Added initial module for creating CloudCheckr IAM role/policies

bff7face · Rob Greenwood · bff7face · bff7face · bff7face · bff7face
Commit bff7face authored Nov 08, 2016 by Rob Greenwood
Showing with 241 additions and 0 deletions

.gitlab-ci.yml .gitlab-ci.yml +12 -0

README.md README.md +14 -0

assume_role.json.tpl assume_role.json.tpl +17 -0

main.tf main.tf +41 -0

role_policy.json role_policy.json +157 -0

No files found.
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
+image: alpine:latest
+
+variables:
+  TERRAFORM_URL: "https://releases.hashicorp.com/terraform/0.7.1/terraform_0.7.1_linux_amd64.zip"
+
+before_script:
+  - apk update && apk add ca-certificates && update-ca-certificates && apk add openssl
+  - wget -O /tmp/terraform.zip $TERRAFORM_URL
+  - unzip /tmp/terraform.zip -d /usr/local/bin 
+
+test:
+  script: terraform validate
--- a/README.md
+++ b/README.md
+tf_mod_aws_cloudcheckr
+==============
+A Terraform module for creating the required IAM policies for CloudCheckr access.
+
+1.) Adding a module resource to your template, e.g. `main.tf`
+
+```
+module "cloudcheckr" {
+  source = "git::https://git.steamhaus.co.uk/steamhaus/tf_mod_aws_cloudcheckr"
+
+  account_id  = "cloudcheckr_aws_account_id"
+  external_id = "cloudcheckr_external_id"
+}
+```
--- a/assume_role.json.tpl
+++ b/assume_role.json.tpl
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::${account_id}:root"
+      },
+      "Action": "sts:AssumeRole",
+      "Condition": {
+        "StringEquals": {
+          "sts:ExternalId": "${external_id}"
+        }
+      }
+    }
+  ]
+}
--- a/main.tf
+++ b/main.tf
+ variable "account_id" {
+   description = "ID of the CloudCheckr AWS account"
+   default     = "352813966189"
+ }
+
+ variable "external_id" {
+   description = "External ID for the CloudCheckr account"
+}
+
+data "template_file" "assume_role" {
+  template = "${file("${path.module}/assume_role.json.tpl")}"
+   
+  vars {
+    account_id  = "${var.account_id}"
+    external_id = "${var.external_id}"
+  }
+}
+
+resource "aws_iam_role" "main" {
+  name               = "cloudcheckr"
+  assume_role_policy = "${data.template_file.assume_role.rendered}"
+}
+
+resource "aws_iam_policy" "main" {
+  name = "cloudcheckr"
+  policy = "${file("${path.module}/role_policy.json")}"
+}
+
+resource "aws_iam_policy_attachment" "main" {
+  ame        = "cloudcheckr"
+  roles      = ["${aws_iam_role.main.name}"]
+  policy_arn = "${aws_iam_policy.main.arn}"
+}
+
+output "name" { 
+  value = "${aws_iam_role.main.name}"
+}
+
+output "policy" {
+  value = "${aws_iam_policy.main.name}"
+}
--- a/role_policy.json
+++ b/role_policy.json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "FullPolicy",
+            "Action": [
+                "acm:DescribeCertificate",
+                "acm:ListCertificates",
+                "acm:GetCertificate",
+                "autoscaling:Describe*",
+                "cloudformation:DescribeStacks",
+                "cloudformation:GetStackPolicy",
+                "cloudformation:GetTemplate",
+                "cloudformation:ListStackResources",
+                "cloudfront:List*",
+                "cloudfront:GetDistributionConfig",
+                "cloudfront:GetStreamingDistributionConfig",
+                "cloudhsm:Describe*",
+                "cloudhsm:List*",
+                "cloudsearch:DescribeDomains",
+                "cloudsearch:DescribeServiceAccessPolicies",
+                "cloudsearch:DescribeStemmingOptions",
+                "cloudsearch:DescribeStopwordOptions",
+                "cloudsearch:DescribeSynonymOptions",
+                "cloudsearch:DescribeDefaultSearchField",
+                "cloudsearch:DescribeIndexFields",
+                "cloudsearch:DescribeRankExpressions",
+                "cloudtrail:DescribeTrails",
+                "cloudtrail:GetTrailStatus",
+                "cloudwatch:DescribeAlarms",
+                "cloudwatch:GetMetricStatistics",
+                "cloudwatch:ListMetrics",
+                "config:DescribeDeliveryChannels",
+                "config:DescribeDeliveryChannelStatus",
+                "config:DescribeConfigurationRecorders",
+                "config:DescribeConfigurationRecorderStatus",
+                "datapipeline:ListPipelines",
+                "datapipeline:GetPipelineDefinition",
+                "datapipeline:DescribePipelines",
+                "directconnect:DescribeLocations",
+                "directconnect:DescribeConnections",
+                "directconnect:DescribeVirtualInterfaces",
+                "dynamodb:ListTables",
+                "dynamodb:DescribeTable",
+                "ec2:Describe*",
