adding example terraform config for aws iam resources

chelseyklein · chelseyklein · commit 8ae9bdcff8ab · 2024-01-18T12:17:00.000-08:00
diff --git a/terraform/aws-custom-policies.tf b/terraform/aws-custom-policies.tf
@@ -0,0 +1,13 @@
+module "aws_iam_policies" {
+  source   = "./modules/policies"
+  policies = {
+    "ManageAccessKeys" = {
+      description = "Policy for creating, listing, and updating Access Keys"
+      filename    = "manage-access-keys-policy.json"
+    },
+    "FullAccessPolicy" = {
+      description = "Full access to specific resources"
+      filename    = "full-access-policy.json"
+    }
+  }
+}
diff --git a/terraform/aws-custom-policies/existing-policies/manage-access-keys-policy.json b/terraform/aws-custom-policies/existing-policies/manage-access-keys-policy.json
@@ -0,0 +1,21 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "ListUsersForConsole",
+            "Effect": "Allow",
+            "Action": "iam:ListUsers",
+            "Resource": "arn:aws:iam::*:*"
+        },
+        {
+            "Sid": "ViewAndUpdateAccessKeys",
+            "Effect": "Allow",
+            "Action": [
+                "iam:UpdateAccessKey",
+                "iam:CreateAccessKey",
+                "iam:ListAccessKeys"
+            ],
+            "Resource": "arn:aws:iam::*:user/*"
+        }
+    ]
+}
diff --git a/terraform/aws-custom-policies/existing-policies/self-manage-credentials-policy.json b/terraform/aws-custom-policies/existing-policies/self-manage-credentials-policy.json
@@ -0,0 +1,46 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "AllowViewAccountInfo",
+            "Effect": "Allow",
+            "Action": [
+                "iam:GetAccountPasswordPolicy",
+                "iam:GetAccountSummary"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "AllowManageOwnPasswords",
+            "Effect": "Allow",
+            "Action": [
+                "iam:ChangePassword",
+                "iam:GetUser"
+            ],
+            "Resource": "arn:aws:iam::*:user/${aws:username}"
+        },
+        {
+            "Sid": "AllowManageOwnAccessKeys",
+            "Effect": "Allow",
+            "Action": [
+                "iam:CreateAccessKey",
+                "iam:DeleteAccessKey",
+                "iam:ListAccessKeys",
+                "iam:UpdateAccessKey"
+            ],
+            "Resource": "arn:aws:iam::*:user/${aws:username}"
+        },
+        {
+            "Sid": "AllowManageOwnSSHPublicKeys",
+            "Effect": "Allow",
+            "Action": [
+                "iam:DeleteSSHPublicKey",
+                "iam:GetSSHPublicKey",
+                "iam:ListSSHPublicKeys",
+                "iam:UpdateSSHPublicKey",
+                "iam:UploadSSHPublicKey"
+            ],
+            "Resource": "arn:aws:iam::*:user/${aws:username}"
+        }
+    ]
+}
diff --git a/terraform/aws-custom-policies/existing-policies/terraform-policy.json b/terraform/aws-custom-policies/existing-policies/terraform-policy.json
@@ -0,0 +1,27 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "elasticloadbalancing:DescribeTargetGroupAttributes",
+                "elasticloadbalancing:DescribeTags",
+                "s3:ListAllMyBuckets",
+                "ecr:GetRegistryScanningConfiguration"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "RDS",
+            "Effect": "Allow",
+            "Action": [
+                "rds:DescribeDBInstances",
+                "rds:DescribeDBClusters",
+                "rds:DescribeGlobalClusters",
+                "rds:DescribeDBInstances"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
diff --git a/terraform/aws-custom-policies/existing-policies/terragrunt-s3-permissions-policy.json b/terraform/aws-custom-policies/existing-policies/terragrunt-s3-permissions-policy.json
@@ -0,0 +1,46 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "AllowViewAccountInfo",
+            "Effect": "Allow",
+            "Action": [
