Add some policy statements

rabiloo · Oct 22, 2024 · b788be5 · b788be5
1 parent 51c763d
commit b788be5
Show file tree

Hide file tree

Showing 7 changed files with 174 additions and 21 deletions.
diff --git a/modules/ecs-task-role/README.md b/modules/ecs-task-role/README.md
@@ -73,11 +73,11 @@ module "task_role" {
 | <a name="input_enable_ssm_core_policy"></a> [enable\_ssm\_core\_policy](#input\_enable\_ssm\_core\_policy) | Enable to attach AmazonSSMManagedInstanceCore to task role | `bool` | `true` | no |
 | <a name="input_path"></a> [path](#input\_path) | The path to the IAM role | `string` | `"/"` | no |
 | <a name="input_permissions_boundary_arn"></a> [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | The permissions boundary of the IAM role | `string` | `""` | no |
-| <a name="input_readable_s3_arns"></a> [readable\_s3\_arns](#input\_readable\_s3\_arns) | The list of S3 ARN that can be read from | `list(string)` | <pre>[<br>  "arn:aws:s3:::*"<br>]</pre> | no |
-| <a name="input_sendable_ses_arns"></a> [sendable\_ses\_arns](#input\_sendable\_ses\_arns) | The list of SES domain identity ARN that can be sent from | `list(string)` | <pre>[<br>  "arn:aws:ses:*:*:*"<br>]</pre> | no |
+| <a name="input_readable_s3_arns"></a> [readable\_s3\_arns](#input\_readable\_s3\_arns) | The list of S3 ARN that can be read from | `list(string)` | <pre>[<br/>  "arn:aws:s3:::*"<br/>]</pre> | no |
+| <a name="input_sendable_ses_arns"></a> [sendable\_ses\_arns](#input\_sendable\_ses\_arns) | The list of SES domain identity ARN that can be sent from | `list(string)` | <pre>[<br/>  "arn:aws:ses:*:*:*"<br/>]</pre> | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | The list of tags to apply to the IAM role | `map(string)` | `{}` | no |
-| <a name="input_writable_log_group_arns"></a> [writable\_log\_group\_arns](#input\_writable\_log\_group\_arns) | The list of Log group ARN that can be written to | `list(string)` | <pre>[<br>  "arn:aws:logs:::*"<br>]</pre> | no |
-| <a name="input_writable_s3_arns"></a> [writable\_s3\_arns](#input\_writable\_s3\_arns) | The list of S3 ARN that can be written to | `list(string)` | <pre>[<br>  "arn:aws:s3:::*"<br>]</pre> | no |
+| <a name="input_writable_log_group_arns"></a> [writable\_log\_group\_arns](#input\_writable\_log\_group\_arns) | The list of Log group ARN that can be written to | `list(string)` | <pre>[<br/>  "arn:aws:logs:::*"<br/>]</pre> | no |
+| <a name="input_writable_s3_arns"></a> [writable\_s3\_arns](#input\_writable\_s3\_arns) | The list of S3 ARN that can be written to | `list(string)` | <pre>[<br/>  "arn:aws:s3:::*"<br/>]</pre> | no |
 
 ## Outputs
 

diff --git a/modules/execution-role/README.md b/modules/execution-role/README.md
@@ -7,7 +7,7 @@ This submodule help create an IAM assumable role for ECS Task Execution Role
 ```hcl
 module "task_execution_role" {
   source  = "rabiloo/ecs/aws//modules/ecs-execution-role"
-  version = "~>0.3.0"
+  version = "~>0.3.1"
 
   name = "custom-ecs-execution-role"
   path = "/service-roles/"
@@ -17,12 +17,8 @@ module "task_execution_role" {
     Managed = "Terraform"
   }
 
-  statements = {
-    Logs = {
-      actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
-      resources = ["*"]
-    }
-  }
+  enable_write_log_streams = true
+  enable_pull_ecr_images   = true
 }
 ```
 
