diff --git a/terraform/iam/policies/modules/agent-s3.tf b/terraform/iam/policies/modules/agent-s3.tf
new file mode 100644
index 0000000..22dc3e6
--- /dev/null
+++ b/terraform/iam/policies/modules/agent-s3.tf
@@ -0,0 +1,23 @@
+resource "aws_iam_policy" "agent_s3_policy" {
+ name = "DSK_Agent_S3FullAccess"
+ path = "/"
+
+ policy = jsonencode({
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:*",
+ "s3-object-lambda:*"
+ ],
+ "Resource": [
+ "arn:aws:s3:::dsk-agent-s3",
+ "arn:aws:s3:::dsk-agent-s3/*",
+ "arn:aws:s3:::dsk-middleware-backup",
+ "arn:aws:s3:::dsk-middleware-backup/*"
+ ]
+ }
+ ]
+ })
+}
\ No newline at end of file
diff --git a/terraform/iam/policies/modules/api-s3.tf b/terraform/iam/policies/modules/api-s3.tf
new file mode 100644
index 0000000..f8c1ae1
--- /dev/null
+++ b/terraform/iam/policies/modules/api-s3.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_policy" "api_s3_policy" {
+ name = "DSK_API_S3FullAccess"
+ path = "/"
+
+ policy = jsonencode({
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:*",
+ "s3-object-lambda:*"
+ ],
+ "Resource": [
+ "arn:aws:s3:::dsk-metering",
+ "arn:aws:s3:::dsk-metering/*"
+ ]
+ }
+ ]
+ })
+}
\ No newline at end of file
diff --git a/terraform/iam/policies/modules/devops-s3.tf b/terraform/iam/policies/modules/devops-s3.tf
new file mode 100644
index 0000000..43b8228
--- /dev/null
+++ b/terraform/iam/policies/modules/devops-s3.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_policy" "devops_s3_policy" {
+ name = "DSK_DEVOPS_S3FullAccess"
+ path = "/"
+
+ policy = jsonencode({
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:*",
+ "s3-object-lambda:*"
+ ],
+ "Resource": [
+ "arn:aws:s3:::dsk-middleware-backup",
+ "arn:aws:s3:::dsk-middleware-backup/*"
+ ]
+ }
+ ]
+ })
+}
\ No newline at end of file
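Review bot: `"s3:*"` in the Action list grants far more than an uploader needs — it includes `s3:DeleteObject`, `s3:DeleteBucket`, `s3:PutBucketPolicy`, `s3:PutBucketAcl` and `s3:PutBucketPublicAccessBlock` — so the `dsk-agent-s3-uploader` credential this policy is attached to in users/variables.tf can wipe or publicly expose both buckets, and because `dsk-middleware-backup` is also in the Resource list a leaked agent key can destroy the backups as well. If the agent only writes objects, scope the statement to the write actions and split object-level from bucket-level resources as sketched below; if it needs more, list those actions explicitly instead of the wildcard. The `s3-object-lambda:*` entry only matches Object Lambda access point ARNs, which this Resource list does not contain, so it appears to be dead weight and can be dropped. For the backup bucket, also consider versioning or Object Lock plus an explicit deny on `s3:Delete*` for this identity.
```hcl
      {
        "Sid": "WriteObjects",
        "Effect": "Allow",
        "Action": [
          "s3:PutObject",
          "s3:AbortMultipartUpload"
        ],
        "Resource": [
          "arn:aws:s3:::dsk-agent-s3/*",
          "arn:aws:s3:::dsk-middleware-backup/*"
        ]
      },
      {
        "Sid": "ListBuckets",
        "Effect": "Allow",
        "Action": ["s3:ListBucket"],
        "Resource": [
          "arn:aws:s3:::dsk-agent-s3",
          "arn:aws:s3:::dsk-middleware-backup"
        ]
      }
      # … unchanged: resource header, Version, closing braces …
```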
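Review bot: The api policy has the same shape as the agent one — `"s3:*"` plus `"s3-object-lambda:*"` on `dsk-metering` — while its only consumer in this diff is `dsk-api-s3-uploader`, so a leaked API key can delete the metering data or rewrite the bucket policy rather than just add to it. If the API only appends metering objects, `"Action": ["s3:PutObject", "s3:AbortMultipartUpload"]` on `arn:aws:s3:::dsk-metering/*` (with `s3:ListBucket` on the bucket ARN in a separate statement if listing is required) covers it, and the policy name should then stop saying `FullAccess` so the next reader does not assume the breadth is intentional. The `s3-object-lambda:*` actions match only Object Lambda access point ARNs, which are not in the Resource list, so that entry seems unused.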
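Review bot: `"s3:*"` on `dsk-middleware-backup` gives whoever holds this policy `s3:DeleteBucket`, `s3:DeleteObjectVersion` and `s3:PutBucketPolicy` on the backup destination, which is exactly the capability ransomware-style attacks on a compromised operator account look for; a backup bucket is the one place where a human identity should normally be limited to `s3:ListBucket`/`s3:GetObject` (restore) with deletes handled by lifecycle rules or a break-glass role. This policy also does not appear to be attached to any user in this diff — the `dsk-devops` list in users/variables.tf is only visible as context — so if it is meant for `dsk-devops` the attachment is missing, and if it is unused it should not ship as a dormant full-access policy. Consider at least `"Action": ["s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion"]` here and moving destructive actions behind a separate, MFA-gated role.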
diff --git a/terraform/iam/policies/modules/dsk-lambda-execute.tf b/terraform/iam/policies/modules/lambda-execute.tf
similarity index 92%
rename from terraform/iam/policies/modules/dsk-lambda-execute.tf
rename to terraform/iam/policies/modules/lambda-execute.tf
index e3620b6..55f6cb9 100644
--- a/terraform/iam/policies/modules/dsk-lambda-execute.tf
+++ b/terraform/iam/policies/modules/lambda-execute.tf
@@ -1,4 +1,4 @@
-resource "aws_iam_policy" "policy" {
+resource "aws_iam_policy" "lambda_execute_policy" {
 name = "DSK_LambdaExecute"
 path = "/"
@@ -32,4 +32,4 @@ resource "aws_iam_policy" "policy" {
 }
 ]
 })
-}
\ No newline at end of file
+}
diff --git a/terraform/iam/roles/modules/lambda.tf b/terraform/iam/roles/modules/lambda.tf
new file mode 100644
index 0000000..6e8096a
--- /dev/null
+++ b/terraform/iam/roles/modules/lambda.tf
@@ -0,0 +1,24 @@
+data "aws_iam_policy_document" "lambda_assume_role" {
+ statement {
+ effect = "Allow"
+ principals {
+ type = "Service"
+ identifiers = ["lambda.amazonaws.com"]
+ }
+ actions = ["sts:AssumeRole"]
+ }
+}
+
+resource "aws_iam_role" "lambda_role" {
+ name = "DSK_Lambda_Role"
+ assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json
+
+ tags = {
+ Name = "dsk-lambda-role"
+ }
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_role_policy_attach" {
+ role = aws_iam_role.lambda_role.name
+ policy_arn = var.dsk_lambda_execute_policy
+}
\ No newline at end of file
diff --git a/terraform/iam/roles/modules/roles.tf b/terraform/iam/roles/modules/roles.tf
deleted file mode 100644
index 8dd3987..0000000
--- a/terraform/iam/roles/modules/roles.tf
+++ /dev/null
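Review bot: `aws_iam_role.lambda_role` in the new lambda.tf replaces the deleted `aws_iam_role.role` from roles.tf with the identical `name = "DSK_Lambda_Role"`, but nothing tells Terraform they are the same object, so the next plan will destroy the existing role and create a fresh one — the name-based ARN survives, but the role's unique principal ID changes and the attachment is dropped and re-added during the replace, which disrupts any function already using the role. Add `moved { from = aws_iam_role.role  to = aws_iam_role.lambda_role }` (and the equivalent for `aws_iam_role_policy_attachment.role_policy_attach` → `lambda_role_policy_attach`), or run `terraform state mv` before applying, and confirm the plan shows no replacement; the same concern applies to the `aws_iam_policy.policy` → `lambda_execute_policy` rename in lambda-execute.tf, where a replace of the `DSK_LambdaExecute` managed policy would transiently detach it from `dsk-devops`. Separately, `var.dsk_lambda_execute_policy` is wired through a hard-coded ARN default that embeds the account ID, so a later rename of the policy in the policies stack will not be caught until attach time; a comment such as `# must match aws_iam_policy.lambda_execute_policy in ../policies` would at least make the coupling visible.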
@@ -1,24 +0,0 @@
-data "aws_iam_policy_document" "assume_role" {
- statement {
- effect = "Allow"
- principals {
- type = "Service"
- identifiers = ["lambda.amazonaws.com"]
- }
- actions = ["sts:AssumeRole"]
- }
-}
-
-resource "aws_iam_role" "role" {
- name = "DSK_Lambda_Role"
- assume_role_policy = data.aws_iam_policy_document.assume_role.json
-
- tags = {
- Name = "dsk-lambda-role"
- }
-}
-
-resource "aws_iam_role_policy_attachment" "role_policy_attach" {
- role = aws_iam_role.role.name
- policy_arn = var.DSK_LambdaExecute
-}
\ No newline at end of file
diff --git a/terraform/iam/roles/modules/variables.tf b/terraform/iam/roles/modules/variables.tf
index 3945202..6941aca 100644
--- a/terraform/iam/roles/modules/variables.tf
+++ b/terraform/iam/roles/modules/variables.tf
@@ -1,4 +1,4 @@
-variable "DSK_LambdaExecute" {
+variable "dsk_lambda_execute_policy" {
 type = string
 default = "arn:aws:iam::508259851457:policy/DSK_LambdaExecute"
 }
\ No newline at end of file
diff --git a/terraform/iam/users/main.tf b/terraform/iam/users/main.tf
index 26f0296..2a5ccf3 100644
--- a/terraform/iam/users/main.tf
+++ b/terraform/iam/users/main.tf
@@ -1,9 +1,3 @@
 provider "aws" {
 region = var.aws_region
-}
-
-module "users" {
- source = "./modules"
- aws_region = var.aws_region
- iam_users = var.iam_users
-}
+}
\ No newline at end of file
diff --git a/terraform/iam/users/outputs.tf b/terraform/iam/users/outputs.tf
deleted file mode 100644
index dbcd718..0000000
--- a/terraform/iam/users/outputs.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-# output "users_result" {
-# value = module.users.users_result
-# }
diff --git a/terraform/iam/users/modules/users.tf b/terraform/iam/users/users.tf
similarity index 76%
rename from terraform/iam/users/modules/users.tf
rename to terraform/iam/users/users.tf
index 1b79f44..2fa8cfd 100644
--- a/terraform/iam/users/modules/users.tf
+++ b/terraform/iam/users/users.tf
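Review bot: Dropping `module "users"` while users.tf moves to the root module changes every resource address from `module.users.aws_iam_user.iam_user[...]` to `aws_iam_user.iam_user[...]` (and likewise for `aws_iam_user_policy_attachment.policy_attachment[...]`), so unless the state is migrated the next plan replaces every IAM user rather than leaving it in place. With the default `force_destroy = false` that apply fails on any user holding access keys or a console password that Terraform does not manage, and with `force_destroy` set it deletes them silently — either outcome takes the uploader and devops credentials down. Add `moved { from = module.users.aws_iam_user.iam_user  to = aws_iam_user.iam_user }` and the matching block for `aws_iam_user_policy_attachment.policy_attachment` (Terraform ≥ 1.1), or `terraform state mv` the module's resources before applying, and verify the plan contains no destroy/create pairs for `aws_iam_user`.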
@@ -1,10 +1,3 @@
-variable "aws_region" {}
-variable "iam_users" {}
-
-# provider "aws" {
-# region = var.aws_region
-# }
-
 locals {
 user_policies = flatten([for name, policies in var.iam_users : [for policy in policies.policies : { user = name, policy = policy }]])
 users = toset([for user in local.user_policies : user.user])
@@ -21,8 +14,4 @@ resource "aws_iam_user_policy_attachment" "policy_attachment" {
 user = aws_iam_user.iam_user[local.user_policies[count.index].user].name
 policy_arn = local.user_policies[count.index].policy
-}
-
-# output "users_result" {
-# value = local.user_policies
-# }
\ No newline at end of file
+}
\ No newline at end of file
diff --git a/terraform/iam/users/variables.tf b/terraform/iam/users/variables.tf
index 6eacf3e..ada19f3 100644
--- a/terraform/iam/users/variables.tf
+++ b/terraform/iam/users/variables.tf
@@ -7,6 +7,12 @@ variable "iam_users" {
 policies = list(string)
 }))
 default = {
+ dongwoo = {
+ policies = [
+ "arn:aws:iam::aws:policy/AdministratorAccess",
+ "arn:aws:iam::aws:policy/IAMUserChangePassword"
+ ]
+ },
 dsk-devops = {
 policies = [
 "arn:aws:iam::508259851457:policy/DSK_LambdaExecute",
@@ -16,6 +22,21 @@ variable "iam_users" {
 "arn:aws:iam::aws:policy/AWSWAFReadOnlyAccess",
 "arn:aws:iam::aws:policy/AmazonElasticFileSystemReadOnlyAccess"
 ]
+ },
+ dsk-agent-s3-uploader = {
+ policies = [
+ "arn:aws:iam::508259851457:policy/DSK_Agent_S3FullAccess"
+ ]
+ },
+ dsk-api-s3-uploader = {
+ policies = [
+ "arn:aws:iam::508259851457:policy/DSK_API_S3FullAccess"
+ ]
+ },
+ dsk-ses-admin = {
+ policies = [
+ "arn:aws:iam::aws:policy/AmazonSESFullAccess"
+ ]
 }
 }
 }
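Review bot: `dongwoo` is a named human user handed `AdministratorAccess` inside the `default` of `var.iam_users`, which makes a long-lived, full-admin IAM user part of the repository's baseline — anyone applying from a fresh checkout recreates it, and the paired `IAMUserChangePassword` policy suggests console sign-in with a password rather than a federated session. Human administrators are better served by IAM Identity Center or an assumable role with MFA and short-lived credentials; if an IAM user is unavoidable, keep the admin assignment out of `default` (pass it via a tfvars file that is not committed), attach an MFA-enforcing deny policy keyed on `aws:MultiFactorAuthPresent`, and make sure no access keys are created for it. At minimum a comment next to the entry such as `# break-glass admin: MFA required, no access keys, review quarterly` records that the breadth is deliberate.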
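Review bot: `dsk-ses-admin` receives `AmazonSESFullAccess`, which is broad for what the name implies is a mail-sending identity: it can verify new sending identities, edit configuration sets and event destinations, and read or alter the account suppression list, so a leaked key is usable for spoofed mail from any verified domain and for hiding the evidence. If this user only sends, a customer-managed policy with `ses:SendEmail` and `ses:SendRawEmail` scoped to the specific identity ARN and a `ses:FromAddress` condition is enough; the same consideration applies to the two `*-uploader` users here, whose names say "uploader" while the attached policies say `FullAccess`. I'd also note that this diff adds five new long-lived IAM users with no key-rotation or MFA controls visible; a comment pointing at where those are enforced (or a `# TODO: rotate keys via <mechanism>` if they are not) would help the next reviewer.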