Move DynamoDB policies into single IAM-resource (#72)

Flaconi · Oct 17, 2022 · cc8a292 · cc8a292
1 parent 9d64929
commit cc8a292
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 152 deletions.
diff --git a/iam.tf b/iam.tf
@@ -77,15 +77,13 @@ resource "aws_iam_access_key" "this" {
 # IAM DynamoDB resources
 # -------------------------------------------------------------------------------------------------
 data "aws_iam_policy_document" "dynamodb_full_access" {
-  count = var.dynamodb_enabled && var.iam_role_enabled ? 1 : 0
+  count = local.dynamodb_iam_enabled && var.iam_role_enabled ? 1 : 0
 
   statement {
     sid    = "ListDynamoDB"
     effect = "Allow"
 
-    resources = [
-      "arn:aws:dynamodb:*:*:table/${module.dynamodb.table_id}",
-    ]
+    resources = local.dynamodb_tables_arns
 
     actions = [
       "dynamodb:List*",
@@ -99,10 +97,10 @@ data "aws_iam_policy_document" "dynamodb_full_access" {
     sid    = "FullAccess"
     effect = "Allow"
 
-    resources = [
-      "arn:aws:dynamodb:*:*:table/${module.dynamodb.table_id}",
-      "arn:aws:dynamodb:*:*:table/${module.dynamodb.table_id}/*",
-    ]
+    resources = concat(
+      local.dynamodb_tables_arns,
+      local.dynamodb_tables_records
+    )
 
     actions = [
       "dynamodb:BatchGet*",
@@ -120,154 +118,22 @@ data "aws_iam_policy_document" "dynamodb_full_access" {
   }
 }
 
-resource "aws_iam_role_policy" "dynamodb_role_policy" {
-  count = var.dynamodb_enabled && var.iam_role_enabled ? 1 : 0
-  role  = element(concat(aws_iam_role.this.*.name, [""]), 0)
-
-  name = "dynamodb-policy"
-
-  # This defines what permissions our role will be given
-  policy = data.aws_iam_policy_document.dynamodb_full_access[0].json
-}
-
-resource "aws_iam_user_policy" "dynamodb_role_policy" {
-  count = var.dynamodb_enabled && var.iam_user_enabled ? 1 : 0
-  user  = concat(aws_iam_user.this.*.name, [""])[0]
-
-  name = "dynamodb-policy"
-
-  # This defines what permissions our role will be given
-  policy = data.aws_iam_policy_document.dynamodb_full_access[0].json
-}
-
-data "aws_iam_policy_document" "dynamodb2_full_access" {
-  count = var.dynamodb2_enabled && var.iam_role_enabled ? 1 : 0
-
-  statement {
-    sid    = "ListDynamoDB"
-    effect = "Allow"
-
-    resources = [
-      "arn:aws:dynamodb:*:*:table/${module.dynamodb2.table_id}",
-    ]
-
-    actions = [
-      "dynamodb:List*",
-      "dynamodb:DescribeReservedCapacity*",
-      "dynamodb:DescribeLimits",
-      "dynamodb:DescribeTimeToLive",
-    ]
-  }
-
-  statement {
-    sid    = "FullAccess"
-    effect = "Allow"
-
-    resources = [
-      "arn:aws:dynamodb:*:*:table/${module.dynamodb2.table_id}",
-      "arn:aws:dynamodb:*:*:table/${module.dynamodb2.table_id}/*",
-    ]
+resource "aws_iam_policy" "dynamodb_policy" {
+  count = local.dynamodb_iam_enabled && var.iam_role_enabled ? 1 : 0
 
-    actions = [
-      "dynamodb:BatchGet*",
-      "dynamodb:DescribeStream",
-      "dynamodb:DescribeTable",
-      "dynamodb:Get*",
-      "dynamodb:Query",
-      "dynamodb:Scan",
-      "dynamodb:BatchWrite*",
-      "dynamodb:CreateTable",
-      "dynamodb:DeleteItem",
-      "dynamodb:Update*",
-      "dynamodb:PutItem",
-    ]
-  }
+  name_prefix = "${var.name}-dynamodb-policy"
+  path        = "/svc/microservice/${var.name}/"
+  description = "DynamoDB policy for ${var.name}"
+  policy      = data.aws_iam_policy_document.dynamodb_full_access[0].json
 }
 
