Fewer IAM resources with inline policies

They're each only used by a single role
jonhoo · Jan 3, 2024 · b5d581a · b5d581a
1 parent c5819fd
commit b5d581a
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 60 deletions.
diff --git a/infra/lambda.tf b/infra/lambda.tf
@@ -8,13 +8,6 @@ data "aws_iam_policy_document" "xray" {
   }
 }
 
-resource "aws_iam_policy" "xray" {
-  # TODO: https://github.com/hashicorp/terraform-provider-aws/issues/32906
-  name   = "AWSLambdaTracerAccessExecutionRole-14a6d1b5-3a03-4b02-94ca-fec2eced24ab"
-  path   = "/service-role/"
-  policy = data.aws_iam_policy_document.xray.json
-}
-
 data "aws_iam_policy_document" "cloudwatch" {
   statement {
     actions = [
@@ -32,11 +25,22 @@ data "aws_iam_policy_document" "cloudwatch" {
   }
 }
 
-resource "aws_iam_policy" "cloudwatch" {
-  # TODO: https://github.com/hashicorp/terraform-provider-aws/issues/32906
-  name   = "AWSLambdaBasicExecutionRole-b586114a-ba08-47b0-afe0-82c4d81857a0"
-  path   = "/service-role/"
-  policy = data.aws_iam_policy_document.cloudwatch.json
+data "aws_iam_policy_document" "dynamodb" {
+  statement {
+    actions = [
+      "dynamodb:UpdateItem",
+      "dynamodb:Scan",
+      "dynamodb:Query",
+      "dynamodb:PutItem",
+      "dynamodb:GetItem",
+      "dynamodb:BatchGetItem",
+    ]
+    resources = [
+      aws_dynamodb_table.events.arn,
+      aws_dynamodb_table.questions.arn,
+      "${aws_dynamodb_table.questions.arn}/index/top"
+    ]
+  }
 }
 
 data "aws_iam_policy_document" "assume_role" {
@@ -53,35 +57,22 @@ resource "aws_iam_role" "www" {
   name               = "wewerewondering-api"
   assume_role_policy = data.aws_iam_policy_document.assume_role.json
   path               = "/service-role/"
+
   managed_policy_arns = [
-    aws_iam_policy.cloudwatch.arn,
-    aws_iam_policy.xray.arn,
     "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"
   ]
-}
-
-data "aws_iam_policy_document" "dynamodb" {
-  statement {
-    actions = [
-      "dynamodb:UpdateItem",
-      "dynamodb:Scan",
-      "dynamodb:Query",
-      "dynamodb:PutItem",
-      "dynamodb:GetItem",
-      "dynamodb:BatchGetItem",
-    ]
-    resources = [
-      aws_dynamodb_table.events.arn,
-      aws_dynamodb_table.questions.arn,
-      "${aws_dynamodb_table.questions.arn}/index/top"
-    ]
+  inline_policy {
+    name   = "xray"
+    policy = data.aws_iam_policy_document.xray.json
+  }
+  inline_policy {
+    name   = "cloudwatch"
+    policy = data.aws_iam_policy_document.cloudwatch.json
+  }
+  inline_policy {
+    name   = "api-db-access"
+    policy = data.aws_iam_policy_document.dynamodb.json
   }
-}
-
-resource "aws_iam_role_policy" "dynamodb" {
-  name   = "api-db-access"
-  role   = aws_iam_role.www.id
-  policy = data.aws_iam_policy_document.dynamodb.json
 }
 
 check "lambda-built" {

diff --git a/infra/terraform.tf b/infra/terraform.tf
@@ -74,6 +74,11 @@ data "aws_iam_policy_document" "tfc_plan_assume" {
 resource "aws_iam_role" "tfc_plan" {
   name               = "tfc-plan-role"
   assume_role_policy = data.aws_iam_policy_document.tfc_plan_assume.json
+
+  inline_policy {
+    name   = "planning-permits"
+    policy = data.aws_iam_policy_document.tfc_plan_policy.json
+  }
 }
 data "aws_iam_policy_document" "tfc_apply_assume" {
   statement {
@@ -100,6 +105,11 @@ data "aws_iam_policy_document" "tfc_apply_assume" {
 resource "aws_iam_role" "tfc_apply" {
   name               = "tfc-apply-role"
   assume_role_policy = data.aws_iam_policy_document.tfc_apply_assume.json
+
+  inline_policy {
+    name   = "apply-permits"
+    policy = data.aws_iam_policy_document.tfc_apply_policy.json
+  }
 }
 
 # Creates a policy that will be used to define the permissions that
@@ -224,35 +234,12 @@ data "aws_iam_policy_document" "tfc_plan_policy" {
     ]
   }
 }
-resource "aws_iam_policy" "tfc_plan_policy" {
-  name        = "tfc-plan-policy"
-  description = "TFC plan run policy"
-  policy      = data.aws_iam_policy_document.tfc_plan_policy.json
-}
 data "aws_iam_policy_document" "tfc_apply_policy" {
   statement {
     actions   = ["*"]
     resources = ["*"]
   }
 }
-resource "aws_iam_policy" "tfc_apply_policy" {
-  name        = "tfc-apply-policy"
-  description = "TFC applyrun policy"
-  policy      = data.aws_iam_policy_document.tfc_apply_policy.json
-}
-
-# Creates an attachment to associate the above policy with the
-# previously created role.
-#
-# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment
-resource "aws_iam_role_policy_attachment" "tfc_plan" {
-  role       = aws_iam_role.tfc_plan.name
-  policy_arn = aws_iam_policy.tfc_plan_policy.arn
-}
-resource "aws_iam_role_policy_attachment" "tfc_apply" {
-  role       = aws_iam_role.tfc_apply.name
-  policy_arn = aws_iam_policy.tfc_apply_policy.arn
-}
 
 # Data source used to grab the project under which a workspace will be created.
 #