From 829ae0380ae84211de1a656867ad42c5e9b389be Mon Sep 17 00:00:00 2001 From: dmtgrinevich Date: Mon, 22 Jul 2024 14:05:54 +0000 Subject: [PATCH 1/2] Described actions for terraform deploy/support/destroy --- .gitignore | 1 + README.md | 1 + deploy/provider.tf | 4 +- deploy/rds.tf | 2 +- deploy/vars.tf | 7 +- policies/ec2-terraform-policy.json | 103 +++++++++++++++ policies/terraform-policy.json | 205 +++++++++++++++++++++++++++++ 7 files changed, 319 insertions(+), 4 deletions(-) create mode 100644 policies/ec2-terraform-policy.json create mode 100644 policies/terraform-policy.json diff --git a/.gitignore b/.gitignore index 54b1ec3..a9b1fba 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ terraform.tfstate terraform.tfstate.backup *.terraform *.plan +111_*/ diff --git a/README.md b/README.md index f74da71..27dd43b 100644 --- a/README.md +++ b/README.md @@ -27,6 +27,7 @@ git clone https://github.com/zebrunner/e3s-terraform-deploy.git && cd ./e3s-terr * `enable_cloudwatch` - Value type: boolean. Default value: `false`. Enables tasks logs display at aws ecs console. * `e3s_server_instance_type` - Value type: string. Default value: `m5n.large`. Instance type for e3s-server. * `data_layer_remote` - Value type: boolean. Default value: `true`. Determines whether to create rds and elasticache services in aws cloud or use local ones instead. +* `profile` - Value type: string. Default value: `None`. Aws profile to use in terraform provider. * `remote_db` - Value type: object. Default value: `{ username = "postgres" diff --git a/deploy/provider.tf b/deploy/provider.tf index 6f29fcd..21b0c96 100644 --- a/deploy/provider.tf +++ b/deploy/provider.tf @@ -20,8 +20,8 @@ terraform { } provider "aws" { - region = var.region - + region = var.region + profile = var.profile default_tags { tags = { Environment = var.environment diff --git a/deploy/rds.tf b/deploy/rds.tf index 587c34e..3a986de 100644 --- a/deploy/rds.tf +++ b/deploy/rds.tf 
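Review bot: `111_*/` in the .gitignore hunk looks like a personal scratch-directory pattern rather than a project artifact, and committing it to the shared ignore list hides such directories for every contributor. Local-only patterns belong in `.git/info/exclude` or a global excludesfile; if it is intentional, a comment line above it such as `# local scratch directories` would say so.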
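Review bot: `profile = var.profile` in the provider.tf hunk is now always passed to the provider, while the new variable defaults to `""` (vars.tf) and the README hunk documents the default as `None`. Unless the AWS provider treats an empty profile as unset — worth confirming for the provider version this repo pins — operators who authenticate through environment variables, SSO or an instance role rather than a named profile will get a lookup for a profile called `""`; `profile = var.profile != "" ? var.profile : null` makes the fallback explicit either way. The README entry should then read `Default value: "" (no profile; provider default credentials)`. The `provider "aws"` block continues outside the hunk.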
@@ -7,7 +7,7 @@ resource "aws_db_subnet_group" "rds" { resource "aws_db_instance" "postgres" { count = var.data_layer_remote ? 1 : 0 - db_name = local.e3s_rds_db_name + identifier = local.e3s_rds_db_name allocated_storage = 10 max_allocated_storage = 30 instance_class = "db.t4g.small" diff --git a/deploy/vars.tf b/deploy/vars.tf index b599c67..651569c 100644 --- a/deploy/vars.tf +++ b/deploy/vars.tf @@ -50,6 +50,11 @@ variable "data_layer_remote" { default = true } +variable "profile" { + type = string + default = "" +} + variable "remote_db" { type = object({ username = string @@ -137,6 +142,6 @@ locals { e3s_log_group_name = join("-", [local.service_name, var.environment, "log-group"]) e3s_rds_subnet_name = join("-", [local.service_name, var.environment, "rds", "subnet"]) - e3s_rds_db_name = join("_", [local.service_name, var.environment, "postgres"]) + e3s_rds_db_name = join("-", [local.service_name, var.environment, "postgres"]) e3s_serverless_cache_name = join("-", [local.service_name, var.environment, "redis"]) } diff --git a/policies/ec2-terraform-policy.json b/policies/ec2-terraform-policy.json new file mode 100644 index 0000000..9499d14 --- /dev/null +++ b/policies/ec2-terraform-policy.json 
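Review bot: `e3s_rds_db_name` in the locals hunk is now consumed as the RDS instance `identifier` (rds.tf hunk above) rather than as a database name, so the local's name no longer describes its use or its new `-`-separated value; renaming it `e3s_rds_identifier` would also make the link to the policy resource `arn:aws:rds:{region}:{account}:db:e3s-{env}-postgres*` obvious. The new `variable "profile"` block has no `description`; add `description = "Named AWS profile passed to the aws provider (see README); defaults to empty."` so `-var` and `terraform-docs` users see the intent without opening the README.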
@@ -0,0 +1,103 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "EC2ByRegion", + "Effect": "Allow", + "Action": [ + "ec2:DescribeInstanceTypeOfferings", + "ec2:DescribeImages", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeKeyPairs", + "ec2:DescribeVpcs", + "ec2:DescribeAddresses", + "ec2:DescribeAddressesAttribute", + "ec2:DescribeInternetGateways", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSecurityGroupRules", + "ec2:DescribeSubnets", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeRouteTables", + "ec2:DescribeNatGateways", + "ec2:DescribeVpcEndpoints", + "ec2:DescribePrefixLists", + "ec2:DescribeLaunchTemplates", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeInstances", + "ec2:DescribeInstanceTypes", + "ec2:DescribeTags", + "ec2:DescribeVolumes" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "ec2:Region": "{region}" + } + } + }, + { + "Sid": "EC2", + "Effect": "Allow", + "Action": [ + "ec2:CreateTags", + "ec2:ImportKeyPair", + "ec2:DeleteKeyPair", + "ec2:CreateVpc", + "ec2:DescribeVpcAttribute", + "ec2:DeleteVpc", + "ec2:ModifyVpcAttribute", + "ec2:CreateSecurityGroup", + "ec2:DeleteSecurityGroup", + "ec2:RevokeSecurityGroupIngress", + "ec2:RevokeSecurityGroupEgress", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:AuthorizeSecurityGroupEgress", + "ec2:CreateSubnet", + "ec2:DeleteSubnet", + "ec2:ModifySubnetAttribute", + "ec2:AllocateAddress", + "ec2:ReleaseAddress", + "ec2:DisassociateAddress", + "ec2:CreateInternetGateway", + "ec2:AttachInternetGateway", + "ec2:DeleteInternetGateway", + "ec2:DetachInternetGateway", + "ec2:CreateRouteTable", + "ec2:DeleteRouteTable", + "ec2:CreateRoute", + "ec2:AssociateRouteTable", + "ec2:DisassociateRouteTable", + "ec2:CreateVpcEndpoint", + "ec2:DeleteVpcEndpoints", + "ec2:CreateNatGateway", + "ec2:DeleteNatGateway", + "ec2:DescribeVpcEndpoints", + "ec2:CreateLaunchTemplate", + "ec2:DeleteLaunchTemplate", + "ec2:CreateLaunchTemplateVersion", + "ec2:DeleteLaunchTemplateVersions", + 
"ec2:DescribeInstanceAttribute", + "ec2:RunInstances", + "ec2:TerminateInstances" + ], + "Resource": [ + "arn:aws:ec2:{region}:{account}:key-pair/e3s-{environment}-agent", + "arn:aws:ec2:{region}:{account}:vpc/*", + "arn:aws:ec2:{region}:{account}:security-group/*", + "arn:aws:ec2:{region}:{account}:security-group-rule/*", + "arn:aws:ec2:{region}:{account}:subnet/*", + "arn:aws:ec2:{region}:{account}:elastic-ip/*", + "arn:aws:ec2:{region}:{account}:internet-gateway/*", + "arn:aws:ec2:{region}:{account}:network-interface/*", + "arn:aws:ec2:{region}:{account}:route-table/*", + "arn:aws:ec2:{region}:{account}:vpc-endpoint/*", + "arn:aws:ec2:{region}:{account}:natgateway/*", + "arn:aws:ec2:{region}:{account}:launch-template/*", + "arn:aws:ec2:{region}:{account}:instance/*", + "arn:aws:ec2:{region}:{account}:key-pair/{e3s_key_name}", + "arn:aws:ec2:{region}:{account}:volume/*", + "arn:aws:ec2:{region}::image/*" + ] + } + ] +} diff --git a/policies/terraform-policy.json b/policies/terraform-policy.json new file mode 100644 index 0000000..2cd185e --- /dev/null +++ b/policies/terraform-policy.json 
@@ -0,0 +1,205 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "NoConstraints", + "Effect": "Allow", + "Action": [ + "logs:DescribeLogGroups", + "elasticloadbalancing:DescribeTags", + "elasticloadbalancing:DescribeTargetGroups", + "elasticloadbalancing:DescribeTargetGroupAttributes", + "elasticloadbalancing:DescribeLoadBalancers", + "elasticloadbalancing:DescribeLoadBalancerAttributes", + "elasticloadbalancing:DescribeListeners", + "rds:DescribeDBInstances", + "autoscaling:DescribeScalingActivities", + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribePolicies" + ], + "Resource": [ + "*" + ] + }, + { + "Sid": "ECS", + "Effect": "Allow", + "Action": [ + "ecs:TagResource", + "ecs:CreateCluster", + "ecs:PutClusterCapacityProviders", + "ecs:DescribeClusters", + "ecs:DeleteCluster", + "ecs:CreateCapacityProvider", + "ecs:DescribeCapacityProviders", + "ecs:DeleteCapacityProvider" + ], + "Resource": [ + "arn:aws:ecs:{region}:{account}:cluster/e3s-{environment}", + "arn:aws:ecs:{region}:{account}:capacity-provider/e3s-{environment}-linux-capacityprovider", + "arn:aws:ecs:{region}:{account}:capacity-provider/e3s-{environment}-windows-capacityprovider" + ] + }, + { + "Sid": "Autoscaling", + "Effect": "Allow", + "Action": [ + "autoscaling:CreateOrUpdateTags", + "autoscaling:CreateAutoScalingGroup", + "autoscaling:DeleteAutoScalingGroup", + "autoscaling:PutScalingPolicy", + "autoscaling:DeletePolicy", + "autoscaling:UpdateAutoScalingGroup" + ], + "Resource": [ + "arn:aws:autoscaling:{region}:{account}:autoScalingGroup:*:autoScalingGroupName/e3s-{environment}-linux-asg", + "arn:aws:autoscaling:{region}:{account}:autoScalingGroup:*:autoScalingGroupName/e3s-{environment}-windows-asg" + ] + }, + { + "Sid": "IAM", + "Effect": "Allow", + "Action": [ + "iam:TagRole", + "iam:TagPolicy", + "iam:TagInstanceProfile", + "iam:CreatePolicy", + "iam:GetPolicy", + "iam:ListPolicyVersions", + "iam:GetPolicyVersion", + "iam:DeletePolicy", + "iam:CreateRole", + 
"iam:AttachRolePolicy", + "iam:GetRole", + "iam:ListRolePolicies", + "iam:ListAttachedRolePolicies", + "iam:ListInstanceProfilesForRole", + "iam:DetachRolePolicy", + "iam:DeleteRole", + "iam:CreateInstanceProfile", + "iam:GetInstanceProfile", + "iam:DeleteInstanceProfile", + "iam:AddRoleToInstanceProfile", + "iam:RemoveRoleFromInstanceProfile" + ], + "Resource": [ + "arn:aws:iam::{account}:policy/e3s-{environment}-policy", + "arn:aws:iam::{account}:policy/e3s-{environment}-agent-policy", + "arn:aws:iam::{account}:policy/e3s-{environment}-task-policy", + "arn:aws:iam::{account}:policy/{bucket_name}-policy", + "arn:aws:iam::{account}:role/e3s-{environment}-role", + "arn:aws:iam::{account}:role/e3s-{environment}-agent-role", + "arn:aws:iam::{account}:role/e3s-{environment}-task-role", + "arn:aws:iam::{account}:instance-profile/e3s-{environment}-role", + "arn:aws:iam::{account}:instance-profile/e3s-{environment}-agent-role" + ] + }, + { + "Sid": "IAMRoleAssign", + "Effect": "Allow", + "Action": [ + "iam:PassRole" + ], + "Resource": [ + "arn:aws:iam::{account}:role/e3s-{environment}-role", + "arn:aws:iam::{account}:role/e3s-{environment}-agent-role", + "arn:aws:iam::{account}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling" + ] + }, + { + "Sid": "CloudWatch", + "Effect": "Allow", + "Action": [ + "logs:TagResource", + "logs:CreateLogGroup", + "logs:PutRetentionPolicy", + "logs:DescribeLogGroups", + "logs:ListTagsForResource", + "logs:DeleteLogGroup" + ], + "Resource": [ + "arn:aws:logs:{region}:{account}:log-group:e3s-{environment}-log-group*" + ] + }, + { + "Sid": "S3", + "Effect": "Allow", + "Action": [ + "s3:CreateBucket", + "s3:ListBucket", + "s3:GetBucketPolicy", + "s3:GetBucketAcl", + "s3:GetBucketCors", + "s3:GetBucketWebsite", + "s3:GetBucketVersioning", + "s3:GetAccelerateConfiguration", + "s3:GetBucketRequestPayment", + "s3:GetBucketLogging", + "s3:GetLifecycleConfiguration", + "s3:GetReplicationConfiguration", + 
"s3:GetEncryptionConfiguration", + "s3:GetBucketObjectLockConfiguration", + "s3:GetBucketTagging", + "s3:DeleteBucket", + "s3:PutBucketTagging", + "s3:PutBucketPolicy", + "s3:DeleteBucketPolicy" + ], + "Resource": [ + "arn:aws:s3:::{bucket_name}", + "arn:aws:s3:::{bucket_name}/*" + ] + }, + { + "Sid": "ELBV2", + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:AddTags", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:ModifyTargetGroupAttributes", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:ModifyLoadBalancerAttributes", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:DeleteListener" + ], + "Resource": [ + "arn:aws:elasticloadbalancing:{region}:{account}:targetgroup/e3s-{environment}-tg/*", + "arn:aws:elasticloadbalancing:{region}:{account}:loadbalancer/app/e3s-{environment}-alb/*", + "arn:aws:elasticloadbalancing:{region}:{account}:listener/app/e3s-{environment}-alb/*" + ] + }, + { + "Sid": "RDS", + "Effect": "Allow", + "Action": [ + "rds:AddTagsToResource", + "rds:ListTagsForResource", + "rds:CreateDBSubnetGroup", + "rds:DescribeDBSubnetGroups", + "rds:DeleteDBSubnetGroup", + "rds:CreateDBInstance", + "rds:DeleteDBInstance" + ], + "Resource": [ + "arn:aws:rds:{region}:{account}:subgrp:e3s-{environment}-rds-subnet", + "arn:aws:rds:{region}:{account}:db:e3s-{environment}-postgres*" + ] + }, + { + "Sid": "ElastiCache", + "Effect": "Allow", + "Action": [ + "elasticache:AddTagsToResource", + "elasticache:ListTagsForResource", + "elasticache:CreateServerlessCache", + "elasticache:DescribeServerlessCaches", + "elasticache:DeleteServerlessCache" + ], + "Resource": [ + "arn:aws:elasticache:{region}:{account}:serverlesscache:e3s-{environment}-redis" + ] + } + ] +} \ No newline at end of file From fcd45e95a7ea3f2252c9fe72330bfea28ac0b3ed Mon Sep 17 00:00:00 2001 
From: dmtgrinevich Date: Tue, 30 Jul 2024 11:48:20 +0000 Subject: [PATCH 2/2] added conditions --- deploy/rds.tf | 1 + policies/terraform-ec2-deploy-policy.json | 274 ++++++++++++++++++ ...cy.json => terraform-ec2-view-policy.json} | 82 ++---- policies/terraform-policy.json | 80 +++-- 4 files changed, 363 insertions(+), 74 deletions(-) create mode 100644 policies/terraform-ec2-deploy-policy.json rename policies/{ec2-terraform-policy.json => terraform-ec2-view-policy.json} (50%) diff --git a/deploy/rds.tf b/deploy/rds.tf index 3a986de..0ae1013 100644 --- a/deploy/rds.tf +++ b/deploy/rds.tf @@ -8,6 +8,7 @@ resource "aws_db_subnet_group" "rds" { resource "aws_db_instance" "postgres" { count = var.data_layer_remote ? 1 : 0 identifier = local.e3s_rds_db_name + db_name = "postgres" allocated_storage = 10 max_allocated_storage = 30 instance_class = "db.t4g.small" diff --git a/policies/terraform-ec2-deploy-policy.json b/policies/terraform-ec2-deploy-policy.json new file mode 100644 index 0000000..9ddac57 --- /dev/null +++ b/policies/terraform-ec2-deploy-policy.json 
@@ -0,0 +1,274 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "EC2OnResourcesByTags", + "Effect": "Allow", + "Action": [ + "ec2:DeleteKeyPair", + "ec2:DescribeVpcAttribute", + "ec2:DeleteVpc", + "ec2:ModifyVpcAttribute", + "ec2:DeleteSecurityGroup", + "ec2:RevokeSecurityGroupIngress", + "ec2:RevokeSecurityGroupEgress", + "ec2:DeleteSubnet", + "ec2:ModifySubnetAttribute", + "ec2:ReleaseAddress", + "ec2:AttachInternetGateway", + "ec2:DeleteInternetGateway", + "ec2:DetachInternetGateway", + "ec2:DeleteRouteTable", + "ec2:CreateRoute", + "ec2:AssociateRouteTable", + "ec2:DisassociateRouteTable", + "ec2:DeleteVpcEndpoints", + "ec2:DeleteNatGateway", + "ec2:DeleteLaunchTemplate", + "ec2:CreateLaunchTemplateVersion", + "ec2:DeleteLaunchTemplateVersions" + ], + "Resource": [ + "arn:aws:ec2:{region}:{account}:vpc/*", + "arn:aws:ec2:{region}:{account}:key-pair/e3s-{env}-agent", + "arn:aws:ec2:{region}:{account}:security-group/*", + "arn:aws:ec2:{region}:{account}:subnet/*", + "arn:aws:ec2:{region}:{account}:elastic-ip/*", + "arn:aws:ec2:{region}:{account}:internet-gateway/*", + "arn:aws:ec2:{region}:{account}:route-table/*", + "arn:aws:ec2:{region}:{account}:vpc-endpoint/*", + "arn:aws:ec2:{region}:{account}:natgateway/*", + "arn:aws:ec2:{region}:{account}:launch-template/*" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/Name": "e3s", + "ec2:ResourceTag/Environment": "{env}" + } + } + }, + { + "Sid": "DisassociateAddress", + "Effect": "Allow", + "Action": [ + "ec2:DisassociateAddress" + ], + "Resource": "arn:aws:ec2:{region}:{account}:*/*" + }, + { + "Sid": "E3SServerTermination", + "Effect": "Allow", + "Action": [ + "ec2:TerminateInstances" + ], + "Resource": "arn:aws:ec2:{region}:{account}:instance/*", + "Condition": { + "StringEquals": { + "ec2:ResourceTag/Name": "e3s-{env}", + "ec2:ResourceTag/Environment": "{env}" + } + } + }, + { + "Sid": "EC2CreateWithTag", + "Effect": "Allow", + "Action": [ + "ec2:ImportKeyPair", + "ec2:CreateVpc", + 
"ec2:AllocateAddress", + "ec2:CreateInternetGateway", + "ec2:CreateLaunchTemplate" + ], + "Resource": [ + "arn:aws:ec2:{region}:{account}:key-pair/e3s-{env}-agent", + "arn:aws:ec2:{region}:{account}:vpc/*", + "arn:aws:ec2:{region}:{account}:elastic-ip/*", + "arn:aws:ec2:{region}:{account}:internet-gateway/*", + "arn:aws:ec2:{region}:{account}:launch-template/*" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/Name": "e3s", + "aws:RequestTag/Environment": "{env}" + } + } + }, + { + "Sid": "EC2VpcWithTag", + "Effect": "Allow", + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateSubnet", + "ec2:CreateRouteTable" + ], + "Resource": [ + "arn:aws:ec2:{region}:{account}:security-group/*", + "arn:aws:ec2:{region}:{account}:subnet/*", + "arn:aws:ec2:{region}:{account}:route-table/*" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/Name": "e3s", + "aws:RequestTag/Environment": "{env}" + } + } + }, + { + "Sid": "EC2VpcByTag", + "Effect": "Allow", + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateSubnet", + "ec2:CreateRouteTable" + ], + "Resource": [ + "arn:aws:ec2:{region}:{account}:vpc/*" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/Name": "e3s", + "ec2:ResourceTag/Environment": "{env}" + } + } + }, + { + "Sid": "SGRuleWithTag", + "Effect": "Allow", + "Action": [ + "ec2:AuthorizeSecurityGroupIngress", + "ec2:AuthorizeSecurityGroupEgress" + ], + "Resource": [ + "arn:aws:ec2:{region}:{account}:security-group-rule/*" + ], + "Condition": { + "StringEquals": { + "ec2:RequestTag/Name": "e3s", + "ec2:RequestTag/Environment": "{env}" + } + } + }, + { + "Sid": "SGRuleByTag", + "Effect": "Allow", + "Action": [ + "ec2:AuthorizeSecurityGroupIngress", + "ec2:AuthorizeSecurityGroupEgress" + ], + "Resource": [ + "arn:aws:ec2:{region}:{account}:security-group/*" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/Name": "e3s", + "ec2:ResourceTag/Environment": "{env}" + } + } + }, + { + "Sid": "Nat", + "Effect": "Allow", + "Action": [ 
+ "ec2:CreateNatGateway" + ], + "Resource": [ + "arn:aws:ec2:{region}:{account}:natgateway/*" + ] + }, + { + "Sid": "NatByTags", + "Effect": "Allow", + "Action": [ + "ec2:CreateNatGateway" + ], + "Resource": [ + "arn:aws:ec2:{region}:{account}:subnet/*", + "arn:aws:ec2:{region}:{account}:elastic-ip/*" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/Name": "e3s", + "ec2:ResourceTag/Environment": "{env}" + } + } + }, + { + "Sid": "VpcEndpointWithTags", + "Effect": "Allow", + "Action": [ + "ec2:CreateVpcEndpoint" + ], + "Resource": [ + "arn:aws:ec2:{region}:{account}:vpc-endpoint/*" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/Name": "e3s", + "aws:RequestTag/Environment": "{env}" + } + } + }, + { + "Sid": "VpcEndpointByTags", + "Effect": "Allow", + "Action": [ + "ec2:CreateVpcEndpoint" + ], + "Resource": [ + "arn:aws:ec2:{region}:{account}:vpc/*", + "arn:aws:ec2:{region}:{account}:subnet/*", + "arn:aws:ec2:{region}:{account}:route-table/*", + "arn:aws:ec2:{region}:{account}:security-group/*" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/Name": "e3s", + "ec2:ResourceTag/Environment": "{env}" + } + } + }, + { + "Sid": "E3SKeyPar", + "Effect": "Allow", + "Action": [ + "ec2:ImportKeyPair" + ], + "Resource": [ + "arn:aws:ec2:{region}:{account}:key-pair/{e3s-key-name}" + ] + }, + { + "Sid": "EC2RunInstances", + "Effect": "Allow", + "Action": [ + "ec2:RunInstances" + ], + "Resource": [ + "arn:aws:ec2:{region}::image/*", + "arn:aws:ec2:{region}:{account}:instance/*", + "arn:aws:ec2:{region}:{account}:volume/*", + "arn:aws:ec2:{region}:{account}:network-interface/*", + "arn:aws:ec2:{region}:{account}:key-pair/{e3s-key-name}", + "arn:aws:ec2:{region}:{account}:key-pair/e3s-{env}-agent" + ] + }, + { + "Sid": "EC2RunInstancesByTags", + "Effect": "Allow", + "Action": [ + "ec2:RunInstances" + ], + "Resource": [ + "arn:aws:ec2:{region}:{account}:security-group/*", + "arn:aws:ec2:{region}:{account}:subnet/*", + 
"arn:aws:ec2:{region}:{account}:launch-template/*" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/Name": "e3s", + "ec2:ResourceTag/Environment": "{env}" + } + } + } + ] +} \ No newline at end of file diff --git a/policies/ec2-terraform-policy.json b/policies/terraform-ec2-view-policy.json similarity index 50% rename from policies/ec2-terraform-policy.json rename to policies/terraform-ec2-view-policy.json index 9499d14..9fe45e8 100644 --- a/policies/ec2-terraform-policy.json +++ b/policies/terraform-ec2-view-policy.json @@ -26,7 +26,8 @@ "ec2:DescribeInstances", "ec2:DescribeInstanceTypes", "ec2:DescribeTags", - "ec2:DescribeVolumes" + "ec2:DescribeVolumes", + "ec2:DescribeInstanceAttribute" ], "Resource": "*", "Condition": { 
@@ -36,68 +37,47 @@ } }, { - "Sid": "EC2", + "Sid": "Tagging", "Effect": "Allow", "Action": [ - "ec2:CreateTags", - "ec2:ImportKeyPair", - "ec2:DeleteKeyPair", - "ec2:CreateVpc", - "ec2:DescribeVpcAttribute", - "ec2:DeleteVpc", - "ec2:ModifyVpcAttribute", - "ec2:CreateSecurityGroup", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress", - "ec2:RevokeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:AuthorizeSecurityGroupEgress", - "ec2:CreateSubnet", - "ec2:DeleteSubnet", - "ec2:ModifySubnetAttribute", - "ec2:AllocateAddress", - "ec2:ReleaseAddress", - "ec2:DisassociateAddress", - "ec2:CreateInternetGateway", - "ec2:AttachInternetGateway", - "ec2:DeleteInternetGateway", - "ec2:DetachInternetGateway", - "ec2:CreateRouteTable", - "ec2:DeleteRouteTable", - "ec2:CreateRoute", - "ec2:AssociateRouteTable", - "ec2:DisassociateRouteTable", - "ec2:CreateVpcEndpoint", - "ec2:DeleteVpcEndpoints", - "ec2:CreateNatGateway", - "ec2:DeleteNatGateway", - "ec2:DescribeVpcEndpoints", - "ec2:CreateLaunchTemplate", - "ec2:DeleteLaunchTemplate", - "ec2:CreateLaunchTemplateVersion", - "ec2:DeleteLaunchTemplateVersions", - "ec2:DescribeInstanceAttribute", - "ec2:RunInstances", - "ec2:TerminateInstances" + "ec2:CreateTags" ], "Resource": [ - "arn:aws:ec2:{region}:{account}:key-pair/e3s-{environment}-agent", "arn:aws:ec2:{region}:{account}:vpc/*", "arn:aws:ec2:{region}:{account}:security-group/*", - "arn:aws:ec2:{region}:{account}:security-group-rule/*", "arn:aws:ec2:{region}:{account}:subnet/*", + "arn:aws:ec2:{region}:{account}:key-pair/e3s-{env}-agent", "arn:aws:ec2:{region}:{account}:elastic-ip/*", "arn:aws:ec2:{region}:{account}:internet-gateway/*", - "arn:aws:ec2:{region}:{account}:network-interface/*", "arn:aws:ec2:{region}:{account}:route-table/*", "arn:aws:ec2:{region}:{account}:vpc-endpoint/*", "arn:aws:ec2:{region}:{account}:natgateway/*", "arn:aws:ec2:{region}:{account}:launch-template/*", - "arn:aws:ec2:{region}:{account}:instance/*", - 
"arn:aws:ec2:{region}:{account}:key-pair/{e3s_key_name}", - "arn:aws:ec2:{region}:{account}:volume/*", - "arn:aws:ec2:{region}::image/*" - ] + "arn:aws:ec2:{region}:{account}:security-group-rule/*", + "arn:aws:ec2:{region}:{account}:volume/*" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/Name": "e3s", + "aws:RequestTag/Environment": "{env}" + } + } + }, + { + "Sid": "E3SServerTagging", + "Effect": "Allow", + "Action": [ + "ec2:CreateTags" + ], + "Resource": [ + "arn:aws:ec2:{region}:{account}:instance/*" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/Name": "e3s-{env}", + "aws:RequestTag/Environment": "{env}" + } + } } ] -} +} \ No newline at end of file diff --git a/policies/terraform-policy.json b/policies/terraform-policy.json index 2cd185e..072e162 100644 --- a/policies/terraform-policy.json +++ b/policies/terraform-policy.json @@ -35,9 +35,9 @@ "ecs:DeleteCapacityProvider" ], "Resource": [ - "arn:aws:ecs:{region}:{account}:cluster/e3s-{environment}", - "arn:aws:ecs:{region}:{account}:capacity-provider/e3s-{environment}-linux-capacityprovider", - "arn:aws:ecs:{region}:{account}:capacity-provider/e3s-{environment}-windows-capacityprovider" + "arn:aws:ecs:{region}:{account}:cluster/e3s-{env}", + "arn:aws:ecs:{region}:{account}:capacity-provider/e3s-{env}-linux-capacityprovider", + "arn:aws:ecs:{region}:{account}:capacity-provider/e3s-{env}-windows-capacityprovider" ] }, { @@ -52,8 +52,8 @@ "autoscaling:UpdateAutoScalingGroup" ], "Resource": [ - "arn:aws:autoscaling:{region}:{account}:autoScalingGroup:*:autoScalingGroupName/e3s-{environment}-linux-asg", - "arn:aws:autoscaling:{region}:{account}:autoScalingGroup:*:autoScalingGroupName/e3s-{environment}-windows-asg" + "arn:aws:autoscaling:{region}:{account}:autoScalingGroup:*:autoScalingGroupName/e3s-{env}-linux-asg", + "arn:aws:autoscaling:{region}:{account}:autoScalingGroup:*:autoScalingGroupName/e3s-{env}-windows-asg" ] }, { 
@@ -83,15 +83,15 @@ "iam:RemoveRoleFromInstanceProfile" ], "Resource": [ - "arn:aws:iam::{account}:policy/e3s-{environment}-policy", - "arn:aws:iam::{account}:policy/e3s-{environment}-agent-policy", - "arn:aws:iam::{account}:policy/e3s-{environment}-task-policy", + "arn:aws:iam::{account}:policy/e3s-{env}-policy", + "arn:aws:iam::{account}:policy/e3s-{env}-agent-policy", + "arn:aws:iam::{account}:policy/e3s-{env}-task-policy", "arn:aws:iam::{account}:policy/{bucket_name}-policy", - "arn:aws:iam::{account}:role/e3s-{environment}-role", - "arn:aws:iam::{account}:role/e3s-{environment}-agent-role", - "arn:aws:iam::{account}:role/e3s-{environment}-task-role", - "arn:aws:iam::{account}:instance-profile/e3s-{environment}-role", - "arn:aws:iam::{account}:instance-profile/e3s-{environment}-agent-role" + "arn:aws:iam::{account}:role/e3s-{env}-role", + "arn:aws:iam::{account}:role/e3s-{env}-agent-role", + "arn:aws:iam::{account}:role/e3s-{env}-task-role", + "arn:aws:iam::{account}:instance-profile/e3s-{env}-role", + "arn:aws:iam::{account}:instance-profile/e3s-{env}-agent-role" ] }, { @@ -101,8 +101,8 @@ "iam:PassRole" ], "Resource": [ - "arn:aws:iam::{account}:role/e3s-{environment}-role", - "arn:aws:iam::{account}:role/e3s-{environment}-agent-role", + "arn:aws:iam::{account}:role/e3s-{env}-role", + "arn:aws:iam::{account}:role/e3s-{env}-agent-role", "arn:aws:iam::{account}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling" ] }, @@ -118,7 +118,7 @@ "logs:DeleteLogGroup" ], "Resource": [ - "arn:aws:logs:{region}:{account}:log-group:e3s-{environment}-log-group*" + "arn:aws:logs:{region}:{account}:log-group:e3s-{env}-log-group*" ] }, { @@ -127,6 +127,7 @@ "Action": [ "s3:CreateBucket", "s3:ListBucket", + "s3:ListBucketVersions", "s3:GetBucketPolicy", "s3:GetBucketAcl", "s3:GetBucketCors", 
@@ -143,7 +144,9 @@ "s3:DeleteBucket", "s3:PutBucketTagging", "s3:PutBucketPolicy", - "s3:DeleteBucketPolicy" + "s3:DeleteBucketPolicy", + "s3:DeleteObject", + "s3:DeleteObjectVersion" ], "Resource": [ "arn:aws:s3:::{bucket_name}", @@ -165,9 +168,9 @@ "elasticloadbalancing:DeleteListener" ], "Resource": [ - "arn:aws:elasticloadbalancing:{region}:{account}:targetgroup/e3s-{environment}-tg/*", - "arn:aws:elasticloadbalancing:{region}:{account}:loadbalancer/app/e3s-{environment}-alb/*", - "arn:aws:elasticloadbalancing:{region}:{account}:listener/app/e3s-{environment}-alb/*" + "arn:aws:elasticloadbalancing:{region}:{account}:targetgroup/e3s-{env}-tg/*", + "arn:aws:elasticloadbalancing:{region}:{account}:loadbalancer/app/e3s-{env}-alb/*", + "arn:aws:elasticloadbalancing:{region}:{account}:listener/app/e3s-{env}-alb/*" ] }, { @@ -183,8 +186,8 @@ "rds:DeleteDBInstance" ], "Resource": [ - "arn:aws:rds:{region}:{account}:subgrp:e3s-{environment}-rds-subnet", - "arn:aws:rds:{region}:{account}:db:e3s-{environment}-postgres*" + "arn:aws:rds:{region}:{account}:subgrp:e3s-{env}-rds-subnet", + "arn:aws:rds:{region}:{account}:db:e3s-{env}-postgres*" ] }, { 
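Review bot: `s3:DeleteObject` and `s3:DeleteObjectVersion` on `arn:aws:s3:::{bucket_name}/*` let the deploy principal permanently remove every object version in the bucket, presumably so that `terraform destroy` can empty it (the bucket's `force_destroy` setting is not in this diff). Since the same policy serves routine `apply`, move those two actions plus `s3:ListBucketVersions` into their own statement (`"Sid": "S3DestroyObjects"`, objects-only `Resource`) so an operator can attach it only for the destroy path, and keep bucket-level actions on the bucket ARN and object-level ones on `/*` instead of listing both ARNs for everything. The enclosing `S3` statement's `Action` list begins outside the hunk.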
@@ -198,8 +201,39 @@
 "elasticache:DeleteServerlessCache"
 ],
 "Resource": [
- "arn:aws:elasticache:{region}:{account}:serverlesscache:e3s-{environment}-redis"
+ "arn:aws:elasticache:{region}:{account}:serverlesscache:e3s-{env}-redis"
 ]
+ },
+ {
+ "Sid": "ElastiCacheEC2DependentCreate",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateVpcEndpoint",
+ "ec2:CreateTags"
+ ],
+ "Resource": [
+ "arn:aws:ec2:{region}:{account}:vpc-endpoint/*"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:RequestTag/AmazonElastiCacheManaged": true
+ }
+ }
+ },
+ {
+ "Sid": "ElastiCacheEC2DependentDelete",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DeleteVpcEndpoints"
+ ],
+ "Resource": [
+ "arn:aws:ec2:{region}:{account}:vpc-endpoint/*"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/AmazonElastiCacheManaged": true
+ }
+ }
 }
 ]
 }
\ No newline at end of file
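Review bot: `"aws:RequestTag/AmazonElastiCacheManaged": true` (and its `ec2:ResourceTag` twin in `ElastiCacheEC2DependentDelete`) compares a tag value, which is always a string, against a JSON boolean; write `"true"` so the match does not depend on how IAM coerces the literal. As written, `ElastiCacheEC2DependentCreate` also lets the principal create any VPC endpoint in the region directly, with no `Name`/`Environment` tags, simply by including that tag in its own `CreateVpcEndpoint` call; if the grant exists only so ElastiCache can create the endpoint on the caller's behalf, add `"Bool": {"aws:ViaAWSService": "true"}` to both conditions so direct calls are denied (confirm that ElastiCache's forwarded call populates that key). The `Statement` array and the policy object close in the hunk's trailing context.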