Make permissions finer across all resources

nimh-dsst · Nov 4, 2024 · f748619 · f748619
1 parent 2fad211
commit f748619
Show file tree

Hide file tree

Showing 5 changed files with 95 additions and 42 deletions.
diff --git a/web/deploy/terraform/modules/iam/main.tf b/web/deploy/terraform/modules/iam/main.tf
@@ -42,13 +42,8 @@ resource "aws_iam_instance_profile" "profile" {
 }
 
 resource "aws_iam_policy" "cd" {
-  name = "${var.cd_iam_policy_name}-${var.environment}"
-  policy = templatefile(
-    "${path.module}/policies/gha-policy.json.tftpl",
-    {
-      resources = jsonencode(var.cd_iam_policy_resources)
-    },
-  )
+  name   = "${var.cd_iam_policy_name}-${var.environment}"
+  policy = file("${path.module}/policies/gha-policy.json")
 }
 
 resource "aws_iam_role" "cd" {

diff --git a/web/deploy/terraform/modules/iam/policies/gha-policy.json b/web/deploy/terraform/modules/iam/policies/gha-policy.json
@@ -0,0 +1,90 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "dynamodb:CreateTable",
+        "dynamodb:DeleteTable",
+        "dynamodb:ListExports",
+        "dynamodb:TagResource",
+        "ec2-instance-connect:SendSSHPublicKey",
+        "ec2:AllocateAddress",
+        "ec2:AssociateAddress",
+        "ec2:AssociateDhcpOptions",
+        "ec2:AssociateRouteTable",
+        "ec2:AttachInternetGateway",
+        "ec2:AuthorizeSecurityGroupEgress",
+        "ec2:AuthorizeSecurityGroupIngress",
+        "ec2:CreateDhcpOptions",
+        "ec2:CreateInternetGateway",
+        "ec2:CreateNetworkAcl",
+        "ec2:CreateNetworkAclEntry",
+        "ec2:CreateRoute",
+        "ec2:CreateRouteTable",
+        "ec2:CreateSecurityGroup",
+        "ec2:CreateSubnet",
+        "ec2:CreateTags",
+        "ec2:CreateVpc",
+        "ec2:DeleteDhcpOptions",
+        "ec2:DeleteInternetGateway",
+        "ec2:DeleteNetworkAcl",
+        "ec2:DeleteNetworkAclEntry",
+        "ec2:DeleteRouteTable",
+        "ec2:DeleteSecurityGroup",
+        "ec2:DeleteSubnet",
+        "ec2:DeleteVpc",
+        "ec2:DetachInternetGateway",
+        "ec2:DisassociateAddress",
+        "ec2:DisassociateRouteTable",
+        "ec2:ImportKeyPair",
+        "ec2:ModifyInstanceAttribute",
+        "ec2:ModifySubnetAttribute",
+        "ec2:ModifyVpcAttribute",
+        "ec2:RebootInstances",
+        "ec2:ReleaseAddress",
+        "ec2:ReplaceNetworkAclAssociation",
+        "ec2:RevokeSecurityGroupEgress",
+        "ec2:RunInstances",
+        "ec2:StartInstances",
+        "ec2:StopInstances",
+        "ec2:TerminateInstances",
+        "ecr:BatchDeleteImage",
+        "ecr:CompleteLayerUpload",
+        "ecr:CreateRepository",
+        "ecr:DeleteRepository",
+        "ecr:GetAuthorizationToken",
+        "ecr:InitiateLayerUpload",
+        "ecr:PutImage",
+        "ecr:UploadLayerPart",
+        "iam:AddRoleToInstanceProfile",
+        "iam:AttachRolePolicy",
+        "iam:AttachUserPolicy",
+        "iam:CreateInstanceProfile",
+        "iam:CreateOpenIDConnectProvider",
+        "iam:CreatePolicy",
+        "iam:CreatePolicyVersion",
+        "iam:CreateRole",
+        "iam:DeleteInstanceProfile",
+        "iam:DeleteOpenIDConnectProvider",
+        "iam:DeletePolicy",
+        "iam:DeletePolicyVersion",
+        "iam:DeleteRole",
+        "iam:DetachRolePolicy",
+        "iam:RemoveRoleFromInstanceProfile",
+        "iam:UpdateAssumeRolePolicy",
+        "s3:CreateBucket",
+        "s3:DeleteBucket",
+        "s3:DeleteBucketEncryption",
+        "s3:DeleteBucketLifecycle",
+        "s3:DeleteBucketPublicAccessBlock",
+        "s3:PutBucketEncryption",
+        "s3:PutBucketLifecycle",
+        "s3:PutBucketPublicAccessBlock",
+        "s3:PutBucketTagging",
+        "s3:PutBucketVersioning"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
diff --git a/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl b/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl
diff --git a/web/deploy/terraform/modules/iam/variables.tf b/web/deploy/terraform/modules/iam/variables.tf
@@ -27,11 +27,6 @@ variable "cd_iam_policy_name" {
   type        = string
 }
 
-variable "cd_iam_policy_resources" {
-  description = "The arn of the resource to which the IAM policy is applied"
-  type        = list(string)
-}
-
 variable "cd_iam_role_policy_name" {
   description = "The name of the IAM role policy for continuous deployment to ECR"
   default     = "github-actions-role"

diff --git a/web/deploy/terraform/shared/main.tf b/web/deploy/terraform/shared/main.tf
@@ -35,8 +35,7 @@ module "ecr_dashboard" {
 }
 
 module "iam_role_and_policy" {
-  source                  = "../modules/iam/"
-  environment             = var.environment
-  cd_iam_policy_resources = [module.ecr_api.arn, module.ecr_dashboard.arn]
-  AWS_ACCOUNT_ID          = var.AWS_ACCOUNT_ID
+  source         = "../modules/iam/"
+  environment    = var.environment
+  AWS_ACCOUNT_ID = var.AWS_ACCOUNT_ID
 }