Relocated custom IAM policies from micronode/bedrock

.gitignore

@@ -0,0 +1,2 @@
+# Created by .ignore support plugin (hsz.mobi)
+terraform-aws-bedrock-iam-policies.iml

Makefile

@@ -0,0 +1,23 @@
+SHELL:=/bin/bash
+REGISTRY?=bedrock
+DOCKERFILES=$(shell find * -mindepth 1 -type f -name Dockerfile)
+IMAGES=$(subst /,-,$(subst /Dockerfile,,$(DOCKERFILES)))
+DEPENDS=.depends.mk
+TAGS?=latest
+BUILD_ARGS?=
+
+.PHONY: all clean test docs format
+
+all: test docs format
+
+clean:
+	rm -rf .terraform/
+
+test:
+	terraform init && terraform validate
+
+docs:
+	docker run --rm -v "${PWD}:/work" tmknom/terraform-docs markdown ./ >./README.md
+
+format:
+	terraform fmt -list=true ./

README.md

@@ -1,2 +1,34 @@
-# terraform-aws-bedrock-iam-policies
-A collection of custom IAM policies to augment the available defaults.
+# AWS IAM role configuration
+
+Purpose: Provision IAM roles in AWS.
+
+Rationale: Bedrock blueprints use IAM roles to restrict the privileges of the provisioner.
+
+This script will create a role that has the following privileges:
+
+* IAM access to assume other IAM roles specific a blueprint
+* Access to read/write Terraform state associated with the account
+* Access to manage Terraform state locks associated with the blueprint
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| aws | >= 2.7.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | >= 2.7.0 |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| region | Selected AWS region | `any` | n/a | yes |
+
+## Outputs
+
+No output.
+

acm.tf

@@ -0,0 +1,17 @@
+data "aws_iam_policy_document" "acm_import_certificate" {
+  statement {
+    actions = [
+      "acm:ImportCertificate",
+      "acm:DescribeCertificate",
+      "acm:ListTagsForCertificate",
+      "acm:DeleteCertificate",
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "acm_import_certificate" {
+  name        = "bedrock-acm-importcert"
+  description = "Import certificates provisioned externally"
+  policy      = data.aws_iam_policy_document.acm_import_certificate.json
+}

autoscaling.tf

@@ -0,0 +1,14 @@
+data "aws_iam_policy_document" "application_autoscaling_fullaccess" {
+  statement {
+    actions = [
+      "application-autoscaling:*",
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "application_autoscaling_fullaccess" {
+  name        = "bedrock-appautoscaling-fullaccess"
+  description = "Allow full control over application autoscaling"
+  policy      = data.aws_iam_policy_document.application_autoscaling_fullaccess.json
+}

cloudformation.tf

@@ -0,0 +1,16 @@
+data "aws_iam_policy_document" "cloudformation_create_policy" {
+  statement {
+    actions = [
+      "cloudformation:Create*",
+      "cloudformation:Update*",
+      "cloudformation:Delete*",
+    ]
+    resources = ["arn:aws:cloudformation:${var.region}:${data.aws_caller_identity.current.account_id}:stack/*"]
+  }
+}
+
+resource "aws_iam_policy" "cloudformation_create" {
+  name        = "bedrock-cloudformation-create"
+  description = "Manage CloudFormation stacks"
+  policy      = data.aws_iam_policy_document.cloudformation_create_policy.json
+}

