
Improves variables in IAM policies

Brad Poulton 4 years ago
parent
commit
e84f0b07dc

+ 8 - 6
base/codebuild_ecr_base/iam.tf

@@ -40,7 +40,7 @@ resource "aws_iam_policy" "codebuild_policy" {
         {
             "Effect": "Allow",
             "Resource": [
-                "arn:aws-us-gov:logs:us-gov-east-1:701290387780:log-group:/aws/codebuild/*"
+                "arn:${var.aws_partition}:logs:${var.aws_region}:${var.common_services_account}:log-group:/aws/codebuild/*"
             ],
             "Action": [
                 "logs:CreateLogGroup",
@@ -51,7 +51,7 @@ resource "aws_iam_policy" "codebuild_policy" {
         {
             "Effect": "Allow",
             "Resource": [
-                "arn:aws-us-gov:s3:::codepipeline-us-gov-east-1-*"
+                "arn:${var.aws_partition}:s3:::codepipeline-${var.aws_region}-*"
             ],
             "Action": [
                 "s3:PutObject",
@@ -62,7 +62,7 @@ resource "aws_iam_policy" "codebuild_policy" {
         {
             "Effect": "Allow",
             "Resource": [
-                "arn:aws-us-gov:codecommit:us-gov-east-1:701290387780:*"
+                "arn:${var.aws_partition}:codecommit:${var.aws_region}:${var.common_services_account}:*"
             ],
             "Action": [
                 "codecommit:GitPull"
@@ -71,8 +71,8 @@ resource "aws_iam_policy" "codebuild_policy" {
         {
             "Effect": "Allow",
             "Resource": [
-                "arn:aws-us-gov:s3:::xdr-codebuild-artifacts/*",
-                "arn:aws-us-gov:s3:::*"
+                "arn:${var.aws_partition}:s3:::xdr-codebuild-artifacts/*",
+                "arn:${var.aws_partition}:s3:::*"
             ],
             "Action": [
                 "s3:PutObject",
@@ -157,4 +157,6 @@ EOF
 
 # output "pop_service_account_secret" {
 #   value = "${aws_iam_access_key.pop_service_account.encrypted_secret}"
-# }
+# }
+
+# !!!!!    END OF RETAINED FOR FUTURE USE   !!!!!
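Review bot: The statement at the `@@ -71,8 +71,8 @@` hunk still lists `"arn:${var.aws_partition}:s3:::*"` alongside the artifacts-bucket ARN, so with `s3:PutObject` in its action list the CodeBuild role keeps write access to every bucket in the partition and the first, bucket-scoped entry is redundant; the commit parameterizes the partition but leaves that scope untouched. Unless a wider grant is intended, drop the `s3:::*` line and keep only `"arn:${var.aws_partition}:s3:::xdr-codebuild-artifacts/*"` (and the bucket ARN itself if `s3:ListBucket` is among the actions cut off below the hunk). Separately, the logs and codecommit statements in this file now use `var.common_services_account` while kms.tf uses `var.aws_account_id` for its principals; if these are meant to be the same account, a one-line comment such as `# log group and repo live in the common-services account, not the deploying account` would make the split deliberate rather than accidental. The `codebuild_policy` resource begins and ends outside the visible hunks.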

+ 5 - 5
base/codebuild_ecr_base/kms.tf

@@ -22,8 +22,8 @@ data "aws_iam_policy_document" "codebuild_kms_key_encryption_policy" {
       principals {
         type = "AWS"
         identifiers = [ 
-          "arn:aws-us-gov:iam::${var.aws_account_id}:role/user/mdr_terraformer",
-          "arn:aws-us-gov:iam::${var.aws_account_id}:user/MDRAdmin"
+          "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
+          "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin"
           ]
       }
       actions = [ "kms:*" ]
@@ -36,7 +36,7 @@ data "aws_iam_policy_document" "codebuild_kms_key_encryption_policy" {
       principals {
         type = "AWS"
         identifiers = [
-          "arn:aws-us-gov:iam::${var.aws_account_id}:role/user/mdr_terraformer",
+          "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
         ]
       }
 
@@ -65,7 +65,7 @@ data "aws_iam_policy_document" "codebuild_kms_key_encryption_policy" {
       principals {
         type = "AWS"
         identifiers = [
-          "arn:aws-us-gov:iam::${var.aws_account_id}:role/msoc-default-instance-role"
+          "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/msoc-default-instance-role"
         ]
       }
       actions = [
@@ -132,7 +132,7 @@ data "aws_iam_policy_document" "codebuild_kms_key_encryption_policy" {
      principals {
        type = "AWS"
        identifiers = [
-         "arn:aws-us-gov:iam::${var.aws_account_id}:role/msoc-default-instance-role"
+         "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/msoc-default-instance-role"
        ]
      }
      actions = [

+ 14 - 22
base/codebuild_ecr_base/s3.tf

@@ -16,27 +16,19 @@ resource "aws_s3_bucket" "artifacts" {
 
 resource "aws_s3_bucket_policy" "artifacts" {
   bucket = aws_s3_bucket.artifacts.id
-  policy =<<POLICY
-{
-  "Id": "Policy1532015005972",
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Sid": "Stmt1532015002611",
-      "Action": [
-        "s3:GetObject",
-        "s3:GetObjectVersion"
-      ],
-      "Effect": "Allow",
-      "Resource": "${aws_s3_bucket.artifacts.arn}/*",
-      "Principal": {
-        "AWS": [
-          "arn:aws-us-gov:iam::738800754746:root",
-          "arn:aws-us-gov:iam::721817724804:root"
-        ]
-      }
-    }
-  ]
+  policy = data.aws_iam_policy_document.artifacts.json
 }
-POLICY
+
+data "aws_iam_policy_document" "artifacts" {
+  statement {
+    sid = "AllowS3Access"
+    actions = [ "s3:GetObject", "s3:GetObjectVersion" ]
+    effect = "Allow"
+    resources = [ "${aws_s3_bucket.artifacts.arn}/*" ]
+    principals {
+      type = "AWS"
+      identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ]
+    }
+  }
 }
+
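Review bot: The two hard-coded principal lists being replaced were not the same set: this bucket policy named 738800754746 and 721817724804, while the ECR policy in base/codebuild_ecr_customer_portal/main.tf also named 701290387780, yet both now evaluate the single expression `var.responsible_accounts[var.environment]`. Either the S3 artifacts bucket now becomes readable from the third account or the ECR repository loses it; whichever is intended, it is no longer visible in this file, so a comment above the `data` block stating which accounts the map is expected to hold per environment would help the next reader. A direct index also fails the plan with an unhelpful "Invalid index" error when `var.environment` is not a key of the map; `lookup(var.responsible_accounts, var.environment, [])` paired with a `precondition` or variable `validation` gives a clearer failure than an empty `identifiers` list reaching the API.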

+ 3 - 0
base/codebuild_ecr_base/vars.tf

@@ -6,5 +6,8 @@ variable "tags" {
 variable "standard_tags" { type = map }
 variable "environment" { type = string }
 variable "aws_partition" { type = string }
+variable "aws_region" { type = string }
 variable "aws_partition_alias" { type = string }
 variable "aws_account_id" { type = string }
+variable "common_services_account" { type = string }
+variable "responsible_accounts" { type = map(list(string)) }
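Review bot: `responsible_accounts` is the variable that now decides which external accounts can read the artifacts bucket and pull from ECR, but it is declared with only `type = map(list(string))` and no `description` or `validation`; the same applies to the copy added in base/codebuild_ecr_customer_portal/vars.tf. Given its security effect, give it a `description` stating that each value is the list of account ids granted cross-account access for that environment key, and a `validation` block that rejects any element not matching a 12-digit account id pattern so a typo cannot silently grant nothing or the wrong principal. `common_services_account` and `aws_region` would likewise benefit from a one-line `description`, since their names alone do not say which account or region the ARNs in iam.tf are built for.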

+ 1 - 8
base/codebuild_ecr_customer_portal/main.tf

@@ -42,9 +42,7 @@ resource "aws_ecr_repository" "this-nginx" {
 data "aws_iam_policy_document" "ecr_cross_account_policy" {
   statement {
     sid = "ECRWrite"
-
     effect = "Allow"
-
     actions = [
       "ecr:GetAuthorizationToken",
       "ecr:GetDownloadUrlForLayer",
@@ -58,13 +56,8 @@ data "aws_iam_policy_document" "ecr_cross_account_policy" {
       "ecr:ListImages",
       "ecr:DescribeImages",
     ]
-
     principals {
-      identifiers = [
-        "arn:aws-us-gov:iam::721817724804:root",
-        "arn:aws-us-gov:iam::738800754746:root",
-        "arn:aws-us-gov:iam::701290387780:root",
-      ]
+      identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ]
       type        = "AWS"
     }
   }

+ 3 - 0
base/codebuild_ecr_customer_portal/vars.tf

@@ -7,7 +7,10 @@ variable "standard_tags" { type = map }
 variable "environment" { type = string }
 variable "aws_partition" { type = string }
 variable "aws_partition_alias" { type = string }
+variable "aws_region" { type = string }
 variable "aws_account_id" { type = string }
+variable "common_services_account" { type = string }
+variable "responsible_accounts" { type = map(list(string)) }
 variable "name" { type = string }
 variable "service_role" { type = string }
 variable "artifact_s3_bucket" { type = string }