[#254] Prevent creating the login credential for IAM bot account
Nihisil committed Dec 1, 2023
1 parent 3e1c307 commit 99a74de
Showing 4 changed files with 33 additions and 40 deletions.
51 changes: 22 additions & 29 deletions src/generators/addons/aws/modules/core/iamUserAndGroup.ts
Expand Up @@ -15,8 +15,8 @@ const iamVariablesContent = dedent`
type = list(string)
}
variable "iam_bot_emails" {
description = "List of bot emails to provision IAM user account"
variable "iam_infra_service_account_emails" {
description = "List of infra service account emails to provision IAM user account"
type = list(string)
}
Expand All @@ -43,35 +43,33 @@ const iamUsersModuleContent = dedent`
usernames = var.iam_developer_emails
}
module "iam_bot_users" {
module "iam_infra_service_account_users" {
source = "../modules/iam_users"
usernames = var.iam_bot_emails
usernames = var.iam_infra_service_account_emails
has_login = false
}`;

const iamGroupMembershipModuleContent = dedent`
module "iam_admin_group_membership" {
module "iam_group_membership" {
source = "../modules/iam_group_membership"
name = "admin-group-membership"
group = module.iam_groups.admin_group
users = var.iam_admin_emails
}
module "iam_bot_group_membership" {
source = "../modules/iam_group_membership"
name = "bot-group-membership"
group = module.iam_groups.bot_group
users = var.iam_bot_emails
}
module "iam_developer_group_membership" {
source = "../modules/iam_group_membership"
name = "developer-group-membership"
group = module.iam_groups.developer_group
users = var.iam_developer_emails
for_each = {
admin = { group = module.iam_groups.admin_group, users = var.iam_admin_emails },
infra_service_account = { group = module.iam_groups.infra_service_account_group, users = var.iam_infra_service_account_emails },
developer = { group = module.iam_groups.developer_group, users = var.iam_developer_emails }
}
name = "\${each.key}-group-membership"
group = each.value.group
users = each.value.users
depends_on = [
module.iam_groups,
module.iam_admin_users,
module.iam_developer_users,
module.iam_infra_service_account_users,
]
}`;

const iamOutputsContent = dedent`
Expand All @@ -83,11 +81,6 @@ const iamOutputsContent = dedent`
output "iam_developer_temporary_passwords" {
description = "List of first time passwords for developer accounts. Must be changed at first time login and will no longer be valid."
value = module.iam_developer_users.temporary_passwords
}
output "iam_bot_temporary_passwords" {
description = "List of first time passwords for bot accounts. Must be changed at first time login and will no longer be valid."
value = module.iam_bot_users.temporary_passwords
}`;

const applyAwsIamUserAndGroup = async ({ projectName }: AwsOptions) => {
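Review bot: Renaming `module "iam_bot_users"` to `module "iam_infra_service_account_users"` and collapsing the three membership modules into one `module "iam_group_membership"` with `for_each` changes the Terraform addresses of existing resources, so a project already applied from the previous template will have its bot IAM users and every group membership destroyed and recreated on the next apply — taking any access keys those users hold with them — unless the generator also emits `moved` blocks (one from `module.iam_bot_users` to `module.iam_infra_service_account_users`, and one per old membership module to `module.iam_group_membership["admin"]`, `["developer"]`, `["infra_service_account"]`); if the generator only ever targets fresh projects this is moot, but nothing here shows that. The new `has_login = false` drops only the console password (the removed `iam_bot_temporary_passwords` output is the matching cleanup), yet the group these users land in still has PowerUser plus the wildcard full-IAM policy, so whatever credential they do authenticate with — presumably access keys created elsewhere, not visible in this file — is now the single long-lived secret and deserves a comment on that line such as `has_login = false # no console password; service accounts use keys only, which must be rotated`. The variable description on the new line could state the same contract: `description = "List of infra service account emails to provision IAM user accounts without console login"`. Minor style point: `"\${each.key}-group-membership"` now yields `infra_service_account-group-membership`, mixing underscores and hyphens where the old names were all hyphenated; keying the map with `infra-service-account` (or normalising with `replace`) keeps the names uniform.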
2 changes: 1 addition & 1 deletion templates/addons/aws/modules/iam_groups/data.tf
Expand Up @@ -120,7 +120,7 @@ locals {
]
})

# For the bot account
# For the infra-service-account account
# It must be able to manage policies during terraform apply & create/delete users, permissions, etc. during terraform apply
full_iam_access_policy = jsonencode({
Version = "2012-10-17"
14 changes: 7 additions & 7 deletions templates/addons/aws/modules/iam_groups/main.tf
Expand Up @@ -4,8 +4,8 @@ resource "aws_iam_group" "admin" {
}

#tfsec:ignore:aws-iam-enforce-group-mfa
resource "aws_iam_group" "bot" {
name = "Bot-group"
resource "aws_iam_group" "infra-service-account" {
name = "Infra-service-account-group"
}

#tfsec:ignore:aws-iam-enforce-group-mfa
Expand All @@ -30,15 +30,15 @@ resource "aws_iam_group_policy_attachment" "developer_power_user_access" {
policy_arn = data.aws_iam_policy.power_user_access.arn
}

resource "aws_iam_group_policy_attachment" "bot_power_user_access" {
group = aws_iam_group.bot.name
resource "aws_iam_group_policy_attachment" "infra_service_account_power_user_access" {
group = aws_iam_group.infra-service-account.name
policy_arn = data.aws_iam_policy.power_user_access.arn
}

# This IAM policy is needed for the bot account to manage IAM users & groups
# This IAM policy is needed for the infra-service-account account to manage IAM users & groups
# tfsec:ignore:aws-iam-no-policy-wildcards
resource "aws_iam_group_policy" "bot_full_iam_access" {
resource "aws_iam_group_policy" "infra_service_account_full_iam_access" {
name = "AllowFullIamAccess"
group = aws_iam_group.bot.name
group = aws_iam_group.infra-service-account.name
policy = local.full_iam_access_policy
}
6 changes: 3 additions & 3 deletions templates/addons/aws/modules/iam_groups/outputs.tf
Expand Up @@ -8,7 +8,7 @@ output "developer_group" {
value = aws_iam_group.developer.name
}

output "bot_group" {
description = "IAM Group with bot permissions"
value = aws_iam_group.bot.name
output "infra_service_account_group" {
description = "IAM Group with infra-service-account permissions"
value = aws_iam_group.infra-service-account.name
}
