Merge pull request #12 from kabisa/task/refactor_ci_cd_role

Change role creation for CI CD. Current role has always admin, poweru…
kabisa · Dec 13, 2023 · 5f4fd1c · 5f4fd1c
2 parents 4d90c02 + e870870
commit 5f4fd1c
Show file tree

Hide file tree

Showing 4 changed files with 103 additions and 26 deletions.
diff --git a/README.md b/README.md
@@ -4,6 +4,53 @@ Creates predefined IAM roles (admin, poweruser and readonly) which can be assume
 
 Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns) - typically, AWS accounts and users.
 
+```
+module "iam-roles" {
+  source = "[email protected]:kabisa/terraform-iam-assumable-roles.git?ref=[version]"
+
+  trusted_role_arns = [
+    "arn:aws:iam::${local.dovetail-iam}:root",
+    "arn:aws:iam::${local.kabisa-iam}:root",
+  ]
+
+  create_ci_cd_role = true
+
+  trusted_roles_ci_cd = [
+    "arn:aws:iam::{[account-id]}:role/github_actions_role",
+  ]
+
+  ci_cd_role_managed_policies = [
+    "arn:aws:iam::aws:policy/AmazonSSMFullAccess",
+    "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
+  ]
+
+  ci_cd_role_inline_policies = {
+    "example_inline_policy" : data.aws_iam_policy_document.example.json,
+    "example2" : data.aws_iam_policy_document.example2.json
+  }
+
+  create_admin_role     = true
+  create_poweruser_role = true
+  create_readonly_role  = true
+}
+
+data "aws_iam_policy_document" "example" {
+  statement {
+    actions   = ["ssm:*", "ec2:*"]
+    effect    = "Allow"
+    resources = ["*"]
+  }
+}
+
+data "aws_iam_policy_document" "example2" {
+  statement {
+    actions   = ["s3:*"]
+    effect    = "Allow"
+    resources = ["*"]
+  }
+}
+```
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 ## Inputs

diff --git a/ci_cd_role.tf b/ci_cd_role.tf
@@ -0,0 +1,30 @@
+resource "aws_iam_role" "ci_cd_iam_role" {
+  count = var.create_ci_cd_role ? 1 : 0
+
+  name                = "ci_cd_access_role"
+  assume_role_policy  = data.aws_iam_policy_document.ci_cd_policy_document[0].json
+  managed_policy_arns = var.ci_cd_role_managed_policies
+
+  dynamic "inline_policy" {
+    for_each = var.ci_cd_role_inline_policies
+
+    content {
+      name   = inline_policy.key
+      policy = inline_policy.value
+    }
+  }
+}
+
+data "aws_iam_policy_document" "ci_cd_policy_document" {
+  count = var.create_ci_cd_role ? 1 : 0
+
+  statement {
+    actions = ["sts:AssumeRole"]
+    principals {
+      type        = "AWS"
+      identifiers = var.trusted_roles_ci_cd
+    }
+  }
+}
+
+
diff --git a/main.tf b/main.tf
@@ -9,16 +9,6 @@ data "aws_iam_policy_document" "assume_role" {
       identifiers = var.trusted_role_arns
     }
   }
-  statement {
-    effect = "Allow"
-
-    actions = ["sts:AssumeRole"]
-
-    principals {
-      type        = "AWS"
-      identifiers = var.trusted_roles_ci_cd
-    }
-  }
 }
 
 data "aws_iam_policy_document" "assume_role_with_mfa" {
@@ -44,16 +34,6 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {
       values   = [var.mfa_age]
     }
   }
-  statement {
-    effect = "Allow"
-
-    actions = ["sts:AssumeRole"]
-
-    principals {
-      type        = "AWS"
-      identifiers = var.trusted_roles_ci_cd
-    }
-  }
 }
 
 # Admin

diff --git a/variables.tf b/variables.tf
@@ -3,11 +3,6 @@ variable "trusted_role_arns" {
   default     = []
 }
 
-variable "trusted_roles_ci_cd" {
-  description = "ARNs of AWS entities who can assume these roles for CI/CD"
-  default     = []
-}
-
 
 variable "mfa_age" {
   description = "Max age of valid MFA (in seconds) for roles which require MFA"
@@ -125,7 +120,7 @@ variable "create_cloudwatch_share_role" {
 
 variable "nagios_role_arn" {
   description = "arn of principal which assumes nagios role"
-  default     = ""
+  default     = []
 }
 
 variable "create_nagios_role" {
@@ -151,3 +146,28 @@ variable "create_sla_reporter_role" {
   description = "Create role used by SLA report generator"
   default     = false
 }
+
+# CI_CD
+
+variable "create_ci_cd_role" {
+  description = "Wheter ci_cd_role has to be created"
+  default     = false
+  type        = bool
+}
+
+variable "trusted_roles_ci_cd" {
+  description = "ARNs of AWS entities who can assume these roles for CI/CD"
+  default     = []
+}
+
+variable "ci_cd_role_inline_policies" {
+  default     = {}
+  description = "Inline policies map with policy name as key and json as value."
+  type        = map(string)
+}
+
+variable "ci_cd_role_managed_policies" {
+  default     = []
+  description = "Managed policies list."
+  type        = list(string)
+}