iam.tf
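// IAM role carried by the Vault EC2 instances (it is referenced by the
// instance profile and the policy attachments later in this file).
resource "aws_iam_role" "vault_instance" {
  name = "vault-instance"

  // Trust policy: only the EC2 service may assume this role.
  // The service principal has to be spelled exactly "ec2.amazonaws.com";
  // any other spelling is not a valid principal, so the instances would
  // never be able to obtain credentials for this role.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}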
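// Permissions for the Vault instances: KMS for sealing/unsealing, DynamoDB for
// storage, plus what the instances need to query their own configuration and
// run Terraform against the remote state.
//
// IAM action names have the form "<service>:<Action>". A "." separator
// (e.g. "ec2.DescribeTags") is not a valid action name, so every action
// below uses ":".
data "aws_iam_policy_document" "vault_policy" {
  // Let an instance read EC2 tags. Describe* calls do not support
  // resource-level scoping, hence "*".
  statement {
    effect = "Allow"
    actions = [
      "ec2:DescribeTags",
    ]
    resources = ["*"]
  }

  // Full DynamoDB access, limited to the Vault table.
  // NOTE(review): "dynamodb:*" also covers table deletion and other
  // administrative calls; consider narrowing it to the item/table operations
  // the Vault DynamoDB storage backend actually performs.
  // NOTE(review): aws_dynamodb_table.vault is declared outside the lines shown
  // here; confirm the resource name.
  statement {
    effect = "Allow"
    actions = [
      "dynamodb:*",
    ]
    resources = [aws_dynamodb_table.vault.arn]
  }

  // Read-only lookups used to verify AWS credentials / identities.
  statement {
    effect = "Allow"
    sid    = "verifyawscreds"
    actions = [
      "ec2:DescribeInstances",
      "iam:GetInstanceProfile",
      "iam:GetUser",
      "iam:GetRole",
    ]
    resources = ["*"]
  }

  // Parameter Store access. The path-listing action is spelled
  // "GetParametersByPath" (plural "Parameters").
  // NOTE(review): "parameter/*" in every region grants read AND write on all
  // parameters in the account, including ones owned by other workloads;
  // restrict the resource to the prefix Vault uses
  // (e.g. ".../parameter/<VAULT_PARAMETER_PREFIX>/*").
  statement {
    effect = "Allow"
    actions = [
      "ssm:GetParameter",
      "ssm:GetParametersByPath",
      "ssm:PutParameter",
    ]
    resources = ["arn:aws:ssm:*:${data.aws_caller_identity.current.account_id}:parameter/*"]
  }

  // KMS operations used for auto-unseal.
  // NOTE(review): resources = ["*"] allows encrypt/decrypt with every key whose
  // key policy defers to IAM; scope this to the unseal key
  // (placeholder: <VAULT_UNSEAL_KMS_KEY_ARN>).
  statement {
    effect = "Allow"
    sid    = "VaultKMSUnseal"
    actions = [
      "kms:encrypt",
      "kms:decrypt",
      "kms:DescribeKey",
    ]
    resources = ["*"]
  }

  // Depending on your use case for Vault, you might need to assume roles in
  // other AWS accounts. Those accounts must explicitly allow this role to do so.
  // NOTE(review): with resources = ["*"] the only remaining control is the trust
  // policy of each target role; list the intended role ARNs here so an overly
  // permissive trust policy elsewhere does not become reachable from Vault hosts.
  statement {
    effect    = "Allow"
    sid       = "assumerole"
    actions   = ["sts:assumerole"]
    resources = ["*"]
  }

  // Item-level access to the lock table looked up by the
  // aws_dynamodb_table "lock_table" data source.
  statement {
    effect = "Allow"
    sid    = "dynamodbackend"
    actions = [
      "dynamodb:GetItem",
      "dynamodb:PutItem",
      "dynamodb:DeleteItem",
    ]
    resources = [data.aws_dynamodb_table.lock_table.arn]
  }

  // In this setup, the Vault instances are supposed to run Terraform against
  // the remote state to help with initial configuration.
  // s3:ListBucket is evaluated against the bucket ARN, while Get/PutObject are
  // evaluated against object ARNs, so both resource forms are listed.
  statement {
    effect = "Allow"
    sid    = "terraforms3state"
    actions = [
      "s3:ListBucket",
      "s3:GetObject",
      "s3:PutObject",
    ]
    resources = [
      "arn:aws:s3:::${local.terraform_state_bucket}",
      "arn:aws:s3:::${local.terraform_state_bucket}/*",
    ]
  }
}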
// Vault self-trust setup.
// Trust policy document: sts:AssumeRole is permitted for the EC2 service and
// for the vault_instance role defined in this file.
data "aws_iam_policy_document" "vault_trust_policy" {
  statement {
    // "Allow" is the default effect of a policy-document statement; it is
    // spelled out here so the intent is visible.
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    // EC2 service principal.
    principals {
      identifiers = ["ec2.amazonaws.com"]
      type        = "Service"
    }

    // The Vault instance role itself.
    principals {
      identifiers = [aws_iam_role.vault_instance.arn]
      type        = "AWS"
    }
  }
}
// Role whose trust relationship is rendered from the vault_trust_policy
// document; its name comes from local.vault_trust_name.
resource "aws_iam_role" "vault_trust_role" {
  assume_role_policy = data.aws_iam_policy_document.vault_trust_policy.json
  name               = local.vault_trust_name
}
// Instance profile that wraps vault_trust_role so it can be bound to the
// Vault instances. It shares its name with the role (local.vault_trust_name).
resource "aws_iam_instance_profile" "vault_trust_instance" {
  role = aws_iam_role.vault_trust_role.name
  name = local.vault_trust_name
}
// End Self Setup
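// Looks up the existing DynamoDB table named by local.dynamo_table so that its
// ARN can be referenced in IAM policy statements.
// The AWS provider's data source type is "aws_dynamodb_table".
data "aws_dynamodb_table" "lock_table" {
  name = local.dynamo_table
}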
// Customer-managed IAM policy rendered from the vault_policy document.
resource "aws_iam_policy" "vault_policy" {
  policy = data.aws_iam_policy_document.vault_policy.json
  name   = "${local.vault_iam_prefix}-instance"
}
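// Attaches the managed vault_policy to the Vault instance role.
// aws_iam_policy_attachment requires a `name` and takes a list of role names
// in `roles`; it has no singular `role` argument.
// NOTE(review): this resource type manages the policy's attachments
// exclusively, so any user, group or role that attaches the same policy
// outside this resource is detached on apply. aws_iam_role_policy_attachment,
// already used elsewhere in this file, does not have that side effect.
resource "aws_iam_policy_attachment" "vault_policy" {
  name       = "${local.vault_iam_prefix}-instance"
  roles      = [aws_iam_role.vault_instance.name]
  policy_arn = aws_iam_policy.vault_policy.arn
}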
// Inline policy on the Vault instance role, rendered from the vault_policy
// document.
// NOTE(review): the same document is also published as the managed policy
// aws_iam_policy.vault_policy and attached to this role; confirm that both
// copies are intended, since permissions must then be reviewed in two places.
resource "aws_iam_role_policy" "vault_policy" {
  role   = aws_iam_role.vault_instance.id
  policy = data.aws_iam_policy_document.vault_policy.json
  name   = "${local.vault_iam_prefix}-instance"
}
// Instance profile that exposes the vault_instance role to EC2 instances.
resource "aws_iam_instance_profile" "vault_secrets" {
  role = aws_iam_role.vault_instance.name
  name = "${local.vault_iam_prefix}-profile"
}
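// Attaches the AWS-managed SSM policy to the Vault instance role.
// AWS-managed policy ARNs have an empty region field and "aws" as the account:
// "arn:aws:iam::aws:policy/..." (two colons after "iam").
// NOTE(review): AmazonEC2RoleforSSM is deprecated by AWS and grants broad
// access beyond Systems Manager itself (for example to S3 objects);
// AmazonSSMManagedInstanceCore is the narrower replacement. Confirm that
// nothing depends on the extra permissions before switching.
resource "aws_iam_role_policy_attachment" "ssm" {
  role       = aws_iam_role.vault_instance.id
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
}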
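// Attaches the AWS-managed CloudWatch agent policy to the Vault instance role.
// The ARN needs the empty region field ("iam::aws") and the policy's canonical
// spelling, "CloudWatchAgentServerPolicy".
resource "aws_iam_role_policy_attachment" "cloudwatch" {
  role       = aws_iam_role.vault_instance.id
  policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
}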