@@ -48,8 +44,9 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_iam_policy.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy_attachment.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -61,12 +58,20 @@ No modules.
 | <a name="input_name"></a> [name](#input\_name) | The name of the IAM role | `string` | n/a | yes |
 | <a name="input_create"></a> [create](#input\_create) | Determines whether resources will be created (affects all resources) | `bool` | `true` | no |
 | <a name="input_description"></a> [description](#input\_description) | The description of the IAM role | `string` | `null` | no |
+| <a name="input_enable_pull_ecr_images"></a> [enable\_pull\_ecr\_images](#input\_enable\_pull\_ecr\_images) | Controls if the task execution role will be permitted to pull ECR private repositories | `bool` | `false` | no |
+| <a name="input_enable_read_secrets"></a> [enable\_read\_secrets](#input\_enable\_read\_secrets) | Controls if the task execution role will be permitted to get/read SecretsManager secrets | `bool` | `false` | no |
+| <a name="input_enable_read_ssm_params"></a> [enable\_read\_ssm\_params](#input\_enable\_read\_ssm\_params) | Controls if the task execution role will be permitted to get/read SSM parameters | `bool` | `false` | no |
+| <a name="input_enable_write_log_streams"></a> [enable\_write\_log\_streams](#input\_enable\_write\_log\_streams) | Controls if the task execution role will be permitted to put/write CloudWatch log streams | `bool` | `false` | no |
 | <a name="input_path"></a> [path](#input\_path) | The path to the IAM role | `string` | `"/"` | no |
 | <a name="input_permissions_boundary_arn"></a> [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | The permissions boundary of the IAM role | `string` | `null` | no |
 | <a name="input_policy_arns"></a> [policy\_arns](#input\_policy\_arns) | The list of IAM policy ARN be attached to IAM role | `map(string)` | `{}` | no |
+| <a name="input_pullable_ecr_images"></a> [pullable\_ecr\_images](#input\_pullable\_ecr\_images) | List of ECR private repositories the task execution role will be permitted to pull | `list(string)` | <pre>[<br/>  "*"<br/>]</pre> | no |
+| <a name="input_readable_secrets"></a> [readable\_secrets](#input\_readable\_secrets) | List of SecretsManager secret ARNs the task execution role will be permitted to get/read | `list(string)` | <pre>[<br/>  "arn:aws:secretsmanager:*:*:secret:*"<br/>]</pre> | no |
+| <a name="input_readable_ssm_params"></a> [readable\_ssm\_params](#input\_readable\_ssm\_params) | List of SSM parameter ARNs the task execution role will be permitted to get/read | `list(string)` | <pre>[<br/>  "arn:aws:ssm:*:*:parameter/*"<br/>]</pre> | no |
 | <a name="input_statements"></a> [statements](#input\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage | `any` | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | TheA map of tags to add to all resources | `map(string)` | `{}` | no |
 | <a name="input_use_name_prefix"></a> [use\_name\_prefix](#input\_use\_name\_prefix) | Determines whether the IAM role name is used as a prefix | `bool` | `true` | no |
+| <a name="input_writable_log_streams"></a> [writable\_log\_streams](#input\_writable\_log\_streams) | List of CloudWatch log streams the task execution role will be permitted to put/write | `list(string)` | <pre>[<br/>  "*"<br/>]</pre> | no |
 
 ## Outputs
 

diff --git a/modules/execution-role/main.tf b/modules/execution-role/main.tf
@@ -6,7 +6,7 @@
 locals {
   name_prefix = "${trimsuffix(var.name)}-"
 
-  create_custom_policy = var.create && length(var.statements) > 0
+  create_custom_policy = var.create && (length(var.statements) > 0 || var.enable_read_ssm_params || var.enable_read_secrets || var.enable_write_log_streams || var.enable_pull_ecr_images)
 }
 
 data "aws_iam_policy_document" "assume_role" {
@@ -48,6 +48,65 @@ resource "aws_iam_role_policy_attachment" "this" {
 data "aws_iam_policy_document" "custom" {
   count = local.create_custom_policy ? 1 : 0
 
