add permissions level to tf
gormanstock committed Sep 28, 2023
1 parent 4279b80 commit ee9dbc8
Showing 2 changed files with 59 additions and 1 deletion.
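--- a/main.tf
+++ b/main.tf
@@ -34,7 +34,22 @@ resource "aws_iam_role" "ottertune_role" {
 
 data "aws_iam_policy_document" "ottertune_db_policy" {
 statement {
-actions = [
+actions = var.permissions_level == "write_limited" ? [
+"budgets:Describe*",
+"ce:Describe*",
+"ce:Get*",
+"ce:List*",
+"cloudwatch:Describe*",
+"cloudwatch:Get*",
+"cloudwatch:List*",
+"iam:SimulatePrincipalPolicy",
+"pi:DescribeDimensionKeys",
+"pi:GetResourceMetrics",
+"rds:Describe*",
+"rds:List*",
+"rds:ModifyDBInstance",
+"rds:ModifyDBCluster",
+] : [
 "budgets:Describe*",
 "ce:Describe*",
 "ce:Get*",
@@ -61,6 +76,42 @@ data "aws_iam_policy_document" "ottertune_connect_policy" {
 }
 
 
+data "aws_iam_policy_document" "ottertune_copy_pg_policy" {
+statement {
+actions = [
+"rds:CopyDBParameterGroup",
+"rds:CopyDBClusterParameterGroup",
+]
+resources = [
+"arn:aws:rds:*:*:pg:*",
+"arn:aws:rds:*:*:cluster-pg:*"
+]
+}
+}
+
+
+data "aws_iam_policy_document" "ottertune_pg_policy" {
+statement {
+actions = [
+"rds:CreateDBParameterGroup",
+"rds:ModifyDBParameterGroup",
+]
+resources = ["arn:aws:rds:*:*:pg:ottertune*"]
+}
+}
+
+
+data "aws_iam_policy_document" "ottertune_cluster_pg_policy" {
+statement {
+actions = [
+"rds:CreateDBClusterParameterGroup",
+"rds:ModifyDBClusterParameterGroup",
+]
+resources = ["arn:aws:rds:*:*:cluster-pg:ottertune*"]
+}
+}
+
+
 data "aws_iam_policy_document" "ottertune_tuning_policy" {
 statement {
 actions = ["rds:ModifyDBParameterGroup"]
@@ -78,6 +129,7 @@ data "aws_iam_policy_document" "ottertune_cluster_tuning_policy" {
 data "aws_iam_policy_document" "ottertune_policy_document_combined" {
 source_policy_documents = concat([data.aws_iam_policy_document.ottertune_db_policy.json,
 data.aws_iam_policy_document.ottertune_connect_policy.json],
+var.permissions_level == "write_limited" ? [data.aws_iam_policy_document.ottertune_copy_pg_policy.json, data.aws_iam_policy_document.ottertune_pg_policy.json, data.aws_iam_policy_document.ottertune_cluster_pg_policy.json] : [],
 length(var.tunable_parameter_group_arns) > 0 ? [data.aws_iam_policy_document.ottertune_tuning_policy.json] : [],
 length(var.tunable_aurora_cluster_parameter_group_arns) > 0 ? [data.aws_iam_policy_document.ottertune_cluster_tuning_policy.json] : [])
 }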
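Review bot: The `write_limited` branch of `ottertune_db_policy` puts `rds:ModifyDBInstance` and `rds:ModifyDBCluster` in the same statement as the Describe*/Get*/List* actions, so they inherit that statement's `resources`, which lies below the first hunk; if that scope is a region- or account-wide wildcard, the role can change security groups, master credentials, public accessibility and deletion protection on every instance and cluster, which is considerably more than the name "write_limited" suggests. Consider moving the two Modify actions into their own statement with an explicit resource list or an `aws:ResourceTag/<tag-key>` condition limited to the databases OtterTune manages, and state in a comment what "write_limited" is allowed to change. Relatedly, `ottertune_copy_pg_policy` is scoped to `arn:aws:rds:*:*:pg:*` (any account, any region) while the create/modify policies below it are narrowed to `ottertune*`; a comment such as `# copy needs read access to the customer's source parameter group; target names are constrained by the create/modify policies` would record why the wider scope is intentional, or the account field could be pinned to the current account. The literal `"write_limited"` is also compared in two places (the `actions` ternary and the `concat` in the combined document); a single `locals` boolean would keep them from drifting.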
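--- a/variables.tf
+++ b/variables.tf
@@ -10,6 +10,12 @@ variable "iam_role_name" {
 default = "OtterTuneRole"
 }
 
+variable "permissions_level" {
+description = "The permissions level associated with the created role. Currently the two options are: read_only | write_limited"
+type = string
+default = "read_only"
+}
+
 variable "tunable_parameter_group_arns" {
 description = <<-EOT
 Pass in the parameter group ARNs that you would like to allow OtterTune to optimize.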
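Review bot: `permissions_level` accepts any string, and main.tf only tests it against the literal `"write_limited"`, so a typo such as `write-limited` is silently treated as `read_only` rather than rejected at plan time; the variable should carry a `validation` block restricting it to the two documented values. The description should also spell out what `write_limited` adds (the RDS Modify actions and the parameter-group create/copy/modify policies) so an operator choosing it understands the additional permissions being granted.

```hcl
variable "permissions_level" {
  # … unchanged: description, type, default …

  validation {
    condition     = contains(["read_only", "write_limited"], var.permissions_level)
    error_message = "permissions_level must be either \"read_only\" or \"write_limited\"."
  }
}
```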
