fix iam roles

Sellix · Jan 6, 2022 · 9be0a85 · 9be0a85
1 parent 09eb2ea
commit 9be0a85
Show file tree

Hide file tree

Showing 13 changed files with 174 additions and 42 deletions.
diff --git a/beanstalk/beanstalk.tf b/beanstalk/beanstalk.tf
@@ -103,4 +103,4 @@ resource "aws_elastic_beanstalk_environment" "sellix-web-app-environment" {
 resource "aws_elastic_beanstalk_application" "sellix-web-app" {
   name        = local.tags["Project"]
   description = "NodeJS Web Application"
-}
+}
diff --git a/beanstalk/chatbot.tf b/beanstalk/chatbot.tf
@@ -25,4 +25,4 @@ resource "aws_codestarnotifications_notification_rule" "sellix-web-app-codestarn
   target {
     address = data.terraform_remote_state.sellix-web-app-chatbot-terraform-state.outputs["${var.aws_region}_chatbot-arn"]
   }
-}
+}
diff --git a/beanstalk/iam.tf b/beanstalk/iam.tf
@@ -1,4 +1,140 @@
 data "aws_iam_policy_document" "sellix-web-app-default-policy-document" {
+  statement {
+    sid = "EBRequirements"
+    actions = [
+      "autoscaling:DescribeAutoScalingGroups",
+      "autoscaling:DescribeAutoScalingInstances",
+      "autoscaling:DescribeScalingActivities",
+      "autoscaling:DescribeNotificationConfigurations",
+      "autoscaling:AttachInstances",
+      "autoscaling:CreateAutoScalingGroup",
+      "autoscaling:CreateLaunchConfiguration",
+      "autoscaling:DeleteLaunchConfiguration",
+      "autoscaling:DeleteAutoScalingGroup",
+      "autoscaling:DeleteScheduledAction",
+      "autoscaling:DescribeAccountLimits",
+      "autoscaling:DescribeAutoScalingGroups",
+      "autoscaling:DescribeAutoScalingInstances",
+      "autoscaling:DescribeLaunchConfigurations",
+      "autoscaling:DescribeLoadBalancers",
+      "autoscaling:DescribeNotificationConfigurations",
+      "autoscaling:DescribeScalingActivities",
+      "autoscaling:DescribeScheduledActions",
+      "autoscaling:DetachInstances",
+      "autoscaling:PutScheduledUpdateGroupAction",
+      "autoscaling:ResumeProcesses",
+      "autoscaling:SetDesiredCapacity",
+      "autoscaling:SetInstanceProtection",
+      "autoscaling:SuspendProcesses",
+      "autoscaling:TerminateInstanceInAutoScalingGroup",
+      "autoscaling:UpdateAutoScalingGroup",
+      "ec2:DescribeInstances",
+      "ec2:DescribeInstanceStatus",
+      "ec2:GetConsoleOutput",
+      "ec2:AssociateAddress",
+      "ec2:DescribeAddresses",
+      "ec2:DescribeSecurityGroups",
+      "ec2:AssociateAddress",
+      "ec2:AllocateAddress",
+      "ec2:AuthorizeSecurityGroupEgress",
+      "ec2:AuthorizeSecurityGroupIngress",
+      "ec2:CreateSecurityGroup",
+      "ec2:DeleteSecurityGroup",
+      "ec2:DescribeAccountAttributes",
+      "ec2:DescribeAddresses",
+      "ec2:DescribeImages",
+      "ec2:DescribeInstances",
+      "ec2:DescribeKeyPairs",
+      "ec2:DescribeSecurityGroups",
+      "ec2:DescribeSnapshots",
+      "ec2:DescribeSubnets",
+      "ec2:DescribeVpcs",
+      "ec2:DisassociateAddress",
+      "ec2:ReleaseAddress",
+      "ec2:RevokeSecurityGroupEgress",
+      "ec2:RevokeSecurityGroupIngress",
+      "ec2:TerminateInstances",
+      "elasticloadbalancing:DescribeInstanceHealth",
+      "elasticloadbalancing:DescribeLoadBalancers",
+      "elasticloadbalancing:DescribeTargetHealth",
+      "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+      "elasticloadbalancing:ConfigureHealthCheck",
+      "elasticloadbalancing:CreateLoadBalancer",
+      "elasticloadbalancing:DeleteLoadBalancer",
+      "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+      "elasticloadbalancing:DescribeInstanceHealth",
+      "elasticloadbalancing:DescribeLoadBalancers",
+      "elasticloadbalancing:DescribeTargetHealth",
+      "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+      "elasticloadbalancing:DescribeTargetGroups",
+      "elasticloadbalancing:RegisterTargets",
+      "elasticloadbalancing:DeregisterTargets",
+      "iam:ListRoles",
+      "iam:PassRole",
+      "codebuild:CreateProject",
+      "codebuild:DeleteProject",
+      "codebuild:BatchGetBuilds",
+      "codebuild:StartBuild",
+      "cloudwatch:PutMetricAlarm",
+    ]
+    effect    = "Allow"
+    resources = ["*"]
+  }
+  statement {
+    sid = "BucketAccess"
+    actions = [
+      "s3:Get*",
+      "s3:List*",
+      "s3:PutObject",
+      "s3:DeleteObject"
+    ]
+    effect = "Allow"
+    resources = [
+      "arn:aws:s3:::elasticbeanstalk-*",
+      "arn:aws:s3:::elasticbeanstalk-*/*"
+    ]
+  }
+  /* statement {
+    sid = "XRayAccess"
+    actions = [
+      "xray:PutTraceSegments",
+      "xray:PutTelemetryRecords",
+      "xray:GetSamplingRules",
+      "xray:GetSamplingTargets",
+      "xray:GetSamplingStatisticSummaries"
+    ]
+    effect   = "Allow"
+    resources = ["*"]
+  }*/
+  statement {
+    sid = "CloudWatchLogsAccess"
+    actions = [
+      "logs:PutRetentionPolicy",
+      "logs:PutLogEvents",
+      "logs:CreateLogStream",
+      "logs:CreateLogGroup",
+      "logs:DescribeLogStreams",
+      "logs:DescribeLogGroups"
+    ]
+    effect = "Allow"
+    resources = [
+      "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk*"
+    ]
+  }
+  statement {
+    sid = "ElasticBeanstalkHealthAccess"
+    actions = [
+      "elasticbeanstalk:*"
+    ]
+    effect = "Allow"
+    resources = [
+      "arn:aws:elasticbeanstalk:*:*:application/*",
+      "arn:aws:elasticbeanstalk:*:*:environment/*"
+    ]
+  }
+}
+
+/* data "aws_iam_policy_document" "sellix-web-app-default-policy-document" {
   statement {
     sid = ""
     actions = [
@@ -19,7 +155,7 @@ data "aws_iam_policy_document" "sellix-web-app-default-policy-document" {
     resources = ["*"]
     effect    = "Allow"
   }
-}
+} */
 