+  dynamic "statement" {
+    for_each = var.enable_write_log_streams ? [1] : []
+
+    content {
+      sid = "WriteLogs"
+      actions = [
+        "logs:CreateLogStream",
+        "logs:PutLogEvents",
+      ]
+      resources = var.writable_log_streams
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.enable_pull_ecr_images ? [1] : []
+
+    content {
+      sid = "GetECRToken"
+      actions = [
+        "ecr:GetAuthorizationToken",
+      ]
+      resources = ["*"]
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.enable_pull_ecr_images ? [1] : []
+
+    content {
+      sid = "PullECRImages"
+      actions = [
+        "ecr:BatchCheckLayerAvailability",
+        "ecr:GetDownloadUrlForLayer",
+        "ecr:BatchGetImage",
+      ]
+      resources = var.pullable_ecr_images
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.enable_read_ssm_params ? [1] : []
+
+    content {
+      sid       = "GetSSMParams"
+      actions   = ["ssm:GetParameters"]
+      resources = var.readable_ssm_params
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.enable_read_secrets ? [1] : []
+
+    content {
+      sid       = "GetSecrets"
+      actions   = ["secretsmanager:GetSecretValue"]
+      resources = var.readable_secrets
+    }
+  }
+
   dynamic "statement" {
     for_each = var.statements
 
@@ -90,11 +149,19 @@ data "aws_iam_policy_document" "custom" {
   }
 }
 
-resource "aws_iam_role_policy" "custom" {
+resource "aws_iam_policy" "custom" {
   count = local.create_custom_policy ? 1 : 0
 
