Manage Terraform policies (#44)

* Basic Policies

* Add some missing policies

.travis.yml

@@ -7,6 +7,7 @@ install:
 script:
   - docker run --rm -ti lint modules/traefik
   - docker run --rm -ti lint modules/rds
+  - docker run --rm -ti lint environments/staging/policies
   - docker run --rm -ti lint environments/staging/core
   - docker run --rm -ti lint environments/staging/rds
   - docker run --rm -ti lint environments/staging/traefik

environments/staging/README.md

@@ -1,5 +1,10 @@
 # L-Cloud Staging Environment Modules
 
+## Policies
+
+This module defines some policies that are used to manage users and keys. This module
+_MUST BE PROVSIONED FIRST_.
+
 ## Core
 
 Core infrastructure containing:

environments/staging/policies/README.md

@@ -0,0 +1,39 @@
+# Policies
+
+This module define the various policies for managing Terraform resources. This must be provisioned
+by an admin user or root user.
+
+## Manual Steps
+
+1. Create bucket for Terraform state
+1. Create DynamoDB table to lock Terraform state
+
+### Create bucket for Terraform state
+
+Create a bucket to hold Terraform state. You should configure this in the `backend-config.tfvars`.
+The default one used in this environment is `locus-terraform-state`.
+
+### Create DynamoDB table to lock Terraform state
+
+Create a DynamoDB table with a `LockID` index for Terraform to lock its state.
+You should configure this in the `backend-config.tfvars`.
+The default one used in this environment is `locus-terraform-state`.
+
+## What this module does
+
+- Create admin group and attach policies
+- Create terraformers group and attach policies
+- Manage terraform key policies
+- Manages terraform state bucket policies
+- Provision KMS Keys
+
+This module _DOES NOT_:
+
+- Manage users
+- Manage membership of groups
+
+### Provision KMS Keys
+
+The following keys with the following (default) aliases will be provisioned:
+
+- `terraform`: For managing terraform secrets

environments/staging/policies/backend-config.tfvars

@@ -0,0 +1,4 @@
+bucket = "locus-terraform-state"
+key = "policies"
+region = "ap-southeast-1"
+dynamodb_table = "locus-terraform-state"

environments/staging/policies/iam_groups.tf

@@ -0,0 +1,39 @@
+##################################################
+# Admin Group
+##################################################
+resource "aws_iam_group" "admins" {
+    name = "${var.iam_group_admins_name}"
+}
+
+# Admin access policy
+resource "aws_iam_group_policy_attachment" "admins" {
+    group = "${aws_iam_group.admins.name}"
+    policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+
+# Administrate all keys
+resource "aws_iam_group_policy_attachment" "admins_key_admins" {
+    group = "${aws_iam_group.admins.name}"
+    policy_arn = "${aws_iam_policy.all_keys_admin.arn}"
+}
+
+##################################################
+# Terraformers Group
+#
+# This group should only have the neccessary permissions to deploy applications.
+#
+# TODO: Restrict terraformers to whatever is needed to deploy applications.
+##################################################
+resource "aws_iam_group" "terraformers" {
+    name = "${var.iam_group_terraformers_name}"
+}
+
+resource "aws_iam_group_policy_attachment" "s3_bucket_state" {
+    group = "${aws_iam_group.terraformers.name}"
+    policy_arn = "${aws_iam_policy.s3_state_all_access.arn}"
+}
+
+resource "aws_iam_group_policy_attachment" "dynamo_state" {
+    group = "${aws_iam_group.terraformers.name}"
+    policy_arn = "${aws_iam_policy.dynamo_state.arn}"
+}

environments/staging/policies/kms.tf

@@ -0,0 +1,13 @@
+resource "aws_kms_key" "terraform" {
+    description = "Used for encrypting secrets for terraforming"
+    deletion_window_in_days = 30
+    enable_key_rotation = true
+    policy = "${data.template_file.iam_key_policy.rendered}"
+
+    tags = "${var.tags}"
+}
+
+resource "aws_kms_alias" "terraform" {
+    name = "${var.kms_terraform_alias}"
+    target_key_id = "${aws_kms_key.terraform.key_id}"
+}

environments/staging/policies/main.tf

@@ -0,0 +1,13 @@
+terraform {
+    backend "s3" { }
+}
+
+provider "aws" {
+    region = "${var.aws_region}"
+}
+
+data "aws_caller_identity" "current" {}
+
+locals {
+    account_id = "${data.aws_caller_identity.current.account_id}"
+}

