-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Initial AWS Vendor Access Module Configuration (#2)
* Initial commit * Updated bootstrap policy with proper resource tag conditions * Reworked conditionals in remaining policies to be more accurate * Changed passrole permissions; updated readme * Added example policy files * Sanitized account id * Policy adjustments from testing * AWS readme update * Policy update * Added root README, restructred folders * Example update * Removed CF template to allow for release of current module; will add back at a future date
- Loading branch information
Showing
19 changed files
with
4,194 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
|
|
||
| # Local .terraform directories | ||
| **/.terraform/* | ||
|
|
||
| # .tfstate files | ||
| *.tfstate | ||
| *.tfstate.* | ||
|
|
||
| # tf lock files | ||
| .terraform.lock.hcl | ||
|
|
||
| # Crash log files | ||
| crash.log | ||
|
|
||
| # Ignore any .tfvars files that are generated automatically for each Terraform run. Most | ||
| # .tfvars files are managed as part of configuration and so should be included in | ||
| # version control. | ||
| # | ||
| # example.tfvars | ||
|
|
||
| # Ignore override files as they are usually used to override resources locally and so | ||
| # are not checked in | ||
| override.tf | ||
| override.tf.json | ||
| *_override.tf | ||
| *_override.tf.json | ||
|
|
||
| # Include override files you do wish to add to version control using negated pattern | ||
| # | ||
| # !example_override.tf | ||
|
|
||
| # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan | ||
| # example: *tfplan* | ||
|
|
||
| # Ignore CLI configuration files | ||
| .terraformrc | ||
| terraform.rc | ||
|
|
||
| .DS_Store | ||
| .vscode/ | ||
| .idea/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| # StreamNative Managed Cloud | ||
| This repository contains Terraform modules for the management of StreamNative's vendor access into a Cloud Provider. | ||
|
|
||
| Previous verions of these modules can be found in the following locations: | ||
| - [terraform-aws-cloud//modules/managed-cloud?ref=v2.5.0](https://github.com/streamnative/terraform-aws-cloud/tree/v2.5.0-alpha/modules/managed-cloud): This was the original location of the AWS vendor access module, which has been moved to this repository. The last version released to the Terraform Registry was `v2.5.0-alpha`. | ||
| - [https://github.com/streamnative/terraform-aws-managed-cloud](https://github.com/streamnative/terraform-aws-managed-cloud): This repository contains an older AWS vendor access module, which has been deprecated and is no longer in use. | ||
|
|
||
| ## Modules | ||
| The modules are organized by Cloud Provider. For example, the AWS modules are in the `modules/aws` directory and the GCP modules (WIP) modules are in the `modules/gcp`, and so on. | ||
|
|
||
| ## Examples | ||
| Examples of the modules can be found in the `examples` directory. | ||
|
|
||
| Details on the modules themselves and their requirements can be found in their respective README files, contained in the `modules` directory. | ||
|
|
||
| ## Upgrading an existing AWS module | ||
| If you have used the previous version of the AWS vendor access module, your configuration should have looked something like this: | ||
|
|
||
| ```hcl | ||
| module "sn_managed_cloud" { | ||
| source = "github.com/streamnative/terraform-aws-cloud//modules/managed-cloud?ref=v2.5.0-alpha" | ||
| external_id = "o-kxb4r" | ||
| runtime_hosted_zone_allowed_ids = ["arn:aws:route53:::hostedzone/Z00048871IAX8IX9HGD0"] | ||
| region = "us-west-2" | ||
| use_runtime_policy = true | ||
| } | ||
| ``` | ||
|
|
||
| Upgrading to this version of the module is quite simple, but does involve a few minor changes. | ||
|
|
||
| - The `source` URL has changed to `github.com/streamnative/terraform--managed-cloud//modules/aws?ref=v3.0.0` (note the tag reference, which as of this writing is `v3.0.0`). | ||
| - `use_runtime_poliy` has been removed, as it is now the default behavior. | ||
