Terraform - IAM user, role, policies 최신화

This commit is contained in:
dsk-minchulahn
2024-01-30 17:46:36 +09:00
parent 886e60ab28
commit f3e9a26a95
11 changed files with 115 additions and 49 deletions


@@ -0,0 +1,23 @@
resource "aws_iam_policy" "agent_s3_policy" {
name = "DSK_Agent_S3FullAccess"
path = "/"
policy = jsonencode({
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*",
"s3-object-lambda:*"
],
"Resource": [
"arn:aws:s3:::dsk-agent-s3",
"arn:aws:s3:::dsk-agent-s3/*",
"arn:aws:s3:::dsk-middleware-backup",
"arn:aws:s3:::dsk-middleware-backup/*"
]
}
]
})
}
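Review bot: The policy grants `s3:*` and `s3-object-lambda:*` on both buckets, which covers bucket-level and destructive actions (object deletion, bucket policy and ACL changes, bucket deletion), while the only consumer visible in this commit is the `dsk-agent-s3-uploader` user. If that user only writes objects, the Action list should be narrowed to what it actually does, e.g. `"Action": ["s3:PutObject", "s3:ListBucket"]`, and the `FullAccess` suffix in `name` then no longer describes the policy. The same applies to the `DSK_API_S3FullAccess` and `DSK_DEVOPS_S3FullAccess` policies in the next two hunks. What each uploader needs is not visible here, so confirm against the client side before narrowing.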


@@ -0,0 +1,21 @@
resource "aws_iam_policy" "api_s3_policy" {
name = "DSK_API_S3FullAccess"
path = "/"
policy = jsonencode({
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*",
"s3-object-lambda:*"
],
"Resource": [
"arn:aws:s3:::dsk-metering",
"arn:aws:s3:::dsk-metering/*"
]
}
]
})
}


@@ -0,0 +1,21 @@
resource "aws_iam_policy" "devops_s3_policy" {
name = "DSK_DEVOPS_S3FullAccess"
path = "/"
policy = jsonencode({
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*",
"s3-object-lambda:*"
],
"Resource": [
"arn:aws:s3:::dsk-middleware-backup",
"arn:aws:s3:::dsk-middleware-backup/*"
]
}
]
})
}


@@ -1,4 +1,4 @@
resource "aws_iam_policy" "policy" { resource "aws_iam_policy" "lambda_execute_policy" {
name = "DSK_LambdaExecute" name = "DSK_LambdaExecute"
path = "/" path = "/"
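Review bot: Renaming the resource address from `aws_iam_policy.policy` to `aws_iam_policy.lambda_execute_policy` without a `moved` block makes Terraform plan a destroy of the existing `DSK_LambdaExecute` policy followed by a create, not a no-op rename; the same holds for the role and attachment renamed in the following hunks (`aws_iam_role.role` → `aws_iam_role.lambda_role`, `role_policy_attach` → `lambda_role_policy_attach`). The recreated policy keeps the same name and ARN, but principals attached to it in the meantime — including the `dsk-devops` user attachment that references the ARN as a string — lose the permission between destroy and create, and the destroy may be blocked while attachments exist. Add `moved { from = aws_iam_policy.policy  to = aws_iam_policy.lambda_execute_policy }` (Terraform 1.1+) next to the resource, or run `terraform state mv` before applying, and do the same for the role and attachment. The rest of the resource body is outside the hunk.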


@@ -0,0 +1,24 @@
data "aws_iam_policy_document" "lambda_assume_role" {
statement {
effect = "Allow"
principals {
type = "Service"
identifiers = ["lambda.amazonaws.com"]
}
actions = ["sts:AssumeRole"]
}
}
resource "aws_iam_role" "lambda_role" {
name = "DSK_Lambda_Role"
assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json
tags = {
Name = "dsk-lambda-role"
}
}
resource "aws_iam_role_policy_attachment" "lambda_role_policy_attach" {
role = aws_iam_role.lambda_role.name
policy_arn = var.dsk_lambda_execute_policy
}
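Review bot: `policy_arn = var.dsk_lambda_execute_policy` attaches the policy by a literal ARN string (its default pins account `508259851457` in the variables hunk), so Terraform records no dependency between this attachment and the `aws_iam_policy` resource that creates `DSK_LambdaExecute`; on a fresh apply the attachment can be scheduled before the policy exists, and the configuration cannot be applied to another account without editing the default. If the policy resource lives in the same module as this role, reference it directly, `policy_arn = aws_iam_policy.lambda_execute_policy.arn`; if it is in a sibling module, pass that resource's `.arn` output into the variable instead of a constant. Whether the two share a module is not visible in this commit.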


@@ -1,24 +0,0 @@
data "aws_iam_policy_document" "assume_role" {
statement {
effect = "Allow"
principals {
type = "Service"
identifiers = ["lambda.amazonaws.com"]
}
actions = ["sts:AssumeRole"]
}
}
resource "aws_iam_role" "role" {
name = "DSK_Lambda_Role"
assume_role_policy = data.aws_iam_policy_document.assume_role.json
tags = {
Name = "dsk-lambda-role"
}
}
resource "aws_iam_role_policy_attachment" "role_policy_attach" {
role = aws_iam_role.role.name
policy_arn = var.DSK_LambdaExecute
}


@@ -1,4 +1,4 @@
variable "DSK_LambdaExecute" { variable "dsk_lambda_execute_policy" {
type = string type = string
default = "arn:aws:iam::508259851457:policy/DSK_LambdaExecute" default = "arn:aws:iam::508259851457:policy/DSK_LambdaExecute"
} }


@@ -1,9 +1,3 @@
provider "aws" { provider "aws" {
region = var.aws_region region = var.aws_region
} }
module "users" {
source = "./modules"
aws_region = var.aws_region
iam_users = var.iam_users
}


@@ -1,3 +0,0 @@
# output "users_result" {
# value = module.users.users_result
# }


@@ -1,10 +1,3 @@
variable "aws_region" {}
variable "iam_users" {}
# provider "aws" {
# region = var.aws_region
# }
locals { locals {
user_policies = flatten([for name, policies in var.iam_users : [for policy in policies.policies : { user = name, policy = policy }]]) user_policies = flatten([for name, policies in var.iam_users : [for policy in policies.policies : { user = name, policy = policy }]])
users = toset([for user in local.user_policies : user.user]) users = toset([for user in local.user_policies : user.user])
@@ -22,7 +15,3 @@ resource "aws_iam_user_policy_attachment" "policy_attachment" {
user = aws_iam_user.iam_user[local.user_policies[count.index].user].name user = aws_iam_user.iam_user[local.user_policies[count.index].user].name
policy_arn = local.user_policies[count.index].policy policy_arn = local.user_policies[count.index].policy
} }
# output "users_result" {
# value = local.user_policies
# }
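Review bot: `aws_iam_user_policy_attachment.policy_attachment` is indexed by `count` over the flattened `local.user_policies` list (context lines of the second hunk; the resource header itself is outside the hunk), so any insertion or reordering in `var.iam_users` shifts the indices of every later entry and Terraform detaches and re-attaches policies for users that did not change — the `dongwoo` entry added ahead of `dsk-devops` in the variables hunk will do exactly that on the next apply. Keying the resource with `for_each` on `"${user}/${policy}"` makes each attachment's identity independent of its position. Switching from `count` to `for_each` needs a one-time state move for the existing attachments, or an accepted detach/re-attach during that apply.
```terraform
resource "aws_iam_user_policy_attachment" "policy_attachment" {
  for_each   = { for p in local.user_policies : "${p.user}/${p.policy}" => p }
  user       = aws_iam_user.iam_user[each.value.user].name
  policy_arn = each.value.policy
}
```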


@@ -7,6 +7,12 @@ variable "iam_users" {
policies = list(string) policies = list(string)
})) }))
default = { default = {
dongwoo = {
policies = [
"arn:aws:iam::aws:policy/AdministratorAccess",
"arn:aws:iam::aws:policy/IAMUserChangePassword"
]
},
dsk-devops = { dsk-devops = {
policies = [ policies = [
"arn:aws:iam::508259851457:policy/DSK_LambdaExecute", "arn:aws:iam::508259851457:policy/DSK_LambdaExecute",
@@ -16,6 +22,21 @@ variable "iam_users" {
"arn:aws:iam::aws:policy/AWSWAFReadOnlyAccess", "arn:aws:iam::aws:policy/AWSWAFReadOnlyAccess",
"arn:aws:iam::aws:policy/AmazonElasticFileSystemReadOnlyAccess" "arn:aws:iam::aws:policy/AmazonElasticFileSystemReadOnlyAccess"
] ]
},
dsk-agent-s3-uploader = {
policies = [
"arn:aws:iam::508259851457:policy/DSK_Agent_S3FullAccess"
]
},
dsk-api-s3-uploader = {
policies = [
"arn:aws:iam::508259851457:policy/DSK_API_S3FullAccess"
]
},
dsk-ses-admin = {
policies = [
"arn:aws:iam::aws:policy/AmazonSESFullAccess"
]
} }
} }
} }
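Review bot: The new user entries attach the policies created in this commit by literal ARN (`arn:aws:iam::508259851457:policy/DSK_Agent_S3FullAccess`, `.../DSK_API_S3FullAccess`), so there is no dependency edge from the user attachments to the `aws_iam_policy` resources and a fresh apply can attempt the attachment before the policy exists; where the policies are created in the same configuration, `aws_iam_policy.agent_s3_policy.arn` (and the api equivalent) should be passed in place of the strings, which also removes the pinned account ID. Separately, `dongwoo` is given `AdministratorAccess` through this map with nothing in the hunk constraining the user; a `# why:` comment recording the reason for a standing admin user, or a policy condition limiting it to MFA-authenticated sessions, would make the grant reviewable. The variable's type block and the middle of the `dsk-devops` policy list are outside the hunk.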