   name        = var.use_name_prefix ? null : var.name
   name_prefix = var.use_name_prefix ? local.name_prefix : null
   policy      = data.aws_iam_policy_document.custom[0].json
-  role        = aws_iam_role.this[0].id
+  description = "Task execution role IAM policy"
+  tags        = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "custom" {
+  count = local.create_custom_policy ? 1 : 0
+
+  role       = aws_iam_role.this[0].id
+  policy_arn = aws_iam_policy.custom[0].arn
 }
diff --git a/modules/execution-role/variables.tf b/modules/execution-role/variables.tf
@@ -65,3 +65,51 @@ variable "statements" {
   type        = any
   default     = {}
 }
+
+variable "enable_read_ssm_params" {
+  description = "Controls if the task execution role will be permitted to get/read SSM parameters"
+  type        = bool
+  default     = false
+}
+
+variable "readable_ssm_params" {
+  description = "List of SSM parameter ARNs the task execution role will be permitted to get/read"
+  type        = list(string)
+  default     = ["arn:aws:ssm:*:*:parameter/*"]
+}
+
+variable "enable_read_secrets" {
+  description = "Controls if the task execution role will be permitted to get/read SecretsManager secrets"
+  type        = bool
+  default     = false
+}
+
+variable "readable_secrets" {
+  description = "List of SecretsManager secret ARNs the task execution role will be permitted to get/read"
+  type        = list(string)
+  default     = ["arn:aws:secretsmanager:*:*:secret:*"]
+}
+
+variable "enable_write_log_streams" {
+  description = "Controls if the task execution role will be permitted to put/write CloudWatch log streams"
+  type        = bool
+  default     = false
+}
+
+variable "writable_log_streams" {
+  description = "List of CloudWatch log streams the task execution role will be permitted to put/write"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "enable_pull_ecr_images" {
+  description = "Controls if the task execution role will be permitted to pull ECR private repositories"
+  type        = bool
+  default     = false
+}
+
+variable "pullable_ecr_images" {
+  description = "List of ECR private repositories the task execution role will be permitted to pull"
+  type        = list(string)
+  default     = ["*"]
+}
diff --git a/modules/task-role/README.md b/modules/task-role/README.md
@@ -7,7 +7,7 @@ This submodule help create an IAM assumable role for ECS Task
 ```hcl
 module "task_role" {
   source  = "rabiloo/ecs/aws//modules/task-role"
-  version = "~>0.3.0"
+  version = "~>0.3.1"
 
   name = "custom-ecs-task-role"
   path = "/service-roles/"
@@ -17,6 +17,8 @@ module "task_role" {
     Managed = "Terraform"
   }
 
+  enable_execute_command = true
+
   statements = {
     Logs = {
       actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
@@ -49,8 +51,9 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_iam_policy.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy_attachment.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -65,6 +68,7 @@ No modules.
 | <a name="input_name"></a> [name](#input\_name) | The name of the IAM role | `string` | n/a | yes |
 | <a name="input_create"></a> [create](#input\_create) | Determines whether resources will be created (affects all resources) | `bool` | `true` | no |
 | <a name="input_description"></a> [description](#input\_description) | The description of the IAM role | `string` | `null` | no |
+| <a name="input_enable_execute_command"></a> [enable\_execute\_command](#input\_enable\_execute\_command) | Specifies whether to enable Amazon ECS Exec for the tasks within the service | `bool` | `false` | no |
 | <a name="input_path"></a> [path](#input\_path) | The path to the IAM role | `string` | `"/"` | no |
 | <a name="input_permissions_boundary_arn"></a> [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | The permissions boundary of the IAM role | `string` | `null` | no |
 | <a name="input_policy_arns"></a> [policy\_arns](#input\_policy\_arns) | The list of IAM policy ARN be attached to IAM role | `map(string)` | `{}` | no |

diff --git a/modules/task-role/main.tf b/modules/task-role/main.tf
@@ -13,7 +13,7 @@ locals {
   region      = data.aws_region.current.name
   name_prefix = "${trimsuffix(var.name)}-"
 
-  create_custom_policy = var.create && length(var.statements) > 0
+  create_custom_policy = var.create && (length(var.statements) > 0 || var.enable_execute_command)
 }
 
 data "aws_iam_policy_document" "assume_role" {
@@ -66,7 +66,22 @@ resource "aws_iam_role_policy_attachment" "this" {
 }
 
 data "aws_iam_policy_document" "custom" {
-  count = var.create && length(var.statements) > 0 ? 1 : 0
+  count = local.create_custom_policy ? 1 : 0
+
+  dynamic "statement" {
+    for_each = var.enable_execute_command ? [1] : []
+
+    content {
+      sid = "ECSExec"
+      actions = [
+        "ssmmessages:CreateControlChannel",
+        "ssmmessages:CreateDataChannel",
+        "ssmmessages:OpenControlChannel",
+        "ssmmessages:OpenDataChannel",
+      ]
+      resources = ["*"]
+    }
+  }
 
   dynamic "statement" {
     for_each = var.statements
@@ -110,11 +125,19 @@ data "aws_iam_policy_document" "custom" {
   }
 }
 
-resource "aws_iam_role_policy" "custom" {
+resource "aws_iam_policy" "custom" {
   count = local.create_custom_policy ? 1 : 0
 
   name        = var.use_name_prefix ? null : var.name
   name_prefix = var.use_name_prefix ? local.name_prefix : null
   policy      = data.aws_iam_policy_document.custom[0].json
-  role        = aws_iam_role.this[0].id
+  description = "Task role IAM policy"
+  tags        = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "custom" {
+  count = local.create_custom_policy ? 1 : 0
+
+  role       = aws_iam_role.this[0].id
+  policy_arn = aws_iam_policy.custom[0].arn
 }
diff --git a/modules/task-role/variables.tf b/modules/task-role/variables.tf
@@ -65,3 +65,9 @@ variable "statements" {
   type        = any
   default     = {}
 }
+
+variable "enable_execute_command" {
+  description = "Specifies whether to enable Amazon ECS Exec for the tasks within the service"
+  type        = bool
+  default     = false
+}