Terraform - IAM user, role, policies 최신화

2024-01-30 17:46:36 +09:00
parent 886e60ab28
commit f3e9a26a95
11 changed files with 115 additions and 49 deletions
--- a/terraform/iam/policies/modules/agent-s3.tf
+++ b/terraform/iam/policies/modules/agent-s3.tf
@@ -0,0 +1,23 @@
+resource "aws_iam_policy" "agent_s3_policy" {
+  name        = "DSK_Agent_S3FullAccess"
+  path        = "/"
+
+  policy = jsonencode({
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Action": [
+          "s3:*",
+          "s3-object-lambda:*"
+        ],
+        "Resource": [
+          "arn:aws:s3:::dsk-agent-s3",
+          "arn:aws:s3:::dsk-agent-s3/*",
+          "arn:aws:s3:::dsk-middleware-backup",
+          "arn:aws:s3:::dsk-middleware-backup/*"
+        ]
+      }
+    ]
+  })
+}
--- a/terraform/iam/policies/modules/api-s3.tf
+++ b/terraform/iam/policies/modules/api-s3.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_policy" "api_s3_policy" {
+  name        = "DSK_API_S3FullAccess"
+  path        = "/"
+
+  policy = jsonencode({
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Action": [
+          "s3:*",
+          "s3-object-lambda:*"
+        ],
+        "Resource": [
+          "arn:aws:s3:::dsk-metering",
+          "arn:aws:s3:::dsk-metering/*"
+        ]
+      }
+    ]
+  })
+}
--- a/terraform/iam/policies/modules/devops-s3.tf
+++ b/terraform/iam/policies/modules/devops-s3.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_policy" "devops_s3_policy" {
+  name        = "DSK_DEVOPS_S3FullAccess"
+  path        = "/"
+
+  policy = jsonencode({
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Action": [
+          "s3:*",
+          "s3-object-lambda:*"
+        ],
+        "Resource": [
+          "arn:aws:s3:::dsk-middleware-backup",
+          "arn:aws:s3:::dsk-middleware-backup/*"
+        ]
+      }
+    ]
+  })
+}
--- a/terraform/iam/policies/modules/dsk-lambda-execute.tf
+++ b/terraform/iam/policies/modules/dsk-lambda-execute.tf
@@ -1,4 +1,4 @@
-resource "aws_iam_policy" "policy" {
+resource "aws_iam_policy" "lambda_execute_policy" {
  name        = "DSK_LambdaExecute"
  path        = "/"

@@ -32,4 +32,4 @@ resource "aws_iam_policy" "policy" {
      }
    ]
  })
-}
+}
--- a/terraform/iam/roles/modules/lambda.tf
+++ b/terraform/iam/roles/modules/lambda.tf
@@ -0,0 +1,24 @@
+data "aws_iam_policy_document" "lambda_assume_role" {
+  statement {
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["lambda.amazonaws.com"]
+    }
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role" "lambda_role" {
+  name               = "DSK_Lambda_Role"
+  assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json
+
+  tags = {
+    Name = "dsk-lambda-role"
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_role_policy_attach" {
+  role       = aws_iam_role.lambda_role.name
+  policy_arn = var.dsk_lambda_execute_policy
+}
--- a/terraform/iam/roles/modules/roles.tf
+++ b/terraform/iam/roles/modules/roles.tf
@@ -1,24 +0,0 @@
-data "aws_iam_policy_document" "assume_role" {
-  statement {
-    effect = "Allow"
-    principals {
-      type        = "Service"
-      identifiers = ["lambda.amazonaws.com"]
-    }
-    actions = ["sts:AssumeRole"]
-  }
-}
-
-resource "aws_iam_role" "role" {
-  name               = "DSK_Lambda_Role"
-  assume_role_policy = data.aws_iam_policy_document.assume_role.json
-
-  tags = {
-    Name = "dsk-lambda-role"
-  }
-}
-
-resource "aws_iam_role_policy_attachment" "role_policy_attach" {
-  role       = aws_iam_role.role.name
-  policy_arn = var.DSK_LambdaExecute
-}
--- a/terraform/iam/roles/modules/variables.tf
+++ b/terraform/iam/roles/modules/variables.tf
@@ -1,4 +1,4 @@
-variable "DSK_LambdaExecute" {
+variable "dsk_lambda_execute_policy" {
  type    = string
  default = "arn:aws:iam::508259851457:policy/DSK_LambdaExecute"
 }
--- a/terraform/iam/users/main.tf
+++ b/terraform/iam/users/main.tf
@@ -1,9 +1,3 @@
 provider "aws" {
  region = var.aws_region
-}
-
-module "users" {
-  source    = "./modules"
-  aws_region = var.aws_region
-  iam_users  = var.iam_users
-}
+}
--- a/terraform/iam/users/outputs.tf
+++ b/terraform/iam/users/outputs.tf
@@ -1,3 +0,0 @@
-# output "users_result" {
-#   value = module.users.users_result
-# }
--- a/terraform/iam/users/modules/users.tf
+++ b/terraform/iam/users/modules/users.tf
@@ -1,10 +1,3 @@
-variable "aws_region" {}
-variable "iam_users" {}
-
-# provider "aws" {
-#   region = var.aws_region
-# }
-
 locals {
  user_policies = flatten([for name, policies in var.iam_users : [for policy in policies.policies : { user = name, policy = policy }]])
  users = toset([for user in local.user_policies : user.user])
@@ -21,8 +14,4 @@ resource "aws_iam_user_policy_attachment" "policy_attachment" {

  user       = aws_iam_user.iam_user[local.user_policies[count.index].user].name
  policy_arn = local.user_policies[count.index].policy
-}
-
-# output "users_result" {
-#   value = local.user_policies
-# }
+}
--- a/terraform/iam/users/variables.tf
+++ b/terraform/iam/users/variables.tf
@@ -7,6 +7,12 @@ variable "iam_users" {
    policies = list(string)
  }))
  default = {
+    dongwoo = {
+      policies = [
+        "arn:aws:iam::aws:policy/AdministratorAccess",
+        "arn:aws:iam::aws:policy/IAMUserChangePassword"
+      ]
+    },
    dsk-devops = {
      policies = [
        "arn:aws:iam::508259851457:policy/DSK_LambdaExecute",
@@ -16,6 +22,21 @@ variable "iam_users" {
        "arn:aws:iam::aws:policy/AWSWAFReadOnlyAccess",
        "arn:aws:iam::aws:policy/AmazonElasticFileSystemReadOnlyAccess"
      ]
+    },
+    dsk-agent-s3-uploader = {
+      policies = [
+        "arn:aws:iam::508259851457:policy/DSK_Agent_S3FullAccess"
+      ]
+    },
+    dsk-api-s3-uploader = {
+      policies = [
+        "arn:aws:iam::508259851457:policy/DSK_API_S3FullAccess"
+      ]
+    },
+    dsk-ses-admin = {
+      policies = [
+        "arn:aws:iam::aws:policy/AmazonSESFullAccess"
+      ]
    }
  }
 }