 data "aws_iam_policy_document" "sellix-web-app-elb-policy-document" {
   statement {
@@ -189,7 +325,7 @@ data "aws_iam_policy_document" "sellix-web-app-codepipeline-codebuild-permission
     ]
     effect = "Allow"
     resources = [
-      "*"
+      aws_codebuild_project.sellix-web-app.arn
     ]
   }
 }
@@ -296,11 +432,6 @@ resource "aws_iam_role_policy_attachment" "sellix-web-app-service-policy-attachm
   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService"
 }
 
-resource "aws_iam_role_policy_attachment" "sellix-web-app-docker-policy-attachment" {
-  role       = aws_iam_role.sellix-web-app-ec2-role.name
-  policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker"
-}
-
 resource "aws_iam_role_policy_attachment" "sellix-web-app-web-tier-policy-attachment" {
   role       = aws_iam_role.sellix-web-app-ec2-role.name
   policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier"
@@ -313,15 +444,7 @@ resource "aws_iam_role_policy_attachment" "sellix-web-app-worker-tier-policy-att
 
 resource "aws_iam_role_policy_attachment" "sellix-web-app-ssm-ec2-policy-attachment" {
   role       = aws_iam_role.sellix-web-app-ec2-role.name
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
-  lifecycle {
-    create_before_destroy = true
-  }
-}
-
-resource "aws_iam_role_policy_attachment" "sellix-web-app-ssm-automation-policy-attachment" {
-  role       = aws_iam_role.sellix-web-app-ec2-role.name
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
   lifecycle {
     create_before_destroy = true
   }
@@ -355,4 +478,4 @@ resource "aws_iam_role_policy_attachment" "sellix-web-app-codepipeline-codebuild
 resource "aws_iam_role_policy_attachment" "sellix-web-app-codepipeline-codestar-permissions-policy-attachment" {
   role       = aws_iam_role.sellix-web-app-codepipeline-role.name
   policy_arn = aws_iam_policy.sellix-web-app-codepipeline-codestar-permissions-policy.arn
-}
+}
diff --git a/beanstalk/locals.tf b/beanstalk/locals.tf
@@ -81,7 +81,7 @@ locals {
     {
       namespace = "aws:elasticbeanstalk:environment:process:default"
       name      = "StickinessEnabled"
-      value     = "${var.canary_deployments}"
+      value     = "true"
     },
     {
       namespace = "aws:elasticbeanstalk:environment:process:default"
@@ -185,7 +185,7 @@ locals {
     {
       namespace = "aws:elasticbeanstalk:command"
       name      = "DeploymentPolicy"
-      value     = "Immutable"
+      value     = var.is_production ? "Immutable" : "AllAtOnce"
     }
   ]
   generic_elb = [
@@ -238,6 +238,11 @@ locals {
       name      = "SecurityGroups"
       value     = aws_security_group.sellix-web-app-security-group.id
     },
+    {
+      namespace = "aws:autoscaling:launchconfiguration"
+      name      = "SSHSourceRestriction"
+      value     = "tcp, 22, 22, 127.0.0.1/32"
+    },
     {
       namespace = "aws:autoscaling:launchconfiguration"
       name      = "InstanceType"
@@ -288,7 +293,7 @@ locals {
     {
       namespace = "aws:autoscaling:updatepolicy:rollingupdate"
       name      = "RollingUpdateType"
-      value     = var.is_production ? "Health" : "Immutable"