+                "ec2:GetConsoleOutput",
+                "ecs:ListClusters",
+                "ecs:DescribeClusters",
+                "ecs:ListContainerInstances",
+                "ecs:DescribeContainerInstances",
+                "ecs:ListServices",
+                "ecs:DescribeServices",
+                "ecs:ListTaskDefinitions",
+                "ecs:DescribeTaskDefinition",
+                "ecs:ListTasks",
+                "ecs:DescribeTasks",
+                "elasticache:DescribeCacheClusters",
+                "elasticache:DescribeReservedCacheNodes",
+                "elasticache:DescribeCacheSecurityGroups",
+                "elasticache:DescribeCacheParameterGroups",
+                "elasticache:DescribeCacheParameters",
+                "elasticache:DescribeCacheSubnetGroups",
+                "elasticbeanstalk:DescribeApplications",
+                "elasticbeanstalk:DescribeConfigurationSettings",
+                "elasticbeanstalk:DescribeEnvironments",
+                "elasticbeanstalk:DescribeEvents",
+                "elasticloadbalancing:DescribeLoadBalancers",
+                "elasticloadbalancing:DescribeInstanceHealth",
+                "elasticloadbalancing:DescribeLoadBalancerAttributes",
+                "elasticloadbalancing:DescribeTags",
+                "elasticmapreduce:DescribeJobFlows",
+                "elasticmapreduce:DescribeStep",
+                "elasticmapreduce:DescribeCluster",
+                "elasticmapreduce:DescribeTags",
+                "elasticmapreduce:ListSteps",
+                "elasticmapreduce:ListInstanceGroups",
+                "elasticmapreduce:ListBootstrapActions",
+                "elasticmapreduce:ListClusters",
+                "elasticmapreduce:ListInstances",
+                "glacier:List*",
+                "glacier:DescribeVault",
+                "glacier:GetVaultNotifications",
+                "glacier:DescribeJob",
+                "glacier:GetJobOutput",
+                "iam:Get*",
+                "iam:List*",
+                "iam:GenerateCredentialReport",
+                "kinesis:ListStreams",
+                "kinesis:DescribeStream",
+                "kinesis:GetShardIterator",
+                "kinesis:GetRecords",
+                "kms:Describe*",                
+                "kms:Get*",         
+                "kms:List*",
+                "lambda:ListFunctions",
+                "rds:Describe*",
+                "rds:ListTagsForResource",
+                "redshift:Describe*",
+                "redshift:ViewQueriesInConsole",
+                "route53:ListHealthChecks",
+                "route53:ListHostedZones",
+                "route53:ListResourceRecordSets",
+                "s3:GetBucketACL",
+                "s3:GetBucketLocation",
+                "s3:GetBucketLogging",
+                "s3:GetBucketPolicy",
+                "s3:GetBucketTagging",
+                "s3:GetBucketWebsite",
+                "s3:GetBucketNotification",
+                "s3:GetLifecycleConfiguration",
+                "s3:GetNotificationConfiguration",
+                "s3:GetObject",
+                "s3:GetObjectMetadata",
+                "s3:List*",
+                "sdb:ListDomains",
+                "sdb:DomainMetadata",
+                "ses:ListIdentities",
+                "ses:GetSendStatistics",
+                "ses:GetIdentityDkimAttributes",
+                "ses:GetIdentityVerificationAttributes",
+                "ses:GetSendQuota",
+                "sns:GetSnsTopic",
+                "sns:GetTopicAttributes",
+                "sns:GetSubscriptionAttributes",
+                "sns:ListTopics",
+                "sns:ListSubscriptionsByTopic",
+                "sqs:ListQueues",
+                "sqs:GetQueueAttributes",
+                "storagegateway:Describe*",
+                "storagegateway:List*",
+                "support:*",
+                "swf:ListClosedWorkflowExecutions",
+                "swf:ListDomains",
+                "swf:ListActivityTypes",
+                "swf:ListWorkflowTypes",
+                "workspaces:DescribeWorkspaceDirectories",
+                "workspaces:DescribeWorkspaceBundles",
+                "workspaces:DescribeWorkspaces"
+            ],
+            "Effect": "Allow",
+            "Resource": "*"
+        },
+        {
+            "Sid": "CloudWatchLogsSpecific",
+            "Effect": "Allow",
+            "Action": [
+                "logs:GetLogEvents",
+                "logs:DescribeLogGroups",
+                "logs:DescribeLogStreams"
+            ],
+            "Resource": [
+                "arn:aws:logs:*:*:*"
+            ]
+        }
+    ]
+}
\ No newline at end of file