diff --git a/main.tf b/main.tf
index 8a283c3..8a8f5c2 100644
--- a/main.tf
+++ b/main.tf
@@ -34,7 +34,22 @@ resource "aws_iam_role" "ottertune_role" {
 data "aws_iam_policy_document" "ottertune_db_policy" {
 statement {
- actions = [
+ actions = var.permissions_level == "write_limited" ? [
+ "budgets:Describe*",
+ "ce:Describe*",
+ "ce:Get*",
+ "ce:List*",
+ "cloudwatch:Describe*",
+ "cloudwatch:Get*",
+ "cloudwatch:List*",
+ "iam:SimulatePrincipalPolicy",
+ "pi:DescribeDimensionKeys",
+ "pi:GetResourceMetrics",
+ "rds:Describe*",
+ "rds:List*",
+ "rds:ModifyDBInstance",
+ "rds:ModifyDBCluster",
+ ] : [
 "budgets:Describe*",
 "ce:Describe*",
 "ce:Get*",
@@ -61,6 +76,42 @@ data "aws_iam_policy_document" "ottertune_connect_policy" {
 }
+data "aws_iam_policy_document" "ottertune_copy_pg_policy" {
+ statement {
+ actions = [
+ "rds:CopyDBParameterGroup",
+ "rds:CopyDBClusterParameterGroup",
+ ]
+ resources = [
+ "arn:aws:rds:*:*:pg:*",
+ "arn:aws:rds:*:*:cluster-pg:*"
+ ]
+ }
+}
+
+
+data "aws_iam_policy_document" "ottertune_pg_policy" {
+ statement {
+ actions = [
+ "rds:CreateDBParameterGroup",
+ "rds:ModifyDBParameterGroup",
+ ]
+ resources = ["arn:aws:rds:*:*:pg:ottertune*"]
+ }
+}
+
+
+data "aws_iam_policy_document" "ottertune_cluster_pg_policy" {
+ statement {
+ actions = [
+ "rds:CreateDBClusterParameterGroup",
+ "rds:ModifyDBClusterParameterGroup",
+ ]
+ resources = ["arn:aws:rds:*:*:cluster-pg:ottertune*"]
+ }
+}
+
+
 data "aws_iam_policy_document" "ottertune_tuning_policy" {
 statement {
 actions = ["rds:ModifyDBParameterGroup"]
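Review bot: The `write_limited` arm adds `rds:ModifyDBInstance` and `rds:ModifyDBCluster` to the same statement as the read-only actions, so they inherit that statement's `resources`, which is outside this hunk; if it is `"*"`, the role can modify any instance or cluster in the account. Those two actions cover far more than attaching a parameter group (ModifyDBInstance is also how `MasterUserPassword`, `VpcSecurityGroupIds`, `PubliclyAccessible` and `DeletionProtection` are changed), so they belong in their own statement whose `resources` names the instances and clusters OtterTune is allowed to tune, the same way the added `ottertune_pg_policy` confines writes to `pg:ottertune*`. A `dynamic "statement"` keyed on the permission level also removes the duplication of the whole read-only list across both arms of the conditional, which will drift over time. The enclosing statement continues outside the hunk.
```hcl
    actions = [
      # … unchanged: the read-only action list, kept once instead of once per arm …
    ]
    # … unchanged: remainder of the read-only statement …

  # Instance/cluster modification has far wider effect than parameter-group tuning;
  # keep it in its own statement so it can be resource-scoped and reviewed separately.
  dynamic "statement" {
    for_each = var.permissions_level == "write_limited" ? [1] : []
    content {
      actions   = ["rds:ModifyDBInstance", "rds:ModifyDBCluster"]
      resources = ["<PLACEHOLDER: ARNs of the DB instances and clusters OtterTune may modify>"]
    }
  }
```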
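Review bot: The three new documents need a comment explaining why `ottertune_copy_pg_policy` is allowed on `pg:*` / `cluster-pg:*` while Create/Modify are confined to the `ottertune*` name prefix; without it the next reader will either "tighten" the copy statement to the prefix and break copying from an existing source group, or fail to notice that, as far as this statement goes, the copy target name is not prefix-constrained either. Suggested header on the copy document: `# Copy* needs any source group as a resource; the copy target is not name-constrained here — only Create/Modify below are limited to the ottertune* prefix.` Also, `ottertune_pg_policy` and `ottertune_cluster_pg_policy` differ only in the action names and the ARN resource type, so one document with two statements would keep the whole write-limited surface reviewable in one place. All three documents are fully inside the hunk.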
@@ -78,6 +129,7 @@ data "aws_iam_policy_document" "ottertune_cluster_tuning_policy" {
 data "aws_iam_policy_document" "ottertune_policy_document_combined" {
 source_policy_documents = concat([data.aws_iam_policy_document.ottertune_db_policy.json, data.aws_iam_policy_document.ottertune_connect_policy.json],
+ var.permissions_level == "write_limited" ? [data.aws_iam_policy_document.ottertune_copy_pg_policy.json, data.aws_iam_policy_document.ottertune_pg_policy.json, data.aws_iam_policy_document.ottertune_cluster_pg_policy.json] : [],
 length(var.tunable_parameter_group_arns) > 0 ? [data.aws_iam_policy_document.ottertune_tuning_policy.json] : [],
 length(var.tunable_aurora_cluster_parameter_group_arns) > 0 ? [data.aws_iam_policy_document.ottertune_cluster_tuning_policy.json] : [])
 }
diff --git a/variables.tf b/variables.tf
index fa401bd..f9b07da 100644
--- a/variables.tf
+++ b/variables.tf
@@ -10,6 +10,12 @@ variable "iam_role_name" {
 default = "OtterTuneRole"
 }
+variable "permissions_level" {
+ description = "The permissions level associated with the created role. Currently the two options are: read_only | write_limited"
+ type = string
+ default = "read_only"
+}
+
 variable "tunable_parameter_group_arns" {
 description = <<-EOT
 Pass in the parameter group ARNs that you would like to allow OtterTune to optimize.
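Review bot: The added `concat` element is one very long line carrying three document references plus the permission-level test, which makes the set of documents that make up the role hard to review in a diff; one element per line, with a comment naming what the conditional group grants, reads much better. The comparison `var.permissions_level == "write_limited"` is now evaluated both here and in `ottertune_db_policy`, so a `locals { write_limited = var.permissions_level == "write_limited" }` would give both sites one name to read and one place to change if a third level is ever added. `ottertune_policy_document_combined` is fully inside the hunk.
```hcl
  source_policy_documents = concat(
    [
      data.aws_iam_policy_document.ottertune_db_policy.json,
      data.aws_iam_policy_document.ottertune_connect_policy.json,
    ],
    # Parameter-group copy/create/modify is granted only at the write_limited level.
    local.write_limited ? [
      data.aws_iam_policy_document.ottertune_copy_pg_policy.json,
      data.aws_iam_policy_document.ottertune_pg_policy.json,
      data.aws_iam_policy_document.ottertune_cluster_pg_policy.json,
    ] : [],
    # … unchanged: tunable_parameter_group_arns / tunable_aurora_cluster_parameter_group_arns conditionals …
  )
```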
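Review bot: Every consumer of `permissions_level` in main.tf tests only `== "write_limited"`, so any other value (`"write-limited"`, `"WRITE_LIMITED"`, an empty string) silently produces the read-only role with no plan-time error, and the operator gets a role that does less than they configured without noticing; a `validation` block on the new variable turns that into a hard failure at plan time. The description should also say what `write_limited` adds, since an operator picking a level needs to see the delta, e.g. `description = "read_only grants describe/list only; write_limited additionally allows OtterTune to copy, create and modify ottertune* parameter groups and to modify DB instances and clusters."`. The variable block is entirely within the hunk.
```hcl
variable "permissions_level" {
  # … unchanged: description, type, default …

  # Fail at plan time on a misspelled level instead of silently falling back to read_only.
  validation {
    condition     = contains(["read_only", "write_limited"], var.permissions_level)
    error_message = "permissions_level must be one of: read_only, write_limited."
  }
}
```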