+                "iam:GetAccountPasswordPolicy",
+                "iam:GetAccountSummary"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "AllowManageOwnPasswords",
+            "Effect": "Allow",
+            "Action": [
+                "iam:ChangePassword",
+                "iam:GetUser"
+            ],
+            "Resource": "arn:aws:iam::*:user/${aws:username}"
+        },
+        {
+            "Sid": "AllowManageOwnAccessKeys",
+            "Effect": "Allow",
+            "Action": [
+                "iam:CreateAccessKey",
+                "iam:DeleteAccessKey",
+                "iam:ListAccessKeys",
+                "iam:UpdateAccessKey"
+            ],
+            "Resource": "arn:aws:iam::*:user/${aws:username}"
+        },
+        {
+            "Sid": "AllowManageOwnSSHPublicKeys",
+            "Effect": "Allow",
+            "Action": [
+                "iam:DeleteSSHPublicKey",
+                "iam:GetSSHPublicKey",
+                "iam:ListSSHPublicKeys",
+                "iam:UpdateSSHPublicKey",
+                "iam:UploadSSHPublicKey"
+            ],
+            "Resource": "arn:aws:iam::*:user/${aws:username}"
+        }
+    ]
+}
diff --git a/terraform/aws-custom-policies/level-2-project-admin-policy.json b/terraform/aws-custom-policies/level-2-project-admin-policy.json
@@ -0,0 +1,27 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "",
+            "Effect": "",
+            "Action": [
+                "",
+                "",
+                "",
+                ""
+            ],
+            "Resource": ""
+        },
+        {
+            "Sid": "",
+            "Effect": "",
+            "Action": [
+                "",
+                "",
+                "",
+                ""
+            ],
+            "Resource": ""
+        }
+    ]
+}
diff --git a/terraform/aws-custom-policies/level-3-ops-mentor-policy.json b/terraform/aws-custom-policies/level-3-ops-mentor-policy.json
@@ -0,0 +1,27 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "",
+            "Effect": "",
+            "Action": [
+                "",
+                "",
+                "",
+                ""
+            ],
+            "Resource": ""
+        },
+        {
+            "Sid": "",
+            "Effect": "",
+            "Action": [
+                "",
+                "",
+                "",
+                ""
+            ],
+            "Resource": ""
+        }
+    ]
+}
diff --git a/terraform/aws-custom-policies/level-4-iam-services-admin-policy.json b/terraform/aws-custom-policies/level-4-iam-services-admin-policy.json
@@ -0,0 +1,27 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "",
+            "Effect": "",
+            "Action": [
+                "",
+                "",
+                "",
+                ""
+            ],
+            "Resource": ""
+        },
+        {
+            "Sid": "",
+            "Effect": "",
+            "Action": [
+                "",
+                "",
+                "",
+                ""
+            ],
+            "Resource": ""
+        }
+    ]
+}
diff --git a/terraform/aws-groups.tf b/terraform/aws-groups.tf
@@ -0,0 +1,42 @@
+// Create groups and attach policies
+module "iam_read_only_group" {
+  source = "./modules/groups"
+
+  group_name = "read-only-group"
+  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+}
+
+module "iam_project_admin_group" {
+  source = "./modules/groups"
+
+  group_name = "project-admin-group"
+  policy_arn = [ # here we can pass a list of policies that are aws managed or customer managed
+    "arn:aws:iam::aws:policy/SomeAWSPolicy",
+    module.iam_policies.policy_arns["ManageAccessKeys"]
+  ]
+}
+
+module "iam_ops_mentor_group" {
+  source = "./modules/groups"
+
+  group_name = "project-admin-group"
+  policy_arn = [ # here we can pass a list of policies that are aws managed or customer managed
+    "arn:aws:iam::aws:policy/SomeAWSPolicy",
