From 526afbb3c930ca1315119ebed6f1756f7d4b061e Mon Sep 17 00:00:00 2001
From: Ramesh Maddegoda <94033485+ramesh-maddegoda@users.noreply.github.com>
Date: Mon, 25 Nov 2024 23:18:31 -0800
Subject: [PATCH] UPDATE terraform to avoid locally generated IAM policy files

---
 terraform/terraform-modules/common/common.tf | 3 +-
 .../terraform-modules/ecs-ecr/ecs_ecr.tf | 168 +++++++++++---
 .../ecs_task_execution_role_iam_policy.json | 46 ----
 .../ecs-ecr/ecs_task_role_iam_policy.json | 55 -----
 ...te_ecs_task_execution_role_iam_policy.json | 46 ----
 .../template_ecs_task_role_iam_policy.json | 58 -----
 .../terraform-modules/mwaa-env/mwaa_env.tf | 212 ++++++++++++++++--
 .../mwaa_execution_role_iam_policy.json | 144 ------------
 ...mplate_mwaa_execution_role_iam_policy.json | 144 ------------
 .../lambda_inline_policy.json | 53 -----
 .../product-copy-completion-checker.tf | 85 +++++--
 .../template_lambda_inline_policy.json | 53 -----
 12 files changed, 394 insertions(+), 673 deletions(-)
 delete mode 100644 terraform/terraform-modules/ecs-ecr/ecs_task_execution_role_iam_policy.json
 delete mode 100644 terraform/terraform-modules/ecs-ecr/ecs_task_role_iam_policy.json
 delete mode 100644 terraform/terraform-modules/ecs-ecr/template_ecs_task_execution_role_iam_policy.json
 delete mode 100644 terraform/terraform-modules/ecs-ecr/template_ecs_task_role_iam_policy.json
 delete mode 100644 terraform/terraform-modules/mwaa-env/mwaa_execution_role_iam_policy.json
 delete mode 100644 terraform/terraform-modules/mwaa-env/template_mwaa_execution_role_iam_policy.json
 delete mode 100644 terraform/terraform-modules/product-copy-completion-checker/lambda_inline_policy.json
 delete mode 100644 terraform/terraform-modules/product-copy-completion-checker/template_lambda_inline_policy.json
diff --git a/terraform/terraform-modules/common/common.tf b/terraform/terraform-modules/common/common.tf
index 3a019fc..a1e8797 100644
--- a/terraform/terraform-modules/common/common.tf
+++ b/terraform/terraform-modules/common/common.tf @@ -36,7 +36,8 @@ resource "aws_security_group" "nucleus_security_group" { } resource "aws_s3_bucket" "pds_nucleus_airflow_dags_bucket" { - bucket = var.mwaa_dag_s3_bucket_name + bucket = var.mwaa_dag_s3_bucket_name + force_destroy = true } resource "aws_s3_object" "dags" { diff --git a/terraform/terraform-modules/ecs-ecr/ecs_ecr.tf b/terraform/terraform-modules/ecs-ecr/ecs_ecr.tf index 474dc00..1810e9b 100644 --- a/terraform/terraform-modules/ecs-ecr/ecs_ecr.tf +++ b/terraform/terraform-modules/ecs-ecr/ecs_ecr.tf 
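Review bot: `force_destroy = true` on `aws_s3_bucket.pds_nucleus_airflow_dags_bucket` lets `terraform destroy`, or any plan that replaces the bucket, delete every object in the DAG bucket with no further confirmation, so a mistaken apply becomes unrecoverable data loss unless the objects are versioned or backed up elsewhere. The same flag is added to `aws_s3_bucket.pds_nucleus_s3_config_bucket` in product-copy-completion-checker.tf in this patch. If the goal is only convenient teardown of test environments, drive it from an input variable that defaults to false (a new variable along the lines of `force_destroy = var.bucket_force_destroy`, name to taste) rather than hard-coding it for every deployment; at minimum record the trade-off next to the line, e.g. `# force_destroy: all objects are deleted with the bucket on destroy; keep false for production`.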
@@ -13,38 +13,6 @@ data "aws_iam_policy" "mcp_operator_policy" { # Add account ID to templates data "aws_caller_identity" "current" {} -data "template_file" "ecs_task_role_iam_policy_template" { - template = file("terraform-modules/ecs-ecr/template_ecs_task_role_iam_policy.json") - vars = { - pds_nucleus_aws_account_id = data.aws_caller_identity.current.account_id - } - depends_on = [data.aws_caller_identity.current] -} - -resource "local_file" "ecs_task_role_iam_policy_file" { - content = data.template_file.ecs_task_role_iam_policy_template.rendered - filename = "terraform-modules/ecs-ecr/ecs_task_role_iam_policy.json" - - depends_on = [data.template_file.ecs_task_role_iam_policy_template] -} - -data "template_file" "ecs_task_execution_role_iam_policy_template" { - template = file("terraform-modules/ecs-ecr/template_ecs_task_execution_role_iam_policy.json") - vars = { - pds_nucleus_aws_account_id = data.aws_caller_identity.current.account_id - pds_nucleus_region = var.region - aws_secretmanager_key_arn = var.aws_secretmanager_key_arn - } - depends_on = [data.aws_caller_identity.current] -} - -resource "local_file" "ecs_task_execution_role_iam_policy_file" { - content = data.template_file.ecs_task_execution_role_iam_policy_template.rendered - filename = "terraform-modules/ecs-ecr/ecs_task_execution_role_iam_policy.json" - - depends_on = [data.template_file.ecs_task_execution_role_iam_policy_template] -} - data "template_file" "deploy_ecr_images_script_template" { template = file("terraform-modules/ecs-ecr/docker/template-deploy-ecr-images.sh") vars = { @@ -57,7 +25,7 @@ resource "local_file" "deploy_ecr_images_script_file" { content = data.template_file.deploy_ecr_images_script_template.rendered filename = "terraform-modules/ecs-ecr/docker/deploy-ecr-images.sh" - depends_on = [data.template_file.ecs_task_execution_role_iam_policy_template] + depends_on = [data.template_file.deploy_ecr_images_script_template] } #------------------------------------- 
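Review bot: The corrected `depends_on = [data.template_file.deploy_ecr_images_script_template]` in `local_file.deploy_ecr_images_script_file` is redundant, because the `content` argument already references that data source and Terraform derives the dependency from the reference; the line can simply be removed. The `resource "local_file"` block's opening line sits outside this hunk. Since the commit moves the IAM policies off `template_file`, it may be worth treating the remaining `data "template_file" "deploy_ecr_images_script_template"` the same way with the built-in `templatefile()` function, as the hashicorp/template provider is deprecated in favour of it; that is a follow-up rather than a blocker.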
@@ -66,7 +34,71 @@ resource "local_file" "deploy_ecr_images_script_file" { # IAM Policy Document for Inline Policy data "aws_iam_policy_document" "ecs_task_role_inline_policy" { - source_policy_documents = [file("${path.module}/ecs_task_role_iam_policy.json")] + statement { + effect = "Allow" + actions = [ + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage", + "ecr:BatchCheckLayerAvailability" + ] + resources = [ + "arn:aws:ecr:*:${data.aws_caller_identity.current.account_id}:repository/pds*" + ] + } + + statement { + effect = "Allow" + actions = [ + "elasticfilesystem:DescribeMountTargets", + "elasticfilesystem:ClientMount", + "elasticfilesystem:ClientWrite", + "elasticfilesystem:ClientRootAccess" + ] + resources = [ + "arn:aws:elasticfilesystem:*:${data.aws_caller_identity.current.account_id}:access-point/*", + "arn:aws:elasticfilesystem:*:${data.aws_caller_identity.current.account_id}:file-system/pds-nucleus*" + ] + } + + statement { + effect = "Allow" + actions = [ + "logs:CreateLogStream", + "logs:CreateLogGroup", + "logs:PutLogEvents" + ] + resources = [ + "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:log-group:*:log-stream:*" + ] + } + + statement { + effect = "Allow" + actions = [ + "ecr:GetAuthorizationToken" + ] + resources = [ + "arn:aws:ecr:*:${data.aws_caller_identity.current.account_id}:repository/pds*" + ] + } + + statement { + effect = "Allow" + actions = [ + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*", + "s3:PutObject" + ] + resources = [ + "arn:aws:s3:::pds-nucleus*", + "arn:aws:s3:::pds-nucleus*/*", + "arn:aws:s3:::pds-*-staging*", + "arn:aws:s3:::pds-*-staging*/*", + "arn:aws:s3:::pds-*-archive*", + "arn:aws:s3:::pds-*-archive*/*" + ] + } } 
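Review bot: The fourth statement grants `ecr:GetAuthorizationToken` on `arn:aws:ecr:*:${data.aws_caller_identity.current.account_id}:repository/pds*`, but that action is not resource-scoped in IAM (the Service Authorization Reference lists no resource type for it), so a repository ARN never matches and the grant is inert. If the task itself needs to log in to ECR the statement must read `resources = ["*"]`; otherwise delete it so the document does not suggest a permission that is never effective. This wording was inherited from the deleted ecs_task_role_iam_policy.json, so it is not a regression, but the conversion to HCL is the right moment to correct it. The `data "aws_iam_policy_document" "ecs_task_role_inline_policy"` block is complete within this hunk.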
@@ -101,9 +133,73 @@ resource "aws_iam_role" "pds_nucleus_ecs_task_role" { # IAM Policy Document for Inline Policy data "aws_iam_policy_document" "ecs_task_execution_role_inline_policy" { - source_policy_documents = [file("${path.module}/ecs_task_execution_role_iam_policy.json")] + statement { + effect = "Allow" + actions = [ + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage", + "ecr:BatchCheckLayerAvailability" + ] + resources = [ + "arn:aws:ecr:*:${data.aws_caller_identity.current.account_id}:repository/pds*" + ] + } - depends_on = [local_file.ecs_task_execution_role_iam_policy_file] + statement { + effect = "Allow" + actions = [ + "ecr:GetAuthorizationToken" + ] + resources = [ + "arn:aws:ecr:region:${data.aws_caller_identity.current.account_id}:pds-*" + ] + } + + statement { + effect = "Allow" + actions = [ + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:CreateLogGroup" + ] + resources = [ + "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:log-group:*:log-stream:*" + ] + } + + statement { + effect = "Allow" + actions = [ + "ecs:stopTask" + ] + resources = [ + "arn:aws:ecs:*:${data.aws_caller_identity.current.account_id}:task/pds-nucleus-ecs/*" + ] + } + + statement { + effect = "Allow" + actions = [ + "secretsmanager:GetSecretValue", + "kms:Decrypt" + ] + resources = [ + "arn:aws:secretsmanager:${var.region}:${data.aws_caller_identity.current.account_id}:secret:pds/nucleus/opensearch/creds/*", + var.aws_secretmanager_key_arn + ] + } + + statement { + effect = "Allow" + actions = [ + "secretsmanager:GetSecretValue", + "kms:Decrypt" + ] + resources = [ + "arn:aws:secretsmanager:${var.region}:${data.aws_caller_identity.current.account_id}:secret:pds/nucleus/opensearch/creds/*", + var.aws_secretmanager_key_arn + ] + } } resource "aws_iam_role" "pds_nucleus_ecs_task_execution_role" { 
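Review bot: The `ecr:GetAuthorizationToken` statement's resource `arn:aws:ecr:region:${data.aws_caller_identity.current.account_id}:pds-*` contains the literal word `region` and is not a repository ARN; the deleted ecs_task_execution_role_iam_policy.json granted this action on `"*"`, which is the only resource the action accepts, so this is a regression that will most likely stop tasks using this execution role from pulling their images. Change that statement to `resources = ["*"]`. Separately, the last two statements (`secretsmanager:GetSecretValue` and `kms:Decrypt` on the opensearch creds secret and `var.aws_secretmanager_key_arn`) are byte-for-byte duplicates, so one should be dropped. The `data "aws_iam_policy_document" "ecs_task_execution_role_inline_policy"` block is complete within this hunk.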
diff --git a/terraform/terraform-modules/ecs-ecr/ecs_task_execution_role_iam_policy.json b/terraform/terraform-modules/ecs-ecr/ecs_task_execution_role_iam_policy.json deleted file mode 100644 index 95be253..0000000 --- a/terraform/terraform-modules/ecs-ecr/ecs_task_execution_role_iam_policy.json +++ /dev/null @@ -1,46 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ecr:GetDownloadUrlForLayer", - "ecr:BatchGetImage", - "ecr:BatchCheckLayerAvailability" - ], - "Resource": "arn:aws:ecr:*:${pds_nucleus_aws_account_id}:repository/pds*" - }, - { - "Effect": "Allow", - "Action": "ecr:GetAuthorizationToken", - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "logs:CreateLogStream", - "logs:PutLogEvents", - "logs:CreateLogGroup" - ], - "Resource": "arn:aws:logs:*:${pds_nucleus_aws_account_id}:log-group:*:log-stream:*" - }, - { - "Effect": "Allow", - "Action": [ - "ecs:stopTask" - ], - "Resource": "arn:aws:ecs:*:${pds_nucleus_aws_account_id}:task/pds-nucleus-ecs/*" - }, - { - "Effect": "Allow", - "Action": [ - "secretsmanager:GetSecretValue", - "kms:Decrypt" - ], - "Resource": [ - "arn:aws:secretsmanager:${pds_nucleus_region}:${pds_nucleus_aws_account_id}:secret:pds/nucleus/opensearch/creds/*", - "${aws_secretmanager_key_arn}" - ] - } - ] -} diff --git a/terraform/terraform-modules/ecs-ecr/ecs_task_role_iam_policy.json b/terraform/terraform-modules/ecs-ecr/ecs_task_role_iam_policy.json deleted file mode 100644 index e8e085d..0000000 --- a/terraform/terraform-modules/ecs-ecr/ecs_task_role_iam_policy.json +++ /dev/null 
@@ -1,55 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ecr:GetDownloadUrlForLayer", - "ecr:BatchGetImage", - "ecr:BatchCheckLayerAvailability" - ], - "Resource": "arn:aws:ecr:*:${pds_nucleus_aws_account_id}:repository/pds*" - }, - { - "Effect": "Allow", - "Action": [ - "elasticfilesystem:DescribeMountTargets", - "elasticfilesystem:ClientMount", - "elasticfilesystem:ClientWrite", - "elasticfilesystem:ClientRootAccess" - ], - "Resource": [ - "arn:aws:elasticfilesystem:*:${pds_nucleus_aws_account_id}:access-point/*", - "arn:aws:elasticfilesystem:*:${pds_nucleus_aws_account_id}:file-system/pds-nucleus*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "logs:CreateLogStream", - "logs:CreateLogGroup", - "logs:PutLogEvents" - ], - "Resource": "arn:aws:logs:*:${pds_nucleus_aws_account_id}:log-group:*:log-stream:*" - }, - { - "Effect": "Allow", - "Action": "ecr:GetAuthorizationToken", - "Resource": "arn:aws:ecr:*:${pds_nucleus_aws_account_id}:repository/pds*" - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:s3:::pds-nucleus*", - "arn:aws:s3:::pds-nucleus*/*", - "arn:aws:s3:::pds-*-staging*", - "arn:aws:s3:::pds-*-staging*/*" - ] - } - ] -} diff --git a/terraform/terraform-modules/ecs-ecr/template_ecs_task_execution_role_iam_policy.json b/terraform/terraform-modules/ecs-ecr/template_ecs_task_execution_role_iam_policy.json deleted file mode 100644 index 95be253..0000000 --- a/terraform/terraform-modules/ecs-ecr/template_ecs_task_execution_role_iam_policy.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ecr:GetDownloadUrlForLayer", - "ecr:BatchGetImage", - "ecr:BatchCheckLayerAvailability" - ], - "Resource": "arn:aws:ecr:*:${pds_nucleus_aws_account_id}:repository/pds*" - }, - { - "Effect": "Allow", - "Action": "ecr:GetAuthorizationToken", - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "logs:CreateLogStream", - "logs:PutLogEvents", - "logs:CreateLogGroup" - ], - "Resource": "arn:aws:logs:*:${pds_nucleus_aws_account_id}:log-group:*:log-stream:*" - }, - { - "Effect": "Allow", - "Action": [ - "ecs:stopTask" - ], - "Resource": "arn:aws:ecs:*:${pds_nucleus_aws_account_id}:task/pds-nucleus-ecs/*" - }, - { - "Effect": "Allow", - "Action": [ - "secretsmanager:GetSecretValue", - "kms:Decrypt" - ], - "Resource": [ - "arn:aws:secretsmanager:${pds_nucleus_region}:${pds_nucleus_aws_account_id}:secret:pds/nucleus/opensearch/creds/*", - "${aws_secretmanager_key_arn}" - ] - } - ] -} diff --git a/terraform/terraform-modules/ecs-ecr/template_ecs_task_role_iam_policy.json b/terraform/terraform-modules/ecs-ecr/template_ecs_task_role_iam_policy.json deleted file mode 100644 index 6c96a70..0000000 --- a/terraform/terraform-modules/ecs-ecr/template_ecs_task_role_iam_policy.json +++ /dev/null 
@@ -1,58 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ecr:GetDownloadUrlForLayer", - "ecr:BatchGetImage", - "ecr:BatchCheckLayerAvailability" - ], - "Resource": "arn:aws:ecr:*:${pds_nucleus_aws_account_id}:repository/pds*" - }, - { - "Effect": "Allow", - "Action": [ - "elasticfilesystem:DescribeMountTargets", - "elasticfilesystem:ClientMount", - "elasticfilesystem:ClientWrite", - "elasticfilesystem:ClientRootAccess" - ], - "Resource": [ - "arn:aws:elasticfilesystem:*:${pds_nucleus_aws_account_id}:access-point/*", - "arn:aws:elasticfilesystem:*:${pds_nucleus_aws_account_id}:file-system/pds-nucleus*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "logs:CreateLogStream", - "logs:CreateLogGroup", - "logs:PutLogEvents" - ], - "Resource": "arn:aws:logs:*:${pds_nucleus_aws_account_id}:log-group:*:log-stream:*" - }, - { - "Effect": "Allow", - "Action": "ecr:GetAuthorizationToken", - "Resource": "arn:aws:ecr:*:${pds_nucleus_aws_account_id}:repository/pds*" - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:s3:::pds-nucleus*", - "arn:aws:s3:::pds-nucleus*/*", - "arn:aws:s3:::pds-*-staging*", - "arn:aws:s3:::pds-*-staging*/*", - "arn:aws:s3:::pds-*-archive*", - "arn:aws:s3:::pds-*-archive*/*" - ] - } - ] -} diff --git a/terraform/terraform-modules/mwaa-env/mwaa_env.tf b/terraform/terraform-modules/mwaa-env/mwaa_env.tf index 804835d..0c92d15 100644 --- a/terraform/terraform-modules/mwaa-env/mwaa_env.tf +++ b/terraform/terraform-modules/mwaa-env/mwaa_env.tf 
@@ -14,31 +14,209 @@ data "aws_iam_policy_document" "assume_role" { data "aws_caller_identity" "current" {} -data "template_file" "mwaa_inline_policy_template" { - template = file("terraform-modules/mwaa-env/template_mwaa_execution_role_iam_policy.json") - vars = { - pds_nucleus_aws_account_id = data.aws_caller_identity.current.account_id - pds_nucleus_region = var.region - airflow_env_name = var.airflow_env_name +# IAM Policy Document for Inline Policy +data "aws_iam_policy_document" "mwaa_inline_policy" { + statement { + effect = "Allow" + actions = [ + "airflow:PublishMetrics" + ] + resources = [ + "arn:aws:airflow:*:${data.aws_caller_identity.current.account_id}:role/*/*", + "arn:aws:airflow:*:${data.aws_caller_identity.current.account_id}:environment/*" + ] } - depends_on = [data.aws_caller_identity.current] -} + statement { + effect = "Allow" + actions = [ + "cloudwatch:PutMetricData" + ] + resources = [ + "*" + ] + } -resource "local_file" "mwaa_inline_policy_file" { - content = data.template_file.mwaa_inline_policy_template.rendered - filename = "terraform-modules/mwaa-env/mwaa_execution_role_iam_policy.json" + statement { + effect = "Allow" + actions = [ + "ecs:RunTask", + "ecs:DescribeTasks" + ] + resources = [ + "arn:aws:ecs:*:${data.aws_caller_identity.current.account_id}:task-definition/pds*:*", + "arn:aws:ecs:*:${data.aws_caller_identity.current.account_id}:task/pds*/*" + ] + } - depends_on = [data.template_file.mwaa_inline_policy_template] -} + statement { + effect = "Allow" + actions = [ + "iam:PassRole" + ] + resources = [ + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/pds-*" + ] + } -# IAM Policy Document for Inline Policy -data "aws_iam_policy_document" "mwaa_inline_policy" { - source_policy_documents = [file("${path.module}/mwaa_execution_role_iam_policy.json")] + statement { + effect = "Allow" + actions = [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:GenerateDataKey*", + "kms:Encrypt" + ] + not_resources = 
["arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/*"] + condition { + test = "StringLike" + variable = "kms:ViaService" + values = ["sqs.${var.region}.amazonaws.com"] + } + } - depends_on = [local_file.mwaa_inline_policy_file] + statement { + effect = "Allow" + actions = [ + "logs:CreateLogStream", + "logs:GetLogEvents", + "logs:PutLogEvents" + ] + resources = [ + "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:log-group:*:log-stream:*" + ] + } + + statement { + effect = "Allow" + actions = [ + "logs:DescribeLogGroups" + ] + resources = [ + "*" + ] + } + + statement { + effect = "Allow" + actions = [ + "logs:GetLogRecord", + "logs:GetQueryResults", + "logs:GetLogGroupFields", + "logs:CreateLogGroup" + ] + resources = [ + "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:log-group:*" + ] + } + + statement { + effect = "Allow" + actions = [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ReceiveMessage", + "sqs:SendMessage" + ] + resources = [ + "arn:aws:sqs:${var.region}:*:airflow-celery-*" + ] + } + + statement { + effect = "Allow" + actions = [ + "s3:ListAllMyBuckets" + ] + resources = [ + "*" + ] + } + + statement { + effect = "Allow" + actions = [ + "s3:GetBucket*", + "s3:GetObject*", + "s3:GetAccountPublicAccessBlock", + "s3:List*" + ] + resources = [ + "arn:aws:s3:::pds-nucleus*", + "arn:aws:s3:::pds-nucleus*/*" + ] + } + + statement { + effect = "Allow" + actions = [ + "logs:CreateLogStream", + "logs:CreateLogGroup", + "logs:PutLogEvents", + "logs:GetLogEvents", + "logs:GetLogRecord", + "logs:GetLogGroupFields", + "logs:GetQueryResults" + ] + resources = [ + "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:airflow-${var.airflow_env_name}-*" + ] + } + + statement { + effect = "Allow" + actions = [ + "logs:DescribeLogGroups" + ] + resources = [ + "*" + ] + } + + statement { + effect = "Allow" + actions = [ + 
"cloudwatch:PutMetricData" + ] + resources = [ + "*" + ] + } + + statement { + effect = "Allow" + actions = [ + "iam:PassRole" + ] + resources = [ + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/pds_nucleus_*" + ] + } + + statement { + effect = "Allow" + actions = [ + "lambda:InvokeFunction" + ] + resources = [ + "arn:aws:lambda:${var.region}:${data.aws_caller_identity.current.account_id}:function:pds_nucleus_*" + ] + } + + statement { + effect = "Allow" + actions = [ + "lambda:InvokeFunction" + ] + resources = [ + "arn:aws:lambda:${var.region}:${data.aws_caller_identity.current.account_id}:function:pds_nucleus_*" + ] + } } + # The Policy for Permission Boundary data "aws_iam_policy" "mcp_operator_policy" { name = var.permission_boundary_for_iam_roles diff --git a/terraform/terraform-modules/mwaa-env/mwaa_execution_role_iam_policy.json b/terraform/terraform-modules/mwaa-env/mwaa_execution_role_iam_policy.json deleted file mode 100644 index e96fa4e..0000000 --- a/terraform/terraform-modules/mwaa-env/mwaa_execution_role_iam_policy.json +++ /dev/null 
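Review bot: `s3:ListAllMyBuckets` on `"*"` is converted with `effect = "Allow"`, but both deleted files (mwaa_execution_role_iam_policy.json and its template) carried it as `"Effect": "Deny"`, which is also how the AWS sample MWAA execution-role policy ships it; the new document therefore widens the role to enumerate every bucket in the account instead of forbidding it. Restore `effect = "Deny"` on that statement. Three statements are also duplicated verbatim — `cloudwatch:PutMetricData`, `logs:DescribeLogGroups` and `lambda:InvokeFunction` (the deleted JSON had the Lambda one only once) — and can be collapsed to one each. The `data "aws_iam_policy_document" "mwaa_inline_policy"` block is complete within this hunk.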
@@ -1,144 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "airflow:PublishMetrics", - "Resource": [ - "arn:aws:airflow:*:${pds_nucleus_aws_account_id}:role/*/*", - "arn:aws:airflow:*:${pds_nucleus_aws_account_id}:environment/*" - ] - }, - { - "Effect": "Allow", - "Action": "cloudwatch:PutMetricData", - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "ecs:RunTask", - "ecs:DescribeTasks" - ], - "Resource": [ - "arn:aws:ecs:*:${pds_nucleus_aws_account_id}:task-definition/pds*:*", - "arn:aws:ecs:*:${pds_nucleus_aws_account_id}:task/pds*/*" - ] - }, - { - "Effect": "Allow", - "Action": "iam:PassRole", - "Resource": "arn:aws:iam::${pds_nucleus_aws_account_id}:role/pds-nucleus*" - }, - { - "Effect": "Allow", - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:GenerateDataKey*", - "kms:Encrypt" - ], - "NotResource": "arn:aws:kms:*:${pds_nucleus_aws_account_id}:key/*", - "Condition": { - "StringLike": { - "kms:ViaService": [ - "sqs.${pds_nucleus_region}.amazonaws.com" - ] - } - } - }, - { - "Effect": "Allow", - "Action": [ - "logs:CreateLogStream", - "logs:GetLogEvents", - "logs:PutLogEvents" - ], - "Resource": "arn:aws:logs:*:${pds_nucleus_aws_account_id}:log-group:*:log-stream:*" - }, - { - "Effect": "Allow", - "Action": "logs:DescribeLogGroups", - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "logs:GetLogRecord", - "logs:GetQueryResults", - "logs:GetLogGroupFields", - "logs:CreateLogGroup" - ], - "Resource": "arn:aws:logs:*:${pds_nucleus_aws_account_id}:log-group:*" - }, - { - "Effect": "Allow", - "Action": [ - "sqs:ChangeMessageVisibility", - "sqs:DeleteMessage", - "sqs:GetQueueAttributes", - "sqs:GetQueueUrl", - "sqs:ReceiveMessage", - "sqs:SendMessage" - ], - "Resource": "arn:aws:sqs:${pds_nucleus_region}:*:airflow-celery-*" - }, - { - "Effect": "Deny", - "Action": "s3:ListAllMyBuckets", - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - 
"s3:GetAccountPublicAccessBlock", - "s3:List*" - ], - "Resource": [ - "arn:aws:s3:::pds-nucleus*", - "arn:aws:s3:::pds-nucleus*/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "logs:CreateLogStream", - "logs:CreateLogGroup", - "logs:PutLogEvents", - "logs:GetLogEvents", - "logs:GetLogRecord", - "logs:GetLogGroupFields", - "logs:GetQueryResults" - ], - "Resource": [ - "arn:aws:logs:${pds_nucleus_region}:${pds_nucleus_aws_account_id}:log-group:airflow-${airflow_env_name}-*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "logs:DescribeLogGroups" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": "cloudwatch:PutMetricData", - "Resource": "*" - }, - { - "Action": "iam:PassRole", - "Effect": "Allow", - "Resource": "arn:aws:iam::${pds_nucleus_aws_account_id}:role/pds_nucleus_*" - }, - { - "Action": "lambda:InvokeFunction", - "Effect": "Allow", - "Resource": "arn:aws:lambda:${pds_nucleus_region}:${pds_nucleus_aws_account_id}:function:pds_nucleus_*" - } - ] -} diff --git a/terraform/terraform-modules/mwaa-env/template_mwaa_execution_role_iam_policy.json b/terraform/terraform-modules/mwaa-env/template_mwaa_execution_role_iam_policy.json deleted file mode 100644 index 9605af9..0000000 --- a/terraform/terraform-modules/mwaa-env/template_mwaa_execution_role_iam_policy.json +++ /dev/null 
@@ -1,144 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "airflow:PublishMetrics", - "Resource": [ - "arn:aws:airflow:*:${pds_nucleus_aws_account_id}:role/*/*", - "arn:aws:airflow:*:${pds_nucleus_aws_account_id}:environment/*" - ] - }, - { - "Effect": "Allow", - "Action": "cloudwatch:PutMetricData", - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "ecs:RunTask", - "ecs:DescribeTasks" - ], - "Resource": [ - "arn:aws:ecs:*:${pds_nucleus_aws_account_id}:task-definition/pds*:*", - "arn:aws:ecs:*:${pds_nucleus_aws_account_id}:task/pds*/*" - ] - }, - { - "Effect": "Allow", - "Action": "iam:PassRole", - "Resource": "arn:aws:iam::${pds_nucleus_aws_account_id}:role/pds-*" - }, - { - "Effect": "Allow", - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:GenerateDataKey*", - "kms:Encrypt" - ], - "NotResource": "arn:aws:kms:*:${pds_nucleus_aws_account_id}:key/*", - "Condition": { - "StringLike": { - "kms:ViaService": [ - "sqs.${pds_nucleus_region}.amazonaws.com" - ] - } - } - }, - { - "Effect": "Allow", - "Action": [ - "logs:CreateLogStream", - "logs:GetLogEvents", - "logs:PutLogEvents" - ], - "Resource": "arn:aws:logs:*:${pds_nucleus_aws_account_id}:log-group:*:log-stream:*" - }, - { - "Effect": "Allow", - "Action": "logs:DescribeLogGroups", - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "logs:GetLogRecord", - "logs:GetQueryResults", - "logs:GetLogGroupFields", - "logs:CreateLogGroup" - ], - "Resource": "arn:aws:logs:*:${pds_nucleus_aws_account_id}:log-group:*" - }, - { - "Effect": "Allow", - "Action": [ - "sqs:ChangeMessageVisibility", - "sqs:DeleteMessage", - "sqs:GetQueueAttributes", - "sqs:GetQueueUrl", - "sqs:ReceiveMessage", - "sqs:SendMessage" - ], - "Resource": "arn:aws:sqs:${pds_nucleus_region}:*:airflow-celery-*" - }, - { - "Effect": "Deny", - "Action": "s3:ListAllMyBuckets", - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - 
"s3:GetAccountPublicAccessBlock", - "s3:List*" - ], - "Resource": [ - "arn:aws:s3:::pds-nucleus*", - "arn:aws:s3:::pds-nucleus*/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "logs:CreateLogStream", - "logs:CreateLogGroup", - "logs:PutLogEvents", - "logs:GetLogEvents", - "logs:GetLogRecord", - "logs:GetLogGroupFields", - "logs:GetQueryResults" - ], - "Resource": [ - "arn:aws:logs:${pds_nucleus_region}:${pds_nucleus_aws_account_id}:log-group:airflow-${airflow_env_name}-*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "logs:DescribeLogGroups" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": "cloudwatch:PutMetricData", - "Resource": "*" - }, - { - "Action": "iam:PassRole", - "Effect": "Allow", - "Resource": "arn:aws:iam::${pds_nucleus_aws_account_id}:role/pds_nucleus_*" - }, - { - "Action": "lambda:InvokeFunction", - "Effect": "Allow", - "Resource": "arn:aws:lambda:${pds_nucleus_region}:${pds_nucleus_aws_account_id}:function:pds_nucleus_*" - } - ] -} diff --git a/terraform/terraform-modules/product-copy-completion-checker/lambda_inline_policy.json b/terraform/terraform-modules/product-copy-completion-checker/lambda_inline_policy.json deleted file mode 100644 index 169f2ab..0000000 --- a/terraform/terraform-modules/product-copy-completion-checker/lambda_inline_policy.json +++ /dev/null 
@@ -1,53 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "logs:CreateLogStream", - "logs:CreateLogGroup", - "logs:PutLogEvents" - ], - "Resource": "arn:aws:logs:*:${pds_nucleus_aws_account_id}:log-group:*:log-stream:*" - }, - { - "Effect": "Allow", - "Action": "rds-data:ExecuteStatement", - "Resource": "arn:aws:rds:*:${pds_nucleus_aws_account_id}:cluster:${rds_cluster_id}" - }, - { - "Effect": "Allow", - "Action": "secretsmanager:GetSecretValue", - "Resource": "arn:aws:secretsmanager:*:${pds_nucleus_aws_account_id}:secret:pds/nucleus/rds/*" - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:PutObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:s3:::pds-nucleus*", - "arn:aws:s3:::pds-nucleus*/*", - "arn:aws:s3:::pds-*-staging*", - "arn:aws:s3:::pds-*-staging*/*" - ] - }, - { - "Effect": "Allow", - "Action": "airflow:CreateCliToken", - "Resource": "arn:aws:airflow:*:${pds_nucleus_aws_account_id}:environment/pds*" - }, - { - "Effect": "Allow", - "Action": [ - "sqs:ReceiveMessage", - "sqs:DeleteMessage", - "sqs:GetQueueAttributes" - ], - "Resource": "arn:aws:sqs:*:${pds_nucleus_aws_account_id}:pds-*" - } - ] -} diff --git a/terraform/terraform-modules/product-copy-completion-checker/product-copy-completion-checker.tf b/terraform/terraform-modules/product-copy-completion-checker/product-copy-completion-checker.tf index b35ecee..02c0d29 100644 --- a/terraform/terraform-modules/product-copy-completion-checker/product-copy-completion-checker.tf +++ b/terraform/terraform-modules/product-copy-completion-checker/product-copy-completion-checker.tf 
@@ -102,32 +102,76 @@ data "aws_iam_policy_document" "assume_role_lambda" { data "aws_caller_identity" "current" {} -data "template_file" "lambda_inline_policy_template" { - template = file("terraform-modules/product-copy-completion-checker/template_lambda_inline_policy.json") - vars = { - pds_nucleus_aws_account_id = data.aws_caller_identity.current.account_id - rds_cluster_id = var.rds_cluster_id - region = var.region +data "aws_iam_policy_document" "lambda_inline_policy" { + statement { + effect = "Allow" + actions = [ + "logs:CreateLogStream", + "logs:CreateLogGroup", + "logs:PutLogEvents" + ] + resources = [ + "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:log-group:*:log-stream:*" + ] } - depends_on = [data.aws_caller_identity.current] -} - -resource "local_file" "lambda_inline_policy_file" { - content = data.template_file.lambda_inline_policy_template.rendered - filename = "terraform-modules/product-copy-completion-checker/lambda_inline_policy.json" + statement { + effect = "Allow" + actions = [ + "rds-data:ExecuteStatement" + ] + resources = [ + "arn:aws:rds:*:${data.aws_caller_identity.current.account_id}:cluster:${var.rds_cluster_id}" + ] + } - depends_on = [data.template_file.lambda_inline_policy_template] + statement { + effect = "Allow" + actions = [ + "secretsmanager:GetSecretValue" + ] + resources = [ + "arn:aws:secretsmanager:*:${data.aws_caller_identity.current.account_id}:secret:pds/nucleus/rds/*" + ] + } - lifecycle { - prevent_destroy = true + statement { + effect = "Allow" + actions = [ + "s3:GetBucket*", + "s3:GetObject*", + "s3:PutObject*", + "s3:List*" + ] + resources = [ + "arn:aws:s3:::pds-nucleus*", + "arn:aws:s3:::pds-nucleus*/*", + "arn:aws:s3:::pds-*-staging*", + "arn:aws:s3:::pds-*-staging*/*" + ] } -} -data "aws_iam_policy_document" "lambda_inline_policy" { - source_policy_documents = [file("${path.module}/lambda_inline_policy.json")] + statement { + effect = "Allow" + actions = [ + "airflow:CreateCliToken" + ] + 
resources = [ + "arn:aws:airflow:*:${data.aws_caller_identity.current.account_id}:environment/pds*" + ] + } - depends_on = [local_file.lambda_inline_policy_file] + statement { + effect = "Allow" + actions = [ + "sqs:ReceiveMessage", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes" + ] + resources = [ + "arn:aws:sqs:*:${data.aws_caller_identity.current.account_id}:pds-*" + ] + } } resource "aws_iam_role" "pds_nucleus_lambda_execution_role" { @@ -178,7 +222,8 @@ resource "aws_lambda_function" "pds_nucleus_init_function" { } resource "aws_s3_bucket" "pds_nucleus_s3_config_bucket" { - bucket = var.pds_nucleus_config_bucket_name + bucket = var.pds_nucleus_config_bucket_name + force_destroy = true } # Create a staging S3 Bucket for each PDS Node diff --git a/terraform/terraform-modules/product-copy-completion-checker/template_lambda_inline_policy.json b/terraform/terraform-modules/product-copy-completion-checker/template_lambda_inline_policy.json deleted file mode 100644 index 169f2ab..0000000 --- a/terraform/terraform-modules/product-copy-completion-checker/template_lambda_inline_policy.json +++ /dev/null 
@@ -1,53 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "logs:CreateLogStream", - "logs:CreateLogGroup", - "logs:PutLogEvents" - ], - "Resource": "arn:aws:logs:*:${pds_nucleus_aws_account_id}:log-group:*:log-stream:*" - }, - { - "Effect": "Allow", - "Action": "rds-data:ExecuteStatement", - "Resource": "arn:aws:rds:*:${pds_nucleus_aws_account_id}:cluster:${rds_cluster_id}" - }, - { - "Effect": "Allow", - "Action": "secretsmanager:GetSecretValue", - "Resource": "arn:aws:secretsmanager:*:${pds_nucleus_aws_account_id}:secret:pds/nucleus/rds/*" - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:PutObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:s3:::pds-nucleus*", - "arn:aws:s3:::pds-nucleus*/*", - "arn:aws:s3:::pds-*-staging*", - "arn:aws:s3:::pds-*-staging*/*" - ] - }, - { - "Effect": "Allow", - "Action": "airflow:CreateCliToken", - "Resource": "arn:aws:airflow:*:${pds_nucleus_aws_account_id}:environment/pds*" - }, - { - "Effect": "Allow", - "Action": [ - "sqs:ReceiveMessage", - "sqs:DeleteMessage", - "sqs:GetQueueAttributes" - ], - "Resource": "arn:aws:sqs:*:${pds_nucleus_aws_account_id}:pds-*" - } - ] -}