From ee9dbc8447b2a8a4c3f6a31400a534f3153bf116 Mon Sep 17 00:00:00 2001 From: Gorman Stock Date: Thu, 28 Sep 2023 15:49:22 +0000 Subject: [PATCH 1/2] add permissions level to tf --- main.tf | 54 +++++++++++++++++++++++++++++++++++++++++++++++++++- variables.tf | 6 ++++++ 2 files changed, 59 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 8a283c3..8a8f5c2 100644 --- a/main.tf +++ b/main.tf @@ -34,7 +34,22 @@ resource "aws_iam_role" "ottertune_role" { data "aws_iam_policy_document" "ottertune_db_policy" { statement { - actions = [ + actions = var.permissions_level == "write_limited" ? [ + "budgets:Describe*", + "ce:Describe*", + "ce:Get*", + "ce:List*", + "cloudwatch:Describe*", + "cloudwatch:Get*", + "cloudwatch:List*", + "iam:SimulatePrincipalPolicy", + "pi:DescribeDimensionKeys", + "pi:GetResourceMetrics", + "rds:Describe*", + "rds:List*", + "rds:ModifyDBInstance", + "rds:ModifyDBCluster", + ] : [ "budgets:Describe*", "ce:Describe*", "ce:Get*", @@ -61,6 +76,42 @@ data "aws_iam_policy_document" "ottertune_connect_policy" { } +data "aws_iam_policy_document" "ottertune_copy_pg_policy" { + statement { + actions = [ + "rds:CopyDBParameterGroup", + "rds:CopyDBClusterParameterGroup", + ] + resources = [ + "arn:aws:rds:*:*:pg:*", + "arn:aws:rds:*:*:cluster-pg:*" + ] + } +} + + +data "aws_iam_policy_document" "ottertune_pg_policy" { + statement { + actions = [ + "rds:CreateDBParameterGroup", + "rds:ModifyDBParameterGroup", + ] + resources = ["arn:aws:rds:*:*:pg:ottertune*"] + } +} + + +data "aws_iam_policy_document" "ottertune_cluster_pg_policy" { + statement { + actions = [ + "rds:CreateDBClusterParameterGroup", + "rds:ModifyDBClusterParameterGroup", + ] + resources = ["arn:aws:rds:*:*:cluster-pg:ottertune*"] + } +} + + data "aws_iam_policy_document" "ottertune_tuning_policy" { statement { actions = ["rds:ModifyDBParameterGroup"] 
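Review bot: The new `ottertune_copy_pg_policy` statement grants `rds:CopyDBParameterGroup` and `rds:CopyDBClusterParameterGroup` on every parameter group (`arn:aws:rds:*:*:pg:*`, `cluster-pg:*`), while the create/modify statements right below it are confined to the `ottertune*` prefix, and nothing in the hunk records why the copy must be wider. If the reason is that the source group is a customer-owned group and IAM evaluates both the source and the target ARN of a copy against the same statement, that is worth a comment so a later reviewer does not "tighten" it and break the role, e.g. `# Copy is evaluated against the source group as well as the target, so it cannot be limited to the ottertune* prefix the way create/modify are.` Note that this wording does let the role materialise copies under names outside `ottertune*`; as far as this hunk shows their contents still cannot be changed, since `ModifyDBParameterGroup` / `ModifyDBClusterParameterGroup` stay scoped to `ottertune*`, but it is an assumption worth confirming against the application's naming of the copy target.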
@@ -78,6 +129,7 @@ data "aws_iam_policy_document" "ottertune_cluster_tuning_policy" { data "aws_iam_policy_document" "ottertune_policy_document_combined" { source_policy_documents = concat([data.aws_iam_policy_document.ottertune_db_policy.json, data.aws_iam_policy_document.ottertune_connect_policy.json], + var.permissions_level == "write_limited" ? [data.aws_iam_policy_document.ottertune_copy_pg_policy.json, data.aws_iam_policy_document.ottertune_pg_policy.json, data.aws_iam_policy_document.ottertune_cluster_pg_policy.json] : [], length(var.tunable_parameter_group_arns) > 0 ? [data.aws_iam_policy_document.ottertune_tuning_policy.json] : [], length(var.tunable_aurora_cluster_parameter_group_arns) > 0 ? [data.aws_iam_policy_document.ottertune_cluster_tuning_policy.json] : []) } diff --git a/variables.tf b/variables.tf index fa401bd..f9b07da 100644 --- a/variables.tf +++ b/variables.tf @@ -10,6 +10,12 @@ variable "iam_role_name" { default = "OtterTuneRole" } +variable "permissions_level" { + description = "The permissions level associated with the created role. Currently the two options are: read_only | write_limited" + type = string + default = "read_only" +} + variable "tunable_parameter_group_arns" { description = <<-EOT Pass in the parameter group ARNs that you would like to allow OtterTune to optimize. From 570bd13c2c95fee412413852022a0e892da7b6ec Mon Sep 17 00:00:00 2001 From: Gorman Stock Date: Thu, 28 Sep 2023 16:01:08 +0000 Subject: [PATCH 2/2] flatten --- main.tf | 19 ++++--------------- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/main.tf b/main.tf index 8a8f5c2..7ad7566 100644 --- a/main.tf +++ b/main.tf @@ -34,7 +34,7 @@ resource "aws_iam_role" "ottertune_role" { data "aws_iam_policy_document" "ottertune_db_policy" { statement { - actions = var.permissions_level == "write_limited" ? [ + actions = flatten([ "budgets:Describe*", "ce:Describe*", "ce:Get*", 
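Review bot: The string comparison `var.permissions_level == "write_limited"` is now repeated here and in `ottertune_db_policy`; if the two literals ever drift the role silently ends up with half of the write grants (parameter-group create/copy without `ModifyDBInstance`, or the reverse), which is hard to spot from a plan. A single `locals { write_limited = var.permissions_level == "write_limited" }` and `local.write_limited ? [...] : []` in both places keeps the two policy fragments switching together. The `concat` itself is fine; `source_policy_documents` only needs distinct `sid`s when statements carry them, and none of the new statements do.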
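Review bot: `permissions_level` accepts any string, and the description says the only two options are `read_only | write_limited`; a typo such as `write-limited` or `Write_Limited` is not rejected but silently produces the read-only role, which the operator will only discover when tuning fails. Terraform can fail the plan instead with a `validation` block on the variable, which also turns the description's prose into an enforced contract.

```hcl
variable "permissions_level" {
  # … unchanged: description, type, default = "read_only" …
  validation {
    condition     = contains(["read_only", "write_limited"], var.permissions_level)
    error_message = "permissions_level must be \"read_only\" or \"write_limited\"."
  }
}
```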
@@ -47,22 +47,11 @@ data "aws_iam_policy_document" "ottertune_db_policy" { "pi:GetResourceMetrics", "rds:Describe*", "rds:List*", + var.permissions_level == "write_limited" ? [ "rds:ModifyDBInstance", "rds:ModifyDBCluster", - ] : [ - "budgets:Describe*", - "ce:Describe*", - "ce:Get*", - "ce:List*", - "cloudwatch:Describe*", - "cloudwatch:Get*", - "cloudwatch:List*", - "iam:SimulatePrincipalPolicy", - "pi:DescribeDimensionKeys", - "pi:GetResourceMetrics", - "rds:Describe*", - "rds:List*", - ] + ] : [] + ]) resources = ["*"] } }
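Review bot: Under `write_limited` the flattened action list adds `rds:ModifyDBInstance` and `rds:ModifyDBCluster` to a statement whose `resources = ["*"]`, so the role may reconfigure every RDS instance and cluster in the account, not just the ones being tuned; those two API calls cover far more than attaching a parameter group (master password, VPC security groups, public accessibility, deletion protection, instance class), so "limited" is not an accurate description of this grant. The existing `tunable_parameter_group_arns` variable already shows the pattern: keep the Describe*/List* statement on `*`, but move the two Modify actions into their own statement scoped to an explicit list of instance/cluster ARNs supplied by a new variable. The enclosing `statement` begins above the hunk, so the rewrite below shows the whole data source for placement.

```hcl
data "aws_iam_policy_document" "ottertune_db_policy" {
  statement {
    actions = [
      # … unchanged: budgets/ce/cloudwatch/iam/pi/rds Describe*, Get*, List* actions …
    ]
    resources = ["*"]
  }

  # Write access is only granted for the instances/clusters the operator lists,
  # never account-wide: ModifyDBInstance/ModifyDBCluster can change credentials,
  # network exposure and deletion protection, not just the parameter group.
  dynamic "statement" {
    for_each = var.permissions_level == "write_limited" ? [1] : []
    content {
      actions   = ["rds:ModifyDBInstance", "rds:ModifyDBCluster"]
      resources = var.tunable_db_arns # new list(string) variable in variables.tf
    }
  }
}
```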