diff --git a/000000000000/iam/roles/data.tf b/000000000000/iam/roles/data.tf
new file mode 100644
index 0000000..6bb7f58
--- /dev/null
+++ b/000000000000/iam/roles/data.tf
@@ -0,0 +1,37 @@
+data "template_file" "policy_a" {
+ template = file("../../templates/role_a_policy.tpl")
+}
+
+data "template_file" "asume_role_policy" {
+ template = file("../../templates/asume_role_policy.tpl")
+ vars = {
+ prod_account_id = var.prod_account_id
+ }
+}
+
+data "template_file" "asume_role" {
+ template = file("../../templates/assume_role.tpl")
+}
+
+
+data "terraform_remote_state" "group_2" {
+ backend = "s3"
+
+ config = {
+ bucket = "mytesting-tf-states"
+ profile = "terra"
+ region = "eu-west-1"
+ key = "000000000000/iam/users_and_groups/normal_users/terraform.tfstate"
+ }
+}
+
+data "terraform_remote_state" "group_1" {
+ backend = "s3"
+
+ config = {
+ bucket = "mytesting-tf-states"
+ profile = "terra"
+ region = "eu-west-1"
+ key = "000000000000/iam/users_and_groups/cli_users/terraform.tfstate"
+ }
+}
\ No newline at end of file
diff --git a/000000000000/iam/roles/main.tf b/000000000000/iam/roles/main.tf
new file mode 100644
index 0000000..76171a9
--- /dev/null
+++ b/000000000000/iam/roles/main.tf
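Review bot: The two `terraform_remote_state` blocks give this configuration read access to the whole cli_users and normal_users state files, which carry the `user_access_keys` secrets and the `password` output, when all the roles stack needs from them is a group name. An `aws_iam_group` data source, `data "aws_iam_group" "group_1" { group_name = "group_1" }`, returns the name without any state access, and the same replacement fits `group_2`. The `template_file` data source is deprecated in favour of the `templatefile()` function, e.g. `templatefile("../../templates/asume_role_policy.tpl", { prod_account_id = var.prod_account_id })`, which also removes the extra provider. The labels `asume_role` and `asume_role_policy` are misspelled relative to the `assume_role.tpl` file they load.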
@@ -0,0 +1,72 @@
+terraform {
+ backend "s3" {
+ profile = "terra"
+ bucket = "mytesting-tf-states"
+ key = "000000000000/iam/roles/terraform.tfstate"
+ region = "eu-west-1"
+ }
+}
+
+##########################
+###"A" policy and role
+##########################
+
+resource "aws_iam_policy" "role_a_policy" {
+ name = "role_a_policy"
+ path = "/service-role/"
+ description = "role_a_policy"
+
+ policy = data.template_file.policy_a.rendered
+}
+
+resource "aws_iam_role" "role_a" {
+ name = "role_a"
+
+ assume_role_policy = data.template_file.asume_role.rendered
+ managed_policy_arns = [aws_iam_policy.role_a_policy.arn]
+}
+
+##########################
+###"B" policy and role
+##########################
+
+resource "aws_iam_policy" "role_b_policy" {
+ name = "role_b_policy"
+ path = "/service-role/"
+ description = ""
+ policy = data.template_file.asume_role_policy.rendered
+}
+
+
+resource "aws_iam_role" "role_b" {
+ name = "role_b"
+
+ assume_role_policy = data.template_file.asume_role.rendered
+ managed_policy_arns = [aws_iam_policy.role_b_policy.arn]
+}
+
+#######################################
+### Creating Ec2 instance role for "B"
+#######################################
+
+resource "aws_iam_instance_profile" "test_profile" {
+ name = "s3_profile"
+ role = aws_iam_role.role_b.name
+}
+
+####################################################
+### Attach "A" role policy to group 1 just for test
+####################################################
+
+resource "aws_iam_group_policy_attachment" "group_1" {
+ group = data.terraform_remote_state.group_1.outputs.user_group_1_name
+ policy_arn = aws_iam_policy.role_a_policy.arn
+ depends_on = [aws_iam_policy.role_a_policy]
+}
+
+resource "aws_iam_group_policy_attachment" "group_2_role" {
+ group = data.terraform_remote_state.group_2.outputs.user_group_2_name
+ policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+ depends_on = [aws_iam_policy.role_a_policy]
+}
+
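Review bot: `aws_iam_group_policy_attachment.group_1` attaches `role_a_policy`, which its template grants as `"Action": "*"` on `"Resource": "*"`, to a group of service users that hold long-lived access keys, and the "just for test" heading suggests this was never meant to be committed; either drop the attachment or attach a policy scoped to what group 1 actually does. `group_2_role` carries `depends_on = [aws_iam_policy.role_a_policy]` although it attaches the AWS-managed `ReadOnlyAccess` ARN and never references `role_a_policy`, so the dependency is stale and should be removed. `aws_iam_policy.role_b_policy` has `description = ""` while `role_a_policy` merely repeats its name; a description of what each grants, e.g. `description = "Allows role_b to assume role_c in the prod account"`, would help the next reader. The instance profile `test_profile` is named `s3_profile`, which matches neither its resource label nor role_b's purpose.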
diff --git a/000000000000/iam/roles/provider.tf b/000000000000/iam/roles/provider.tf
new file mode 100644
index 0000000..963ee87
--- /dev/null
+++ b/000000000000/iam/roles/provider.tf
@@ -0,0 +1,4 @@
+provider "aws" {
+ region = var.region
+ profile = "terra"
+}
\ No newline at end of file
diff --git a/000000000000/iam/roles/variables.tf b/000000000000/iam/roles/variables.tf
new file mode 100644
index 0000000..cc24271
--- /dev/null
+++ b/000000000000/iam/roles/variables.tf
@@ -0,0 +1,9 @@
+variable "region" {
+ type = string
+ default = "eu-west-1"
+}
+
+variable "prod_account_id" {
+ type = string
+ default = "184100688147"
+}
\ No newline at end of file
diff --git a/000000000000/iam/users_and_groups/cli_users/main.tf b/000000000000/iam/users_and_groups/cli_users/main.tf
new file mode 100644
index 0000000..7cd0bff
--- /dev/null
+++ b/000000000000/iam/users_and_groups/cli_users/main.tf
@@ -0,0 +1,50 @@
+terraform {
+ backend "s3" {
+ profile = "terra"
+ bucket = "mytesting-tf-states"
+ key = "000000000000/iam/users_and_groups/cli_users/terraform.tfstate"
+ region = "eu-west-1"
+ }
+}
+
+locals {
+ cli_users = {
+ "ci" = {
+ name = "ci"
+ email = "ci@home.co"
+ },
+ "engine" = {
+ name = "engine"
+ email = "ci@home.co"
+ }
+ }
+}
+
+#######################################
+### creating group 1 and service users
+#######################################
+
+resource "aws_iam_group" "group_1" {
+ name = var.group_name
+}
+
+resource "aws_iam_user" "cli_users" {
+ for_each = local.cli_users
+
+ name = each.key
+ force_destroy = false
+}
+
+resource "aws_iam_access_key" "user_access_key" {
+ for_each = local.cli_users
+ user = each.key
+ depends_on = [aws_iam_user.cli_users]
+}
+
+resource "aws_iam_group_membership" "group_1" {
+ for_each = local.cli_users
+ name = aws_iam_group.group_1.name
+
+ users = [each.key]
+ group = aws_iam_group.group_1.name
+}
\ No newline at end of file
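Review bot: `prod_account_id` ships with a concrete twelve-digit default, so a run without a tfvars file silently renders `role_b_policy` against that account, and the anonymised directory names (000000000000, 111111111111) suggest the ids were meant to be scrubbed from the repository while the defaults were not. Remove `default`, add a `description`, and keep the real value in a tfvars file outside version control; a `validation` block with `condition = can(regex("^[0-9]{12}$", var.prod_account_id))` catches typos early. The same applies to `dev_account_id` in 111111111111/iam/roles/variables.tf.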
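Review bot: `aws_iam_group_membership.group_1` is created once per user via `for_each`, but this resource manages a group's complete membership list exclusively, so each instance will try to reduce the group to its single user and successive applies fight over the membership; use `aws_iam_user_group_membership` per user instead, `user = aws_iam_user.cli_users[each.key].name` with `groups = [aws_iam_group.group_1.name]`. The same pattern appears in normal_users/main.tf for `group_2`. `aws_iam_access_key.user_access_key` uses `user = each.key` plus an explicit `depends_on`; referencing `aws_iam_user.cli_users[each.key].name` gives the dependency implicitly. The keys are created without a `pgp_key`, so each secret lands in plaintext in the S3 state that the roles stack then reads through `terraform_remote_state`. The `email` field in `local.cli_users` is never referenced, and `engine` repeats `ci@home.co`.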
diff --git a/000000000000/iam/users_and_groups/cli_users/outputs.tf b/000000000000/iam/users_and_groups/cli_users/outputs.tf
new file mode 100644
index 0000000..993978e
--- /dev/null
+++ b/000000000000/iam/users_and_groups/cli_users/outputs.tf
@@ -0,0 +1,13 @@
+output "user_access_keys" {
+ value = {
+ for k, v in local.cli_users : k => {
+ "key" = aws_iam_access_key.user_access_key[k].id
+ "secret" = aws_iam_access_key.user_access_key[k].secret
+ }
+ }
+ sensitive = true
+}
+
+output "user_group_1_name" {
+ value = aws_iam_group.group_1.name
+}
\ No newline at end of file
diff --git a/000000000000/iam/users_and_groups/cli_users/provider.tf b/000000000000/iam/users_and_groups/cli_users/provider.tf
new file mode 100644
index 0000000..963ee87
--- /dev/null
+++ b/000000000000/iam/users_and_groups/cli_users/provider.tf
@@ -0,0 +1,4 @@
+provider "aws" {
+ region = var.region
+ profile = "terra"
+}
\ No newline at end of file
diff --git a/000000000000/iam/users_and_groups/cli_users/variables.tf b/000000000000/iam/users_and_groups/cli_users/variables.tf
new file mode 100644
index 0000000..929a09d
--- /dev/null
+++ b/000000000000/iam/users_and_groups/cli_users/variables.tf
@@ -0,0 +1,9 @@
+variable "region" {
+ type = string
+ default = "eu-west-1"
+}
+
+variable "group_name" {
+ type = string
+ default = "group_1"
+}
\ No newline at end of file
diff --git a/000000000000/iam/users_and_groups/normal_users/main.tf b/000000000000/iam/users_and_groups/normal_users/main.tf
new file mode 100644
index 0000000..635def5
--- /dev/null
+++ b/000000000000/iam/users_and_groups/normal_users/main.tf
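Review bot: `sensitive = true` on `user_access_keys` only suppresses CLI display; the `secret` value is still stored in plaintext in the S3 state file and is readable by every configuration that consumes this state through `terraform_remote_state`, as 000000000000/iam/roles/data.tf does. Setting `pgp_key` on `aws_iam_access_key` and outputting `encrypted_secret` instead keeps the plaintext out of state, or the keys can be left out of the outputs entirely and issued to the user once. Either way the state bucket `mytesting-tf-states` becomes a credential store, so its encryption and bucket policy deserve the same scrutiny as the IAM users themselves.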
@@ -0,0 +1,60 @@
+terraform {
+ backend "s3" {
+ profile = "terra"
+ bucket = "mytesting-tf-states"
+ key = "000000000000/iam/users_and_groups/normal_users/terraform.tfstate"
+ region = "eu-west-1"
+ }
+}
+
+
+locals {
+ normal_users = {
+ "Denys_Platon" = {
+ name = "denys_platon"
+ email = "denys_platon@work.co"
+ },
+ "ivan_petrenko" = {
+ name = "ivan_petrenko"
+ email = "ivan_petrenko@work.co"
+ }
+ }
+}
+
+#######################################
+### creating group 2 and normal users
+#######################################
+
+resource "aws_iam_group" "group_2" {
+ name = "group_2"
+}
+
+resource "aws_iam_user" "normal_users" {
+ for_each = local.normal_users
+
+ name = each.key
+ force_destroy = false
+}
+
+resource "aws_iam_access_key" "user_access_key" {
+ for_each = local.normal_users
+ user = each.key
+ depends_on = [aws_iam_user.normal_users]
+}
+
+resource "aws_iam_user_login_profile" "normal_user" {
+ for_each = local.normal_users
+ user = each.key
+ # password_reset_required = true
+
+ depends_on = [aws_iam_user.normal_users]
+}
+
+resource "aws_iam_group_membership" "group_2" {
+ for_each = local.normal_users
+ name = aws_iam_group.group_2.name
+
+ users = [each.key]
+ group = aws_iam_group.group_2.name
+ depends_on = [aws_iam_user_login_profile.normal_user]
+}
\ No newline at end of file
diff --git a/000000000000/iam/users_and_groups/normal_users/outputs.tf b/000000000000/iam/users_and_groups/normal_users/outputs.tf
new file mode 100644
index 0000000..f1c4a78
--- /dev/null
+++ b/000000000000/iam/users_and_groups/normal_users/outputs.tf
@@ -0,0 +1,11 @@
+output "password" {
+ value = {
+ for k, v in local.normal_users : k => {
+ "password" = aws_iam_user_login_profile.normal_user[k].password
+ }
+ }
+}
+
+output "user_group_2_name" {
+ value = aws_iam_group.group_2.name
+}
\ No newline at end of file
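Review bot: `aws_iam_user_login_profile.normal_user` has `password_reset_required = true` commented out, so the initial console password Terraform generates (and writes to state and the `password` output) stays valid until the user decides to change it; re-enable the line and set `pgp_key` so only `encrypted_password` is stored. `aws_iam_access_key.user_access_key` issues programmatic keys to every human console user although nothing in this stack consumes them, which doubles each user's credential footprint; create keys only for users who need CLI access. `aws_iam_group.group_2` hard-codes `name = "group_2"` while variables.tf declares `group_name` for exactly this, so one of the two should go. The `Denys_Platon` key is mixed-case while its `name` field and the other user are lowercase, and the `name` field itself is never referenced (`name = each.key` is used).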
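Review bot: `output "password"` exposes `aws_iam_user_login_profile.normal_user[k].password` without `sensitive = true`, unlike `user_access_keys` in cli_users/outputs.tf, so the console passwords print on every apply and in `terraform output`; at minimum add `sensitive = true`, and preferably output `encrypted_password` after setting `pgp_key` on the login profile. Recent provider versions mark `password` as a sensitive attribute, in which case Terraform refuses an unmarked output until the flag is added — worth confirming against the pinned provider version.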
diff --git a/000000000000/iam/users_and_groups/normal_users/provider.tf b/000000000000/iam/users_and_groups/normal_users/provider.tf
new file mode 100644
index 0000000..963ee87
--- /dev/null
+++ b/000000000000/iam/users_and_groups/normal_users/provider.tf
@@ -0,0 +1,4 @@
+provider "aws" {
+ region = var.region
+ profile = "terra"
+}
\ No newline at end of file
diff --git a/000000000000/iam/users_and_groups/normal_users/variables.tf b/000000000000/iam/users_and_groups/normal_users/variables.tf
new file mode 100644
index 0000000..1b4313e
--- /dev/null
+++ b/000000000000/iam/users_and_groups/normal_users/variables.tf
@@ -0,0 +1,7 @@
+variable "region" {
+ default = "eu-west-1"
+}
+
+variable "group_name" {
+ default = "group_2"
+}
\ No newline at end of file
diff --git a/000000000000/templates/assume_role.tpl b/000000000000/templates/assume_role.tpl
new file mode 100644
index 0000000..680b6f8
--- /dev/null
+++ b/000000000000/templates/assume_role.tpl
@@ -0,0 +1,13 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": "sts:AssumeRole",
+ "Principal": {
+ "Service": "ec2.amazonaws.com"
+ },
+ "Effect": "Allow",
+ "Sid": ""
+ }
+ ]
+}
\ No newline at end of file
diff --git a/000000000000/templates/asume_role_policy.tpl b/000000000000/templates/asume_role_policy.tpl
new file mode 100644
index 0000000..cfeb07f
--- /dev/null
+++ b/000000000000/templates/asume_role_policy.tpl
@@ -0,0 +1,12 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "sts:AssumeRole"
+ ],
+ "Resource": "arn:aws:iam::${prod_account_id}:role/role_c"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/000000000000/templates/role_a_policy.tpl b/000000000000/templates/role_a_policy.tpl
new file mode 100644
index 0000000..0913a95
--- /dev/null
+++ b/000000000000/templates/role_a_policy.tpl
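Review bot: `group_name` is declared here but normal_users/main.tf hard-codes `name = "group_2"`, so the variable is dead and the two user stacks diverge in how the group name is supplied; either reference `var.group_name` in main.tf or drop the variable. Neither variable declares `type` or `description`, while the cli_users and roles variables files use `type = string`; matching that keeps the three stacks consistent.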
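Review bot: This trust policy is shared by `role_a` and `role_b` in 000000000000/iam/roles/main.tf, so `role_a` — the role carrying the `"Action": "*"` policy — trusts `ec2.amazonaws.com` even though no instance profile for it exists there; a trust relationship for a principal that is never meant to use the role is surface without a purpose. Either give role_a its own trust template naming the principal that really assumes it, or document in main.tf why EC2 is the intended caller. The empty `"Sid": ""` can simply be omitted.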
@@ -0,0 +1,17 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": "*",
+ "Resource": "*",
+ "Effect": "Allow",
+ "Sid": ""
+ },
+ {
+ "Action": "iam:*",
+ "Resource": "*",
+ "Effect": "Deny",
+ "Sid": ""
+ }
+ ]
+}
\ No newline at end of file
diff --git a/111111111111/iam/roles/data.tf b/111111111111/iam/roles/data.tf
new file mode 100644
index 0000000..e31570c
--- /dev/null
+++ b/111111111111/iam/roles/data.tf
@@ -0,0 +1,10 @@
+data "template_file" "s3_policy" {
+ template = file("../../templates/s3_bucker_access.tpl")
+}
+
+data "template_file" "asume_role" {
+ template = file("../../templates/assume_role.tpl")
+ vars = {
+ dev_account_id = var.dev_account_id
+ }
+}
\ No newline at end of file
diff --git a/111111111111/iam/roles/main.tf b/111111111111/iam/roles/main.tf
new file mode 100644
index 0000000..46a4e81
--- /dev/null
+++ b/111111111111/iam/roles/main.tf
@@ -0,0 +1,24 @@
+terraform {
+ backend "s3" {
+ profile = "terra"
+ bucket = "mytesting-tf-states"
+ key = "111111111111/iam/roles/terraform.tfstate"
+ region = "eu-west-1"
+ }
+}
+
+
+resource "aws_iam_policy" "s3_bucker_access_policy" {
+ name = "s3_bucker_access_policy"
+ path = "/"
+ description = "s3_bucker_access_policy"
+
+ policy = data.template_file.s3_policy.rendered
+}
+
+resource "aws_iam_role" "role_c" {
+ name = "role_c"
+
+ assume_role_policy = data.template_file.asume_role.rendered
+ managed_policy_arns = [aws_iam_policy.s3_bucker_access_policy.arn]
+}
\ No newline at end of file
diff --git a/111111111111/iam/roles/provider.tf b/111111111111/iam/roles/provider.tf
new file mode 100644
index 0000000..61b581d
--- /dev/null
+++ b/111111111111/iam/roles/provider.tf
@@ -0,0 +1,4 @@
+provider "aws" {
+ region = var.region
+ profile = "monit"
+}
\ No newline at end of file
diff --git a/111111111111/iam/roles/variables.tf b/111111111111/iam/roles/variables.tf
new file mode 100644
index 0000000..e2f3f07
--- /dev/null
+++ b/111111111111/iam/roles/variables.tf
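Review bot: The first statement grants `"Action": "*"` on `"Resource": "*"`, and the `Deny` on `iam:*` is the only carve-out, so this is effectively administrator access to every non-IAM service (including `sts` and `organizations`, which also govern identities); a single denied namespace is not a substitute for an allow-list. Enumerate the actions role_a actually needs, or start from the AWS-managed job-function policy `PowerUserAccess` and keep the IAM deny as defence in depth. Note that 000000000000/iam/roles/main.tf attaches this same policy directly to group 1's service users, not only to role_a, so the blast radius is every long-lived key in that group.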
@@ -0,0 +1,7 @@
+variable "region" {
+ default = "eu-west-1"
+}
+
+variable "dev_account_id" {
+ default = "449091252457"
+}
\ No newline at end of file
diff --git a/111111111111/templates/assume_role.tpl b/111111111111/templates/assume_role.tpl
new file mode 100644
index 0000000..b294251
--- /dev/null
+++ b/111111111111/templates/assume_role.tpl
@@ -0,0 +1,13 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::${dev_account_id}:root"
+ },
+ "Action": "sts:AssumeRole",
+ "Condition": {}
+ }
+ ]
+}
\ No newline at end of file
diff --git a/111111111111/templates/s3_bucker_access.tpl b/111111111111/templates/s3_bucker_access.tpl
new file mode 100644
index 0000000..55126c1
--- /dev/null
+++ b/111111111111/templates/s3_bucker_access.tpl
@@ -0,0 +1,27 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "s3:ListAllMyBuckets",
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetBucketLocation"
+ ],
+ "Resource": "arn:aws:s3:::monit-aws-test-bucket"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject"
+ ],
+ "Resource": "arn:aws:s3:::monit-aws-test-bucket/*"
+ }
+ ]
+}
\ No newline at end of file
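Review bot: The trust policy's principal is `arn:aws:iam::${dev_account_id}:root` with an empty `Condition`, which lets any identity in the dev account that holds `sts:AssumeRole` permission assume `role_c`, not just `role_b`, which is the caller `asume_role_policy.tpl` in the other account was written for. Scope the principal to that role, `"AWS": "arn:aws:iam::${dev_account_id}:role/role_b"`, or keep the account principal and add a condition on `aws:PrincipalArn` (or `sts:ExternalId` if a third party ever calls it). If no condition is added, drop the empty `"Condition": {}` object so the policy reads as intended.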