Merge pull request #1 from cloudtruth/push_access

Initial iam permissions to allow for cloudtruth push feature
cloudtruth · Nov 9, 2021 · 28656a5 · 28656a5
2 parents 66f212a + 8357dda
commit 28656a5
Show file tree

Hide file tree

Showing 3 changed files with 82 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -37,6 +37,7 @@ module "grant-cloudtruth-access" {
 | s3\_policy | A custom policy to use for s3 instead of the one this module would define | `string` | `""` | no |
 | s3\_resources | The s3 resources to explicitly grant access to, defaults to all, and listing<br>all buckets is always allowed (for bucket chooser in UI) even if access<br>isn't granted here | `list(string)` | <pre>[<br>  "*"<br>]</pre> | no |
 | services\_enabled | The AWS services to grant cloudtruth access to, allowed values are s3, ssm, secrets | `list(string)` | n/a | yes |
+| services\_write\_enabled | The AWS services to grant cloudtruth write access to, allowed values are s3, ssm, secrets | `list(string)` | `[]` | no |
 | ssm\_policy | A custom policy to use for ssm instead of the one this module would define | `string` | `""` | no |
 | ssm\_resources | The ssm resources to explicitly grant access to, defaults to all, and listing<br>all is always allowed (for chooser in UI) even if access<br>isn't granted here | `list(string)` | <pre>[<br>  "*"<br>]</pre> | no |
 | secrets\_policy | A custom policy to use for secrets manager instead of the one this module would define | `string` | `""` | no |

diff --git a/main.tf b/main.tf
@@ -52,6 +52,19 @@ data "aws_iam_policy_document" "s3" {
 
 }
 
+// This policy allows cloudtruth to write to your S3 buckets
+//
+data "aws_iam_policy_document" "s3-write" {
+
+  statement {
+    sid       = "BucketWrite"
+    actions   = ["s3:PutObject"]
+    effect    = "Allow"
+    resources = var.s3_resources
+  }
+
+}
+
 //  This policy allows cloudtruth to list and read your AWS SSM Parameter Store
 //
 data "aws_iam_policy_document" "ssm" {
@@ -68,6 +81,7 @@ data "aws_iam_policy_document" "ssm" {
   statement {
     sid = "ParameterAccess"
     actions = [
+      "ssm:DescribeParameters",
       "ssm:GetParameter",
       "ssm:GetParameters",
       "ssm:GetParametersByPath"
@@ -78,6 +92,34 @@ data "aws_iam_policy_document" "ssm" {
 
 }
 
+//  This policy allows cloudtruth to write to your AWS SSM Parameter Store
+//
+data "aws_iam_policy_document" "ssm-write" {
+
+  statement {
+    sid = "TagAccess"
+    actions = [
+      "tag:GetResources"
+    ]
+    effect    = "Allow"
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "ParameterWrite"
+    actions = [
+      "ssm:AddTagsToResource",
+      "ssm:DeleteParameter",
+      "ssm:ListTagsForResource",
+      "ssm:PutParameter",
+      "ssm:RemoveTagsFromResource"
+    ]
+    effect    = "Allow"
+    resources = var.ssm_resources
+  }
+
+}
+
 //  This policy allows cloudtruth to list and read your AWS Secret Store
 //
 data "aws_iam_policy_document" "secrets" {
@@ -103,12 +145,35 @@ data "aws_iam_policy_document" "secrets" {
 
 }
 
+//  This policy allows cloudtruth to write to your AWS Secret Store
+//
+data "aws_iam_policy_document" "secrets-write" {
+
+  statement {
+    sid = "SecretWrite"
+    actions = [
+      "secretsmanager:CreateSecret",
+      "secretsmanager:DeleteSecret",
+      "secretsmanager:TagResource",
+      "secretsmanager:UpdateSecret"
+    ]
+    effect    = "Allow"
+    resources = var.secrets_resources
+  }
+
+}
+
 locals {
   policy_lookup = {
     s3  = var.s3_policy != "" ? var.s3_policy : data.aws_iam_policy_document.s3.json
     ssm = var.ssm_policy != "" ? var.ssm_policy : data.aws_iam_policy_document.ssm.json
     secrets = var.secrets_policy != "" ? var.secrets_policy : data.aws_iam_policy_document.secrets.json
   }
+  write_policy_lookup = {
+    s3  = data.aws_iam_policy_document.s3-write.json
+    ssm = data.aws_iam_policy_document.ssm-write.json
+    secrets = data.aws_iam_policy_document.secrets-write.json
+  }
 }
 
 resource "aws_iam_role_policy" "cloudtruth-policies" {
@@ -118,3 +183,11 @@ resource "aws_iam_role_policy" "cloudtruth-policies" {
   role   = aws_iam_role.cloudtruth-access.id
   policy = local.policy_lookup[each.key]
 }
+
+resource "aws_iam_role_policy" "cloudtruth-write-policies" {
+  for_each = toset(var.services_write_enabled)
+
+  name   = "allow-cloudtruth-write-to-${each.key}"
+  role   = aws_iam_role.cloudtruth-access.id
+  policy = local.write_policy_lookup[each.key]
+}
diff --git a/variables.tf b/variables.tf
@@ -19,6 +19,14 @@ variable "services_enabled" {
   type        = list(string)
 }
 
+variable "services_write_enabled" {
+  description = <<-EOD
+    The AWS services to grant cloudtruth write access to, allowed values are s3, ssm, secrets
+  EOD
+  type        = list(string)
+  default = []
+}
+
 variable "s3_resources" {
   description = <<-EOD
     The s3 resources to explicitly grant access to, defaults to all, and listing