-resource "aws_iam_role_policy" "dynamodb2_role_policy" {
-  count = var.dynamodb2_enabled && var.iam_role_enabled ? 1 : 0
-  role  = element(concat(aws_iam_role.this.*.name, [""]), 0)
-
-  name = "dynamodb2-policy"
-
-  # This defines what permissions our role will be given
-  policy = data.aws_iam_policy_document.dynamodb2_full_access[0].json
-}
+resource "aws_iam_policy_attachment" "dynamodb_policy_attachment" {
+  count = local.dynamodb_iam_enabled && var.iam_role_enabled ? 1 : 0
 
-
-resource "aws_iam_user_policy" "dynamodb2_role_policy" {
-  count = var.dynamodb2_enabled && var.iam_user_enabled ? 1 : 0
-
-  user = concat(aws_iam_user.this.*.name, [""])[0]
-  name = "dynamodb2-policy"
-
-  # This defines what permissions our role will be given
-  policy = data.aws_iam_policy_document.dynamodb2_full_access[0].json
-}
-
-data "aws_iam_policy_document" "dynamodb3_full_access" {
-  count = var.dynamodb3_enabled && var.iam_role_enabled ? 1 : 0
-
-  statement {
-    sid    = "ListDynamoDB"
-    effect = "Allow"
-
-    resources = [
-      "arn:aws:dynamodb:*:*:table/${module.dynamodb3.table_id}",
-    ]
-
-    actions = [
-      "dynamodb:List*",
-      "dynamodb:DescribeReservedCapacity*",
-      "dynamodb:DescribeLimits",
-      "dynamodb:DescribeTimeToLive",
-    ]
-  }
-
-  statement {
-    sid    = "FullAccess"
-    effect = "Allow"
-
-    resources = [
-      "arn:aws:dynamodb:*:*:table/${module.dynamodb3.table_id}",
-      "arn:aws:dynamodb:*:*:table/${module.dynamodb3.table_id}/*",
-    ]
-
-    actions = [
-      "dynamodb:BatchGet*",
-      "dynamodb:DescribeStream",
-      "dynamodb:DescribeTable",
-      "dynamodb:Get*",
-      "dynamodb:Query",
-      "dynamodb:Scan",
-      "dynamodb:BatchWrite*",
-      "dynamodb:CreateTable",
-      "dynamodb:DeleteItem",
-      "dynamodb:Update*",
-      "dynamodb:PutItem",
-    ]
-  }
-}
-
-resource "aws_iam_role_policy" "dynamodb3_role_policy" {
-  count = var.dynamodb3_enabled && var.iam_role_enabled ? 1 : 0
-  role  = element(concat(aws_iam_role.this.*.name, [""]), 0)
-
-  name = "dynamodb3-policy"
-
-  # This defines what permissions our role will be given
-  policy = data.aws_iam_policy_document.dynamodb3_full_access[0].json
-}
-
-
-resource "aws_iam_user_policy" "dynamodb3_role_policy" {
-  count = var.dynamodb3_enabled && var.iam_user_enabled ? 1 : 0
-
-  user = concat(aws_iam_user.this.*.name, [""])[0]
-  name = "dynamodb3-policy"
-
-  # This defines what permissions our role will be given
-  policy = data.aws_iam_policy_document.dynamodb3_full_access[0].json
+  name       = "${var.name}-dynamodb-policy-attachment"
+  users      = [concat(aws_iam_user.this.*.name, [""])[0]]
+  roles      = [element(concat(aws_iam_role.this.*.name, [""]), 0)]
+  policy_arn = aws_iam_policy.dynamodb_policy[0].arn
 }
 
 ##

diff --git a/locals.tf b/locals.tf
@@ -12,4 +12,12 @@ locals {
   )
 
   length_s3_lifecycle_rules = length(var.s3_lifecycle_rules)
+
+  dynamodb_iam_enabled = var.dynamodb_enabled || var.dynamodb2_enabled || var.dynamodb3_enabled
+  dynamodb_tables_arns = concat(
+    var.dynamodb_enabled && var.iam_role_enabled ? ["arn:aws:dynamodb:*:*:table/${module.dynamodb.table_id}"] : [],
+    var.dynamodb2_enabled && var.iam_role_enabled ? ["arn:aws:dynamodb:*:*:table/${module.dynamodb2.table_id}"] : [],
+    var.dynamodb3_enabled && var.iam_role_enabled ? ["arn:aws:dynamodb:*:*:table/${module.dynamodb3.table_id}"] : [],
+  )
+  dynamodb_tables_records = [for t in toset(local.dynamodb_tables_arns) : "${t}/*"]
 }