From 7e1d8cdf1d1ce75e87ed965388fa7031a0ee70d8 Mon Sep 17 00:00:00 2001 From: Neal Kaviratna Date: Tue, 18 Jan 2022 21:27:39 +0000 Subject: [PATCH 01/15] first attempt --- main.tf | 204 +++++++++++++++++++++++++++++++++++++++++++++++++++ outputs.tf | 0 variables.tf | 37 ++++++++++ 3 files changed, 241 insertions(+) create mode 100644 main.tf create mode 100644 outputs.tf create mode 100644 variables.tf diff --git a/main.tf b/main.tf new file mode 100644 index 0000000..6569d31 --- /dev/null +++ b/main.tf 
@@ -0,0 +1,204 @@ + + +data "aws_iam_policy_document" "ottertune_db_policy" { + statement { + actions = [ + "aws-portal:ViewBilling", + "budgets:Describe*", + "ce:Describe*", + "ce:Get*", + "ce:List*", + "cloudwatch:Describe*", + "cloudwatch:Get*", + "cloudwatch:List*", + "iam:SimulatePrincipalPolicy", + "pi:DescribeDimensionKeys", + "pi:GetResourceMetrics", + "pricing:Describe*", + "pricing:Get*", + "rds:Describe*", + "rds:List*", + ] + resources = ["*"] + } +} + +data "aws_iam_policy_document" "ottertune_connect_policy" { + statement { + actions = ["rds-db:connect"] + resources = ["arn:aws:rds-db:*:*:dbuser:*/ottertune*"] + } +} + + +data "aws_iam_policy_document" "ottertune_tuning_policy" { + statement { + actions = ["rds:ModifyDBParameterGroup"] + resources = var.tunable_parameter_group_arns + } +} + +data "aws_iam_policy_document" "ottertune_cluster_tuning_policy" { + statement { + actions = ["rds:ModifyDBParameterGroup"] + resources = var.tunable_aurora_cluster_parameter_group_arns + } +} + +data "aws_iam_policy_document" "code_pipeline_full_access" { + statement { + actions = [ + "codepipeline:*", + "cloudformation:DescribeStacks", + "cloudformation:ListChangeSets", + "cloudtrail:CreateTrail", + "cloudtrail:DescribeTrails", + "cloudtrail:GetEventSelectors", + "cloudtrail:PutEventSelectors", + "cloudtrail:StartLogging", + "codebuild:BatchGetProjects", + "codebuild:CreateProject", + "codebuild:ListCuratedEnvironmentImages", + "codebuild:ListProjects", + "codecommit:GetBranch", + "codecommit:GetRepositoryTriggers", + "codecommit:ListBranches", + "codecommit:ListRepositories", + "codecommit:PutRepositoryTriggers", + "codecommit:GetReferences", + "codedeploy:GetApplication", + "codedeploy:BatchGetApplications", + "codedeploy:GetDeploymentGroup", + "codedeploy:BatchGetDeploymentGroups", + "codedeploy:ListApplications", + "codedeploy:ListDeploymentGroups", + "devicefarm:GetDevicePool", + "devicefarm:GetProject", + "devicefarm:ListDevicePools", + 
"devicefarm:ListProjects", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", + "ecr:DescribeRepositories", + "ecr:ListImages", + "ecs:ListClusters", + "ecs:ListServices", + "elasticbeanstalk:DescribeApplications", + "elasticbeanstalk:DescribeEnvironments", + "iam:ListRoles", + "iam:GetRole", + "lambda:GetFunctionConfiguration", + "lambda:ListFunctions", + "events:ListRules", + "events:ListTargetsByRule", + "events:DescribeRule", + "opsworks:DescribeApps", + "opsworks:DescribeLayers", + "opsworks:DescribeStacks", + "s3:GetBucketPolicy", + "s3:GetBucketVersioning", + "s3:GetObjectVersion", + "s3:ListAllMyBuckets", + "s3:ListBucket", + "sns:ListTopics", + "codestar-notifications:ListNotificationRules", + "codestar-notifications:ListTargets", + "codestar-notifications:ListTagsforResource", + "codestar-notifications:ListEventTypes", + "states:ListStateMachines" + ] + resources = ["*"] + } + statement { + actions = [ + "s3:GetObject", + "s3:CreateBucket", + "s3:PutBucketPolicy" + ] + resources = ["arn:aws:s3::*:codepipeline-*"] + } + statement { + actions = ["iam:PassRole"] + resources = ["arn:aws:iam::*:role/service-role/cwe-role-*"] + condition { + test = "StringEquals" + variable = "iam:PassedToService" + values = ["events.amazonaws.com"] + } + } + statement { + actions = ["iam:PassRole"] + resources = ["*"] + condition { + test = "StringEquals" + variable = "iam:PassedToService" + values = ["codepipeline.amazonaws.com"] + } + } + statement { + actions = [ + "events:PutRule", + "events:PutTargets", + "events:DeleteRule", + "events:DisableRule", + "events:RemoveTargets" + ] + resources = ["arn:aws:events:*:*:rule/codepipeline-*"] + } + statement { + actions = [ + "codestar-notifications:CreateNotificationRule", + "codestar-notifications:DescribeNotificationRule", + "codestar-notifications:UpdateNotificationRule", + "codestar-notifications:DeleteNotificationRule", + "codestar-notifications:Subscribe", + "codestar-notifications:Unsubscribe" + 
] + resources = ["*"] + condition { + test = "StringLike" + variable = "codestar-notifications:NotificationsForResource" + values = ["arn:aws:codepipeline:*"] + } + } + statement { + sid = "CodeStarNotificationsSnsTopicCreateAccess" + actions = [ + "sns:CreateTopic", + "sns:SetTopicAttributes" + ] + resources = ["arn:aws:sns:*:*:codestar-notifications*"] + } + statement { + sid = "CodeStarNotificationsChatbotAccess" + actions = [ + "chatbot:DescribeSlackChannelConfigurations" + ] + resources = ["*"] + } +} + +module "aggregated_managed_policy" { + source = "cloudposse/iam-policy-document-aggregator/aws" + version = "0.8.0" + + source_documents = [ + data.aws_iam_policy_document.code_pipeline_approver_access.json, + data.aws_iam_policy_document.s3_full_access.json, + data.aws_iam_policy_document.code_build_developers_access.json, + data.aws_iam_policy_document.elasti_cache_read_only_access.json, + data.aws_iam_policy_document.cloud_watch_logs_read_only_access.json, + data.aws_iam_policy_document.rds_read_only_access.json, + data.aws_iam_policy_document.code_pipeline_full_access.json, + ] +} + +data "aws_iam_policy_document" "parameter_store" { + statement { + actions = ["ssm:GetParameter"] + resources = [ + "*" + ] + effect = "Allow" + } +} diff --git a/outputs.tf b/outputs.tf new file mode 100644 index 0000000..e69de29 diff --git a/variables.tf b/variables.tf new file mode 100644 index 0000000..18b7058 --- /dev/null +++ b/variables.tf 
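Review bot: `module "aggregated_managed_policy"` near the end of the hunk lists six `data.aws_iam_policy_document.*` sources (`code_pipeline_approver_access`, `s3_full_access`, `code_build_developers_access`, `elasti_cache_read_only_access`, `cloud_watch_logs_read_only_access`, `rds_read_only_access`) that this new file never declares, so `terraform validate` fails on this commit; the CodePipeline scaffolding it aggregates, including `codepipeline:*` and `iam:PassRole` on `resources = ["*"]`, has nothing to do with the OtterTune role, and PATCH 02 deletes it. In `ottertune_db_policy`, which does survive the series, `iam:SimulatePrincipalPolicy` on `"*"` lets the assumed role evaluate the effective permissions of every principal in the account; if OtterTune only needs to simulate its own role, a separate statement scoped to the role's own ARN would be least privilege, and otherwise a `sid` or comment on the statement should record why the wildcard is required. None of the OtterTune data sources here set `effect`; the provider defaults to Allow, but stating `effect = "Allow"` as `parameter_store` does keeps the documents consistent.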
@@ -0,0 +1,37 @@ + +# Terraform provider for aws +variable "aws_provider" { + type = string +} + +# External ID for the OtterTune role. Copy from OtterTune role setup wizard. +variable "external_id" { + type = string +} + +# External ID for the OtterTune role. Copy from OtterTune role setup wizard. +variable "iam_role_name" { + type = string + default = "OtterTuneRole" +} + +# Pass in the parameter group ARNs that you'd like to allow OtterTune to optimize. +# Leave blank if you would like to run OtterTune in monitoring-only mode for now. This can be updated later. +# ARN Format: arn:aws:rds:::pg: +variable "tunable_parameter_group_arns" { + type = list(string) + default = [] +} + +# Pass in the aurora cluster parameter group ARNs that you'd like to allow OtterTune to optimize. +# Leave blank if you would like to run OtterTune in monitoring-only mode for now. This can be updated later. +# ARN Format: arn:aws:rds:::pg: +variable "tunable_aurora_cluster_parameter_group_arns" { + type = list(string) + default = [] +} + +variable "ottertune_account_id" { + type = string + default = "691523222388" +} \ No newline at end of file From 02b46be70a05aaa3bc58d837e0769a9e185a8c64 Mon Sep 17 00:00:00 2001 From: Neal Kaviratna Date: Tue, 18 Jan 2022 21:57:55 +0000 Subject: [PATCH 02/15] little more --- main.tf | 192 ++++++++++---------------------------------------------- 1 file changed, 33 insertions(+), 159 deletions(-) diff --git a/main.tf b/main.tf index 6569d31..08b8f1d 100644 --- a/main.tf +++ b/main.tf 
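Review bot: `variable "external_id"` has no `description` and no `validation`, yet it is the value the trust policy compares against `sts:ExternalId` in later patches of this series; an empty string still satisfies `type = string`, so a non-empty value should be required at plan time. The `#` comments above each variable are invisible to `terraform-docs` and to the registry UI; moving them into `description` attributes surfaces them to callers. The `ARN Format: arn:aws:rds:::pg:` lines look as if placeholders (region, account id, group name) were stripped from the comment; confirm the intended format and restore it. Rewritten `external_id` block:
```hcl
variable "external_id" {
  description = "External ID for the OtterTune role. Copy it from the OtterTune role setup wizard; it is compared against sts:ExternalId in the role trust policy."
  type        = string

  validation {
    condition     = length(trimspace(var.external_id)) > 0
    error_message = "external_id must not be empty."
  }
}
# … unchanged: remaining variable blocks …
```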
@@ -1,4 +1,36 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "3.72.0" + } + } +} +provider "aws" { + # Configuration options +} + +resource "aws_iam_role" "ottertune_role" { + name = var.iam_role_name + + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = "sts:AssumeRole" + Effect = "Allow" + Sid = "" + Principal = { + AWS = "arn:aws:iam::${var.ottertune_account_id}:root" + } + Condition = { + StringEquals = var.external_id + } + }, + ] + }) +} data "aws_iam_policy_document" "ottertune_db_policy" { statement { 
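Review bot: `Condition = { StringEquals = var.external_id }` in the `assume_role_policy` is malformed: `StringEquals` must map a condition key to the value, i.e. `StringEquals = { "sts:ExternalId" = var.external_id }`, so IAM rejects this trust policy as a malformed document instead of enforcing the external ID that guards the cross-account trust against the confused-deputy problem. PATCH 12 and PATCH 13 of this series replace the inline `jsonencode` with an `aws_iam_policy_document` keyed on `sts:ExternalId`, which resolves it. The `provider "aws" {}` block should not live in a reusable module, since the root configuration owns provider configuration; PATCH 04 removes it.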
@@ -43,162 +75,4 @@ data "aws_iam_policy_document" "ottertune_cluster_tuning_policy" { actions = ["rds:ModifyDBParameterGroup"] resources = var.tunable_aurora_cluster_parameter_group_arns } -} - -data "aws_iam_policy_document" "code_pipeline_full_access" { - statement { - actions = [ - "codepipeline:*", - "cloudformation:DescribeStacks", - "cloudformation:ListChangeSets", - "cloudtrail:CreateTrail", - "cloudtrail:DescribeTrails", - "cloudtrail:GetEventSelectors", - "cloudtrail:PutEventSelectors", - "cloudtrail:StartLogging", - "codebuild:BatchGetProjects", - "codebuild:CreateProject", - "codebuild:ListCuratedEnvironmentImages", - "codebuild:ListProjects", - "codecommit:GetBranch", - "codecommit:GetRepositoryTriggers", - "codecommit:ListBranches", - "codecommit:ListRepositories", - "codecommit:PutRepositoryTriggers", - "codecommit:GetReferences", - "codedeploy:GetApplication", - "codedeploy:BatchGetApplications", - "codedeploy:GetDeploymentGroup", - "codedeploy:BatchGetDeploymentGroups", - "codedeploy:ListApplications", - "codedeploy:ListDeploymentGroups", - "devicefarm:GetDevicePool", - "devicefarm:GetProject", - "devicefarm:ListDevicePools", - "devicefarm:ListProjects", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs", - "ecr:DescribeRepositories", - "ecr:ListImages", - "ecs:ListClusters", - "ecs:ListServices", - "elasticbeanstalk:DescribeApplications", - "elasticbeanstalk:DescribeEnvironments", - "iam:ListRoles", - "iam:GetRole", - "lambda:GetFunctionConfiguration", - "lambda:ListFunctions", - "events:ListRules", - "events:ListTargetsByRule", - "events:DescribeRule", - "opsworks:DescribeApps", - "opsworks:DescribeLayers", - "opsworks:DescribeStacks", - "s3:GetBucketPolicy", - "s3:GetBucketVersioning", - "s3:GetObjectVersion", - "s3:ListAllMyBuckets", - "s3:ListBucket", - "sns:ListTopics", - "codestar-notifications:ListNotificationRules", - "codestar-notifications:ListTargets", - "codestar-notifications:ListTagsforResource", - 
"codestar-notifications:ListEventTypes", - "states:ListStateMachines" - ] - resources = ["*"] - } - statement { - actions = [ - "s3:GetObject", - "s3:CreateBucket", - "s3:PutBucketPolicy" - ] - resources = ["arn:aws:s3::*:codepipeline-*"] - } - statement { - actions = ["iam:PassRole"] - resources = ["arn:aws:iam::*:role/service-role/cwe-role-*"] - condition { - test = "StringEquals" - variable = "iam:PassedToService" - values = ["events.amazonaws.com"] - } - } - statement { - actions = ["iam:PassRole"] - resources = ["*"] - condition { - test = "StringEquals" - variable = "iam:PassedToService" - values = ["codepipeline.amazonaws.com"] - } - } - statement { - actions = [ - "events:PutRule", - "events:PutTargets", - "events:DeleteRule", - "events:DisableRule", - "events:RemoveTargets" - ] - resources = ["arn:aws:events:*:*:rule/codepipeline-*"] - } - statement { - actions = [ - "codestar-notifications:CreateNotificationRule", - "codestar-notifications:DescribeNotificationRule", - "codestar-notifications:UpdateNotificationRule", - "codestar-notifications:DeleteNotificationRule", - "codestar-notifications:Subscribe", - "codestar-notifications:Unsubscribe" - ] - resources = ["*"] - condition { - test = "StringLike" - variable = "codestar-notifications:NotificationsForResource" - values = ["arn:aws:codepipeline:*"] - } - } - statement { - sid = "CodeStarNotificationsSnsTopicCreateAccess" - actions = [ - "sns:CreateTopic", - "sns:SetTopicAttributes" - ] - resources = ["arn:aws:sns:*:*:codestar-notifications*"] - } - statement { - sid = "CodeStarNotificationsChatbotAccess" - actions = [ - "chatbot:DescribeSlackChannelConfigurations" - ] - resources = ["*"] - } -} - -module "aggregated_managed_policy" { - source = "cloudposse/iam-policy-document-aggregator/aws" - version = "0.8.0" - - source_documents = [ - data.aws_iam_policy_document.code_pipeline_approver_access.json, - data.aws_iam_policy_document.s3_full_access.json, - 
data.aws_iam_policy_document.code_build_developers_access.json, - data.aws_iam_policy_document.elasti_cache_read_only_access.json, - data.aws_iam_policy_document.cloud_watch_logs_read_only_access.json, - data.aws_iam_policy_document.rds_read_only_access.json, - data.aws_iam_policy_document.code_pipeline_full_access.json, - ] -} - -data "aws_iam_policy_document" "parameter_store" { - statement { - actions = ["ssm:GetParameter"] - resources = [ - "*" - ] - effect = "Allow" - } -} +} \ No newline at end of file From bd7efbd247ea352974004850a504269b6b923d34 Mon Sep 17 00:00:00 2001 From: Neal Kaviratna Date: Wed, 19 Jan 2022 21:02:05 +0000 Subject: [PATCH 03/15] everything but provider working --- .terraform.lock.hcl | 21 +++++++++++++++++++++ main.tf | 21 ++++++++++++++++++++- variables.tf | 5 ----- 3 files changed, 41 insertions(+), 6 deletions(-) create mode 100755 .terraform.lock.hcl diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl new file mode 100755 index 0000000..fa76937 --- /dev/null +++ b/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "3.72.0" + constraints = ">= 2.23.0" + hashes = [ + "h1:OH3yw9pasENmaAowGtukjSAGePqka6iKlBpWvviySoE=", + "zh:0c4615ff3c6bc9700d8f16a5a644ddfcb666eaddbf2f77d71616008a28e4db75", + "zh:29eb139a8fbb98391652fa1eb4668ad5a13a31d45a6c06fe2b1d66903c4e6509", + "zh:3e73a9cf67d30c400456011cc8ed036bce68df8fd8131d591a929186e43ab80b", + "zh:46090da59293464e1865190b2e67ae63103c9d87a16a5fcb982ce748369666d6", + "zh:4fb25d9b139cb1856e519bff4fd49695285fa63a1d57e1c0efc1791bb36532a8", + "zh:5acd99d2b22cd45f18c93905a6e5122712c48f432db3c3c3518af449c10ae7e6", + "zh:95e53770503127e6de9f71d02e0bafdf0c7e7490f93401e05b6015bc7fa94b29", + "zh:b31524932e804de5ef5613d3646892eb55656f062bcbb9d7c29cf6539f82397e", + "zh:d977b9f8657c3026340295015930ef58caba5c2f59fd2e63e230c0b9ddba1ee7", + "zh:fcb0202ad1b8de19f1cd58d0b60147cae5dd4f869a861f619e8e5d27f8a936a9", + "zh:fe85cf3c44834230c2aaa2d0c622ddde1e33398bbe9f7213011eba68130b1588", + ] +} diff --git a/main.tf b/main.tf index 08b8f1d..e18fbfe 100644 --- a/main.tf +++ b/main.tf @@ -8,7 +8,6 @@ terraform { } provider "aws" { - # Configuration options } resource "aws_iam_role" "ottertune_role" { @@ -55,6 +54,7 @@ data "aws_iam_policy_document" "ottertune_db_policy" { } } + data "aws_iam_policy_document" "ottertune_connect_policy" { statement { actions = ["rds-db:connect"] 
@@ -75,4 +75,23 @@ data "aws_iam_policy_document" "ottertune_cluster_tuning_policy" { actions = ["rds:ModifyDBParameterGroup"] resources = var.tunable_aurora_cluster_parameter_group_arns } +} + +data "aws_iam_policy_document" "ottertune_policy_document_combined" { + source_policy_documents = [ + data.aws_iam_policy_document.ottertune_db_policy.json, + data.aws_iam_policy_document.ottertune_connect_policy.json, + data.aws_iam_policy_document.ottertune_tuning_policy.json, + data.aws_iam_policy_document.ottertune_cluster_tuning_policy.json + ] +} + +resource "aws_iam_policy" "ottertune_policy" { + name = "ottertune_policy" + policy = data.aws_iam_policy_document.ottertune_policy_document_combined.json +} + +resource "aws_iam_role_policy_attachment" "attach_db_policy" { + role = "ottertune_role" + policy_arn = aws_iam_policy.ottertune_policy.arn } \ No newline at end of file diff --git a/variables.tf b/variables.tf index 18b7058..b897475 100644 --- a/variables.tf +++ b/variables.tf @@ -1,9 +1,4 @@ -# Terraform provider for aws -variable "aws_provider" { - type = string -} - # External ID for the OtterTune role. Copy from OtterTune role setup wizard. variable "external_id" { type = string From 5e93172a2f3796b7808fdcfe4f3821c9055f5bef Mon Sep 17 00:00:00 2001 From: Neal Kaviratna Date: Wed, 19 Jan 2022 21:25:44 +0000 Subject: [PATCH 04/15] remove provider in main --- main.tf | 3 --- 1 file changed, 3 deletions(-) diff --git a/main.tf b/main.tf index e18fbfe..635d137 100644 --- a/main.tf +++ b/main.tf @@ -7,9 +7,6 @@ terraform { } } -provider "aws" { -} - resource "aws_iam_role" "ottertune_role" { name = var.iam_role_name From 0bf2be6353d9013716ab9ce67a3a3c2c90025f17 Mon Sep 17 00:00:00 2001 From: Neal Kaviratna Date: Wed, 19 Jan 2022 16:53:51 -0500 Subject: [PATCH 05/15] Update README.md --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 44b3ca8..8fa057f 100644 --- a/README.md +++ b/README.md 
@@ -1 +1,3 @@ -# terraform-aws-ottertune-iam-role \ No newline at end of file +# OtterTune IAM + +In order for OtterTune to provide maximum value to your AWS hosted database fleet. You will need to create an IAM role and policies to let OtterTune inspect and modify certain aspects of your databases and system. This Terraform module provides an easy way to quickly set up the necessary IAM reources. For more details on the needed permissions check out our documentation: https://docs.ottertune.com/info/aws-permissions From ce611b04149a0c8c73616d665e5f4361dd110719 Mon Sep 17 00:00:00 2001 From: Neal Kaviratna Date: Wed, 19 Jan 2022 16:54:13 -0500 Subject: [PATCH 06/15] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8fa057f..5ceb6f8 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,3 @@ -# OtterTune IAM +# OtterTune IAM Roles / Policies In order for OtterTune to provide maximum value to your AWS hosted database fleet. You will need to create an IAM role and policies to let OtterTune inspect and modify certain aspects of your databases and system. This Terraform module provides an easy way to quickly set up the necessary IAM reources. For more details on the needed permissions check out our documentation: https://docs.ottertune.com/info/aws-permissions From 4ee54c6e06b90db2f68691d80b90e340cd75b0c7 Mon Sep 17 00:00:00 2001 From: Neal Kaviratna Date: Wed, 19 Jan 2022 16:54:57 -0500 Subject: [PATCH 07/15] newline --- variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index b897475..1679dce 100644 --- a/variables.tf +++ b/variables.tf @@ -29,4 +29,4 @@ variable "tunable_aurora_cluster_parameter_group_arns" { variable "ottertune_account_id" { type = string default = "691523222388" -} \ No newline at end of file +} From ab32e40de1770b763f9bbba24e91185598ee30d6 Mon Sep 17 00:00:00 2001 
From: Neal Kaviratna Date: Thu, 20 Jan 2022 15:49:26 +0000 Subject: [PATCH 08/15] add output --- outputs.tf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/outputs.tf b/outputs.tf index e69de29..485ecc9 100644 --- a/outputs.tf +++ b/outputs.tf @@ -0,0 +1,3 @@ +output "ottertune_role_arn" { + value = aws_iam_policy.ottertune_policy.arn +} \ No newline at end of file From 0a634d1238a50c7bd3f0ffd7f739a4ff13950108 Mon Sep 17 00:00:00 2001 From: Neal Kaviratna Date: Thu, 20 Jan 2022 15:50:07 +0000 Subject: [PATCH 09/15] remove lock --- .terraform.lock.hcl | 21 --------------------- 1 file changed, 21 deletions(-) delete mode 100755 .terraform.lock.hcl diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl deleted file mode 100755 index fa76937..0000000 --- a/.terraform.lock.hcl +++ /dev/null @@ -1,21 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "3.72.0" - constraints = ">= 2.23.0" - hashes = [ - "h1:OH3yw9pasENmaAowGtukjSAGePqka6iKlBpWvviySoE=", - "zh:0c4615ff3c6bc9700d8f16a5a644ddfcb666eaddbf2f77d71616008a28e4db75", - "zh:29eb139a8fbb98391652fa1eb4668ad5a13a31d45a6c06fe2b1d66903c4e6509", - "zh:3e73a9cf67d30c400456011cc8ed036bce68df8fd8131d591a929186e43ab80b", - "zh:46090da59293464e1865190b2e67ae63103c9d87a16a5fcb982ce748369666d6", - "zh:4fb25d9b139cb1856e519bff4fd49695285fa63a1d57e1c0efc1791bb36532a8", - "zh:5acd99d2b22cd45f18c93905a6e5122712c48f432db3c3c3518af449c10ae7e6", - "zh:95e53770503127e6de9f71d02e0bafdf0c7e7490f93401e05b6015bc7fa94b29", - "zh:b31524932e804de5ef5613d3646892eb55656f062bcbb9d7c29cf6539f82397e", - "zh:d977b9f8657c3026340295015930ef58caba5c2f59fd2e63e230c0b9ddba1ee7", - "zh:fcb0202ad1b8de19f1cd58d0b60147cae5dd4f869a861f619e8e5d27f8a936a9", - "zh:fe85cf3c44834230c2aaa2d0c622ddde1e33398bbe9f7213011eba68130b1588", - ] -} From e245c21237ec34b3ba6b33f04fb4317ed54d88f7 Mon Sep 17 00:00:00 2001 
From: Neal Kaviratna Date: Thu, 20 Jan 2022 15:50:32 +0000 Subject: [PATCH 10/15] newline --- outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/outputs.tf b/outputs.tf index 485ecc9..bcc0cce 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,3 +1,3 @@ output "ottertune_role_arn" { value = aws_iam_policy.ottertune_policy.arn -} \ No newline at end of file +} From c67d728446c7b7c051515bfce7c4b675b48499e1 Mon Sep 17 00:00:00 2001 From: Neal Kaviratna Date: Thu, 20 Jan 2022 10:55:03 -0500 Subject: [PATCH 11/15] code review, fix documentation Co-authored-by: Robbie McKinstry --- variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index 1679dce..93f668f 100644 --- a/variables.tf +++ b/variables.tf @@ -4,7 +4,7 @@ variable "external_id" { type = string } -# External ID for the OtterTune role. Copy from OtterTune role setup wizard. +# Role Name for the OtterTune role. This name can be whatever you like.``` variable "iam_role_name" { type = string default = "OtterTuneRole" From fc6d1eed2a0967262606a4293a3afc7201405a41 Mon Sep 17 00:00:00 2001 From: Neal Kaviratna Date: Thu, 20 Jan 2022 16:59:35 +0000 Subject: [PATCH 12/15] get test working --- main.tf | 50 ++++++++++++++++++++++++++------------------------ outputs.tf | 2 +- 2 files changed, 27 insertions(+), 25 deletions(-) diff --git a/main.tf b/main.tf index 635d137..ba41526 100644 --- a/main.tf +++ b/main.tf 
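Review bot: The new comment line `# Role Name for the OtterTune role. This name can be whatever you like.```` in the variables.tf hunk ends with three stray backticks, presumably pasted from a review suggestion; the same line is still shown as context in PATCH 14, so the typo survives the series. Suggested text: `# Role name for the OtterTune role. This name can be whatever you like.`. A `description` attribute on `variable "iam_role_name"` would make this text visible to module callers rather than only to readers of the source.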
@@ -7,25 +7,29 @@ terraform { } } +data "aws_iam_policy_document" "assume_role_policy" { + statement { + sid = "" + effect = "Allow" + actions = ["sts:AssumeRole"] + + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${var.ottertune_account_id}:root"] + } + + condition { + test = "StringEquals" + variable = "s3:ExternalId" + + values = [var.external_id] + } + } +} + resource "aws_iam_role" "ottertune_role" { name = var.iam_role_name - - assume_role_policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = "sts:AssumeRole" - Effect = "Allow" - Sid = "" - Principal = { - AWS = "arn:aws:iam::${var.ottertune_account_id}:root" - } - Condition = { - StringEquals = var.external_id - } - }, - ] - }) + assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json } data "aws_iam_policy_document" "ottertune_db_policy" { @@ -75,12 +79,10 @@ data "aws_iam_policy_document" "ottertune_cluster_tuning_policy" { } data "aws_iam_policy_document" "ottertune_policy_document_combined" { - source_policy_documents = [ - data.aws_iam_policy_document.ottertune_db_policy.json, - data.aws_iam_policy_document.ottertune_connect_policy.json, - data.aws_iam_policy_document.ottertune_tuning_policy.json, - data.aws_iam_policy_document.ottertune_cluster_tuning_policy.json - ] + source_policy_documents = concat([data.aws_iam_policy_document.ottertune_db_policy.json, + data.aws_iam_policy_document.ottertune_connect_policy.json], + length(var.tunable_parameter_group_arns) > 0 ? [data.aws_iam_policy_document.ottertune_tuning_policy.json]:[], + length(var.tunable_aurora_cluster_parameter_group_arns) > 0 ? [data.aws_iam_policy_document.ottertune_cluster_tuning_policy.json]:[]) } resource "aws_iam_policy" "ottertune_policy" { 
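Review bot: The `concat(...)` expression in `ottertune_policy_document_combined` (second hunk) encodes an IAM constraint that deserves a comment: when `var.tunable_parameter_group_arns` or the Aurora list is empty, the corresponding tuning document renders a statement with no `Resource`, and IAM rejects an identity policy statement without resources, so the length guards are what keep monitoring-only mode deployable. Suggested comment above the attribute: `# Tuning documents are merged in only when their ARN lists are non-empty; a statement with no Resource is rejected when aws_iam_policy is created, which would break monitoring-only mode.` In the first hunk, `sid = ""` on the assume-role statement adds nothing and can be dropped. The `s3:ExternalId` condition key in that hunk is corrected to `sts:ExternalId` by PATCH 13.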
@@ -89,6 +91,6 @@ resource "aws_iam_policy" "ottertune_policy" { } resource "aws_iam_role_policy_attachment" "attach_db_policy" { - role = "ottertune_role" + role = aws_iam_role.ottertune_role.name policy_arn = aws_iam_policy.ottertune_policy.arn } \ No newline at end of file diff --git a/outputs.tf b/outputs.tf index bcc0cce..497b9d8 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,3 +1,3 @@ output "ottertune_role_arn" { - value = aws_iam_policy.ottertune_policy.arn + value = aws_iam_role.ottertune_role.arn } From bb8ad29fe0223553883dc0a77ab28c02694c0aa0 Mon Sep 17 00:00:00 2001 From: Neal Kaviratna Date: Thu, 20 Jan 2022 17:19:12 +0000 Subject: [PATCH 13/15] bug fix s3 -> sts --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index ba41526..a25b0f6 100644 --- a/main.tf +++ b/main.tf @@ -20,7 +20,7 @@ data "aws_iam_policy_document" "assume_role_policy" { condition { test = "StringEquals" - variable = "s3:ExternalId" + variable = "sts:ExternalId" values = [var.external_id] } From 5383f5daead1b675ba3e6cc92346012a2715a999 Mon Sep 17 00:00:00 2001 From: Neal Kaviratna Date: Thu, 20 Jan 2022 17:26:19 +0000 Subject: [PATCH 14/15] format --- main.tf | 24 ++++++++++++------------ variables.tf | 8 ++++---- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/main.tf b/main.tf index a25b0f6..5ea626d 100644 --- a/main.tf +++ b/main.tf @@ -1,20 +1,20 @@ terraform { required_providers { aws = { - source = "hashicorp/aws" - version = "3.72.0" + source = "hashicorp/aws" + version = ">= 3.72.0" } } } data "aws_iam_policy_document" "assume_role_policy" { statement { - sid = "" - effect = "Allow" + sid = "" + effect = "Allow" actions = ["sts:AssumeRole"] principals { - type = "AWS" + type = "AWS" identifiers = ["arn:aws:iam::${var.ottertune_account_id}:root"] } 
@@ -28,7 +28,7 @@ data "aws_iam_policy_document" "assume_role_policy" { } resource "aws_iam_role" "ottertune_role" { - name = var.iam_role_name + name = var.iam_role_name assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json } @@ -58,7 +58,7 @@ data "aws_iam_policy_document" "ottertune_db_policy" { data "aws_iam_policy_document" "ottertune_connect_policy" { statement { - actions = ["rds-db:connect"] + actions = ["rds-db:connect"] resources = ["arn:aws:rds-db:*:*:dbuser:*/ottertune*"] } } @@ -66,23 +66,23 @@ data "aws_iam_policy_document" "ottertune_connect_policy" { data "aws_iam_policy_document" "ottertune_tuning_policy" { statement { - actions = ["rds:ModifyDBParameterGroup"] + actions = ["rds:ModifyDBParameterGroup"] resources = var.tunable_parameter_group_arns } } data "aws_iam_policy_document" "ottertune_cluster_tuning_policy" { statement { - actions = ["rds:ModifyDBParameterGroup"] + actions = ["rds:ModifyDBParameterGroup"] resources = var.tunable_aurora_cluster_parameter_group_arns } } data "aws_iam_policy_document" "ottertune_policy_document_combined" { source_policy_documents = concat([data.aws_iam_policy_document.ottertune_db_policy.json, - data.aws_iam_policy_document.ottertune_connect_policy.json], - length(var.tunable_parameter_group_arns) > 0 ? [data.aws_iam_policy_document.ottertune_tuning_policy.json]:[], - length(var.tunable_aurora_cluster_parameter_group_arns) > 0 ? [data.aws_iam_policy_document.ottertune_cluster_tuning_policy.json]:[]) + data.aws_iam_policy_document.ottertune_connect_policy.json], + length(var.tunable_parameter_group_arns) > 0 ? [data.aws_iam_policy_document.ottertune_tuning_policy.json] : [], + length(var.tunable_aurora_cluster_parameter_group_arns) > 0 ? [data.aws_iam_policy_document.ottertune_cluster_tuning_policy.json] : []) } resource "aws_iam_policy" "ottertune_policy" { diff --git a/variables.tf b/variables.tf index 93f668f..ff91121 100644 --- a/variables.tf +++ b/variables.tf 
@@ -6,7 +6,7 @@ variable "external_id" { # Role Name for the OtterTune role. This name can be whatever you like.``` variable "iam_role_name" { - type = string + type = string default = "OtterTuneRole" } @@ -14,7 +14,7 @@ variable "iam_role_name" { # Leave blank if you would like to run OtterTune in monitoring-only mode for now. This can be updated later. # ARN Format: arn:aws:rds:::pg: variable "tunable_parameter_group_arns" { - type = list(string) + type = list(string) default = [] } @@ -22,11 +22,11 @@ variable "tunable_parameter_group_arns" { # Leave blank if you would like to run OtterTune in monitoring-only mode for now. This can be updated later. # ARN Format: arn:aws:rds:::pg: variable "tunable_aurora_cluster_parameter_group_arns" { - type = list(string) + type = list(string) default = [] } variable "ottertune_account_id" { - type = string + type = string default = "691523222388" } From 5677448065130a318cc5b87bade0bf5fca426897 Mon Sep 17 00:00:00 2001 From: Neal Kaviratna Date: Thu, 20 Jan 2022 17:34:51 +0000 Subject: [PATCH 15/15] fix version reqs --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 5ea626d..2492b9b 100644 --- a/main.tf +++ b/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.72.0" + version = ">= 3.53.0" } } } @@ -86,7 +86,7 @@ data "aws_iam_policy_document" "ottertune_policy_document_combined" { } resource "aws_iam_policy" "ottertune_policy" { - name = "ottertune_policy" + name = "${var.iam_role_name}_policy" policy = data.aws_iam_policy_document.ottertune_policy_document_combined.json }
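Review bot: The `version = ">= 3.53.0"` floor in the `terraform` block is not explained in the code; as far as I recall 3.53.0 is the first hashicorp/aws release with `source_policy_documents` on `aws_iam_policy_document`, which `ottertune_policy_document_combined` depends on, so record that next to the constraint: `# >= 3.53.0: first release with source_policy_documents on aws_iam_policy_document`. The block also sets no `required_version`; `required_providers` with a `source` attribute already implies Terraform 0.13 or newer, and `required_version = ">= 0.13"` would state that explicitly. Renaming the policy to `"${var.iam_role_name}_policy"` in the second hunk forces replacement of `aws_iam_policy.ottertune_policy` for anyone who applied the earlier commits, which is worth a line in the commit message.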