From cc8a2923f595863f73587ca2f478df57ba33ec23 Mon Sep 17 00:00:00 2001
From: Novikov Sergey
Date: Mon, 17 Oct 2022 13:26:31 +0200
Subject: [PATCH] Move DynamoDB policies into single IAM-resource (#72)

---
 iam.tf | 170 ++++++------------------------------------------------
 locals.tf | 8 +++
 2 files changed, 26 insertions(+), 152 deletions(-)

diff --git a/iam.tf b/iam.tf
index bab68dc..c0b5818 100644
--- a/iam.tf
+++ b/iam.tf
@@ -77,15 +77,13 @@ resource "aws_iam_access_key" "this" {
 # IAM DynamoDB resources
 # -------------------------------------------------------------------------------------------------
 data "aws_iam_policy_document" "dynamodb_full_access" {
- count = var.dynamodb_enabled && var.iam_role_enabled ? 1 : 0
+ count = local.dynamodb_iam_enabled && var.iam_role_enabled ? 1 : 0
 
 statement {
 sid = "ListDynamoDB"
 effect = "Allow"
 
- resources = [
- "arn:aws:dynamodb:*:*:table/${module.dynamodb.table_id}",
- ]
+ resources = local.dynamodb_tables_arns
 
 actions = [
 "dynamodb:List*",
@@ -99,10 +97,10 @@ data "aws_iam_policy_document" "dynamodb_full_access" {
 sid = "FullAccess"
 effect = "Allow"
 
- resources = [
- "arn:aws:dynamodb:*:*:table/${module.dynamodb.table_id}",
- "arn:aws:dynamodb:*:*:table/${module.dynamodb.table_id}/*",
- ]
+ resources = concat(
+ local.dynamodb_tables_arns,
+ local.dynamodb_tables_records
+ )
 
 actions = [
 "dynamodb:BatchGet*",
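Review bot: The `count` on `data "aws_iam_policy_document" "dynamodb_full_access"` is still gated on `var.iam_role_enabled` alone, so a module instance that sets only `iam_user_enabled` produces no policy document even though `local.dynamodb_iam_enabled` is now meant to be the single DynamoDB switch. The deleted per-table `aws_iam_user_policy` blocks referenced this same `[0]` document, so the user-only gap appears to predate the commit, but the new local is the natural place to close it. Consider `count = local.dynamodb_iam_enabled && (var.iam_role_enabled || var.iam_user_enabled) ? 1 : 0`. The statements of this document continue below the hunk.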
@@ -120,154 +118,22 @@ data "aws_iam_policy_document" "dynamodb_full_access" { } } -resource "aws_iam_role_policy" "dynamodb_role_policy" { - count = var.dynamodb_enabled && var.iam_role_enabled ? 1 : 0 - role = element(concat(aws_iam_role.this.*.name, [""]), 0) - - name = "dynamodb-policy" - - # This defines what permissions our role will be given - policy = data.aws_iam_policy_document.dynamodb_full_access[0].json -} - -resource "aws_iam_user_policy" "dynamodb_role_policy" { - count = var.dynamodb_enabled && var.iam_user_enabled ? 1 : 0 - user = concat(aws_iam_user.this.*.name, [""])[0] - - name = "dynamodb-policy" - - # This defines what permissions our role will be given - policy = data.aws_iam_policy_document.dynamodb_full_access[0].json -} - -data "aws_iam_policy_document" "dynamodb2_full_access" { - count = var.dynamodb2_enabled && var.iam_role_enabled ? 1 : 0 - - statement { - sid = "ListDynamoDB" - effect = "Allow" - - resources = [ - "arn:aws:dynamodb:*:*:table/${module.dynamodb2.table_id}", - ] - - actions = [ - "dynamodb:List*", - "dynamodb:DescribeReservedCapacity*", - "dynamodb:DescribeLimits", - "dynamodb:DescribeTimeToLive", - ] - } - - statement { - sid = "FullAccess" - effect = "Allow" - - resources = [ - "arn:aws:dynamodb:*:*:table/${module.dynamodb2.table_id}", - "arn:aws:dynamodb:*:*:table/${module.dynamodb2.table_id}/*", - ] +resource "aws_iam_policy" "dynamodb_policy" { + count = local.dynamodb_iam_enabled && var.iam_role_enabled ? 
1 : 0 - actions = [ - "dynamodb:BatchGet*", - "dynamodb:DescribeStream", - "dynamodb:DescribeTable", - "dynamodb:Get*", - "dynamodb:Query", - "dynamodb:Scan", - "dynamodb:BatchWrite*", - "dynamodb:CreateTable", - "dynamodb:DeleteItem", - "dynamodb:Update*", - "dynamodb:PutItem", - ] - } + name_prefix = "${var.name}-dynamodb-policy" + path = "/svc/microservice/${var.name}/" + description = "DynamoDB policy for ${var.name}" + policy = data.aws_iam_policy_document.dynamodb_full_access[0].json } -resource "aws_iam_role_policy" "dynamodb2_role_policy" { - count = var.dynamodb2_enabled && var.iam_role_enabled ? 1 : 0 - role = element(concat(aws_iam_role.this.*.name, [""]), 0) - - name = "dynamodb2-policy" - - # This defines what permissions our role will be given - policy = data.aws_iam_policy_document.dynamodb2_full_access[0].json -} +resource "aws_iam_policy_attachment" "dynamodb_policy_attachment" { + count = local.dynamodb_iam_enabled && var.iam_role_enabled ? 1 : 0 - -resource "aws_iam_user_policy" "dynamodb2_role_policy" { - count = var.dynamodb2_enabled && var.iam_user_enabled ? 1 : 0 - - user = concat(aws_iam_user.this.*.name, [""])[0] - name = "dynamodb2-policy" - - # This defines what permissions our role will be given - policy = data.aws_iam_policy_document.dynamodb2_full_access[0].json -} - -data "aws_iam_policy_document" "dynamodb3_full_access" { - count = var.dynamodb3_enabled && var.iam_role_enabled ? 
1 : 0 - - statement { - sid = "ListDynamoDB" - effect = "Allow" - - resources = [ - "arn:aws:dynamodb:*:*:table/${module.dynamodb3.table_id}", - ] - - actions = [ - "dynamodb:List*", - "dynamodb:DescribeReservedCapacity*", - "dynamodb:DescribeLimits", - "dynamodb:DescribeTimeToLive", - ] - } - - statement { - sid = "FullAccess" - effect = "Allow" - - resources = [ - "arn:aws:dynamodb:*:*:table/${module.dynamodb3.table_id}", - "arn:aws:dynamodb:*:*:table/${module.dynamodb3.table_id}/*", - ] - - actions = [ - "dynamodb:BatchGet*", - "dynamodb:DescribeStream", - "dynamodb:DescribeTable", - "dynamodb:Get*", - "dynamodb:Query", - "dynamodb:Scan", - "dynamodb:BatchWrite*", - "dynamodb:CreateTable", - "dynamodb:DeleteItem", - "dynamodb:Update*", - "dynamodb:PutItem", - ] - } -} - -resource "aws_iam_role_policy" "dynamodb3_role_policy" { - count = var.dynamodb3_enabled && var.iam_role_enabled ? 1 : 0 - role = element(concat(aws_iam_role.this.*.name, [""]), 0) - - name = "dynamodb3-policy" - - # This defines what permissions our role will be given - policy = data.aws_iam_policy_document.dynamodb3_full_access[0].json -} - - -resource "aws_iam_user_policy" "dynamodb3_role_policy" { - count = var.dynamodb3_enabled && var.iam_user_enabled ? 1 : 0 - - user = concat(aws_iam_user.this.*.name, [""])[0] - name = "dynamodb3-policy" - - # This defines what permissions our role will be given - policy = data.aws_iam_policy_document.dynamodb3_full_access[0].json + name = "${var.name}-dynamodb-policy-attachment" + users = [concat(aws_iam_user.this.*.name, [""])[0]] + roles = [element(concat(aws_iam_role.this.*.name, [""]), 0)] + policy_arn = aws_iam_policy.dynamodb_policy[0].arn } ## diff --git a/locals.tf b/locals.tf index 4866e02..c377845 100644 --- a/locals.tf +++ b/locals.tf 
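Review bot: `aws_iam_policy_attachment` is an exclusive attachment — Terraform treats its `users`/`roles`/`groups` lists as the complete set of principals for the policy and detaches any other — and the lists here are built with `concat(..., [""])[0]`, so whenever one of `iam_user_enabled`/`iam_role_enabled` is off an empty-string principal name is passed to the resource. The attachment's `count` also drops to 0 when `var.iam_role_enabled` is false, which silently removes the DynamoDB grant that the deleted `aws_iam_user_policy` blocks gave a user-only deployment. Per-principal attachments, each with its own count, avoid both problems (the `aws_iam_policy` `count` would need the same widening so the ARN exists for a user-only module). The two closing braces at the top of the hunk belong to the `dynamodb_full_access` document that starts above it.

```hcl
resource "aws_iam_role_policy_attachment" "dynamodb_policy_role" {
  count      = local.dynamodb_iam_enabled && var.iam_role_enabled ? 1 : 0
  role       = element(concat(aws_iam_role.this.*.name, [""]), 0)
  policy_arn = aws_iam_policy.dynamodb_policy[0].arn
}

resource "aws_iam_user_policy_attachment" "dynamodb_policy_user" {
  count      = local.dynamodb_iam_enabled && var.iam_user_enabled ? 1 : 0
  user       = concat(aws_iam_user.this.*.name, [""])[0]
  policy_arn = aws_iam_policy.dynamodb_policy[0].arn
}
```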
@@ -12,4 +12,12 @@ locals { ) length_s3_lifecycle_rules = length(var.s3_lifecycle_rules) + + dynamodb_iam_enabled = var.dynamodb_enabled || var.dynamodb2_enabled || var.dynamodb3_enabled + dynamodb_tables_arns = concat( + var.dynamodb_enabled && var.iam_role_enabled ? ["arn:aws:dynamodb:*:*:table/${module.dynamodb.table_id}"] : [], + var.dynamodb2_enabled && var.iam_role_enabled ? ["arn:aws:dynamodb:*:*:table/${module.dynamodb2.table_id}"] : [], + var.dynamodb3_enabled && var.iam_role_enabled ? ["arn:aws:dynamodb:*:*:table/${module.dynamodb3.table_id}"] : [], + ) + dynamodb_tables_records = [for t in toset(local.dynamodb_tables_arns) : "${t}/*"] }
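Review bot: Each entry of `local.dynamodb_tables_arns` is additionally gated on `var.iam_role_enabled`, which is redundant with the `count` of the document that consumes it and, should the policy ever be produced for a user-only configuration, yields an empty `resources` list and therefore an invalid statement; the table switch alone is enough, e.g. `var.dynamodb_enabled ? ["arn:aws:dynamodb:*:*:table/${module.dynamodb.table_id}"] : []` for each of the three lines. The `*:*` region and account wildcards are carried over from the old inline policies; if the dynamodb module exposes the table ARN, using it would pin both without widening the grant. A short comment such as `# Table ARNs of every enabled DynamoDB module; dynamodb_tables_records derives the per-item ARNs from these` would make the relationship between the two new locals obvious to the reader.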