cloudwatch.tf

@@ -0,0 +1,34 @@
+data "aws_iam_policy_document" "cloudwatch_logs" {
+  statement {
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+      "logs:DescribeLogStreams",
+    ]
+    resources = ["arn:aws:logs:${data.aws_caller_identity.current.account_id}:log-group:*"]
+  }
+}
+
+data "aws_iam_policy_document" "cloudwatch_log_groups" {
+  statement {
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:DeleteLogGroup",
+      "logs:DescribeLogGroups",
+      "logs:PutRetentionPolicy",
+    ]
+    resources = ["arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:*"]
+  }
+}
+
+resource "aws_iam_policy" "cloudwatch_logs" {
+  name        = "bedrock-cloudwatch-logs"
+  description = "Manage CloudWatch log entries"
+  policy      = data.aws_iam_policy_document.cloudwatch_logs.json
+}
+
+resource "aws_iam_policy" "cloudwatch_log_groups" {
+  name        = "bedrock-cloudwatch-log-groups"
+  description = "Manage CloudWatch log groups"
+  policy      = data.aws_iam_policy_document.cloudwatch_log_groups.json
+}

codebuild.tf

@@ -0,0 +1,34 @@
+data "aws_iam_policy_document" "codebuild_vpc" {
+  statement {
+    actions = [
+      "ec2:CreateNetworkInterface",
+      "ec2:DescribeDhcpOptions",
+      "ec2:DescribeNetworkInterfaces",
+      "ec2:DeleteNetworkInterface",
+      "ec2:DescribeSubnets",
+      "ec2:DescribeSecurityGroups",
+      "ec2:DescribeVpcs",
+    ]
+    resources = ["*"]
+  }
+  statement {
+    actions   = ["ec2:CreateNetworkInterfacePermission"]
+    resources = ["arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:network-interfaces/*"]
+    condition {
+      test     = "StringEquals"
+      variable = "ec2:Subnet"
+      values   = ["arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:subnet/*"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "ec2:AuthorizedService"
+      values   = ["codebuild.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_policy" "codebuild_vpc" {
+  name        = "bedrock-codebuild-vpc"
+  description = "Permissions required for CodeBuild to run in a VPC"
+  policy      = data.aws_iam_policy_document.codebuild_vpc.json
+}

dynamodb.tf

@@ -0,0 +1,17 @@
+data "aws_iam_policy_document" "dynamodb_fullaccess" {
+  statement {
+    actions = [
+      "dynamodb:List*",
+      "dynamodb:Describe*",
+      "dynamodb:Get*",
+      "dynamodb:PutItem",
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "dynamodb_fullaccess" {
+  name        = "bedrock-dynamodb-fullaccess"
+  description = "Manage DynamoDB table entries"
+  policy      = data.aws_iam_policy_document.dynamodb_fullaccess.json
+}

ec2.tf

@@ -0,0 +1,42 @@
+data "aws_iam_policy_document" "ec2_subnet_fullaccess" {
+  statement {
+    actions = [
+      "ec2:CreateSubnet",
+      "ec2:DeleteSubnet",
+      "ec2:DisassociateSubnetCidrBlock",
+      "ec2:ModifySubnetAttribute",
+      "ec2:DescribeSubnets",
+      "ec2:AssociateSubnetCidrBlock",
+      "ec2:CreateDefaultSubnet",
+    ]
+    resources = ["*"]
+  }
+}
+
+data "aws_iam_policy_document" "ec2_securitygroup_fullaccess" {
+  statement {
+    actions = [
+      "ec2:CreateSecurityGroup",
+      "ec2:DeleteSecurityGroup",
+      "ec2:AuthorizeSecurityGroup*",
+      "ec2:RevokeSecurityGroup*",
+      "ec2:UpdateSecurityGroupRuleDescriptions*",
+      "ec2:CreateTags",
+      "ec2:DeleteTags",
+      "ec2:Describe*",
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "ec2_subnet_fullaccess" {
+  name        = "bedrock-ec2-subnet-fullaccess"
+  description = "Manage VPC Subnets"
+  policy      = data.aws_iam_policy_document.ec2_subnet_fullaccess.json
+}
+
+resource "aws_iam_policy" "ec2_securitygroup_fullaccess" {
+  name        = "bedrock-ec2-securitygroup-fullaccess"
+  description = "Manage VPC Security Groups"
+  policy      = data.aws_iam_policy_document.ec2_securitygroup_fullaccess.json
+}

