|
|
|
#!/usr/bin/env bash
|
|
|
|
# vim:ts=4:sts=4:sw=4:et
|
|
|
|
# args: haritest-terraform-state-lock-table
|
|
|
|
#
|
|
|
|
# Author: Hari Sekhon
|
|
|
|
# Date: 2022-06-15 17:57:17 +0100 (Wed, 15 Jun 2022)
|
|
|
|
#
|
|
|
|
# https://github.com/HariSekhon/DevOps-Bash-tools
|
|
|
|
#
|
|
|
|
# License: see accompanying Hari Sekhon LICENSE file
|
|
|
|
#
|
|
|
|
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
|
|
|
|
#
|
|
|
|
# https://www.linkedin.com/in/HariSekhon
|
|
|
|
#
|
|
|
|
|
|
|
|
set -euo pipefail
|
|
|
|
[ -n "${DEBUG:-}" ] && set -x
|
|
|
|
srcdir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
|
|
|
|
|
|
# shellcheck disable=SC1090
|
|
|
|
. "$srcdir/lib/aws.sh"
|
|
|
|
|
|
|
|
# shellcheck disable=SC2034,SC2154
|
|
|
|
usage_description="
|
|
|
|
Creates IAM policies for S3 buckets and DynamoDB tables containing 'terraform-state' or 'tf-state' in their name
|
|
|
|
|
|
|
|
Attaches these policies to the specified user, which must already exist (run aws_terraform_create_credential.sh first)
|
|
|
|
|
|
|
|
Necessary for limited privilege CI/CD accounts such as GitHub Actions pull request Terraform Plan only workflows using a Read Only account
|
|
|
|
|
|
|
|
Idempotent, skips creation of the policies if they already exist
|
|
|
|
|
|
|
|
|
|
|
|
$usage_aws_cli_required
|
|
|
|
"
|
|
|
|
|
|
|
|
# used by usage() in lib/utils.sh
|
|
|
|
# shellcheck disable=SC2034
|
|
|
|
usage_args="<user_name> [<aws_cli_options>]"
|
|
|
|
|
|
|
|
help_usage "$@"
|
|
|
|
|
|
|
|
min_args 1 "$@"
|
|
|
|
|
|
|
|
user="$1"
|
|
|
|
shift || :
|
|
|
|
|
|
|
|
export AWS_DEFAULT_OUTPUT=json
|
|
|
|
|
|
|
|
aws_account_id="$(aws_account_id)"
|
|
|
|
|
|
|
|
dynamodb_policy="Terraform-DynamoDB-Lock-Tables"
|
|
|
|
s3_policy="Terraform-S3-Buckets"
|
|
|
|
|
|
|
|
timestamp "Generating S3 policy '$s3_policy' policy document"
|
|
|
|
s3_policy_document="$(cat <<EOF
|
|
|
|
{
|
|
|
|
"Version": "2012-10-17",
|
|
|
|
"Statement": [
|
|
|
|
{
|
|
|
|
"Sid": "TerraformS3Buckets",
|
|
|
|
"Effect": "Allow",
|
|
|
|
"Action": [
|
|
|
|
"s3:CreateAccessPoint",
|
|
|
|
"s3:PutAnalyticsConfiguration",
|
|
|
|
"s3:PutAccelerateConfiguration",
|
|
|
|
"s3:PutAccessPointConfigurationForObjectLambda",
|
|
|
|
"s3:DeleteObjectVersion",
|
|
|
|
"s3:RestoreObject",
|
|
|
|
"s3:DeleteAccessPoint",
|
|
|
|
"s3:CreateBucket",
|
|
|
|
"s3:DeleteAccessPointForObjectLambda",
|
|
|
|
"s3:ReplicateObject",
|
|
|
|
"s3:PutEncryptionConfiguration",
|
|
|
|
"s3:DeleteBucketWebsite",
|
|
|
|
"s3:AbortMultipartUpload",
|
|
|
|
"s3:PutLifecycleConfiguration",
|
|
|
|
"s3:UpdateJobPriority",
|
|
|
|
"s3:DeleteObject",
|
|
|
|
"s3:CreateMultiRegionAccessPoint",
|
|
|
|
"s3:DeleteBucket",
|
|
|
|
"s3:PutBucketVersioning",
|
|
|
|
"s3:PutIntelligentTieringConfiguration",
|
|
|
|
"s3:PutMetricsConfiguration",
|
|
|
|
"s3:PutBucketOwnershipControls",
