
Updated IAM policy for James Jarrett for vmimport. Tag v0.6.1

Fred Damstra 5 년 전
부모
커밋
7a9be4c10a
2개의 변경된 파일40개의 추가작업 그리고 33개의 파일을 삭제
  1. 29 33
      base/shared_ami_key/main.tf
  2. 11 0
      base/shared_ami_key/vars.tf

+ 29 - 33
base/shared_ami_key/main.tf

@@ -3,6 +3,18 @@ locals {
     for account in var.account_list:
       "arn:${var.aws_partition}:iam::${account}:root"
   ]
+
+  all_keys = concat([ "${module.shared_ami_key.key_arn}" ], var.vmimport_extra_keys)
+
+  buckets = [
+    for bucket in concat([ aws_s3_bucket.xdr-shared-amis.arn ], var.vmimport_extra_buckets):
+      "${bucket}"
+  ]
+  bucket_contents = [
+    for bucket in concat([ aws_s3_bucket.xdr-shared-amis.arn ], var.vmimport_extra_buckets):
+      "${bucket}/*"
+  ]
+  bucket_resources = concat(local.buckets, local.bucket_contents)
 }
 
 output other {
@@ -68,46 +80,30 @@ resource "aws_iam_role_policy" "vmimport" {
   role = aws_iam_role.vmimport.id
   policy = <<EOF
 {
-   "Version":"2012-10-17",
-   "Statement":[
+  "Version":"2012-10-17",
+  "Statement": [
     {
      "Sid": "AllowAccesstoImportsBucket", 
      "Effect": "Allow",
      "Action": [
       "s3:GetBucketLocation",
       "s3:GetObject",
-      "s3:ListBucket" 
+      "s3:GetBucketAcl",
+      "s3:ListBucket", 
+      "s3:PutObject"
      ],
-     "Resource": [
-      "${aws_s3_bucket.xdr-shared-amis.arn}",
-      "${aws_s3_bucket.xdr-shared-amis.arn}/*"
-     ]
+     "Resource": ${jsonencode(local.bucket_resources)}
     },
     {
-     "Sid": "AllowAccesstoExportsBucket", 
-     "Effect": "Allow",
-     "Action": [
-      "s3:GetBucketLocation",
-      "s3:GetObject",
-      "s3:ListBucket",
-      "s3:PutObject",
-      "s3:GetBucketAcl"
-     ],
-     "Resource": [
-      "${aws_s3_bucket.xdr-shared-amis.arn}",
-      "${aws_s3_bucket.xdr-shared-amis.arn}/*"
-     ]
-    },
-    {
-     "Sid": "AllowAccesstodoImportExportActions",
-     "Effect": "Allow",
-     "Action": [
-      "ec2:ModifySnapshotAttribute",
-      "ec2:CopySnapshot",
-      "ec2:RegisterImage",
-      "ec2:Describe*"
-     ],
-     "Resource": "*"
+      "Sid": "AllowAccesstodoImportExportActions",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:ModifySnapshotAttribute",
+        "ec2:CopySnapshot",
+        "ec2:RegisterImage",
+        "ec2:Describe*"
+      ],
+      "Resource": "*"
     },
     {
       "Sid": "AllowAccesstotheKMSkey",
@@ -120,9 +116,9 @@ resource "aws_iam_role_policy" "vmimport" {
         "kms:GenerateDataKey*",
         "kms:ReEncrypt*"
       ],
-      "Resource": "${module.shared_ami_key.key_arn}"
+      "Resource": ${jsonencode(local.all_keys)}
     }
-   ]
+  ]
 }
 EOF
 }
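Review bot: The merged statement at `"Sid": "AllowAccesstoImportsBucket"` now grants `s3:PutObject` (and `s3:GetBucketAcl`) on every entry of `var.vmimport_extra_buckets` as well as the original bucket, but the Sid still describes read access to a single imports bucket. Either rename it to reflect the wider grant (e.g. `"Sid": "AllowImportExportBucketAccess"`) or keep the read-only import statement separate from the write statement so that write access to caller-supplied buckets is explicit when the policy is reviewed. In the locals hunk, `"${bucket}"` in the `buckets` for-expression is a redundant interpolation of a string value and can be just `bucket`; the same applies to `"${module.shared_ami_key.key_arn}"` in `all_keys`. `ec2:Describe*` on `"Resource": "*"` is unchanged by this commit, and the enclosing `aws_iam_role_policy` resource begins outside the hunk.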

+ 11 - 0
base/shared_ami_key/vars.tf

@@ -4,6 +4,17 @@ variable ami_bucket_name {
   type = string
   default = "xdr-shared-amis"
 }
+variable vmimport_extra_keys {
+  type = list(string)
+  default = []
+  description = "Extra keys to grant the vmimport role access to"
+}
+variable vmimport_extra_buckets {
+  type = list(string)
+  default = []
+  description = "Extra buckets to grant the vmimport role access to"
+}
+
 
 # inherited variables
 variable standard_tags { type = map }
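Review bot: The two new variables are described as "Extra keys" and "Extra buckets", but main.tf concatenates their values directly with `aws_s3_bucket.xdr-shared-amis.arn` and `module.shared_ami_key.key_arn` and emits them as IAM `Resource` entries, so they must be full ARNs; a caller passing bare bucket names or key IDs would produce a policy that does not match anything. Make the expected format explicit: `description = "Extra KMS key ARNs to grant the vmimport role access to"` and `description = "Extra S3 bucket ARNs (no trailing /*) to grant the vmimport role read/write access to"`. If the module's Terraform version supports it, a `validation` block checking the `arn:` prefix would catch this at plan time, though I cannot tell the pinned version from this page.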