iam.tf

@@ -0,0 +1,127 @@
+data "aws_iam_policy_document" "iam_passrole_policy" {
+  statement {
+    actions   = ["iam:PassRole"]
+    resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*"]
+  }
+}
+
+data "aws_iam_policy_document" "cloudformation_passrole_policy" {
+  statement {
+    actions   = ["iam:PassRole"]
+    resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*-cloudformation-role"]
+  }
+}
+
+data "aws_iam_policy_document" "iam_keyrotation" {
+  statement {
+    actions = [
+      "iam:CreateAccessKey",
+      "iam:DeleteAccessKey",
+      "iam:UpdateAccessKey",
+    ]
+    resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/*"]
+  }
+}
+
+data "aws_iam_policy_document" "iam_servicerole_create" {
+  statement {
+    actions = [
+      "iam:CreateServiceLinkedRole",
+    ]
+    resources = ["*"]
+  }
+}
+
+data "aws_iam_policy_document" "iam_assumerole" {
+  statement {
+    actions = [
+      "iam:ListRoles",
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    actions = [
+      "sts:AssumeRole",
+    ]
+    resources = [
+      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*-blueprint-role",
+    ]
+  }
+}
+
+data "aws_iam_policy_document" "iam_groupadmin" {
+  statement {
+    actions = [
+      "iam:ListGroups",
+      "iam:CreateGroup",
+      "iam:DeleteGroup",
+    ]
+    resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:*"]
+  }
+}
+
+data "aws_iam_policy_document" "instance_profile_fullaccess" {
+  statement {
+    actions = [
+      "iam:GetRole",
+      "iam:CreateRole",
+      "iam:DeleteRole",
+      "iam:AttachRolePolicy",
+      "iam:DetachRolePolicy",
+    ]
+    resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*"]
+  }
+  statement {
+    actions = [
+      "iam:CreateInstanceProfile",
+      "iam:DeleteInstanceProfile",
+      "iam:GetInstanceProfile",
+      "iam:AddRoleToInstanceProfile",
+      "iam:RemoveRoleFromInstanceProfile",
+    ]
+    resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:instance-profile/*"]
+  }
+}
+
+resource "aws_iam_policy" "iam_passrole" {
+  name        = "bedrock-iam-passrole"
+  description = "Deprecated: use bedrock-cloudformation-passrole"
+  policy      = data.aws_iam_policy_document.iam_passrole_policy.json
+}
+
+resource "aws_iam_policy" "cloudformation_passrole" {
+  name        = "bedrock-cloudformation-passrole"
+  description = "Permission to pass role to cloudformation"
+  policy      = data.aws_iam_policy_document.cloudformation_passrole_policy.json
+}
+
+resource "aws_iam_policy" "iam_keyrotation" {
+  name        = "bedrock-iam-keyrotation"
+  description = "Manage IAM access keys"
+  policy      = data.aws_iam_policy_document.iam_keyrotation.json
+}
+
+resource "aws_iam_policy" "iam_servicerole_create" {
+  name        = "bedrock-iam-servicerole-create"
+  description = "Create IAM service-linked roles"
+  policy      = data.aws_iam_policy_document.iam_servicerole_create.json
+}
+
+resource "aws_iam_policy" "iam_assumerole" {
+  name        = "bedrock-iam-assumerole"
+  description = "Assume blueprint IAM roles"
+  policy      = data.aws_iam_policy_document.iam_assumerole.json
+}
+
+resource "aws_iam_policy" "iam_groupadmin" {
+  name        = "bedrock-iam-groupadmin"
+  description = "Manage IAM user groups"
+  policy      = data.aws_iam_policy_document.iam_groupadmin.json
+}
+
+resource "aws_iam_policy" "iam_instance_profile" {
+  name        = "bedrock-instance-profile-fullaccess"
+  description = "Manage IAM instance profiles"
+  policy      = data.aws_iam_policy_document.instance_profile_fullaccess.json
+}