fix: adjusting the permissions on the secret resource policy
gambol99 committed Oct 8, 2024
1 parent 6de3e41 commit fc2c9a0
Showing 4 changed files with 27 additions and 22 deletions.
2 changes: 1 addition & 1 deletion README.md
@@ -142,7 +142,7 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
| <a name="input_log_group_name"></a> [log\_group\_name](#input\_log\_group\_name) | The name of the log group to create | `string` | `null` | no |
| <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The number of days to retain logs for | `number` | `7` | no |
| <a name="input_schedule_expression"></a> [schedule\_expression](#input\_schedule\_expression) | The schedule expression to use for the event rule | `string` | `"cron(0 0 * * ? *)"` | no |
| <a name="input_task_role_additional_policies"></a> [task\_role\_additional\_policies](#input\_task\_role\_additional\_policies) | A map of inline policies to attach to the IAM role | <pre>map(object({<br/> policy = string<br/> }))</pre> | `null` | no |
| <a name="input_task_role_additional_policies"></a> [task\_role\_additional\_policies](#input\_task\_role\_additional\_policies) | A map of inline policies to attach to the IAM role | <pre>map(object({<br/> policy = string<br/> }))</pre> | `{}` | no |
| <a name="input_task_role_permissions_arns"></a> [task\_role\_permissions\_arns](#input\_task\_role\_permissions\_arns) | A list of permissions to attach to the IAM role | `list(string)` | <pre>[<br/> "arn:aws:iam::aws:policy/AdministratorAccess"<br/>]</pre> | no |
| <a name="input_task_role_permissions_boundary_arn"></a> [task\_role\_permissions\_boundary\_arn](#input\_task\_role\_permissions\_boundary\_arn) | The boundary policy to attach to the IAM role | `string` | `null` | no |

39 changes: 24 additions & 15 deletions iam.tf
@@ -21,10 +21,19 @@ resource "aws_iam_role" "task" {
tags = var.tags
}

## Provision the ECS execution IAM role; this is used by the task to execute within
## the ECS cluster
resource "aws_iam_role" "execution" {
assume_role_policy = data.aws_iam_policy_document.ecs_assume.json
description = "Used by the ECS task to execute within the ECS cluster by the nuke service"
name = format("execution-%s", local.name)
tags = var.tags
}

## Allow any additional permissions to be attached to the task role - these are inline
## policies applied to the task
resource "aws_iam_role_policy" "task_permissions" {
for_each = var.task_role_additional_policies != null ? var.task_role_additional_policies : {}
for_each = var.task_role_additional_policies

role = aws_iam_role.task.name
name = each.key
@@ -40,39 +49,39 @@ resource "aws_iam_role_policy_attachment" "task_permissions" {
policy_arn = each.value
}

#
## Permissions for the ECS Execution role
#

## Attach the Amazon ECS task execution role policy to the execution role
resource "aws_iam_role_policy_attachment" "execution" {
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
role = aws_iam_role.execution.name
}

## Craft a policy document allowing the ECS task to retrieve the secret from the secrets manager
data "aws_iam_policy_document" "execution_permissions" {
statement {
sid = "AllowSecretsManager"
effect = "Allow"
actions = [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:GetSecretValue",
]
resources = [
aws_secretsmanager_secret.configuration.arn,
]
}
}

## Provision the ECS execution IAM role; this is used by the task to execute within
## the ECS cluster
resource "aws_iam_role" "execution" {
assume_role_policy = data.aws_iam_policy_document.ecs_assume.json
name = format("execution-%s", local.name)
tags = var.tags
}

## Allow the ECS task to retrieve the secret from the secrets manager
resource "aws_iam_role_policy" "execution_secrets" {
name = "allow-sm-configuration"
role = aws_iam_role.execution.name
policy = data.aws_iam_policy_document.execution_permissions.json
}

## Assign the IAM permissions to the execution role, allowing the operate within the ECS cluster
resource "aws_iam_role_policy_attachment" "execution" {
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
role = aws_iam_role.execution.name
depends_on = [
aws_secretsmanager_secret.configuration,
]
}

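Review bot: Dropping the null guard in `for_each = var.task_role_additional_policies` (the `task_permissions` inline-policy resource in the first hunk) makes the plan depend on callers never passing `null` explicitly; the new `{}` default in variables.tf (the last file section) does not prevent that, and `for_each` over a null value is a plan-time error. Adding `nullable = false` next to `default = {}` in the variable declaration would make the simplification safe. Which of the two `for_each` lines is the new side is inferred from the variable default change rather than from a surviving marker. The `task_permissions` resource body continues past the end of the hunk.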
6 changes: 1 addition & 5 deletions main.tf
@@ -27,7 +27,7 @@ data "aws_iam_policy_document" "secrets_manager" {
]
principals {
type = "AWS"
identifiers = [aws_iam_role.execution.arn]
identifiers = [format("arn:aws:iam::%s:root", local.account_id)]
}
resources = [
format("arn:aws:secretsmanager:%s:%s:secret:%s", local.region, local.account_id, local.secret_name),
@@ -44,10 +44,6 @@ resource "aws_secretsmanager_secret" "configuration" {
policy = data.aws_iam_policy_document.secrets_manager.json
recovery_window_in_days = 0
tags = var.tags

depends_on = [
aws_iam_role.execution,
]
}

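Review bot: If `identifiers = [format("arn:aws:iam::%s:root", local.account_id)]` is the new principal, as the removal of the `depends_on` on `aws_iam_role.execution` in the second hunk suggests, the secret's resource policy no longer restricts which identity may read it: the account root principal delegates the decision to each caller's identity-based policy, so any IAM principal in the account granted `secretsmanager:GetSecretValue` on this ARN can retrieve the configuration. If the intent was only to avoid referencing the role resource at secret creation time, the role-level restriction can be kept without that reference by adding a `condition` on the statement keyed on `aws:PrincipalArn` and the execution role's constructed ARN (its name is `format("execution-%s", local.name)` in iam.tf). A comment on the statement should also record that the resource policy is now permissive and the `execution_secrets` role policy in iam.tf is the effective control. The `secrets_manager` policy document starts before the first hunk.
```hcl
    principals {
      type        = "AWS"
      identifiers = [format("arn:aws:iam::%s:root", local.account_id)]
    }
    # Keep the secret scoped to the execution role without a reference to the role resource
    condition {
      test     = "ArnEquals"
      variable = "aws:PrincipalArn"
      values   = [format("arn:aws:iam::%s:role/execution-%s", local.account_id, local.name)]
    }
    # … unchanged: resources …
```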
## Provision a secret version for the configuration
2 changes: 1 addition & 1 deletion variables.tf
@@ -110,7 +110,7 @@ variable "task_role_additional_policies" {
type = map(object({
policy = string
}))
default = null
default = {}
}

variable "schedule_expression" {