environments/staging/policies/policies.tf

@@ -0,0 +1,98 @@
+#####################################
+# Allow IAM access to keys
+# See https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
+# for more information on key policies
+#####################################
+
+data "template_file" "iam_key_policy" {
+    template = "${file("${path.module}/templates/iam_key_policy.json")}"
+
+    vars {
+        account_id = "${local.account_id}"
+    }
+}
+
+#####################################
+# Allow administration for all keys
+#####################################
+data "aws_iam_policy_document" "all_keys_admin" {
+    policy_id = "AllKeysAdministration"
+
+    statement {
+        effect = "Allow"
+        actions = [
+            "kms:Create*",
+            "kms:Describe*",
+            "kms:Enable*",
+            "kms:List*",
+            "kms:Put*",
+            "kms:Update*",
+            "kms:Revoke*",
+            "kms:Disable*",
+            "kms:Get*",
+            "kms:Delete*",
+            "kms:TagResource",
+            "kms:UntagResource",
+            "kms:ScheduleKeyDeletion",
+            "kms:CancelKeyDeletion"
+        ]
+
+        resources  = [
+             "arn:aws:kms:*:${local.account_id}:key/*"
+        ]
+    }
+}
+
+resource "aws_iam_policy" "all_keys_admin" {
+    name = "AllKeysAdministration"
+    description = "Allows administration to all KMS keys in the account"
+    policy = "${data.aws_iam_policy_document.all_keys_admin.json}"
+}
+
+#################################################
+# Allow access to all objects in State bucket
+#################################################
+data "aws_iam_policy_document" "s3_state_all_access" {
+    policy_id = "S3StateAllAccess"
+
+    statement {
+        effect = "Allow"
+        actions = [
+            "s3:*"
+        ]
+
+        resources  = [
+             "arn:aws:s3:::${var.s3_state_bucket}/*"
+        ]
+    }
+}
+
+resource "aws_iam_policy" "s3_state_all_access" {
+    name = "S3StateAllAccess"
+    description = "Allows all actions on the S3 bucket containing state"
+    policy = "${data.aws_iam_policy_document.s3_state_all_access.json}"
+}
+
+#################################################
+# Allow access to all objects in state locking DynamoDB table
+#################################################
+data "aws_iam_policy_document" "dynamo_state" {
+    policy_id = "DyanamoDBStateAllAccess"
+
+    statement {
+        effect = "Allow"
+        actions = [
+            "dynamodb:*"
+        ]
+
+        resources  = [
+             "arn:aws:dynamodb:${var.aws_region}:${local.account_id}-id:${var.dynamodb_state}/*"
+        ]
+    }
+}
+
+resource "aws_iam_policy" "dynamo_state" {
+    name = "DyanamoDBStateAllAccess"
+    description = "Allows all actions on the terraform locking DynamoDB table"
+    policy = "${data.aws_iam_policy_document.dynamo_state.json}"
+}

environments/staging/policies/templates/iam_key_policy.json

@@ -0,0 +1,15 @@
+{
+    "Version": "2012-10-17",
+    "Id": "terraform-policy",
+    "Statement": [
+        {
+            "Sid": "Enable IAM User Permissions",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:iam::${account_id}:root"
+            },
+            "Action": "kms:*",
+            "Resource": "*"
+        }
+    ]
+}

environments/staging/policies/variables.tf

@@ -0,0 +1,49 @@
+variable "aws_region" {
+    description = "AWS region to terraform in"
+    default = "ap-southeast-1"
+}
+
+########################################################################
+# IAM Group
+########################################################################
+variable "iam_group_admins_name" {
+    description = "Name of IAM admin group"
+    default = "admins"
+}
+variable "iam_group_terraformers_name" {
+    description = "Name of IAM terraformer group"
+    default = "terraformers"
+}
+
+########################################################################
+# KMS keys
+########################################################################
+variable "kms_terraform_alias" {
+    description = "Alias for the Terraform key"
+    default = "alias/terraform"
+}
+
+
+########################################################################
+# Terraform state
+########################################################################
+variable "s3_state_bucket" {
+    description = "S3 Bucket storing Terraform state"
+    default = "locus-terraform-state"
+}
+
+variable "dynamodb_state" {
+    description = "Name of the DynamoDB table that Terraform uses to lock state"
+    default = "locus-terraform-state"
+}
+
+########################################################################
+# Others
+########################################################################
+variable "tags" {
+  description = "A map of tags to add to all resources"
+  default     = {
+    Terraform = "true"
+    Environment = "staging"
+  }
+}