[#254] Prevent creating the login credential for IAM bot account #266

51 changes: 22 additions & 29 deletions src/generators/addons/aws/modules/core/iamUserAndGroup.ts
Expand Up @@ -15,8 +15,8 @@ const iamVariablesContent = dedent`
type = list(string)
}

variable "iam_bot_emails" {
description = "List of bot emails to provision IAM user account"
variable "iam_infra_service_account_emails" {
description = "List of infra service account emails to provision IAM user account"
type = list(string)
}

Expand All @@ -43,35 +43,33 @@ const iamUsersModuleContent = dedent`
usernames = var.iam_developer_emails
}

module "iam_bot_users" {
module "iam_infra_service_account_users" {
source = "../modules/iam_users"

usernames = var.iam_bot_emails
usernames = var.iam_infra_service_account_emails
has_login = false
}`;

const iamGroupMembershipModuleContent = dedent`
module "iam_admin_group_membership" {
module "iam_group_membership" {
source = "../modules/iam_group_membership"

name = "admin-group-membership"
group = module.iam_groups.admin_group
users = var.iam_admin_emails
}

module "iam_bot_group_membership" {
source = "../modules/iam_group_membership"

name = "bot-group-membership"
group = module.iam_groups.bot_group
users = var.iam_bot_emails
}

module "iam_developer_group_membership" {
source = "../modules/iam_group_membership"

name = "developer-group-membership"
group = module.iam_groups.developer_group
users = var.iam_developer_emails
for_each = {
admin = { group = module.iam_groups.admin_group, users = var.iam_admin_emails },
infra_service_account = { group = module.iam_groups.infra_service_account_group, users = var.iam_infra_service_account_emails },
developer = { group = module.iam_groups.developer_group, users = var.iam_developer_emails }
}

name = "\${each.key}-group-membership"
group = each.value.group
users = each.value.users

depends_on = [
module.iam_groups,
module.iam_admin_users,
module.iam_developer_users,
module.iam_infra_service_account_users,
]
}`;

const iamOutputsContent = dedent`
Expand All @@ -83,11 +81,6 @@ const iamOutputsContent = dedent`
output "iam_developer_temporary_passwords" {
description = "List of first time passwords for developer accounts. Must be changed at first time login and will no longer be valid."
value = module.iam_developer_users.temporary_passwords
}

output "iam_bot_temporary_passwords" {
description = "List of first time passwords for bot accounts. Must be changed at first time login and will no longer be valid."
value = module.iam_bot_users.temporary_passwords
}`;

const applyAwsIamUserAndGroup = async ({ projectName }: AwsOptions) => {
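Review bot: Collapsing the three membership modules into a single `module "iam_group_membership"` with `for_each` changes the Terraform addresses of the existing instances (`module.iam_admin_group_membership` becomes `module.iam_group_membership["admin"]`, and likewise for developer and the renamed bot instance), so applying the generated template over an already-deployed state would destroy and recreate every `aws_iam_group_membership`, briefly removing admins and developers from their groups. If that path exists for users of this generator, `moved` blocks (Terraform 1.1+) appended to `iamGroupMembershipModuleContent` keep the memberships in place; if the templates only ever bootstrap new projects this can be ignored. Separately, the `for_each` key `infra_service_account` yields `name = "infra_service_account-group-membership"`, mixing underscores and hyphens where the other names and the group `Infra-service-account-group` use hyphens; a key of `infra-service-account` would keep the convention. The new `has_login = false` on `iam_infra_service_account_users` assumes the `iam_users` module declares that variable, which is outside this diff.
```typescript
const iamGroupMembershipModuleContent = dedent`
module "iam_group_membership" {
  # … unchanged: source, for_each, name/group/users, depends_on …
}

moved {
  from = module.iam_admin_group_membership
  to   = module.iam_group_membership["admin"]
}

moved {
  from = module.iam_bot_group_membership
  to   = module.iam_group_membership["infra_service_account"]
}

moved {
  from = module.iam_developer_group_membership
  to   = module.iam_group_membership["developer"]
}`;
```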
2 changes: 1 addition & 1 deletion templates/addons/aws/modules/iam_groups/data.tf
Expand Up @@ -120,7 +120,7 @@ locals {
]
})

# For the bot account
# For the infra-service-account account
# It must be able to manage policies during terraform apply & create/delete users, permissions, etc. during terraform apply
full_iam_access_policy = jsonencode({
Version = "2012-10-17"
14 changes: 7 additions & 7 deletions templates/addons/aws/modules/iam_groups/main.tf
Expand Up @@ -4,8 +4,8 @@ resource "aws_iam_group" "admin" {
}

#tfsec:ignore:aws-iam-enforce-group-mfa
resource "aws_iam_group" "bot" {
name = "Bot-group"
resource "aws_iam_group" "infra-service-account" {
name = "Infra-service-account-group"
}

#tfsec:ignore:aws-iam-enforce-group-mfa
Expand All @@ -30,15 +30,15 @@ resource "aws_iam_group_policy_attachment" "developer_power_user_access" {
policy_arn = data.aws_iam_policy.power_user_access.arn
}

resource "aws_iam_group_policy_attachment" "bot_power_user_access" {
group = aws_iam_group.bot.name
resource "aws_iam_group_policy_attachment" "infra_service_account_power_user_access" {
group = aws_iam_group.infra-service-account.name
policy_arn = data.aws_iam_policy.power_user_access.arn
}

# This IAM policy is needed for the bot account to manage IAM users & groups
# This IAM policy is needed for the infra-service-account account to manage IAM users & groups
# tfsec:ignore:aws-iam-no-policy-wildcards
resource "aws_iam_group_policy" "bot_full_iam_access" {
resource "aws_iam_group_policy" "infra_service_account_full_iam_access" {
name = "AllowFullIamAccess"
group = aws_iam_group.bot.name
group = aws_iam_group.infra-service-account.name
policy = local.full_iam_access_policy
}
6 changes: 3 additions & 3 deletions templates/addons/aws/modules/iam_groups/outputs.tf
Expand Up @@ -8,7 +8,7 @@ output "developer_group" {
value = aws_iam_group.developer.name
}

output "bot_group" {
description = "IAM Group with bot permissions"
value = aws_iam_group.bot.name
output "infra_service_account_group" {
description = "IAM Group with infra-service-account permissions"
value = aws_iam_group.infra-service-account.name
}