# Sample Usage
# module "cloudability_iam_policy" {
#   is_payer                 = "true"                                         # Optional - defaults to "false"; pass the quoted string. "true" adds the billing-bucket statement.
#   billing_bucket           = "my-aws-bills"                                 # Optional - defaults to "aws-bill-info"; only used when is_payer is "true", so payer accounts should set it to their own bucket
#   cloudability_role_name   = "CloudabilityRole"                             # Optional - defaults to "CloudabilityRole"
#   cloudability_arn         = "arn:aws:iam::000000000000:user/cloudability" # Required - the exact Cloudability principal allowed to assume the role (not an account-root ARN)
#   cloudability_external_id = "abc123a-zzzz-zzzz-zzzz-abc123abc123"         # Required - the external ID Cloudability issued for this account; it is matched exactly (StringEquals) in the trust policy
#   source                   = "../modules/aws/iam/cloudability_iam"
# }
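# Module inputs. Descriptions are shown by `terraform plan`/docs tooling and
# are the only place the meaning of the two required values is recorded.

variable "billing_bucket" {
  description = "Name of the S3 bucket that receives the AWS billing reports. Only referenced when is_payer is true. The default is a placeholder (bucket names are global, so it is almost certainly not yours); payer accounts must set it explicitly."
  default     = "aws-bill-info"
}

variable "is_payer" {
  description = "Pass the quoted string true for the consolidated-billing payer account (grants the billing-bucket statement on top of the read-only usage statement) and false (the default) for a linked account."
  default     = "false"
}

variable "cloudability_role_name" {
  description = "Name of the IAM role created in this account for Cloudability to assume."
  default     = "CloudabilityRole"
}

variable "cloudability_external_id" {
  description = "External ID issued by Cloudability for this account. The role trust policy requires it on every sts:AssumeRole call (StringEquals on sts:ExternalId), which is the confused-deputy guard; it must match exactly, including case. It is an identifier rather than a password, but keep it unique to this account."
}

variable "cloudability_arn" {
  description = "ARN of the Cloudability principal (IAM user or role) permitted to assume the role. Use the specific principal ARN Cloudability publishes, not an account-root ARN: a root ARN would let any identity in that account assume the role, subject only to its own policy."
}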
# Policy document for the consolidated-billing payer account: list/get access
# to the bucket that receives the AWS billing reports, plus the same read-only
# inventory statement a linked account gets.
# The inventory statement is a deliberate copy of cloudability_linked. Newer
# AWS providers could fold it in through source_json, but that is left as a
# follow-up so the module keeps working on the provider version it was
# written against.
data "aws_iam_policy_document" "cloudability_payer" {
  # Billing reports: enumerate the bucket and fetch (any version of) its
  # objects. This covers the entire bucket; if the bucket holds anything
  # other than billing reports, narrow the object ARN to the report prefix.
  statement {
    sid    = "masterpayerblock"
    effect = "Allow"

    resources = [
      "arn:aws:s3:::${var.billing_bucket}",
      "arn:aws:s3:::${var.billing_bucket}/*",
    ]

    actions = [
      "s3:ListBucket",
      "s3:GetObject",
      "s3:GetObjectVersion",
    ]
  }

  # Read-only inventory, identical to the linked-account statement. The
  # intent is an account-wide view, and many of these Describe/List calls
  # (all of the EC2 ones, for instance) do not support resource-level
  # permissions, so "*" is the resource.
  statement {
    sid       = "linkedaccountblock"
    effect    = "Allow"
    resources = ["*"]

    actions = [
      # account membership and metrics
      "organizations:ListAccounts",
      "cloudwatch:GetMetricStatistics",

      # compute
      "ec2:DescribeImages",
      "ec2:DescribeInstances",
      "ec2:DescribeRegions",
      "ec2:DescribeReservedInstances",
      "ec2:DescribeReservedInstancesModifications",
      "ec2:DescribeSnapshots",
      "ec2:DescribeVolumes",
      "ecs:DescribeClusters",
      "ecs:DescribeContainerInstances",
      "ecs:ListClusters",
      "ecs:ListContainerInstances",

      # datastores and analytics
      "dynamodb:DescribeTable",
      "dynamodb:ListTables",
      "elasticache:DescribeCacheClusters",
      "elasticache:DescribeReservedCacheNodes",
      "elasticache:ListTagsForResource",
      "elasticmapreduce:DescribeCluster",
      "elasticmapreduce:ListClusters",
      "elasticmapreduce:ListInstances",
      "rds:DescribeDBClusters",
      "rds:DescribeDBInstances",
      "rds:DescribeReservedDBInstances",
      "rds:ListTagsForResource",
      "redshift:DescribeClusters",
      "redshift:DescribeReservedNodes",
      "redshift:DescribeTags",
    ]
  }
}
# Policy document for a linked (non-payer) account: read-only inventory of
# compute, datastore and reservation usage. Every action is a
# Describe/List/Get call; nothing here can create, modify or delete.
# The intent is an account-wide view, and many of these calls (all of the
# EC2 ones, for instance) do not support resource-level permissions, so
# "*" is the resource.
data "aws_iam_policy_document" "cloudability_linked" {
  statement {
    sid       = "linkedaccountblock"
    effect    = "Allow"
    resources = ["*"]

    actions = [
      # account membership and metrics
      "organizations:ListAccounts",
      "cloudwatch:GetMetricStatistics",

      # compute
      "ec2:DescribeImages",
      "ec2:DescribeInstances",
      "ec2:DescribeRegions",
      "ec2:DescribeReservedInstances",
      "ec2:DescribeReservedInstancesModifications",
      "ec2:DescribeSnapshots",
      "ec2:DescribeVolumes",
      "ecs:DescribeClusters",
      "ecs:DescribeContainerInstances",
      "ecs:ListClusters",
      "ecs:ListContainerInstances",

      # datastores and analytics
      "dynamodb:DescribeTable",
      "dynamodb:ListTables",
      "elasticache:DescribeCacheClusters",
      "elasticache:DescribeReservedCacheNodes",
      "elasticache:ListTagsForResource",
      "elasticmapreduce:DescribeCluster",
      "elasticmapreduce:ListClusters",
      "elasticmapreduce:ListInstances",
      "rds:DescribeDBClusters",
      "rds:DescribeDBInstances",
      "rds:DescribeReservedDBInstances",
      "rds:ListTagsForResource",
      "redshift:DescribeClusters",
      "redshift:DescribeReservedNodes",
      "redshift:DescribeTags",
    ]
  }
}
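# Trust policy for the Cloudability role: only the configured Cloudability
# principal may call sts:AssumeRole, and only when it presents the external
# ID issued for this account. The ExternalId condition is the confused-deputy
# guard: without it, anyone who learned this role's ARN could ask Cloudability
# to assume it on their behalf.
# `principals` and `condition` are nested blocks, not map attributes. The
# `= {` form was tolerated by Terraform 0.11's HCL1 parser but is rejected by
# 0.12+, and the block form is what the provider documents for both.
data "aws_iam_policy_document" "cloudability_sts_role" {
  statement {
    sid     = "MasterAssumeSTSRole"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    # Pin the trust to the exact principal Cloudability publishes. An
    # account-root ARN here would let any identity in that account assume
    # the role, subject only to its own policy.
    principals {
      type        = "AWS"
      identifiers = ["${var.cloudability_arn}"]
    }

    # Exact, case-sensitive match on the external ID.
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = ["${var.cloudability_external_id}"]
    }
  }
}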
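# Exactly one of the two managed policies is created and attached, chosen by
# var.is_payer. The flag is normalised here once: only the strings "true" and
# "1" (Terraform 0.11 stringifies a bare `true` as "1") select the broader
# payer policy, and every other value - including a typo such as "ture" -
# falls back to the narrower linked-account policy. The previous
# `!= "false"` test did the opposite: any unrecognised value widened access
# to the billing bucket.
locals {
  payer_count  = "${(var.is_payer == "true" || var.is_payer == "1") ? 1 : 0}"
  linked_count = "${(var.is_payer == "true" || var.is_payer == "1") ? 0 : 1}"
}

# Linked (non-payer) account: read-only inventory access.
resource "aws_iam_policy" "cloudability_linked" {
  count       = "${local.linked_count}"
  name        = "cloudability-linked"
  description = "Grant Cloudability read and list access to billing stats and usage data."
  policy      = "${data.aws_iam_policy_document.cloudability_linked.json}"
}

# Payer account: the same inventory access plus list/get on the billing bucket.
resource "aws_iam_policy" "cloudability_payer" {
  count       = "${local.payer_count}"
  name        = "cloudability-payer"
  description = "Grant Cloudability read and list access to billing stats, usage data, and list/get access to the s3 billing bucket."
  policy      = "${data.aws_iam_policy_document.cloudability_payer.json}"
}

# The role Cloudability's principal assumes (Cloudability moved to role-based
# access in June 2017). Who may assume it, and under which external ID, is
# defined entirely by the trust document.
resource "aws_iam_role" "cloudability_role" {
  name               = "${var.cloudability_role_name}"
  description        = "Creates a trust between this account and Cloudability for visibility into billing info."
  assume_role_policy = "${data.aws_iam_policy_document.cloudability_sts_role.json}"
}

# Attachments use aws_iam_role_policy_attachment rather than
# aws_iam_policy_attachment. The latter is *exclusive*: on every apply it
# detaches the policy from any user, group or role not listed in the
# resource, so an attachment of the same policy made outside this module
# would be silently removed. The role-scoped resource manages only this one
# role/policy pair.
# Migration: the resource address changes, so on an existing deployment
# remove the old aws_iam_policy_attachment.cloudability_attach_* entries
# from state (`terraform state rm`) before applying; attaching an
# already-attached policy succeeds, so the new resource adopts the existing
# attachment.
# The join()-over-splat form resolves to "" when the policy has count = 0,
# which avoids a dangling reference in the branch that is not created.
resource "aws_iam_role_policy_attachment" "cloudability_attach_linked" {
  count      = "${local.linked_count}"
  role       = "${aws_iam_role.cloudability_role.name}"
  policy_arn = "${join("", aws_iam_policy.cloudability_linked.*.arn)}"
}

resource "aws_iam_role_policy_attachment" "cloudability_attach_payer" {
  count      = "${local.payer_count}"
  role       = "${aws_iam_role.cloudability_role.name}"
  policy_arn = "${join("", aws_iam_policy.cloudability_payer.*.arn)}"
}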