.setting_value}"])
+      services  = jsonencode(["ssm.amazonaws.com"])
     }
   )
 }
diff --git a/policies/pass-role.json.tpl b/policies/pass-role.json.tpl
index 2d3d8f4..96b265b 100644
--- a/policies/pass-role.json.tpl
+++ b/policies/pass-role.json.tpl
@@ -6,12 +6,10 @@
       "Action": [
         "iam:PassRole"
       ],
-      "Resource": "${role_arn}",
+      "Resource": ${role_arns},
       "Condition": {
         "StringEquals": {
-          "iam:PassedToService": [
-            "${service}"
-          ]
+          "iam:PassedToService": ${services}
         }
       }
     }
diff --git a/rds-infrastructure-s3-backups-scheduled-task.tf b/rds-infrastructure-s3-backups-scheduled-task.tf
index 92f4ee5..07a3a24 100644
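Review bot: The template now splices `${role_arns}` and `${services}` into the policy document as raw text, so it only yields valid JSON when every caller remembers to wrap its value in `jsonencode(...)`; a caller that passes a bare string or list produces an unquoted ARN or a template error rather than a typed mistake. Doing the encoding in the template, `"Resource": ${jsonencode(role_arns)},` and `"iam:PassedToService": ${jsonencode(services)}`, lets the three call sites in this patch pass plain lists (`role_arns = [...]`, `services = [...]`) and keeps the JSON shape under the template's control. The surrounding policy object is the same one the template already emits, so the StringEquals scoping to the named services is unchanged.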
--- a/rds-infrastructure-s3-backups-scheduled-task.tf
+++ b/rds-infrastructure-s3-backups-scheduled-task.tf
@@ -24,7 +24,7 @@ resource "aws_iam_role_policy_attachment" "infrastructure_rds_s3_backups_cloudwa
   policy_arn = aws_iam_policy.infrastructure_rds_s3_backups_cloudwatch_schedule_ecs_run_task[each.key].arn
 }
 
-resource "aws_iam_policy" "infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role_execution_role" {
+resource "aws_iam_policy" "infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role" {
   for_each = local.enable_infrastructure_rds_backup_to_s3 ? local.infrastructure_rds : {}
 
   name = "${local.resource_prefix}-${substr(sha512("rds-s3-backups-cloudwatch-schedule-${each.key}-pass-role-execution-role"), 0, 6)}"
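Review bot: Renaming the resource address from `infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role_execution_role` to `infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role` without a `moved` block makes Terraform plan a destroy of the old policy and a create of the new one; the unchanged `name` context line seeds the same hash, so the create may fail with an IAM name conflict if it is ordered before the delete, and even when it succeeds the scheduler role has no iam:PassRole between the old attachment being detached and the new one attached. A `moved` block from the old address to the new one for this `aws_iam_policy`, and another for the `aws_iam_role_policy_attachment` renamed in the next hunk, keeps both in state and avoids that window. The hash seed also still says `-pass-role-execution-role` for a policy that now passes both roles; if it is kept to preserve the IAM name, a short comment saying so would stop the next reader from "fixing" it and forcing a replacement. The resource body continues in the next hunk.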
@@ -32,38 +32,20 @@ resource "aws_iam_policy" "infrastructure_rds_s3_backups_cloudwatch_schedule_pas
   policy = templatefile(
     "${path.root}/policies/pass-role.json.tpl",
     {
-      role_arn = aws_iam_role.infrastructure_rds_s3_backups_task_execution[each.key].arn
-      service  = "ecs-tasks.amazonaws.com"
+      role_arns = jsonencode([
+        aws_iam_role.infrastructure_rds_s3_backups_task_execution[each.key].arn,
+        aws_iam_role.infrastructure_rds_s3_backups_task[each.key].arn,
+      ])
+      services = jsonencode(["ecs-tasks.amazonaws.com"])
     }
   )
 }
 
-resource "aws_iam_role_policy_attachment" "infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role_execution_role" {
+resource "aws_iam_role_policy_attachment" "infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role" {
   for_each = local.enable_infrastructure_rds_backup_to_s3 ? local.infrastructure_rds : {}
 
   role       = aws_iam_role.infrastructure_rds_s3_backups_cloudwatch_schedule[each.key].name
-  policy_arn = aws_iam_policy.infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role_execution_role[each.key].arn
-}
-
-resource "aws_iam_policy" "infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role_task_role" {
-  for_each = local.enable_infrastructure_rds_backup_to_s3 ? local.infrastructure_rds : {}
-
-  name        = "${local.resource_prefix}-${substr(sha512("rds-s3-backups-cloudwatch-schedule-${each.key}-pass-role-task-role"), 0, 6)}"
-  description = "${local.resource_prefix}-rds-s3-backups-cloudwatch-schedule-${each.key}-pass-role-task-role"
-  policy = templatefile(
-    "${path.root}/policies/pass-role.json.tpl",
-    {
-      role_arn = aws_iam_role.infrastructure_rds_s3_backups_task[each.key].arn
-      service  = "ecs-tasks.amazonaws.com"
-    }
-  )
-}
-
-resource "aws_iam_role_policy_attachment" "infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role_task_role" {
-  for_each = local.enable_infrastructure_rds_backup_to_s3 ? local.infrastructure_rds : {}
-
-  role       = aws_iam_role.infrastructure_rds_s3_backups_cloudwatch_schedule[each.key].name
-  policy_arn = aws_iam_policy.infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role_task_role[each.key].arn
+  policy_arn = aws_iam_policy.infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role[each.key].arn
 }
 
 resource "aws_cloudwatch_event_rule" "infrastructure_rds_s3_backups_scheduled_task" {
@@ -101,6 +83,6 @@ resource "aws_cloudwatch_event_target" "infrastructure_rds_s3_backups_scheduled_
 
   depends_on = [
     aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_cloudwatch_schedule_ecs_run_task,
-    aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role_execution_role,
+    aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role,
   ]
 }