-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathaws_terraform_iam_grant_s3_dynamodb.sh
120 lines (98 loc) · 3.29 KB
/
aws_terraform_iam_grant_s3_dynamodb.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
#!/usr/bin/env bash
set -euo pipefail
[ -n "${DEBUG:-}" ] && set -x
srcdir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck disable=SC1090,SC1091
. "$srcdir/lib/aws.sh"
# shellcheck disable=SC2034,SC2154
usage_description="
Creates IAM policies for S3 buckets and DynamoDB tables containing 'terraform-state' or 'tf-state' in their name
Attaches these policies to the specified user, which must already exist (run aws_terraform_create_credential.sh first)
Necessary for limited privilege CI/CD accounts such as GitHub Actions pull request Terraform Plan only workflows using a Read Only account
Idempotent, skips creation of the policies if they already exist
$usage_aws_cli_required
"
# used by usage() in lib/utils.sh
# shellcheck disable=SC2034
usage_args="<user_name> [<aws_cli_options>]"
help_usage "$@"
min_args 1 "$@"
user="$1"
shift || :
export AWS_DEFAULT_OUTPUT=json
aws_account_id="$(aws_account_id)"
dynamodb_policy="Terraform-DynamoDB-Lock-Tables"
s3_policy="Terraform-S3-Buckets"
timestamp "Generating S3 policy document '$s3_policy'"
s3_policy_document="$(cat <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TerraformS3Bucket",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::*tf-state*",
"arn:aws:s3:::*terraform-state*"
]
}
]
}
EOF
)"
timestamp "Generating DynamoDB policy document '$dynamodb_policy'"
dynamodb_policy_document="$(cat <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TerraformLock",
"Effect": "Allow",
"Action": [
"dynamodb:PutItem",
"dynamodb:DeleteItem"
],
"Resource": [
"arn:aws:dynamodb:*:$aws_account_id:table/*terraform-state*",
"arn:aws:dynamodb:*:$aws_account_id:table/*tf-state*"
]
}
]
}
EOF
)"
echo
create_policy(){
local policy="$1"
local policy_document="$2"
timestamp "Checking if policy '$policy' exists"
set +o pipefail # early termination from the pipeline will fail the check otherwise
if aws iam list-policies | jq -r '.Policies[].PolicyName' | grep -Fxq "$policy"; then
timestamp "WARNING: policy '$policy' already exists, not creating..."
else
timestamp "Creating Terraform policy '$policy'"
aws iam create-policy --policy-name "$policy" --policy-document "$policy_document"
timestamp "Policy created"
fi
set -o pipefail
echo
}
attach_policy(){
local policy="$1"
timestamp "Attaching policy '$policy' to user '$user'"
timestamp "Determining ARN for policy '$policy'"
policy_arn="$(aws iam list-policies | jq -r ".Policies[] | select(.PolicyName == \"$policy\") | .Arn")"
timestamp "Determined policy ARN: $policy_arn"
timestamp "Granting policy '$policy' permissions directly to user '$user' in account '$aws_account_id'"
aws iam attach-user-policy --user-name "$user" --policy-arn "$policy_arn"
echo
}
create_policy "$dynamodb_policy" "$dynamodb_policy_document"
create_policy "$s3_policy" "$s3_policy_document"
attach_policy "$dynamodb_policy"
attach_policy "$s3_policy"
timestamp "Done"