+    "arn:aws:iam::aws:policy/SomeAWSPolicy",
+    "arn:aws:iam::aws:policy/SomeAWSPolicy",
+    "arn:aws:iam::aws:policy/SomeAWSPolicy",
+  ]
+}
+
+// Assign users to groups
+resource "aws_iam_group_membership" "project_admin_group_membership" {
+  name = "project_admin_group_membership"  # A unique name for the group membership
+
+  users = [
+    module.iam_user_gwenstacy.user_name,
+    module.iam_user_miles_morales.user_name,
+    "chelseybeck"
+  ]
+
+  group = module.iam_project_admin_group.group_name
+}
diff --git a/terraform/aws-users.tf b/terraform/aws-users.tf
@@ -0,0 +1,21 @@
+module "iam_user_gwenstacy" {
+  source = "./modules/users"
+
+  user_name = "gwenstacy"
+  user_tags = {
+    "Environment" = "Development"
+    "Project"     = "spiderverse"
+  }
+  pgp_key = "user_provided_public_key_here"
+}
+
+module "iam_user_milesmorales" {
+  source = "./modules/users"
+
+  user_name = "miles_morales"
+  user_tags = {
+    "Environment" = "Production"
+    "Project"     = "spiderverse"
+  }
+  pgp_key = "user_provided_public_key_here"
+}
diff --git a/terraform/backend.tf b/terraform/backend.tf
@@ -0,0 +1,9 @@
+terraform {
+  backend "s3" {
+    bucket         = "my-terraform-state-bucket"   # Replace with S3 bucket name
+    key            = "path/to/terraform.tfstate" # Path to the state file within the bucket
+    region         = "us-west-2"                    # AWS region of the S3 bucket
+    dynamodb_table = "my-terraform-state-lock"     # DynamoDB table name for state locking
+    encrypt        = true
+  }
+}
diff --git a/terraform/modules/aws-groups/main.tf b/terraform/modules/aws-groups/main.tf
@@ -0,0 +1,13 @@
+# groups/main.tf
+
+resource "aws_iam_group" "group" {
+  name = var.group_name
+  path = var.group_path
+}
+
+# Attaching policies to the group
+resource "aws_iam_group_policy_attachment" "group_policy_attachment" {
+  for_each   = toset(var.policy_arns)
+  group      = aws_iam_group.group.name
+  policy_arn = each.value
+}
diff --git a/terraform/modules/aws-groups/outputs.tf b/terraform/modules/aws-groups/outputs.tf
@@ -0,0 +1,11 @@
+# groups/outputs.tf
+
+output "group_name" {
+  value = aws_iam_group.group.name
+  description = "The name of the IAM group"
+}
+
+output "group_arn" {
+  value = aws_iam_group.group.arn
+  description = "The ARN of the IAM group"
+}
diff --git a/terraform/modules/aws-groups/variables.tf b/terraform/modules/aws-groups/variables.tf
@@ -0,0 +1,22 @@
+# groups/variables.tf
+
+variable "group_name" {
+  description = "The name of the IAM group"
+  type        = string
+}
+
+variable "group_path" {
+  description = "Path in which to create the group"
+  type        = string
+  default     = "/"
+}
+
+variable "policy_arn" {
+  description = "The ARN of the policy to attach to the group"
+  type        = string
+}
+
+variable "policy_arns" {
+  description = "List of policy ARNs to attach to the group"
+  type        = list(string)
+}
diff --git a/terraform/modules/aws-policies/main.tf b/terraform/modules/aws-policies/main.tf
@@ -0,0 +1,9 @@
+# policies/main.tf
+
+resource "aws_iam_policy" "custom_policy" {
+  for_each = var.policies
+
+  name        = each.key
+  description = each.value["description"]
+  policy      = file("${path.module}/policies-json/${each.value["filename"]}")
+}
diff --git a/terraform/modules/aws-policies/outputs.tf b/terraform/modules/aws-policies/outputs.tf
@@ -0,0 +1,6 @@
+# policies/outputs.tf
+
+output "policy_arns" {
+  value = { for k, v in aws_iam_policy.custom_policy : k => v.arn }
+  description = "Map of policy names to their ARNs"
+}
diff --git a/terraform/modules/aws-policies/variables.tf b/terraform/modules/aws-policies/variables.tf
diff --git a/terraform/modules/aws-users/main.tf b/terraform/modules/aws-users/main.tf
diff --git a/terraform/modules/aws-users/outputs.tf b/terraform/modules/aws-users/outputs.tf
diff --git a/terraform/modules/aws-users/variables.tf b/terraform/modules/aws-users/variables.tf
