# Sample Usage
# module "cloudability_iam_policy" {
# is_payer = "true" # Optional - defaults to false
# billing_bucket = "my-aws-bills" # Optional - defaults to "aws-bill-info"
# cloudability_role_name = "CloudabilityRole" # Optional - defaults to CloudabilityRole
# cloudability_arn = "arn:aws:iam::000000000000:user/cloudability" # Required
# cloudability_external_id = "abc123a-zzzz-zzzz-zzzz-abc123abc123" # Required
# source = "../modules/aws/iam/cloudability_iam"
# }
# S3 bucket holding the consolidated billing reports. Only referenced by the
# payer-account policy document (s3 ListBucket/GetObject on this bucket); the
# linked-account policy never touches it.
variable "billing_bucket" {
default = "aws-bill-info"
}
# Selects which policy is created and attached. Compared as a string below:
# exactly "false" selects the linked-account policy, ANY other value (e.g.
# "true", "1", "False") selects the payer policy with billing-bucket access.
variable "is_payer" {
default = "false"
}
# Name of the IAM role Cloudability's principal is allowed to assume.
variable "cloudability_role_name" {
default = "CloudabilityRole"
}
# Required (no default). Enforced as the sts:ExternalId condition in the role's
# trust policy, so Cloudability must present it on every AssumeRole call.
variable "cloudability_external_id" {}
# Required (no default). The single AWS principal (user/role ARN in the
# Cloudability account) trusted to assume the role created by this module.
variable "cloudability_arn" {}
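data "aws_iam_policy_document" "cloudability_payer" {
  # Build on the linked-account document instead of duplicating its statement,
  # so the two policies cannot drift apart when the action list is edited.
  # Statements declared here are merged with those imported via source_json;
  # a statement with the same sid as an imported one would override it, so the
  # sids are kept distinct.
  source_json = "${data.aws_iam_policy_document.cloudability_linked.json}"

  # Payer-only addition: read access to the billing report bucket.
  # s3:ListBucket is evaluated against the bucket ARN, s3:GetObject* against the
  # object ARNs, hence both resource entries.
  statement {
    sid    = "masterpayerblock"
    effect = "Allow"

    actions = [
      "s3:ListBucket",
      "s3:GetObject",
      "s3:GetObjectVersion",
    ]

    resources = [
      "arn:aws:s3:::${var.billing_bucket}",
      "arn:aws:s3:::${var.billing_bucket}/*",
    ]
  }
}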
data "aws_iam_policy_document" "cloudability_linked" {
  # Read-only inventory permissions for a linked (non-payer) account.
  # Every action is a Describe/List/Get call; nothing here can modify state.
  # resources = ["*"] is used because these Describe/List APIs are not
  # resource-scoped in IAM, so a narrower ARN would not restrict them.
  statement {
    sid    = "linkedaccountblock"
    effect = "Allow"

    actions = [
      # Organization membership
      "organizations:ListAccounts",

      # Metrics
      "cloudwatch:GetMetricStatistics",

      # DynamoDB
      "dynamodb:DescribeTable",
      "dynamodb:ListTables",

      # EC2 inventory and reservations
      "ec2:DescribeImages",
      "ec2:DescribeInstances",
      "ec2:DescribeRegions",
      "ec2:DescribeReservedInstances",
      "ec2:DescribeReservedInstancesModifications",
      "ec2:DescribeSnapshots",
      "ec2:DescribeVolumes",

      # ECS
      "ecs:DescribeClusters",
      "ecs:DescribeContainerInstances",
      "ecs:ListClusters",
      "ecs:ListContainerInstances",

      # ElastiCache
      "elasticache:DescribeCacheClusters",
      "elasticache:DescribeReservedCacheNodes",
      "elasticache:ListTagsForResource",

      # EMR
      "elasticmapreduce:DescribeCluster",
      "elasticmapreduce:ListClusters",
      "elasticmapreduce:ListInstances",

      # RDS
      "rds:DescribeDBClusters",
      "rds:DescribeDBInstances",
      "rds:DescribeReservedDBInstances",
      "rds:ListTagsForResource",

      # Redshift
      "redshift:DescribeClusters",
      "redshift:DescribeReservedNodes",
      "redshift:DescribeTags",
    ]

    resources = ["*"]
  }
}
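data "aws_iam_policy_document" "cloudability_sts_role" {
  # Trust policy for the Cloudability role: only the single Cloudability
  # principal may assume it, and only when it presents the agreed external ID.
  # The ExternalId condition is the standard confused-deputy mitigation for
  # third-party cross-account access; keep it even though the principal is
  # already pinned to one ARN.
  statement {
    sid     = "MasterAssumeSTSRole"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    # principals and condition are nested blocks. The `principals = {` attribute
    # form used previously is only tolerated by Terraform 0.11 and is rejected by
    # 0.12+; the block form is accepted by both.
    principals {
      type        = "AWS"
      identifiers = ["${var.cloudability_arn}"]
    }

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = ["${var.cloudability_external_id}"]
    }
  }
}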
# Use the linked-acct-policy if this is not the main payer acct (is_payer = false)
resource "aws_iam_policy" "cloudability_linked" {
  # Created only for linked accounts (is_payer is exactly "false").
  count = "${var.is_payer == "false" ? 1 : 0}"

  name        = "cloudability-linked"
  description = "Grant Cloudability read and list access to billing stats and usage data."

  # Rendered from the read-only inventory document above.
  policy = "${data.aws_iam_policy_document.cloudability_linked.json}"
}
# Otherwise use the payer-acct-policy (is_payer != "false")
resource "aws_iam_policy" "cloudability_payer" {
  # Created for the payer account (any is_payer value other than exactly "false").
  count = "${var.is_payer != "false" ? 1 : 0}"

  name        = "cloudability-payer"
  description = "Grant Cloudability read and list access to billing stats, usage data, and list/get access to the s3 billing bucket."

  # Rendered from the payer document: inventory actions plus billing-bucket reads.
  policy = "${data.aws_iam_policy_document.cloudability_payer.json}"
}
# Cloudability is moving to a role based policy as of June 2017
# Create an IAM role to allow cloudability's account to assume a role in ours
resource "aws_iam_role" "cloudability_role" {
  name        = "${var.cloudability_role_name}"
  description = "Creates a trust between this account and Cloudability for visibility into billing info."

  # Trust policy: Cloudability's principal + external ID only. The role itself
  # carries no permissions until one of the policies below is attached.
  assume_role_policy = "${data.aws_iam_policy_document.cloudability_sts_role.json}"
}
# Attach the linked-acct-policy to the Cloudability role if this is not the main payer acct (is_payer = false)
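# aws_iam_role_policy_attachment manages only this one role->policy pairing.
# The previous aws_iam_policy_attachment is exclusive: it detaches the policy
# from every role, user or group not listed in it, so any attachment made
# outside this module would be silently removed on apply. Migrating an existing
# state requires removing the old attachment resource from state (or accepting
# a one-time replace).
resource "aws_iam_role_policy_attachment" "cloudability_attach_linked" {
  # Only for linked accounts (is_payer is exactly "false").
  count      = "${var.is_payer == "false" ? 1 : 0}"
  role       = "${aws_iam_role.cloudability_role.name}"
  policy_arn = "${aws_iam_policy.cloudability_linked.arn}"
}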
# Attach the payer-acct-policy to the Cloudability role if this is the payer acct (is_payer <> false)
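# aws_iam_role_policy_attachment manages only this one role->policy pairing.
# The previous aws_iam_policy_attachment is exclusive: it detaches the policy
# from every role, user or group not listed in it, so any attachment made
# outside this module would be silently removed on apply. Migrating an existing
# state requires removing the old attachment resource from state (or accepting
# a one-time replace).
resource "aws_iam_role_policy_attachment" "cloudability_attach_payer" {
  # Only for the payer account (is_payer is anything other than exactly "false").
  count      = "${var.is_payer != "false" ? 1 : 0}"
  role       = "${aws_iam_role.cloudability_role.name}"
  policy_arn = "${aws_iam_policy.cloudability_payer.arn}"
}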