Merge pull request #274 from ovotech/improve-tf-module-perms

Improve tf module perms

Author: Chris Every

tf_module/README.md

@@ -29,14 +29,16 @@ provider "aws" {
 
 module "cloud-key-rotator" {
   source         = "terraform.ovotech.org.uk/pe/ckr/aws"
-  version = "0.0.5"
-  ckr_version = "0.27.18"
+  version = "0.1.0"
+  ckr_version = "0.27.28"
 }
 ```
 
 ## Variables
 
-* `version = "0.0.5"` -> The Terraform module version to use
-* `ckr_version = "0.27.18"` -> The Cloud Key Rotator binary version to use
-* (Optional) `ckr_schedule = "cron(0 10 ? * MON-FRI *)"` -> defaults to triggering 10am Monday-Friday
-* (OptionaL) `config_data = <string>` -> Pass a json blob from any source containing your config file.
+* `version = "0.1.0"` -> The Terraform module version to use.
+* `ckr_version = "0.27.28"` -> The Cloud Key Rotator binary version to use.
+* (Optional) `ckr_schedule = "cron(0 10 ? * MON-FRI *)"` -> Defaults to triggering 10am Monday-Friday.
+* (Optional) `config_data = <string>` -> Pass a json blob from any source containing your config file.
+* (Optional) `enable_ssm_location = false` -> Whether to create an IAM policy allowing `ssm:PutParameter`.
+Set this to `true` if using SSM as a `cloud-key-rotator` location.

tf_module/ckr/main.tf

@@ -56,8 +56,10 @@ resource "aws_iam_policy" "ckr_log_policy" {
 EOF
 }
 
-
+# SSM is a valid location of the cloud-key-rotator, so allow ssm:PutParameter
+# if enabled
 resource "aws_iam_policy" "ckr_ssm_policy" {
+  count = var.enable_ssm_location ? 1 : 0
   name = "CloudKeyRotatorSsmPolicy"
   path = "/"
 
@@ -79,30 +81,62 @@ resource "aws_iam_policy" "ckr_ssm_policy" {
 EOF
 }
 
+resource "aws_iam_policy" "ckr_policy" {
+    name   = "CloudKeyRotatorPolicy"
+    path   = "/"
+    policy = jsonencode(
+        {
+            Statement = [
+                {
+                    Action   = [
+                        "iam:DeleteAccessKey",
+                        "iam:CreateAccessKey",
+                        "iam:ListAccessKeys",
+                    ]
+                    Effect   = "Allow"
+                    Resource = [
+                        "arn:aws:iam::*:user/*",
+                    ]
+                },
+                {
+                    Action   = "iam:ListUsers"
+                    Effect   = "Allow"
+                    Resource = "arn:aws:iam::*:*"
+                },
+                {
+                    Action   = "secretsmanager:GetSecretValue"
+                    Effect   = "Allow"
+                    Resource = [
+                        aws_secretsmanager_secret.ckr-config.arn,
+                    ]
+                },
+            ]
+            Version   = "2012-10-17"
+        }
+    )
+}
 
 resource "aws_iam_role_policy_attachment" "attach-ckr-log-policy" {
   role       = aws_iam_role.cloudkeyrotator_role.name
   policy_arn = aws_iam_policy.ckr_log_policy.arn
 }
 
-resource "aws_iam_role_policy_attachment" "attach-ckr-iam-policy" {
-  role       = aws_iam_role.cloudkeyrotator_role.name
-  policy_arn = "arn:aws:iam::aws:policy/IAMFullAccess"
-}
-resource "aws_iam_role_policy_attachment" "attach-ckr-secret-policy" {
+resource "aws_iam_role_policy_attachment" "attach-ckr-policy" {
   role       = aws_iam_role.cloudkeyrotator_role.name
-  policy_arn = "arn:aws:iam::aws:policy/SecretsManagerReadWrite"
+  policy_arn = aws_iam_policy.ckr_policy.arn
 }
 
+# only create ssm attachment if SSM is enabled (indicating it's being used
+# as a cloud-key-rotator location)
 resource "aws_iam_role_policy_attachment" "attach-ckr-ssm-policy" {
+  count = var.enable_ssm_location ? 1 : 0
   role       = aws_iam_role.cloudkeyrotator_role.name
-  policy_arn = aws_iam_policy.ckr_ssm_policy.arn
+  policy_arn = aws_iam_policy.ckr_ssm_policy[0].arn
 }
 
-# Lambda
 
 resource "aws_lambda_function" "cloud_key_rotator" {
-
+  description   = "A function for rotating cloud keys"
   s3_bucket     = "ckr-terraform-module-code"
   s3_key        = "cloud-key-rotator_${var.ckr_version}_lambda.zip"
   function_name = "cloud-key-rotator"

tf_module/ckr/module_version.txt

@@ -1 +1 @@
-0.0.6
+0.1.0

tf_module/ckr/vars.tf

@@ -8,3 +8,8 @@ variable "ckr_version" {
 variable "ckr_schedule" {
   default = "cron(0 10 ? * MON-FRI *)"
 }
+
+variable "enable_ssm_location" {
+  type = bool
+  default = false
+}