From 9cd7a8d3dd3bca4b0545ff582f54a9a6daa3fa49 Mon Sep 17 00:00:00 2001
From: UncleGedd <42304551+UncleGedd@users.noreply.github.com>
Date: Mon, 27 Feb 2023 17:33:22 -0600
Subject: [PATCH] adds irsa policy for DynamoDb and Encrypt permission to SOPS policy (#7)
---
 policies.tf | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 variables.tf | 13 +++++++++++++
 2 files changed, 65 insertions(+), 1 deletion(-)
diff --git a/policies.tf b/policies.tf
index cb2f1a0..2e945b4 100644
--- a/policies.tf
+++ b/policies.tf
@@ -23,9 +23,10 @@ data "aws_iam_policy_document" "sops" {
 }
 statement {
- sid = "kmsdecrypt"
+ sid = "kmsops"
 actions = [
 "kms:Decrypt",
+ "kms:Encrypt",
 ]
 resources = [var.sops_arn]
 }
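Review bot: The statement now grants `kms:Encrypt` alongside `kms:Decrypt` on `resources = [var.sops_arn]`, and IAM evaluates KMS data operations against the key ARN only, so if a caller passes an alias ARN in `sops_arn` neither action will match; if aliases are meant to be accepted, either validate the variable to require a key ARN or control access through the `kms:ResourceAliases` condition key rather than the `Resource` element. Since the role can now write with the key, not just read, a comment above the statement recording why Encrypt is required (the PR title says "Encrypt permission to SOPS policy" but not the use case) would help future reviewers judge whether it is still needed, e.g. `# Encrypt is granted so the workload can (re-)encrypt SOPS files, not only decrypt them`. The enclosing `data "aws_iam_policy_document" "sops"` block starts before this hunk.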
@@ -93,3 +94,53 @@ resource "aws_iam_role_policy_attachment" "s3_policy" {
 role = aws_iam_role.this[0].name
 policy_arn = aws_iam_policy.s3[0].arn
 }
+
+################################################################################
+# DynamoDB Policy
+################################################################################
+data "aws_iam_policy_document" "dynamodb" {
+ count = var.create_role && var.attach_dynamodb_policy ? 1 : 0
+
+ # permissions taken from: https://developer.hashicorp.com/vault/docs/configuration/storage/dynamodb
+ statement {
+ sid = "DynamoDBReadWrite"
+ actions = [
+ "dynamodb:DescribeLimits",
+ "dynamodb:DescribeTimeToLive",
+ "dynamodb:ListTagsOfResource",
+ "dynamodb:DescribeReservedCapacityOfferings",
+ "dynamodb:DescribeReservedCapacity",
+ "dynamodb:ListTables",
+ "dynamodb:BatchGetItem",
+ "dynamodb:BatchWriteItem",
+ "dynamodb:CreateTable",
+ "dynamodb:DeleteItem",
+ "dynamodb:GetItem",
+ "dynamodb:GetRecords",
+ "dynamodb:PutItem",
+ "dynamodb:Query",
+ "dynamodb:UpdateItem",
+ "dynamodb:Scan",
+ "dynamodb:DescribeTable"
+ ]
+ resources = [var.dynamodb_arn]
+ }
+}
+
+resource "aws_iam_policy" "dynamodb" {
+ count = var.create_role && var.attach_dynamodb_policy ? 1 : 0
+
+ name_prefix = "${var.policy_name_prefix}${var.app_name}-"
+ path = var.role_path
+ description = "Interact with DynamoDB"
+ policy = data.aws_iam_policy_document.dynamodb[0].json
+
+ tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "dynamodb" {
+ count = var.create_role && var.attach_dynamodb_policy ? 1 : 0
+
+ role = aws_iam_role.this[0].name
+ policy_arn = aws_iam_policy.dynamodb[0].arn
+}
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index a6745d4..234ef39 100644
--- a/variables.tf
+++ b/variables.tf
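Review bot: The single `DynamoDBReadWrite` statement scopes every action to `resources = [var.dynamodb_arn]`, but `dynamodb:ListTables`, `dynamodb:DescribeLimits`, `dynamodb:DescribeReservedCapacity` and `dynamodb:DescribeReservedCapacityOfferings` do not support resource-level permissions, so bound to a table ARN they never match and any call that needs them is denied even though the policy appears to grant them. Move those four into a second statement with `resources = ["*"]` (still least-privilege, since `*` is the only resource they accept) and keep the table-scoped actions on the table ARN. `dynamodb:GetRecords` is likewise evaluated against a stream ARN rather than the table ARN, so if it is genuinely needed it presumably wants `"${var.dynamodb_arn}/stream/*"`; if it is only in the list because the Vault docs mention it, consider dropping it. Adding `dynamodb:CreateTable` gives the role the ability to create the table itself, which is worth a comment stating that it is intentional.
```hcl
  statement {
    sid = "DynamoDBTable"
    actions = [
      "dynamodb:DescribeTimeToLive",
      "dynamodb:ListTagsOfResource",
      "dynamodb:BatchGetItem",
      "dynamodb:BatchWriteItem",
      "dynamodb:CreateTable",
      "dynamodb:DeleteItem",
      "dynamodb:GetItem",
      "dynamodb:PutItem",
      "dynamodb:Query",
      "dynamodb:UpdateItem",
      "dynamodb:Scan",
      "dynamodb:DescribeTable",
    ]
    resources = [var.dynamodb_arn]
  }

  # These actions are account-scoped and only accept "*" as the resource;
  # listing them under the table ARN would grant nothing.
  statement {
    sid = "DynamoDBAccountLevel"
    actions = [
      "dynamodb:DescribeLimits",
      "dynamodb:DescribeReservedCapacity",
      "dynamodb:DescribeReservedCapacityOfferings",
      "dynamodb:ListTables",
    ]
    resources = ["*"]
  }
  # … unchanged: aws_iam_policy and aws_iam_role_policy_attachment resources …
```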
@@ -127,4 +127,17 @@ variable "s3_bucket_arns" {
 description = "List of S3 Bucket ARNs to allow access to"
 type = list(string)
 default = [""]
+}
+
+# DynamoDB
+variable "attach_dynamodb_policy" {
+ description = "Determines whether to attach the dynamodb policy to the role"
+ type = bool
+ default = false
+}
+
+variable "dynamodb_arn" {
+ description = "Dynamodb table to allow access to"
+ type = string
+ default = ""
 }
\ No newline at end of file
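Review bot: `dynamodb_arn` defaults to `""` and its description ("Dynamodb table to allow access to") does not say an ARN is expected, yet policies.tf places the value directly in the policy `Resource`, so setting `attach_dynamodb_policy = true` without this variable yields an empty resource that only fails at apply time. Rename the description to say ARN and add a `validation` block that accepts the empty default but rejects anything that is not a DynamoDB ARN, so a bad value is caught at plan time. A variable validation cannot reference `attach_dynamodb_policy`, so the "enabled but empty" combination would still need a `lifecycle { precondition }` on the `aws_iam_policy` resource in policies.tf.
```hcl
variable "dynamodb_arn" {
  description = "ARN of the DynamoDB table to allow access to (required when attach_dynamodb_policy is true)"
  type        = string
  default     = ""

  validation {
    condition     = var.dynamodb_arn == "" || can(regex("^arn:aws[a-z-]*:dynamodb:", var.dynamodb_arn))
    error_message = "dynamodb_arn must be a DynamoDB table ARN (arn:aws:dynamodb:...)."
  }
}
```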