|
|
|
|
"s3:PutReplicationConfiguration",
|
|
|
|
"s3:DeleteMultiRegionAccessPoint",
|
|
|
|
"s3:PutObjectLegalHold",
|
|
|
|
"s3:InitiateReplication",
|
|
|
|
"s3:UpdateJobStatus",
|
|
|
|
"s3:PutBucketCORS",
|
|
|
|
"s3:PutInventoryConfiguration",
|
|
|
|
"s3:PutObject",
|
|
|
|
"s3:PutBucketNotification",
|
|
|
|
"s3:DeleteStorageLensConfiguration",
|
|
|
|
"s3:PutBucketWebsite",
|
|
|
|
"s3:PutBucketRequestPayment",
|
|
|
|
"s3:PutObjectRetention",
|
|
|
|
"s3:PutBucketLogging",
|
|
|
|
"s3:CreateAccessPointForObjectLambda",
|
|
|
|
"s3:PutBucketObjectLockConfiguration",
|
|
|
|
"s3:ReplicateDelete"
|
|
|
|
],
|
|
|
|
"Resource": [
|
|
|
|
"arn:aws:s3:::*tf-state*",
|
|
|
|
"arn:aws:s3:::*terraform-state*"
|
|
|
|
]
|
|
|
|
}
|
|
|
|
]
|
|
|
|
}
|
|
|
|
EOF
|
|
|
|
)"
|
|
|
|
|
|
|
|
timestamp "Generating DynamoDB policy '$dynamodb_policy' policy document"
|
|
|
|
dynamodb_policy_document="$(cat <<EOF
|
|
|
|
{
|
|
|
|
"Version": "2012-10-17",
|
|
|
|
"Statement": [
|
|
|
|
{
|
|
|
|
"Sid": "TerraformLock",
|
|
|
|
"Effect": "Allow",
|
|
|
|
"Action": [
|
|
|
|
"dynamodb:PutItem",
|
|
|
|
"dynamodb:DeleteItem"
|
|
|
|
],
|
|
|
|
"Resource": [
|
|
|
|
"arn:aws:dynamodb:*:$aws_account_id:table/*terraform-state*",
|
|
|
|
"arn:aws:dynamodb:*:$aws_account_id:table/*tf-state*"
|
|
|
|
]
|
|
|
|
}
|
|
|
|
]
|
|
|
|
}
|
|
|
|
EOF
|
|
|
|
)"
|
|
|
|
|
|
|
|
echo
|
|
|
|
|
|
|
|
create_policy(){
|
|
|
|
local policy="$1"
|
|
|
|
local policy_document="$2"
|
|
|
|
timestamp "Checking if policy '$policy' exists"
|
|
|
|
set +o pipefail # early termination from the pipeline will fail the check otherwise
|
|
|
|
if aws iam list-policies | jq -r '.Policies[].PolicyName' | grep -Fxq "$policy"; then
|
|
|
|
timestamp "WARNING: policy '$policy' already exists, not creating..."
|
|
|
|
else
|
|
|
|
timestamp "Creating Terraform DynamoDB Policy '$policy'"
|
|
|
|
aws iam create-policy --policy-name "$policy" --policy-document "$policy_document"
|
|
|
|
timestamp "DynamoDB policy created"
|
|
|
|
fi
|
|
|
|
set -o pipefail
|
|
|
|
echo
|
|
|
|
}
|
|
|
|
|
|
|
|
attach_policy(){
|
|
|
|
local policy="$1"
|
|
|
|
timestamp "Attaching policy '$policy' to user '$user'"
|
|
|
|
timestamp "Determining ARN for policy '$policy'"
|
|
|
|
policy_arn="$(aws iam list-policies | jq -r ".Policies[] | select(.PolicyName == \"$policy\") | .Arn")"
|
|
|
|
timestamp "Determined policy ARN: $policy_arn"
|
|
|
|
timestamp "Granting policy '$policy' permissions directly to user '$user' in account '$aws_account_id'"
|
|
|
|
aws iam attach-user-policy --user-name "$user" --policy-arn "$policy_arn"
|
|
|
|
echo
|
|
|
|
}
|
|
|
|
|
|
|
|
create_policy "$dynamodb_policy" "$dynamodb_policy_document"
|
|
|
|
create_policy "$s3_policy" "$s3_policy_document"
|
|
|
|
attach_policy "$dynamodb_policy"
|
|
|
|
attach_policy "$s3_policy"
|