From f2efa6dadfbbb73247daccb91fc726c7e7c757a3 Mon Sep 17 00:00:00 2001 From: Shikha Mishra Date: Fri, 26 Mar 2021 14:29:17 +1300 Subject: [PATCH 1/4] added documentation --- README.md | 3 + examples/managed_role/main.tf | 237 ++++++++++++++++++++++++++++++ examples/resources/policy/main.tf | 215 +++++++++++++++++++++++++++ examples/resources/role/main.tf | 39 +++++ managed-role/README.md | 36 +++++ managed-role/main.tf | 19 +++ managed-role/outputs.tf | 22 +++ managed-role/vars.tf | 28 ++++ managed-role/versions.tf | 10 ++ resources/policy/README.md | 30 ++++ resources/policy/main.tf | 8 + resources/policy/outputs.tf | 10 ++ resources/policy/vars.tf | 13 ++ resources/policy/versions.tf | 10 ++ resources/role/README.md | 30 ++++ resources/role/main.tf | 6 + resources/role/outputs.tf | 10 ++ resources/role/vars.tf | 13 ++ resources/role/versions.tf | 10 ++ 19 files changed, 749 insertions(+) create mode 100644 examples/managed_role/main.tf create mode 100644 examples/resources/policy/main.tf create mode 100644 examples/resources/role/main.tf create mode 100644 managed-role/README.md create mode 100644 managed-role/main.tf create mode 100644 managed-role/outputs.tf create mode 100644 managed-role/vars.tf create mode 100644 managed-role/versions.tf create mode 100644 resources/policy/README.md create mode 100644 resources/policy/main.tf create mode 100644 resources/policy/outputs.tf create mode 100644 resources/policy/vars.tf create mode 100644 resources/policy/versions.tf create mode 100644 resources/role/README.md create mode 100644 resources/role/main.tf create mode 100644 resources/role/outputs.tf create mode 100644 resources/role/vars.tf create mode 100644 resources/role/versions.tf diff --git a/README.md b/README.md index 878be10..fe0ba08 100644 --- a/README.md +++ b/README.md 
@@ -8,6 +8,9 @@ These include * [Policy to Group](./policy-to-group/README.md) - Creates an IAM policy and group and created the attachment between them. * [Policy to Role](./policy-to-role/README.md) - Creates an IAM policy and attaches it with an existing Role. * [User to Group](./user-to-group/README.md) - Creates an IAM user and adds user to a list of groups. +* [Resources/role] (./resource/role/README.md) - Creates an IAM Role and attaches the provided assume role policy to the role. +* [Resources/policy] (./resource/policy/README.md) - Creates an IAM Policy with the provided policy document. +* [Managed Role] (./managed-role/README.md) - Creates an IAM role and attaches the policy to it. ## ADR's diff --git a/examples/managed_role/main.tf b/examples/managed_role/main.tf new file mode 100644 index 0000000..f24dcad --- /dev/null +++ b/examples/managed_role/main.tf 
@@ -0,0 +1,237 @@ +module "example" { + source = "../../managed_role" + + providers = { + aws = aws + } + policy_name = "JSONTESTPolicyAWSLoadBalancerController" + policy_description = "JSONTESTPolicy testing AWSLoadBalancerController" + policy_document = jsonencode(var.policy_document) + role_name = "JSONTESTROLEAWSLoadBalancerController" + assume_role_policy_document = jsonencode(var.assume_role_policy_document) + +} +provider "aws" { + region = var.region +} + +variable "region" { + default = "ap-southeast-2" +} + +variable "policy_document" { +default = { +"Version": "2012-10-17", +"Statement": [ +{ +"Effect": "Allow", +"Action": [ +"iam:CreateServiceLinkedRole", +"ec2:DescribeAccountAttributes", +"ec2:DescribeAddresses", +"ec2:DescribeInternetGateways", +"ec2:DescribeVpcs", +"ec2:DescribeSubnets", +"ec2:DescribeSecurityGroups", +"ec2:DescribeInstances", +"ec2:DescribeNetworkInterfaces", +"ec2:DescribeTags", +"ec2:GetCoipPoolUsage", +"ec2:DescribeCoipPools", +"elasticloadbalancing:DescribeLoadBalancers", +"elasticloadbalancing:DescribeLoadBalancerAttributes", +"elasticloadbalancing:DescribeListeners", +"elasticloadbalancing:DescribeListenerCertificates", +"elasticloadbalancing:DescribeSSLPolicies", +"elasticloadbalancing:DescribeRules", +"elasticloadbalancing:DescribeTargetGroups", +"elasticloadbalancing:DescribeTargetGroupAttributes", +"elasticloadbalancing:DescribeTargetHealth", +"elasticloadbalancing:DescribeTags" +], +"Resource": "*" +}, +{ +"Effect": "Allow", +"Action": [ +"cognito-idp:DescribeUserPoolClient", +"acm:ListCertificates", +"acm:DescribeCertificate", +"iam:ListServerCertificates", +"iam:GetServerCertificate", +"waf-regional:GetWebACL", +"waf-regional:GetWebACLForResource", +"waf-regional:AssociateWebACL", +"waf-regional:DisassociateWebACL", +"wafv2:GetWebACL", +"wafv2:GetWebACLForResource", +"wafv2:AssociateWebACL", +"wafv2:DisassociateWebACL", +"shield:GetSubscriptionState", +"shield:DescribeProtection", +"shield:CreateProtection", 
+"shield:DeleteProtection" +], +"Resource": "*" +}, +{ +"Effect": "Allow", +"Action": [ +"ec2:AuthorizeSecurityGroupIngress", +"ec2:RevokeSecurityGroupIngress" +], +"Resource": "*" +}, +{ +"Effect": "Allow", +"Action": [ +"ec2:CreateSecurityGroup" +], +"Resource": "*" +}, +{ +"Effect": "Allow", +"Action": [ +"ec2:CreateTags" +], +"Resource": "arn:aws:ec2:*:*:security-group/*", +"Condition": { +"StringEquals": { +"ec2:CreateAction": "CreateSecurityGroup" +}, +"Null": { +"aws:RequestTag/elbv2.k8s.aws/cluster": "false" +} +} +}, +{ +"Effect": "Allow", +"Action": [ +"ec2:CreateTags", +"ec2:DeleteTags" +], +"Resource": "arn:aws:ec2:*:*:security-group/*", +"Condition": { +"Null": { +"aws:RequestTag/elbv2.k8s.aws/cluster": "true", +"aws:ResourceTag/elbv2.k8s.aws/cluster": "false" +} +} +}, +{ +"Effect": "Allow", +"Action": [ +"ec2:AuthorizeSecurityGroupIngress", +"ec2:RevokeSecurityGroupIngress", +"ec2:DeleteSecurityGroup" +], +"Resource": "*", +"Condition": { +"Null": { +"aws:ResourceTag/elbv2.k8s.aws/cluster": "false" +} +} +}, +{ +"Effect": "Allow", +"Action": [ +"elasticloadbalancing:CreateLoadBalancer", +"elasticloadbalancing:CreateTargetGroup" +], +"Resource": "*", +"Condition": { +"Null": { +"aws:RequestTag/elbv2.k8s.aws/cluster": "false" +} +} +}, +{ +"Effect": "Allow", +"Action": [ +"elasticloadbalancing:CreateListener", +"elasticloadbalancing:DeleteListener", +"elasticloadbalancing:CreateRule", +"elasticloadbalancing:DeleteRule" +], +"Resource": "*" +}, +{ +"Effect": "Allow", +"Action": [ +"elasticloadbalancing:AddTags", +"elasticloadbalancing:RemoveTags" +], +"Resource": [ +"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*", +"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*", +"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*" +], +"Condition": { +"Null": { +"aws:RequestTag/elbv2.k8s.aws/cluster": "true", +"aws:ResourceTag/elbv2.k8s.aws/cluster": "false" +} +} +}, +{ +"Effect": "Allow", +"Action": [ 
+"elasticloadbalancing:ModifyLoadBalancerAttributes", +"elasticloadbalancing:SetIpAddressType", +"elasticloadbalancing:SetSecurityGroups", +"elasticloadbalancing:SetSubnets", +"elasticloadbalancing:DeleteLoadBalancer", +"elasticloadbalancing:ModifyTargetGroup", +"elasticloadbalancing:ModifyTargetGroupAttributes", +"elasticloadbalancing:DeleteTargetGroup" +], +"Resource": "*", +"Condition": { +"Null": { +"aws:ResourceTag/elbv2.k8s.aws/cluster": "false" +} +} +}, +{ +"Effect": "Allow", +"Action": [ +"elasticloadbalancing:RegisterTargets", +"elasticloadbalancing:DeregisterTargets" +], +"Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*" +}, +{ +"Effect": "Allow", +"Action": [ +"elasticloadbalancing:SetWebAcl", +"elasticloadbalancing:ModifyListener", +"elasticloadbalancing:AddListenerCertificates", +"elasticloadbalancing:RemoveListenerCertificates", +"elasticloadbalancing:ModifyRule" +], +"Resource": "*" +} +] +} +} + + +variable "assume_role_policy_document" { + default = { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws:iam::854489628483:oidc-provider/oidc.eks.ap-southeast-2.amazonaws.com/id/428AD43341BD31E3D94CF2A832841183" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "oidc.eks.ap-southeast-2.amazonaws.com/id/428AD43341BD31E3D94CF2A832841183:sub": "system:serviceaccount:kube-system:aws-load-balancer-controllerModuleTest" + } + } + } + ] +} +} \ No newline at end of file diff --git a/examples/resources/policy/main.tf b/examples/resources/policy/main.tf new file mode 100644 index 0000000..73d2fcf --- /dev/null +++ b/examples/resources/policy/main.tf 
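Review bot: The trust policy in the default of `variable "assume_role_policy_document"` conditions `sts:AssumeRoleWithWebIdentity` only on the `:sub` claim; the `:aud` condition AWS recommends for EKS/IRSA trust policies (`"oidc.eks.<region>.amazonaws.com/id/<PROVIDER_ID>:aud": "sts.amazonaws.com"`, with placeholders for the real ids) is missing, so the role does not check which audience the web-identity token was issued for. That default also embeds what looks like a real account id and OIDC provider id, so anyone who copies this example creates a role trusting that specific cluster; a clearly labelled placeholder, or no default at all as PATCH 4 of this series does, avoids that. The `policy_document` default is unindented JSON pasted into HCL and would read better after `terraform fmt`.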
@@ -0,0 +1,215 @@ +module "example" { + source = "../../../resources/policy" + + providers = { + aws = aws + } + + policy_name = "JSONTESTPolicyAWSLoadBalancerController" + policy_description = "JSONTESTPolicy testing AWSLoadBalancerController" + policy_document = var.policy_document + +} +provider "aws" { + region = var.region +} + +variable "region" { + default = "ap-southeast-2" +} + +variable "policy_document" { +default = { +"Version": "2012-10-17", +"Statement": [ +{ +"Effect": "Allow", +"Action": [ +"iam:CreateServiceLinkedRole", +"ec2:DescribeAccountAttributes", +"ec2:DescribeAddresses", +"ec2:DescribeInternetGateways", +"ec2:DescribeVpcs", +"ec2:DescribeSubnets", +"ec2:DescribeSecurityGroups", +"ec2:DescribeInstances", +"ec2:DescribeNetworkInterfaces", +"ec2:DescribeTags", +"ec2:GetCoipPoolUsage", +"ec2:DescribeCoipPools", +"elasticloadbalancing:DescribeLoadBalancers", +"elasticloadbalancing:DescribeLoadBalancerAttributes", +"elasticloadbalancing:DescribeListeners", +"elasticloadbalancing:DescribeListenerCertificates", +"elasticloadbalancing:DescribeSSLPolicies", +"elasticloadbalancing:DescribeRules", +"elasticloadbalancing:DescribeTargetGroups", +"elasticloadbalancing:DescribeTargetGroupAttributes", +"elasticloadbalancing:DescribeTargetHealth", +"elasticloadbalancing:DescribeTags" +], +"Resource": "*" +}, +{ +"Effect": "Allow", +"Action": [ +"cognito-idp:DescribeUserPoolClient", +"acm:ListCertificates", +"acm:DescribeCertificate", +"iam:ListServerCertificates", +"iam:GetServerCertificate", +"waf-regional:GetWebACL", +"waf-regional:GetWebACLForResource", +"waf-regional:AssociateWebACL", +"waf-regional:DisassociateWebACL", +"wafv2:GetWebACL", +"wafv2:GetWebACLForResource", +"wafv2:AssociateWebACL", +"wafv2:DisassociateWebACL", +"shield:GetSubscriptionState", +"shield:DescribeProtection", +"shield:CreateProtection", +"shield:DeleteProtection" +], +"Resource": "*" +}, +{ +"Effect": "Allow", +"Action": [ +"ec2:AuthorizeSecurityGroupIngress", 
+"ec2:RevokeSecurityGroupIngress" +], +"Resource": "*" +}, +{ +"Effect": "Allow", +"Action": [ +"ec2:CreateSecurityGroup" +], +"Resource": "*" +}, +{ +"Effect": "Allow", +"Action": [ +"ec2:CreateTags" +], +"Resource": "arn:aws:ec2:*:*:security-group/*", +"Condition": { +"StringEquals": { +"ec2:CreateAction": "CreateSecurityGroup" +}, +"Null": { +"aws:RequestTag/elbv2.k8s.aws/cluster": "false" +} +} +}, +{ +"Effect": "Allow", +"Action": [ +"ec2:CreateTags", +"ec2:DeleteTags" +], +"Resource": "arn:aws:ec2:*:*:security-group/*", +"Condition": { +"Null": { +"aws:RequestTag/elbv2.k8s.aws/cluster": "true", +"aws:ResourceTag/elbv2.k8s.aws/cluster": "false" +} +} +}, +{ +"Effect": "Allow", +"Action": [ +"ec2:AuthorizeSecurityGroupIngress", +"ec2:RevokeSecurityGroupIngress", +"ec2:DeleteSecurityGroup" +], +"Resource": "*", +"Condition": { +"Null": { +"aws:ResourceTag/elbv2.k8s.aws/cluster": "false" +} +} +}, +{ +"Effect": "Allow", +"Action": [ +"elasticloadbalancing:CreateLoadBalancer", +"elasticloadbalancing:CreateTargetGroup" +], +"Resource": "*", +"Condition": { +"Null": { +"aws:RequestTag/elbv2.k8s.aws/cluster": "false" +} +} +}, +{ +"Effect": "Allow", +"Action": [ +"elasticloadbalancing:CreateListener", +"elasticloadbalancing:DeleteListener", +"elasticloadbalancing:CreateRule", +"elasticloadbalancing:DeleteRule" +], +"Resource": "*" +}, +{ +"Effect": "Allow", +"Action": [ +"elasticloadbalancing:AddTags", +"elasticloadbalancing:RemoveTags" +], +"Resource": [ +"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*", +"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*", +"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*" +], +"Condition": { +"Null": { +"aws:RequestTag/elbv2.k8s.aws/cluster": "true", +"aws:ResourceTag/elbv2.k8s.aws/cluster": "false" +} +} +}, +{ +"Effect": "Allow", +"Action": [ +"elasticloadbalancing:ModifyLoadBalancerAttributes", +"elasticloadbalancing:SetIpAddressType", +"elasticloadbalancing:SetSecurityGroups", +"elasticloadbalancing:SetSubnets", 
+"elasticloadbalancing:DeleteLoadBalancer", +"elasticloadbalancing:ModifyTargetGroup", +"elasticloadbalancing:ModifyTargetGroupAttributes", +"elasticloadbalancing:DeleteTargetGroup" +], +"Resource": "*", +"Condition": { +"Null": { +"aws:ResourceTag/elbv2.k8s.aws/cluster": "false" +} +} +}, +{ +"Effect": "Allow", +"Action": [ +"elasticloadbalancing:RegisterTargets", +"elasticloadbalancing:DeregisterTargets" +], +"Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*" +}, +{ +"Effect": "Allow", +"Action": [ +"elasticloadbalancing:SetWebAcl", +"elasticloadbalancing:ModifyListener", +"elasticloadbalancing:AddListenerCertificates", +"elasticloadbalancing:RemoveListenerCertificates", +"elasticloadbalancing:ModifyRule" +], +"Resource": "*" +} +] +} +} diff --git a/examples/resources/role/main.tf b/examples/resources/role/main.tf new file mode 100644 index 0000000..533b3e7 --- /dev/null +++ b/examples/resources/role/main.tf @@ -0,0 +1,39 @@ +module "example" { + source = "../../../resources/role" + + providers = { + aws = aws + } + + role_name = "JSONTESTROLEAWSLoadBalancerController" + assume_role_policy_document = var.assume_role_policy_document + +} +provider "aws" { + region = var.region +} + +variable "region" { + default = "ap-southeast-2" +} + + +variable "assume_role_policy_document" { + default = { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws:iam::854489628483:oidc-provider/oidc.eks.ap-southeast-2.amazonaws.com/id/428AD43341BD31E3D94CF2A832841183" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "oidc.eks.ap-southeast-2.amazonaws.com/id/428AD43341BD31E3D94CF2A832841183:sub": "system:serviceaccount:kube-system:aws-load-balancer-controllerModuleTest" + } + } + } + ] +} +} \ No newline at end of file diff --git a/managed-role/README.md b/managed-role/README.md new file mode 100644 index 0000000..942d193 --- /dev/null +++ b/managed-role/README.md 
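Review bot: `policy_document = var.policy_document` hands the module an HCL object (the variable's default is a map literal), while `aws_iam_policy.policy` in resources/policy/main.tf needs a JSON string, so applying this example should fail with a type mismatch; the examples/managed_role hunk wraps the same value in `jsonencode(...)`, which is what is needed here: `policy_document = jsonencode(var.policy_document)`. The examples/resources/role hunk on this same line has the identical problem with `assume_role_policy_document = var.assume_role_policy_document`, and its trust policy default carries the same hard-coded account and OIDC provider ids noted on the managed_role example. Both example files are deleted again in PATCH 4 of this series.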
@@ -0,0 +1,36 @@
+## Terraform Managed role module
+
+This module creates an IAM role and attaches the policy to it.. It uses role and policy modules to create the resources. Refer Resources section for more details.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 0.12.26 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| assume\_role\_policy\_document | Json policy document | `any` | n/a | yes |
+| policy\_description | A description of the policy | `string` | `""` | no |
+| policy\_document | JSON policy document | `any` | n/a | yes |
+| policy\_name | The name of the policy to create | `any` | n/a | yes |
+| role\_name | The name of the role | `any` | n/a | yes |
+| tags | Additional tags to add to IAM Role Resource. | `map(any)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| policy\_arn | The arn of the policy created |
+| policy\_name | The name of the policy created |
+| role\_arn | The arn of the role created |
+| role\_name | The name of the role created |
+
diff --git a/managed-role/main.tf b/managed-role/main.tf
new file mode 100644
index 0000000..0376469
--- /dev/null
+++ b/managed-role/main.tf
@@ -0,0 +1,19 @@
+module "role" {
+ source = "../resources/role"
+ role_name = var.role_name
+ assume_role_policy_document = var.assume_role_policy_document
+}
+
+
+module "policy" {
+ source = "../resources/policy"
+ policy_name = var.policy_name
+ policy_description = var.policy_description
+ policy_document = var.policy_document
+}
+
+resource "aws_iam_role_policy_attachment" "this" {
+ role = module.role.role_name
+ policy_arn = module.policy.policy_arn
+}
+
diff --git a/managed-role/outputs.tf b/managed-role/outputs.tf
new file mode 100644
index 0000000..f292e4f
--- /dev/null
+++ b/managed-role/outputs.tf
@@ -0,0 +1,22 @@
+output "policy_name" {
+ description = "The name of the policy created"
+ value = module.policy.policy_name
+}
+
+
+output "policy_arn" {
+ description = "The arn of the policy created"
+ value = module.policy.policy_arn
+}
+
+
+output "role_arn" {
+ description = "The arn of the role created"
+ value = module.role.role_arn
+}
+
+
+output "role_name" {
+ description = "The name of the role created"
+ value = module.role.role_name
+}
\ No newline at end of file
diff --git a/managed-role/vars.tf b/managed-role/vars.tf
new file mode 100644
index 0000000..bef26a9
--- /dev/null
+++ b/managed-role/vars.tf
@@ -0,0 +1,28 @@
+variable "policy_name" {
+ description = "The name of the policy to create"
+}
+
+variable "policy_description" {
+ description = "A description of the policy"
+ default = ""
+}
+
+variable "policy_document" {
+ description = "JSON policy document"
+}
+
+variable "assume_role_policy_document" {
+ description = "Json policy document"
+}
+
+variable "tags" {
+ description = "Additional tags to add to IAM Role Resource."
+ type = map(any)
+ default = {}
+}
+
+variable "role_name" {
+ description = "The name of the role"
+}
+
+
diff --git a/managed-role/versions.tf b/managed-role/versions.tf
new file mode 100644
index 0000000..f8415c1
--- /dev/null
+++ b/managed-role/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 0.12.26"
+
+ required_providers {
+ aws = {
+ source : "hashicorp/aws",
+ required_version : ">= 3.21.0"
+ }
+ }
+}
\ No newline at end of file
diff --git a/resources/policy/README.md b/resources/policy/README.md
new file mode 100644
index 0000000..e0b9f52
--- /dev/null
+++ b/resources/policy/README.md
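Review bot: None of `policy_name`, `policy_document`, `assume_role_policy_document` or `role_name` in managed-role/vars.tf declares a `type`, so the README's `any` is literal and a caller can pass an HCL object where the underlying `aws_iam_policy`/`aws_iam_role` resources need a JSON string; the mismatch only surfaces at apply time inside the nested module. Adding `type = string` to each makes the contract explicit and moves the error to the caller, e.g. `variable "policy_document" { description = "JSON policy document (string)" type = string }`. The same applies to resources/policy/vars.tf and resources/role/vars.tf later in this patch.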
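Review bot: The aws entry in `required_providers` uses the key `required_version`, but a provider requirement object only recognises `source` and `version`, so the `>= 3.21.0` provider constraint is never enforced (Terraform 0.13 and later should reject the object as having an unsupported attribute; 0.12 appears to ignore it). The fix is the attribute name, conventionally with `=`: `aws = { source = "hashicorp/aws" version = ">= 3.21.0" }`. The identical block is in resources/policy/versions.tf and resources/role/versions.tf in this patch (same blob f8415c1), so all three need the change.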
@@ -0,0 +1,30 @@
+## Terraform Policy module
+
+This module creates an IAM Policy with the provided policy document.
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 0.12.26 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| policy\_description | A description of the policy | `string` | `""` | no |
+| policy\_document | JSON policy document | `any` | n/a | yes |
+| policy\_name | The name of the policy to create | `any` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| policy\_arn | The name of the policy created |
+| policy\_name | The name of the policy created |
+
diff --git a/resources/policy/main.tf b/resources/policy/main.tf
new file mode 100644
index 0000000..5d3a525
--- /dev/null
+++ b/resources/policy/main.tf
@@ -0,0 +1,8 @@
+
+resource "aws_iam_policy" "this" {
+ name = var.policy_name
+ description = var.policy_description
+ path = "/"
+ policy = var.policy_document
+}
+
diff --git a/resources/policy/outputs.tf b/resources/policy/outputs.tf
new file mode 100644
index 0000000..bb7792b
--- /dev/null
+++ b/resources/policy/outputs.tf
@@ -0,0 +1,10 @@
+output "policy_name" {
+ description = "The name of the policy created"
+ value = aws_iam_policy.this.name
+}
+
+
+output "policy_arn" {
+ description = "The name of the policy created"
+ value = aws_iam_policy.this.arn
+}
diff --git a/resources/policy/vars.tf b/resources/policy/vars.tf
new file mode 100644
index 0000000..b48bc69
--- /dev/null
+++ b/resources/policy/vars.tf
@@ -0,0 +1,13 @@
+variable "policy_name" {
+ description = "The name of the policy to create"
+}
+
+variable "policy_description" {
+ description = "A description of the policy"
+ default = ""
+}
+
+variable "policy_document" {
+ description = "JSON policy document"
+}
+
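Review bot: `output "policy_arn"` in resources/policy/outputs.tf carries `description = "The name of the policy created"`, copied from `policy_name`; the ARN output should read `description = "The arn of the policy created"`, as managed-role/outputs.tf already does. The same copy-paste reached the README outputs table for this module and the resources/role README in this patch, where both `role_arn` and `role_name` are described as "The arn of the policy created". Worth noting in resources/policy/main.tf too that `path = "/"` is fixed rather than an input, which is fine for now but should be stated in the README.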
diff --git a/resources/policy/versions.tf b/resources/policy/versions.tf
new file mode 100644
index 0000000..f8415c1
--- /dev/null
+++ b/resources/policy/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 0.12.26"
+
+ required_providers {
+ aws = {
+ source : "hashicorp/aws",
+ required_version : ">= 3.21.0"
+ }
+ }
+}
\ No newline at end of file
diff --git a/resources/role/README.md b/resources/role/README.md
new file mode 100644
index 0000000..4522b89
--- /dev/null
+++ b/resources/role/README.md
@@ -0,0 +1,30 @@
+## Terraform Role module
+
+This module creates an IAM Role and attaches the provided assume role policy to the role.
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 0.12.26 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| assume\_role\_policy\_document | Json policy document | `any` | n/a | yes |
+| role\_name | The name of the role | `any` | n/a | yes |
+| tags | Additional tags to add to IAM Role Resource. | `map(any)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| role\_arn | The arn of the policy created |
+| role\_name | The arn of the policy created |
+
diff --git a/resources/role/main.tf b/resources/role/main.tf
new file mode 100644
index 0000000..4c84d9f
--- /dev/null
+++ b/resources/role/main.tf
@@ -0,0 +1,6 @@
+resource "aws_iam_role" "this" {
+ name = var.role_name
+ assume_role_policy = var.assume_role_policy_document
+ tags = var.tags
+}
+
diff --git a/resources/role/outputs.tf b/resources/role/outputs.tf
new file mode 100644
index 0000000..084bcd9
--- /dev/null
+++ b/resources/role/outputs.tf
@@ -0,0 +1,10 @@
+output "role_arn" {
+ description = "The arn of the role created"
+ value = aws_iam_role.this.arn
+}
+
+
+output "role_name" {
+ description = "The name of the role created"
+ value = aws_iam_role.this.name
+}
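Review bot: `aws_iam_role.this` in resources/role/main.tf sets only `name`, `assume_role_policy` and `tags`, so a consumer of this module has no way to attach a `permissions_boundary`, which is the usual control for capping what a role built from a caller-supplied policy document can ever be granted. Exposing it as an optional input keeps the interface backward compatible: `permissions_boundary = var.permissions_boundary` in the resource plus `variable "permissions_boundary" { type = string default = null }` in vars.tf. A `description` argument on the role, mirroring `policy_description` on the policy module, would also help operators reviewing roles in the console.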
diff --git a/resources/role/vars.tf b/resources/role/vars.tf
new file mode 100644
index 0000000..3dee1a9
--- /dev/null
+++ b/resources/role/vars.tf
@@ -0,0 +1,13 @@
+variable "assume_role_policy_document" {
+ description = "Json policy document"
+}
+
+variable "tags" {
+ description = "Additional tags to add to IAM Role Resource."
+ type = map(any)
+ default = {}
+}
+
+variable "role_name" {
+ description = "The name of the role that needs to be created"
+}
\ No newline at end of file
diff --git a/resources/role/versions.tf b/resources/role/versions.tf
new file mode 100644
index 0000000..f8415c1
--- /dev/null
+++ b/resources/role/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 0.12.26"
+
+ required_providers {
+ aws = {
+ source : "hashicorp/aws",
+ required_version : ">= 3.21.0"
+ }
+ }
+}
\ No newline at end of file
From 3ff42d3a819496774bc6753f929bdead72be15c3 Mon Sep 17 00:00:00 2001
From: Shikha Mishra
Date: Fri, 26 Mar 2021 14:39:26 +1300
Subject: [PATCH 2/4] linting changes
---
 README.md | 6 +++---
 managed-role/main.tf | 14 +++++++-------
 managed-role/outputs.tf | 2 +-
 resources/role/main.tf | 4 ++--
 4 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/README.md b/README.md
index fe0ba08..d2b5091 100644
--- a/README.md
+++ b/README.md
@@ -8,9 +8,9 @@ These include * [Policy to Group](./policy-to-group/README.md) - Creates an IAM policy and group and created the attachment between them. * [Policy to Role](./policy-to-role/README.md) - Creates an IAM policy and attaches it with an existing Role. * [User to Group](./user-to-group/README.md) - Creates an IAM user and adds user to a list of groups. -* [Resources/role] (./resource/role/README.md) - Creates an IAM Role and attaches the provided assume role policy to the role. -* [Resources/policy] (./resource/policy/README.md) - Creates an IAM Policy with the provided policy document. -* [Managed Role] (./managed-role/README.md) - Creates an IAM role and attaches the policy to it. +* [Resources/role](./resource/role/README.md) - Creates an IAM Role and attaches the provided assume role policy to the role. +* [Resources/policy](./resource/policy/README.md) - Creates an IAM Policy with the provided policy document. +* [Managed Role](./managed-role/README.md) - Creates an IAM role and attaches the policy to it. ## ADR's diff --git a/managed-role/main.tf b/managed-role/main.tf index 0376469..1f5ed08 100644 --- a/managed-role/main.tf +++ b/managed-role/main.tf @@ -1,15 +1,15 @@ module "role" { - source = "../resources/role" - role_name = var.role_name - assume_role_policy_document = var.assume_role_policy_document + source = "../resources/role" + role_name = var.role_name + assume_role_policy_document = var.assume_role_policy_document } module "policy" { - source = "../resources/policy" - policy_name = var.policy_name - policy_description = var.policy_description - policy_document = var.policy_document + source = "../resources/policy" + policy_name = var.policy_name + policy_description = var.policy_description + policy_document = var.policy_document } resource "aws_iam_role_policy_attachment" "this" { diff --git a/managed-role/outputs.tf b/managed-role/outputs.tf index f292e4f..0dc42b9 100644 --- a/managed-role/outputs.tf +++ b/managed-role/outputs.tf 
@@ -12,7 +12,7 @@ output "policy_arn" { output "role_arn" { description = "The arn of the role created" - value = module.role.role_arn + value = module.role.role_arn } diff --git a/resources/role/main.tf b/resources/role/main.tf index 4c84d9f..eff439d 100644 --- a/resources/role/main.tf +++ b/resources/role/main.tf @@ -1,6 +1,6 @@ resource "aws_iam_role" "this" { - name = var.role_name + name = var.role_name assume_role_policy = var.assume_role_policy_document - tags = var.tags + tags = var.tags } From 0305461ec292f04e7b89eca1f2db394b499bd08c Mon Sep 17 00:00:00 2001 From: Shikha Mishra Date: Fri, 26 Mar 2021 14:40:38 +1300 Subject: [PATCH 3/4] fix readme --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index d2b5091..43a1d86 100644 --- a/README.md +++ b/README.md @@ -8,8 +8,8 @@ These include * [Policy to Group](./policy-to-group/README.md) - Creates an IAM policy and group and created the attachment between them. * [Policy to Role](./policy-to-role/README.md) - Creates an IAM policy and attaches it with an existing Role. * [User to Group](./user-to-group/README.md) - Creates an IAM user and adds user to a list of groups. -* [Resources/role](./resource/role/README.md) - Creates an IAM Role and attaches the provided assume role policy to the role. -* [Resources/policy](./resource/policy/README.md) - Creates an IAM Policy with the provided policy document. +* [Resources/role](./resources/role/README.md) - Creates an IAM Role and attaches the provided assume role policy to the role. +* [Resources/policy](./resources/policy/README.md) - Creates an IAM Policy with the provided policy document. * [Managed Role](./managed-role/README.md) - Creates an IAM role and attaches the policy to it. ## ADR's From 76a54f4db753f334454c737f578100c89701fe13 Mon Sep 17 00:00:00 2001 
From: Shikha Mishra Date: Wed, 31 Mar 2021 10:08:11 +1300 Subject: [PATCH 4/4] updated tags in managed role,refactored example,tidy up as per feedback --- README.md | 2 - examples/managed_role/.gitignore | 1 + examples/managed_role/main.tf | 235 +----------------------------- examples/managed_role/vars.tf | 32 ++++ examples/resources/policy/main.tf | 215 --------------------------- examples/resources/role/main.tf | 39 ----- managed-role/main.tf | 1 + 7 files changed, 41 insertions(+), 484 deletions(-) create mode 100644 examples/managed_role/.gitignore create mode 100644 examples/managed_role/vars.tf delete mode 100644 examples/resources/policy/main.tf delete mode 100644 examples/resources/role/main.tf diff --git a/README.md b/README.md index 43a1d86..9aa2452 100644 --- a/README.md +++ b/README.md @@ -8,8 +8,6 @@ These include * [Policy to Group](./policy-to-group/README.md) - Creates an IAM policy and group and created the attachment between them. * [Policy to Role](./policy-to-role/README.md) - Creates an IAM policy and attaches it with an existing Role. * [User to Group](./user-to-group/README.md) - Creates an IAM user and adds user to a list of groups. -* [Resources/role](./resources/role/README.md) - Creates an IAM Role and attaches the provided assume role policy to the role. -* [Resources/policy](./resources/policy/README.md) - Creates an IAM Policy with the provided policy document. * [Managed Role](./managed-role/README.md) - Creates an IAM role and attaches the policy to it. ## ADR's diff --git a/examples/managed_role/.gitignore b/examples/managed_role/.gitignore new file mode 100644 index 0000000..174bcac --- /dev/null +++ b/examples/managed_role/.gitignore @@ -0,0 +1 @@ +terraform.tfvars \ No newline at end of file diff --git a/examples/managed_role/main.tf b/examples/managed_role/main.tf index f24dcad..6c28075 100644 --- a/examples/managed_role/main.tf +++ b/examples/managed_role/main.tf 
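Review bot: The new examples/managed_role/.gitignore excludes only `terraform.tfvars`, but running the example also produces `.terraform/` and `terraform.tfstate` / `terraform.tfstate.backup`, and the state file records the full trust policy (including the account and OIDC provider ids the tfvars file is being kept out of git for) together with the resulting ARNs. Extending the list to `*.tfvars`, `.terraform/` and `*.tfstate*` closes that gap.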
@@ -1,237 +1,16 @@ module "example" { - source = "../../managed_role" + source = "../../managed-role" providers = { aws = aws } - policy_name = "JSONTESTPolicyAWSLoadBalancerController" - policy_description = "JSONTESTPolicy testing AWSLoadBalancerController" - policy_document = jsonencode(var.policy_document) - role_name = "JSONTESTROLEAWSLoadBalancerController" - assume_role_policy_document = jsonencode(var.assume_role_policy_document) - + policy_name = var.policy_name + policy_description = var.policy_description + policy_document = jsonencode(var.policy_document) + role_name = var.role_name + assume_role_policy_document = jsonencode(var.assume_role_policy_document) + tags = var.tags } provider "aws" { region = var.region -} - -variable "region" { - default = "ap-southeast-2" -} - -variable "policy_document" { -default = { -"Version": "2012-10-17", -"Statement": [ -{ -"Effect": "Allow", -"Action": [ -"iam:CreateServiceLinkedRole", -"ec2:DescribeAccountAttributes", -"ec2:DescribeAddresses", -"ec2:DescribeInternetGateways", -"ec2:DescribeVpcs", -"ec2:DescribeSubnets", -"ec2:DescribeSecurityGroups", -"ec2:DescribeInstances", -"ec2:DescribeNetworkInterfaces", -"ec2:DescribeTags", -"ec2:GetCoipPoolUsage", -"ec2:DescribeCoipPools", -"elasticloadbalancing:DescribeLoadBalancers", -"elasticloadbalancing:DescribeLoadBalancerAttributes", -"elasticloadbalancing:DescribeListeners", -"elasticloadbalancing:DescribeListenerCertificates", -"elasticloadbalancing:DescribeSSLPolicies", -"elasticloadbalancing:DescribeRules", -"elasticloadbalancing:DescribeTargetGroups", -"elasticloadbalancing:DescribeTargetGroupAttributes", -"elasticloadbalancing:DescribeTargetHealth", -"elasticloadbalancing:DescribeTags" -], -"Resource": "*" -}, -{ -"Effect": "Allow", -"Action": [ -"cognito-idp:DescribeUserPoolClient", -"acm:ListCertificates", -"acm:DescribeCertificate", -"iam:ListServerCertificates", -"iam:GetServerCertificate", -"waf-regional:GetWebACL", -"waf-regional:GetWebACLForResource", 
-"waf-regional:AssociateWebACL", -"waf-regional:DisassociateWebACL", -"wafv2:GetWebACL", -"wafv2:GetWebACLForResource", -"wafv2:AssociateWebACL", -"wafv2:DisassociateWebACL", -"shield:GetSubscriptionState", -"shield:DescribeProtection", -"shield:CreateProtection", -"shield:DeleteProtection" -], -"Resource": "*" -}, -{ -"Effect": "Allow", -"Action": [ -"ec2:AuthorizeSecurityGroupIngress", -"ec2:RevokeSecurityGroupIngress" -], -"Resource": "*" -}, -{ -"Effect": "Allow", -"Action": [ -"ec2:CreateSecurityGroup" -], -"Resource": "*" -}, -{ -"Effect": "Allow", -"Action": [ -"ec2:CreateTags" -], -"Resource": "arn:aws:ec2:*:*:security-group/*", -"Condition": { -"StringEquals": { -"ec2:CreateAction": "CreateSecurityGroup" -}, -"Null": { -"aws:RequestTag/elbv2.k8s.aws/cluster": "false" -} -} -}, -{ -"Effect": "Allow", -"Action": [ -"ec2:CreateTags", -"ec2:DeleteTags" -], -"Resource": "arn:aws:ec2:*:*:security-group/*", -"Condition": { -"Null": { -"aws:RequestTag/elbv2.k8s.aws/cluster": "true", -"aws:ResourceTag/elbv2.k8s.aws/cluster": "false" -} -} -}, -{ -"Effect": "Allow", -"Action": [ -"ec2:AuthorizeSecurityGroupIngress", -"ec2:RevokeSecurityGroupIngress", -"ec2:DeleteSecurityGroup" -], -"Resource": "*", -"Condition": { -"Null": { -"aws:ResourceTag/elbv2.k8s.aws/cluster": "false" -} -} -}, -{ -"Effect": "Allow", -"Action": [ -"elasticloadbalancing:CreateLoadBalancer", -"elasticloadbalancing:CreateTargetGroup" -], -"Resource": "*", -"Condition": { -"Null": { -"aws:RequestTag/elbv2.k8s.aws/cluster": "false" -} -} -}, -{ -"Effect": "Allow", -"Action": [ -"elasticloadbalancing:CreateListener", -"elasticloadbalancing:DeleteListener", -"elasticloadbalancing:CreateRule", -"elasticloadbalancing:DeleteRule" -], -"Resource": "*" -}, -{ -"Effect": "Allow", -"Action": [ -"elasticloadbalancing:AddTags", -"elasticloadbalancing:RemoveTags" -], -"Resource": [ -"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*", -"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*", 
-"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*" -], -"Condition": { -"Null": { -"aws:RequestTag/elbv2.k8s.aws/cluster": "true", -"aws:ResourceTag/elbv2.k8s.aws/cluster": "false" -} -} -}, -{ -"Effect": "Allow", -"Action": [ -"elasticloadbalancing:ModifyLoadBalancerAttributes", -"elasticloadbalancing:SetIpAddressType", -"elasticloadbalancing:SetSecurityGroups", -"elasticloadbalancing:SetSubnets", -"elasticloadbalancing:DeleteLoadBalancer", -"elasticloadbalancing:ModifyTargetGroup", -"elasticloadbalancing:ModifyTargetGroupAttributes", -"elasticloadbalancing:DeleteTargetGroup" -], -"Resource": "*", -"Condition": { -"Null": { -"aws:ResourceTag/elbv2.k8s.aws/cluster": "false" -} -} -}, -{ -"Effect": "Allow", -"Action": [ -"elasticloadbalancing:RegisterTargets", -"elasticloadbalancing:DeregisterTargets" -], -"Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*" -}, -{ -"Effect": "Allow", -"Action": [ -"elasticloadbalancing:SetWebAcl", -"elasticloadbalancing:ModifyListener", -"elasticloadbalancing:AddListenerCertificates", -"elasticloadbalancing:RemoveListenerCertificates", -"elasticloadbalancing:ModifyRule" -], -"Resource": "*" -} -] -} -} - - -variable "assume_role_policy_document" { - default = { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Federated": "arn:aws:iam::854489628483:oidc-provider/oidc.eks.ap-southeast-2.amazonaws.com/id/428AD43341BD31E3D94CF2A832841183" - }, - "Action": "sts:AssumeRoleWithWebIdentity", - "Condition": { - "StringEquals": { - "oidc.eks.ap-southeast-2.amazonaws.com/id/428AD43341BD31E3D94CF2A832841183:sub": "system:serviceaccount:kube-system:aws-load-balancer-controllerModuleTest" - } - } - } - ] -} } \ No newline at end of file diff --git a/examples/managed_role/vars.tf b/examples/managed_role/vars.tf new file mode 100644 index 0000000..7c2fccd --- /dev/null +++ b/examples/managed_role/vars.tf 
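Review bot: After this rewrite the example has no committed sample input at all — every value now comes from a `terraform.tfvars` that the new .gitignore keeps out of the repository — and there is no README in examples/managed_role, so a reader cannot tell that `policy_document` and `assume_role_policy_document` are expected as HCL objects (they are passed through `jsonencode(...)` on the lines above) rather than JSON strings. A committed `terraform.tfvars.example` with clearly labelled placeholder account and OIDC provider ids, or a short README listing the variables, would restore a runnable example. The `providers = { aws = aws }` block only passes the default provider, which the module would inherit anyway, so it can be dropped.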
@@ -0,0 +1,32 @@
+
+variable "region" {
+ type = string
+ default = "ap-southeast-2"
+}
+
+variable "policy_name" {
+ description = "The name of the policy to create"
+}
+
+variable "policy_description" {
+ description = "A description of the policy"
+ default = ""
+}
+
+variable "policy_document" {
+ description = "JSON policy document"
+}
+
+variable "assume_role_policy_document" {
+ description = "Json policy document"
+}
+
+variable "tags" {
+ description = "Additional tags to add to IAM Role Resource."
+ type = map(any)
+ default = {}
+}
+
+variable "role_name" {
+ description = "The name of the role"
+}
\ No newline at end of file
diff --git a/examples/resources/policy/main.tf b/examples/resources/policy/main.tf
deleted file mode 100644
index 73d2fcf..0000000
--- a/examples/resources/policy/main.tf
+++ /dev/null
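Review bot: `assume_role_policy_document` and `policy_document` in the new vars.tf carry no `type` constraint, so a caller can hand the example a string, an object or a list and the mismatch only surfaces inside the downstream module rather than at this variable. Pin the shape you actually accept, e.g. `type = any` if both JSON strings and HCL objects are valid, or `type = string` if only JSON is. The description `"Json policy document"` also says nothing about what the document governs; since this is the trust policy that decides which principals may assume the role, I would write `description = "JSON trust policy that defines which principals may assume the role"` so it is not confused with `policy_document`. `region` has no description either, and `tags` is typed `map(any)` where `map(string)` matches what the AWS provider accepts for resource tags, if that is the intent.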
@@ -1,215 +0,0 @@
-module "example" {
- source = "../../../resources/policy"
-
- providers = {
- aws = aws
- }
-
- policy_name = "JSONTESTPolicyAWSLoadBalancerController"
- policy_description = "JSONTESTPolicy testing AWSLoadBalancerController"
- policy_document = var.policy_document
-
-}
-provider "aws" {
- region = var.region
-}
-
-variable "region" {
- default = "ap-southeast-2"
-}
-
-variable "policy_document" {
-default = {
-"Version": "2012-10-17",
-"Statement": [
-{
-"Effect": "Allow",
-"Action": [
-"iam:CreateServiceLinkedRole",
-"ec2:DescribeAccountAttributes",
-"ec2:DescribeAddresses",
-"ec2:DescribeInternetGateways",
-"ec2:DescribeVpcs",
-"ec2:DescribeSubnets",
-"ec2:DescribeSecurityGroups",
-"ec2:DescribeInstances",
-"ec2:DescribeNetworkInterfaces",
-"ec2:DescribeTags",
-"ec2:GetCoipPoolUsage",
-"ec2:DescribeCoipPools",
-"elasticloadbalancing:DescribeLoadBalancers",
-"elasticloadbalancing:DescribeLoadBalancerAttributes",
-"elasticloadbalancing:DescribeListeners",
-"elasticloadbalancing:DescribeListenerCertificates",
-"elasticloadbalancing:DescribeSSLPolicies",
-"elasticloadbalancing:DescribeRules",
-"elasticloadbalancing:DescribeTargetGroups",
-"elasticloadbalancing:DescribeTargetGroupAttributes",
-"elasticloadbalancing:DescribeTargetHealth",
-"elasticloadbalancing:DescribeTags"
-],
-"Resource": "*"
-},
-{
-"Effect": "Allow",
-"Action": [
-"cognito-idp:DescribeUserPoolClient",
-"acm:ListCertificates",
-"acm:DescribeCertificate",
-"iam:ListServerCertificates",
-"iam:GetServerCertificate",
-"waf-regional:GetWebACL",
-"waf-regional:GetWebACLForResource",
-"waf-regional:AssociateWebACL",
-"waf-regional:DisassociateWebACL",
-"wafv2:GetWebACL",
-"wafv2:GetWebACLForResource",
-"wafv2:AssociateWebACL",
-"wafv2:DisassociateWebACL",
-"shield:GetSubscriptionState",
-"shield:DescribeProtection",
-"shield:CreateProtection",
-"shield:DeleteProtection"
-],
-"Resource": "*"
-},
-{
-"Effect": "Allow",
-"Action": [
-"ec2:AuthorizeSecurityGroupIngress",
-"ec2:RevokeSecurityGroupIngress"
-],
-"Resource": "*"
-},
-{
-"Effect": "Allow",
-"Action": [
-"ec2:CreateSecurityGroup"
-],
-"Resource": "*"
-},
-{
-"Effect": "Allow",
-"Action": [
-"ec2:CreateTags"
-],
-"Resource": "arn:aws:ec2:*:*:security-group/*",
-"Condition": {
-"StringEquals": {
-"ec2:CreateAction": "CreateSecurityGroup"
-},
-"Null": {
-"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
-}
-}
-},
-{
-"Effect": "Allow",
-"Action": [
-"ec2:CreateTags",
-"ec2:DeleteTags"
-],
-"Resource": "arn:aws:ec2:*:*:security-group/*",
-"Condition": {
-"Null": {
-"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
-"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
-}
-}
-},
-{
-"Effect": "Allow",
-"Action": [
-"ec2:AuthorizeSecurityGroupIngress",
-"ec2:RevokeSecurityGroupIngress",
-"ec2:DeleteSecurityGroup"
-],
-"Resource": "*",
-"Condition": {
-"Null": {
-"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
-}
-}
-},
-{
-"Effect": "Allow",
-"Action": [
-"elasticloadbalancing:CreateLoadBalancer",
-"elasticloadbalancing:CreateTargetGroup"
-],
-"Resource": "*",
-"Condition": {
-"Null": {
-"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
-}
-}
-},
-{
-"Effect": "Allow",
-"Action": [
-"elasticloadbalancing:CreateListener",
-"elasticloadbalancing:DeleteListener",
-"elasticloadbalancing:CreateRule",
-"elasticloadbalancing:DeleteRule"
-],
-"Resource": "*"
-},
-{
-"Effect": "Allow",
-"Action": [
-"elasticloadbalancing:AddTags",
-"elasticloadbalancing:RemoveTags"
-],
-"Resource": [
-"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
-"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
-"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
-],
-"Condition": {
-"Null": {
-"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
-"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
-}
-}
-},
-{
-"Effect": "Allow",
-"Action": [
-"elasticloadbalancing:ModifyLoadBalancerAttributes",
-"elasticloadbalancing:SetIpAddressType",
-"elasticloadbalancing:SetSecurityGroups",
-"elasticloadbalancing:SetSubnets",
-"elasticloadbalancing:DeleteLoadBalancer",
-"elasticloadbalancing:ModifyTargetGroup",
-"elasticloadbalancing:ModifyTargetGroupAttributes",
-"elasticloadbalancing:DeleteTargetGroup"
-],
-"Resource": "*",
-"Condition": {
-"Null": {
-"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
-}
-}
-},
-{
-"Effect": "Allow",
-"Action": [
-"elasticloadbalancing:RegisterTargets",
-"elasticloadbalancing:DeregisterTargets"
-],
-"Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
-},
-{
-"Effect": "Allow",
-"Action": [
-"elasticloadbalancing:SetWebAcl",
-"elasticloadbalancing:ModifyListener",
-"elasticloadbalancing:AddListenerCertificates",
-"elasticloadbalancing:RemoveListenerCertificates",
-"elasticloadbalancing:ModifyRule"
-],
-"Resource": "*"
-}
-]
-}
-}
diff --git a/examples/resources/role/main.tf b/examples/resources/role/main.tf
deleted file mode 100644
index 533b3e7..0000000
--- a/examples/resources/role/main.tf
+++ /dev/null
@@ -1,39 +0,0 @@
-module "example" {
- source = "../../../resources/role"
-
- providers = {
- aws = aws
- }
-
- role_name = "JSONTESTROLEAWSLoadBalancerController"
- assume_role_policy_document = var.assume_role_policy_document
-
-}
-provider "aws" {
- region = var.region
-}
-
-variable "region" {
- default = "ap-southeast-2"
-}
-
-
-variable "assume_role_policy_document" {
- default = {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "Federated": "arn:aws:iam::854489628483:oidc-provider/oidc.eks.ap-southeast-2.amazonaws.com/id/428AD43341BD31E3D94CF2A832841183"
- },
- "Action": "sts:AssumeRoleWithWebIdentity",
- "Condition": {
- "StringEquals": {
- "oidc.eks.ap-southeast-2.amazonaws.com/id/428AD43341BD31E3D94CF2A832841183:sub": "system:serviceaccount:kube-system:aws-load-balancer-controllerModuleTest"
- }
- }
- }
- ]
-}
-}
\ No newline at end of file
diff --git a/managed-role/main.tf b/managed-role/main.tf
index 1f5ed08..f7890f2 100644
--- a/managed-role/main.tf
+++ b/managed-role/main.tf
@@ -2,6 +2,7 @@ module "role" {
 source = "../resources/role"
 role_name = var.role_name
 assume_role_policy_document = var.assume_role_policy_document
+ tags = var.tags
 }