+      value     = "Immutable" # var.is_production ? "Health" : "Immutable"
     },
     {
       namespace = "aws:autoscaling:updatepolicy:rollingupdate"
@@ -346,4 +351,4 @@ locals {
       value     = "1"
     }
   ]
-}
+}
diff --git a/beanstalk/outputs.tf b/beanstalk/outputs.tf
@@ -1,3 +1,3 @@
 output "eb_cname" {
   value = aws_elastic_beanstalk_environment.sellix-web-app-environment.cname
-}
+}
diff --git a/beanstalk/pipeline.tf b/beanstalk/pipeline.tf
@@ -86,4 +86,4 @@ resource "aws_codebuild_project" "sellix-web-app" {
     },
     local.tags
   )
-}
+}
diff --git a/beanstalk/s3.tf b/beanstalk/s3.tf
@@ -33,4 +33,4 @@ resource "aws_s3_bucket_public_access_block" "sellix-web-app-elb-logs-public-acc
   block_public_policy     = true
   restrict_public_buckets = true
   ignore_public_acls      = true
-} 
+} 
diff --git a/beanstalk/security.tf b/beanstalk/security.tf
@@ -71,4 +71,4 @@ resource "aws_security_group" "sellix-web-app-elb-security-group" {
     },
     local.tags
   )
-}
+}
diff --git a/beanstalk/variables.tf b/beanstalk/variables.tf
@@ -66,4 +66,4 @@ variable "canary_deployments" {
 variable "is_production" {
   description = "Environment Boolean"
   default     = true
-}
+}
diff --git a/beanstalk/vpc.tf b/beanstalk/vpc.tf
@@ -134,4 +134,4 @@ resource "aws_route_table_association" "sellix-web-app-private-route-table-assoc
   count          = length(local.availability_zones)
   subnet_id      = element(aws_subnet.sellix-web-app-private-subnet.*.id, count.index)
   route_table_id = var.is_production ? element(aws_route_table.sellix-web-app-private-route-table.*.id, count.index) : aws_route_table.sellix-web-app-private-route-table[0].id
-}
+}
diff --git a/main.tf b/main.tf
@@ -4,6 +4,10 @@ terraform {
     aws = {
       "source" = "hashicorp/aws"
     }
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = "~> 3.0"
+    }
   }
   backend "s3" {
     profile        = "sellix-terraform"
@@ -80,4 +84,4 @@ output "eu-west-1_eb-cname" {
 
 output "us-east-1_eb-cname" {
   value = module.us-east-1.*.eb_cname
-}
+}
diff --git a/terraform.tfvars.example.json b/terraform.tfvars.example.json
@@ -8,26 +8,26 @@
   "github_opts": {
     "repo": "",
     "branch": "",
-    "org":  ""
+    "org": ""
   },
-  "ssl_arn":  {
+  "ssl_arn": {
     "eu-west-1": {
-      "staging":     "",
-      "production":  ""
+      "staging": "",
+      "production": ""
     },
     "us-east-1": {
-      "staging":     "",
-      "production":  ""
+      "staging": "",
+      "production": ""
     }
   },
   "vpc_peerings": {
     "eu-west-1": {
-      "staging":     "",
-      "production":  ""
+      "staging": "",
+      "production": ""
     },
     "us-east-1": {
-      "staging":     "",
-      "production":  ""
+      "staging": "",
+      "production": ""
     }
   }
-}
+}
diff --git a/variables.tf b/variables.tf
@@ -44,4 +44,4 @@ variable "codestar_connection_arn" {
 variable "canary_deployments" {
   description = "Enables canary deployments through TG, ALB stickiness and EB traffic splitting"
   default     = null
-}
+}