Merge pull request #5 from ottertune/write_limited_policy

[FE-292] add permissions level to tf
ottertune · Sep 28, 2023 · 63f8b97 · 63f8b97
2 parents 4279b80 + 570bd13
commit 63f8b97
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 2 deletions.
diff --git a/main.tf b/main.tf
@@ -34,7 +34,7 @@ resource "aws_iam_role" "ottertune_role" {
 
 data "aws_iam_policy_document" "ottertune_db_policy" {
   statement {
-    actions = [
+    actions = flatten([
       "budgets:Describe*",
       "ce:Describe*",
       "ce:Get*",
@@ -47,7 +47,11 @@ data "aws_iam_policy_document" "ottertune_db_policy" {
       "pi:GetResourceMetrics",
       "rds:Describe*",
       "rds:List*",
-    ]
+      var.permissions_level == "write_limited" ? [
+      "rds:ModifyDBInstance",
+      "rds:ModifyDBCluster",
+      ] : []
+    ])
     resources = ["*"]
   }
 }
@@ -61,6 +65,42 @@ data "aws_iam_policy_document" "ottertune_connect_policy" {
 }
 
 
+data "aws_iam_policy_document" "ottertune_copy_pg_policy" {
+  statement {
+    actions   = [
+      "rds:CopyDBParameterGroup",
+      "rds:CopyDBClusterParameterGroup",
+    ]
+    resources = [
+      "arn:aws:rds:*:*:pg:*",
+      "arn:aws:rds:*:*:cluster-pg:*"
+    ]
+  }
+}
+
+
+data "aws_iam_policy_document" "ottertune_pg_policy" {
+  statement {
+    actions   = [
+      "rds:CreateDBParameterGroup",
+      "rds:ModifyDBParameterGroup",
+    ]
+    resources = ["arn:aws:rds:*:*:pg:ottertune*"]
+  }
+}
+
+
+data "aws_iam_policy_document" "ottertune_cluster_pg_policy" {
+  statement {
+    actions   = [
+      "rds:CreateDBClusterParameterGroup",
+      "rds:ModifyDBClusterParameterGroup",
+    ]
+    resources = ["arn:aws:rds:*:*:cluster-pg:ottertune*"]
+  }
+}
+
+
 data "aws_iam_policy_document" "ottertune_tuning_policy" {
   statement {
     actions   = ["rds:ModifyDBParameterGroup"]
@@ -78,6 +118,7 @@ data "aws_iam_policy_document" "ottertune_cluster_tuning_policy" {
 data "aws_iam_policy_document" "ottertune_policy_document_combined" {
   source_policy_documents = concat([data.aws_iam_policy_document.ottertune_db_policy.json,
     data.aws_iam_policy_document.ottertune_connect_policy.json],
+    var.permissions_level == "write_limited" ? [data.aws_iam_policy_document.ottertune_copy_pg_policy.json, data.aws_iam_policy_document.ottertune_pg_policy.json, data.aws_iam_policy_document.ottertune_cluster_pg_policy.json] :  [],
     length(var.tunable_parameter_group_arns) > 0 ? [data.aws_iam_policy_document.ottertune_tuning_policy.json] : [],
   length(var.tunable_aurora_cluster_parameter_group_arns) > 0 ? [data.aws_iam_policy_document.ottertune_cluster_tuning_policy.json] : [])
 }

diff --git a/variables.tf b/variables.tf
@@ -10,6 +10,12 @@ variable "iam_role_name" {
   default = "OtterTuneRole"
 }
 
+variable "permissions_level" {
+  description = "The permissions level associated with the created role. Currently the two options are: read_only | write_limited"
+  type    = string
+  default = "read_only"
+}
+
 variable "tunable_parameter_group_arns" {
   description = <<-EOT
                    Pass in the parameter group ARNs that you would like to allow OtterTune to optimize.