initial commit
sjauld committed Jul 29, 2019
0 parents commit db10066
Showing 25 changed files with 1,271 additions and 0 deletions.
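--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,6 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*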
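--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -0,0 +1,5 @@
+# CHANGELOG
+
+## v0.0.1 (2019-07-29)
+
+* Initial release!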
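--- a/README.md
+++ b/README.md
@@ -0,0 +1,35 @@
+# Terraform IAM Modules
+
+This is a collection of modules designed to provide standardised access across
+AWS accounts.
+
+## ACE Teknologi Security Model
+
+@TODO write this up properly and blog post
+
+> _Step 1: [lock away your root user safely](
+https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)!_
+
+Under the ACE Teknologi Security Model, users and groups are created in a
+management account, while roles are created in sub-accounts that contain
+infrastructure.
+
+Users should never have permissions directly attached - instead they are added
+to groups that allow them to do two things:
+1. Manage their credentials
+2. Assume roles so they can GSD
+
+Roles should be created in all accounts following the principle of least
+privilege, and users should use an appropriate role to carry out their tasks.
+
+This repo contains some simple roles for some simple use cases, but generally
+speaking you should create custom roles based on the least privilege needs of
+staff members.
+
+## Individal Modules
+
+For more information, please read the readmes of the various modules:-
+
+* [Groups](./groups)
+* [Roles](./roles)
+* [User](./user)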
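--- a/all_readme.sh
+++ b/all_readme.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+# Update all the readmes!
+
+set -euo pipefail
+
+# Check the current tag
+echo "Generating docs for the git tag $(git describe --tags)"
+
+# Check for terraform-docs
+TD_VERSION="$(terraform-docs --version)"
+echo "You're running terraform-docs $TD_VERSION"
+
+function generate_readme {
+echo "Updating $1"
+cd $1
+terraform0.12 init > /dev/null
+AWS_REGION=ap-southeast-2 terraform0.12 validate
+./readme.sh
+cd ..
+}
+
+generate_readme groups
+generate_readme roles
+generate_readme user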
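Review bot: `cd $1` inside generate_readme is unquoted, so a module path containing whitespace or glob characters is word-split and globbed before the cd even though the script runs under `set -euo pipefail`; write `cd "$1"`. The function also relies on a trailing `cd ..` to get back, which lands in the wrong directory if a caller ever passes a path with more than one component; running the body in a subshell, `( cd "$1" && terraform0.12 init > /dev/null && AWS_REGION=ap-southeast-2 terraform0.12 validate && ./readme.sh )`, returns automatically and drops the `cd ..`. The `terraform-docs --version` check is only echoed, so a missing binary is caught by `set -e` rather than by a clear message.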
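--- a/groups/README.md
+++ b/groups/README.md
@@ -0,0 +1,19 @@
+
+# Terraform IAM Groups Module
+
+This module generates generic IAM roles as follows.
+
+* Devops
+* DevopsProd
+* ReadOnly
+* ReadOnlyProd
+* Superuser
+* SuperuserProd
+* Support
+* SupportProd
+* UserSelfManagement
+
+## Usage
+
+This section of the documentation is not currently available (see
+https://github.com/segmentio/terraform-docs/issues/62)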
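--- a/groups/main.tf
+++ b/groups/main.tf
@@ -0,0 +1,293 @@
+data "aws_caller_identity" "current" {
+}
+# ------------------------------------------------------------------------
+# DevOps Groups
+# ------------------------------------------------------------------------
+
+resource "aws_iam_group" "devops_prod" {
+name = "DevopsProduction"
+}
+
+resource "aws_iam_group_policy" "devops_prod" {
+name = "DevopsProduction"
+group = aws_iam_group.devops_prod.name
+policy = data.aws_iam_policy_document.devops_prod.json
+}
+
+data "aws_iam_policy_document" "devops_prod" {
+statement {
+actions = ["sts:AssumeRole"]
+resources = formatlist(
+"arn:aws:iam::%s:role/${var.devops_role_name}",
+var.production_account_ids,
+)
+}
+}
+
+resource "aws_iam_group" "devops" {
+name = "Devops"
+}
+
+resource "aws_iam_group_policy" "devops" {
+name = "Devops"
+group = aws_iam_group.devops.name
+policy = data.aws_iam_policy_document.devops.json
+}
+
+data "aws_iam_policy_document" "devops" {
+statement {
+actions = ["sts:AssumeRole"]
+resources = formatlist(
+"arn:aws:iam::%s:role/${var.devops_role_name}",
+var.non_production_account_ids,
+)
+}
+}
+
+# ------------------------------------------------------------------------
+# Superuser Group
+# ------------------------------------------------------------------------
+
+resource "aws_iam_group" "superuser_prod" {
+name = "SuperuserProduction"
+}
+
+resource "aws_iam_group_policy" "superuser_prod" {
+name = "SuperuserProduction"
+group = aws_iam_group.superuser_prod.name
+policy = data.aws_iam_policy_document.superuser_prod.json
+}
+
+data "aws_iam_policy_document" "superuser_prod" {
+statement {
+actions = ["sts:AssumeRole"]
+resources = formatlist(
+"arn:aws:iam::%s:role/${var.superuser_role_name}",
+var.production_account_ids,
+)
+}
+}
+
+resource "aws_iam_group" "superuser" {
+name = "Superuser"
+}
+
+resource "aws_iam_group_policy" "superuser" {
+name = "Superuser"
+group = aws_iam_group.superuser.name
+policy = data.aws_iam_policy_document.superuser.json
+}
+
+data "aws_iam_policy_document" "superuser" {
+statement {
+actions = ["sts:AssumeRole"]
+resources = formatlist(
+"arn:aws:iam::%s:role/${var.superuser_role_name}",
+var.non_production_account_ids,
+)
+}
+}
+
+# ------------------------------------------------------------------------
+# Support group
+# ------------------------------------------------------------------------
+
+resource "aws_iam_group" "support_prod" {
+name = "SupportProduction"
+}
+
+resource "aws_iam_group_policy" "support_prod" {
+name = "SupportProduction"
+group = aws_iam_group.support_prod.name
+policy = data.aws_iam_policy_document.support_prod.json
+}
+
+data "aws_iam_policy_document" "support_prod" {
+statement {
+actions = ["sts:AssumeRole"]
+resources = formatlist(
+"arn:aws:iam::%s:role/${var.support_role_name}",
+var.production_account_ids,
+)
+}
+}
+
+resource "aws_iam_group" "support" {
+name = "Support"
+}
+
+resource "aws_iam_group_policy" "support" {
+name = "Support"
+group = aws_iam_group.support.name
+policy = data.aws_iam_policy_document.support.json
+}
+
+data "aws_iam_policy_document" "support" {
+statement {
+actions = ["sts:AssumeRole"]
+resources = formatlist(
+"arn:aws:iam::%s:role/${var.support_role_name}",
+var.non_production_account_ids,
+)
+}
+}
+
+# ------------------------------------------------------------------------
+# ReadOnly group
+# ------------------------------------------------------------------------
+
+resource "aws_iam_group" "readonly_prod" {
+name = "ReadOnlyProduction"
+}
+
+resource "aws_iam_group_policy" "readonly_prod" {
+name = "ReadOnlyProduction"
+group = aws_iam_group.readonly_prod.name
+policy = data.aws_iam_policy_document.readonly_prod.json
+}
+
+data "aws_iam_policy_document" "readonly_prod" {
+statement {
+actions = ["sts:AssumeRole"]
+resources = formatlist(
+"arn:aws:iam::%s:role/${var.readonly_role_name}",
+var.production_account_ids,
+)
+}
+}
+
+resource "aws_iam_group" "readonly" {
+name = "ReadOnly"
+}
+
+resource "aws_iam_group_policy" "readonly" {
+name = "ReadOnly"
+group = aws_iam_group.readonly.name
+policy = data.aws_iam_policy_document.readonly.json
+}
+
+data "aws_iam_policy_document" "readonly" {
+statement {
+actions = ["sts:AssumeRole"]
+resources = formatlist(
+"arn:aws:iam::%s:role/${var.readonly_role_name}",
+var.non_production_account_ids,
+)
+}
+}
+
+# ------------------------------------------------------------------------
+# UserSelfManagement group
+# ------------------------------------------------------------------------
+
+resource "aws_iam_group" "self_management" {
+name = "UserSelfManagement"
+}
+
+resource "aws_iam_group_policy" "self_management" {
+name = "UserSelfManagement"
+group = aws_iam_group.self_management.name
+policy = data.aws_iam_policy_document.self_management.json
+}
+
+data "aws_iam_policy_document" "self_management" {
+statement {
+sid = "AllowUsersToDeactivateTheirOwnVirtualMFADevice"
+
+actions = [
+"iam:DeactivateMFADevice",
+]
+
+resources = [
+"arn:aws:iam::${data.aws_caller_identity.current.account_id}:mfa/&{aws:username}",
+"arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/&{aws:username}",
+]
+
+condition {
+test = "Bool"
+variable = "aws:MultiFactorAuthPresent"
+values = ["true"]
+}
+}
+
+statement {
+sid = "AllowUsersToDeleteTheirOwnVirtualMFADevice"
+
+actions = [
+"iam:CreateVirtualMFADevice",
+"iam:DeleteVirtualMFADevice",
+"iam:EnableMFADevice",
+"iam:ResyncMFADevice",
+]
+
+resources = [
+"arn:aws:iam::${data.aws_caller_identity.current.account_id}:mfa/&{aws:username}",
+"arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/&{aws:username}",
+]
+
+condition {
+test = "Bool"
+variable = "aws:MultiFactorAuthPresent"
+values = ["true"]
+}
+}
+
+statement {
+sid = "AllowUsersToListMFADevicesandUsersForConsole"
+
+actions = [
+"iam:CreateVirtualMFADevice",
+"iam:EnableMFADevice",
+"iam:ListMFADevices",
+"iam:ListUsers",
+"iam:ListVirtualMFADevices",
+"iam:ResyncMFADevice",
+]
+
+resources = [
+"*",
+]
+}
+
+statement {
+actions = ["iam:ChangePassword"]
+
+resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/&{aws:username}"]
+}
+
+statement {
+actions = ["iam:GetAccountPasswordPolicy"]
+resources = ["*"]
+}
+
+statement {
+actions = ["iam:GetLoginProfile"]
+
+resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/&{aws:username}"]
+
+condition {
+test = "Bool"
+variable = "aws:MultiFactorAuthPresent"
+values = ["true"]
+}
+}
+
+statement {
+actions = [
+"iam:DeleteAccessKey",
+"iam:GetAccessKeyLastUsed",
+"iam:UpdateAccessKey",
+"iam:GetUser",
+"iam:CreateAccessKey",
+"iam:ListAccessKeys",
+]
+
+resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/&{aws:username}"]
+
+condition {
+test = "Bool"
+variable = "aws:MultiFactorAuthPresent"
+values = ["true"]
+}
+}
+}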
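Review bot: The self_management statement with sid AllowUsersToListMFADevicesandUsersForConsole grants iam:CreateVirtualMFADevice, iam:EnableMFADevice and iam:ResyncMFADevice on resource "*" with no aws:MultiFactorAuthPresent condition, so the policy permits any member of UserSelfManagement to create and enable a virtual MFA device for any IAM user in the account, not just their own. The sid and the two scoped, MFA-gated statements above it suggest the intent is listing plus first-time enrolment (a user with no device yet cannot satisfy the MFA condition), which a list-only statement on "*" plus an unconditioned statement scoped to the caller's own user/ and mfa/ ARNs covers without the account-wide grant. Separately, none of the sts:AssumeRole group policies carry an MFA condition; if enforcement lives in the role trust policies (the roles module is not on this page), a comment on the devops_prod document saying so, e.g. `# MFA is enforced by the trust policy of the target role`, would save the next reader a search.
```hcl
  # … unchanged: the two MFA-gated statements for the caller's own device …
  statement {
    sid = "AllowUsersToListMFADevicesandUsersForConsole"

    actions = [
      "iam:ListMFADevices",
      "iam:ListUsers",
      "iam:ListVirtualMFADevices",
    ]

    resources = ["*"]
  }

  # First-time enrolment: the caller has no MFA device yet, so this statement
  # deliberately carries no aws:MultiFactorAuthPresent condition, but it is
  # scoped to the caller's own user and virtual device only.
  statement {
    sid = "AllowUsersToEnrolTheirOwnVirtualMFADevice"

    actions = [
      "iam:CreateVirtualMFADevice",
      "iam:EnableMFADevice",
      "iam:ResyncMFADevice",
    ]

    resources = [
      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:mfa/&{aws:username}",
      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/&{aws:username}",
    ]
  }
  # … unchanged: ChangePassword, GetAccountPasswordPolicy, GetLoginProfile and access-key statements …
```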