| - `runtime_hosted_zone_allowed_ids` has been renamed to `hosted_zone_allowed_ids`, and it now properly accepts a list of IDs for your hosted zones, rather than the full ARNs. | ||
|
|
||
| With these changes in mind, your configuration should now look like this: | ||
|
|
||
| ```hcl | ||
| module "sn_managed_cloud" { | ||
| source = "github.com/streamnative/terraform-managed-cloud//modules/managed-cloud?ref=v2.5.0-alpha" | ||
| external_id = "o-kxb4r" | ||
| hosted_zone_allowed_ids = ["Z00048871IAX8IX9HGD0"] | ||
| region = "us-west-2" | ||
| } | ||
| ``` | ||
|
|
||
| After making changes to your configuration, you can run `terraform init` to download the new module, and then `terraform apply` to apply the changes. | ||
|
|
||
| In most cases, you will see the module wanting to change 7 resources (the total number of resources created by this module, if `use_runtime_policy` was set to `true`). | ||
|
|
||
| Most of the changes are in the IAM policies, which allow for compatability with the [v3.0.0 release](https://github.com/streamnative/terraform-aws-cloud/pull/91) of the `terraform-aws-cloud` module (this Terraform module is used for creating a StreamNative Cloud EKS environment). | ||
|
|
||
| If you have questions or concerns with these changes, please reach out to your StreamNative account representative. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| provider "aws" { | ||
| region = "us-west-2" | ||
| } | ||
|
|
||
| module "aws-managed-cloud" { | ||
| source = "../../modules/aws" | ||
|
|
||
| external_id = "o-kxb4r" | ||
| hosted_zone_allowed_ids = ["Z00048871IAX8IX9HGD0"] | ||
| region = "us-west-2" | ||
| write_policy_files = true # Writes the rendered policy files to the `policy_files` directory, found in this example | ||
|
|
||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,227 @@ | ||
| { | ||
| "Version": "2012-10-17", | ||
| "Statement": [ | ||
| { | ||
| "Effect": "Allow", | ||
| "Action": [ | ||
| "iam:CreateServiceLinkedRole" | ||
| ], | ||
| "Resource": "*", | ||
| "Condition": { | ||
| "StringEquals": { | ||
| "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com" | ||
| } | ||
| } | ||
| }, | ||
| { | ||
| "Effect": "Allow", | ||
| "Action": [ | ||
| "ec2:DescribeAccountAttributes", | ||
| "ec2:DescribeAddresses", | ||
| "ec2:DescribeAvailabilityZones", | ||
| "ec2:DescribeInternetGateways", | ||
| "ec2:DescribeVpcs", | ||
| "ec2:DescribeVpcPeeringConnections", | ||
| "ec2:DescribeSubnets", | ||
| "ec2:DescribeSecurityGroups", | ||
| "ec2:DescribeInstances", | ||
| "ec2:DescribeNetworkInterfaces", | ||
| "ec2:DescribeTags", | ||
| "ec2:GetCoipPoolUsage", | ||
| "ec2:DescribeCoipPools", | ||
| "elasticloadbalancing:DescribeLoadBalancers", | ||
| "elasticloadbalancing:DescribeLoadBalancerAttributes", | ||
| "elasticloadbalancing:DescribeListeners", | ||
| "elasticloadbalancing:DescribeListenerCertificates", | ||
| "elasticloadbalancing:DescribeSSLPolicies", | ||
| "elasticloadbalancing:DescribeRules", | ||
| "elasticloadbalancing:DescribeTargetGroups", | ||
| "elasticloadbalancing:DescribeTargetGroupAttributes", | ||
| "elasticloadbalancing:DescribeTargetHealth", | ||
| "elasticloadbalancing:DescribeTags" | ||
| ], | ||
| "Resource": "*" | ||
| }, | ||
| { | ||
| "Effect": "Allow", | ||
| "Action": [ | ||
| "cognito-idp:DescribeUserPoolClient", | ||
| "acm:ListCertificates", | ||
| "acm:DescribeCertificate", | ||
| "iam:ListServerCertificates", | ||
| "iam:GetServerCertificate", | ||
| "waf-regional:GetWebACL", | ||
| "waf-regional:GetWebACLForResource", | ||
| "waf-regional:AssociateWebACL", | ||
| "waf-regional:DisassociateWebACL", | ||
| "wafv2:GetWebACL", | ||
| "wafv2:GetWebACLForResource", | ||
| "wafv2:AssociateWebACL", | ||
| "wafv2:DisassociateWebACL", | ||
| "shield:GetSubscriptionState", | ||
| "shield:DescribeProtection", | ||
| "shield:CreateProtection", | ||
| "shield:DeleteProtection" | ||
| ], | ||
| "Resource": "*" | ||
| }, | ||
| { | ||
| "Effect": "Allow", | ||
| "Action": [ | ||
| "ec2:AuthorizeSecurityGroupIngress", | ||
| "ec2:RevokeSecurityGroupIngress" | ||
| ], | ||
| "Resource": "*", | ||
| "Condition": { | ||
| "StringEquals": { | ||
| "aws:ResourceTag/Vendor": "StreamNative" | ||
| } | ||
| } | ||
| }, | ||
| { | ||
| "Effect": "Allow", | ||
| "Action": [ | ||
| "ec2:CreateSecurityGroup" | ||
| ], | ||
| "Resource": "*" | ||
| }, | ||
| { | ||
| "Effect": "Allow", | ||
| "Action": [ | ||
| "ec2:CreateTags" | ||
| ], | ||
| "Resource": "arn:aws:ec2:*:*:security-group/*", | ||
| "Condition": { | ||
| "StringEquals": { | ||
| "ec2:CreateAction": "CreateSecurityGroup" | ||
| }, | ||
| "Null": { | ||
| "aws:RequestTag/elbv2.k8s.aws/cluster": "false" | ||
| } | ||
| } | ||
| }, | ||
| { | ||
| "Effect": "Allow", | ||
| "Action": [ | ||
| "ec2:CreateTags", | ||
| "ec2:DeleteTags" | ||
| ], | ||
| "Resource": "arn:aws:ec2:*:*:security-group/*", | ||
| "Condition": { | ||
| "Null": { | ||
| "aws:RequestTag/elbv2.k8s.aws/cluster": "true", | ||
| "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" | ||
| } | ||
| } | ||
| }, | ||
| { | ||
| "Effect": "Allow", | ||
| "Action": [ | ||
| "ec2:AuthorizeSecurityGroupIngress", | ||
| "ec2:RevokeSecurityGroupIngress", | ||
| "ec2:DeleteSecurityGroup" | ||
| ], | ||
| "Resource": "*", | ||
| "Condition": { | ||
| "Null": { | ||
| "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" | ||
| }, | ||
| "StringEquals": { | ||
| "aws:ResourceTag/Vendor": "StreamNative" | ||
| } | ||
| } | ||
| }, | ||
| { | ||
| "Effect": "Allow", | ||
| "Action": [ | ||
| "elasticloadbalancing:CreateLoadBalancer", | ||
| "elasticloadbalancing:CreateTargetGroup" | ||
| ], | ||
| "Resource": "*", | ||
| "Condition": { | ||
| "Null": { | ||
| "aws:RequestTag/elbv2.k8s.aws/cluster": "false" | ||
| } | ||
| } | ||
| }, | ||
| { | ||
| "Effect": "Allow", | ||
| "Action": [ | ||
| "elasticloadbalancing:CreateListener", | ||
| "elasticloadbalancing:DeleteListener", | ||
| "elasticloadbalancing:CreateRule", | ||
| "elasticloadbalancing:DeleteRule" | ||
| ], | ||
| "Resource": "*" | ||
| }, | ||
| { | ||
| "Effect": "Allow", | ||
| "Action": [ | ||
| "elasticloadbalancing:AddTags", | ||
| "elasticloadbalancing:RemoveTags" | ||
| ], | ||
| "Resource": [ | ||
| "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*", | ||
| "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*", | ||
| "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*" | ||
| ], | ||
| "Condition": { | ||
| "Null": { | ||
| "aws:RequestTag/elbv2.k8s.aws/cluster": "true", | ||
| "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" | ||
| } | ||
| } | ||
| }, | ||
| { | ||
| "Effect": "Allow", | ||
| "Action": [ | ||
| "elasticloadbalancing:AddTags", | ||
| "elasticloadbalancing:RemoveTags" | ||
| ], | ||
| "Resource": [ | ||
| "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*", | ||
| "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*", | ||
| "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*", | ||
| "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*" | ||
| ] | ||
| }, | ||
| { | ||
| "Effect": "Allow", | ||
| "Action": [ | ||
| "elasticloadbalancing:ModifyLoadBalancerAttributes", | ||
| "elasticloadbalancing:SetIpAddressType", | ||
| "elasticloadbalancing:SetSecurityGroups", | ||
| "elasticloadbalancing:SetSubnets", | ||
| "elasticloadbalancing:DeleteLoadBalancer", | ||
| "elasticloadbalancing:ModifyTargetGroup", | ||
| "elasticloadbalancing:ModifyTargetGroupAttributes", | ||
| "elasticloadbalancing:DeleteTargetGroup" | ||
| ], | ||
| "Resource": "*", | ||
| "Condition": { | ||
| "Null": { | ||
| "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" | ||
| } | ||
| } | ||
| }, | ||
| { | ||
| "Effect": "Allow", | ||
| "Action": [ | ||
| "elasticloadbalancing:RegisterTargets", | ||
| "elasticloadbalancing:DeregisterTargets" | ||
| ], | ||
| "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*" | ||
| }, | ||
| { | ||
| "Effect": "Allow", | ||
| "Action": [ | ||
| "elasticloadbalancing:SetWebAcl", | ||
| "elasticloadbalancing:ModifyListener", | ||
| "elasticloadbalancing:AddListenerCertificates", | ||
| "elasticloadbalancing:RemoveListenerCertificates", | ||
| "elasticloadbalancing:ModifyRule" | ||
| ], | ||
| "Resource": "*" | ||
| } | ||
| ] | ||
| } |
Oops, something went wrong.