updating variables and policies (#14)

* updating variables and policies * [pre-commit.ci lite] apply automatic fixes --------- Co-authored-by: pre-commit-ci-lite[bot] <117423508+pre-commit-ci-lite[bot]@users.noreply.github.com>
CMS-Enterprise · Feb 9, 2024 · 6956bc9 · 6956bc9
1 parent 8303945
commit 6956bc9
Show file tree

Hide file tree

Showing 3 changed files with 145 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -22,24 +22,33 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_iam_policy.cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.secrets-manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.sops](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.sqs_read_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.tags](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.insights_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.secrets-manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.sops](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.sqs_read_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.tags](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_policy_document.cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.secrets-manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.sops](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.sqs_read_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.tags](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
@@ -49,11 +58,14 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_app_name"></a> [app\_name](#input\_app\_name) | App name (ie. Flux, Velero, etc.) | `string` | `""` | no |
 | <a name="input_assume_role_condition_test"></a> [assume\_role\_condition\_test](#input\_assume\_role\_condition\_test) | Name of the [IAM condition operator](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) to evaluate when assuming the role | `string` | `"StringEquals"` | no |
+| <a name="input_attach_cloudwatch_policy"></a> [attach\_cloudwatch\_policy](#input\_attach\_cloudwatch\_policy) | Determines whether to attach the cloudwatch permissions to the role | `bool` | `false` | no |
 | <a name="input_attach_dynamodb_policy"></a> [attach\_dynamodb\_policy](#input\_attach\_dynamodb\_policy) | Determines whether to attach the dynamodb policy to the role | `bool` | `false` | no |
+| <a name="input_attach_ec2_policy"></a> [attach\_ec2\_policy](#input\_attach\_ec2\_policy) | Determines whether to attach the ec2 permissions to the role | `bool` | `false` | no |
 | <a name="input_attach_insights_policy"></a> [attach\_insights\_policy](#input\_attach\_insights\_policy) | Determines whether to attach the CloudWatch Insights policy to the role | `bool` | `false` | no |
 | <a name="input_attach_s3_policy"></a> [attach\_s3\_policy](#input\_attach\_s3\_policy) | Determines whether to attach the S3 to the role | `bool` | `false` | no |
 | <a name="input_attach_secretsmanager_policy"></a> [attach\_secretsmanager\_policy](#input\_attach\_secretsmanager\_policy) | Determines whether to attach the secrets manager permissions to the role | `bool` | `false` | no |
 | <a name="input_attach_sops_policy"></a> [attach\_sops\_policy](#input\_attach\_sops\_policy) | Determines whether to attach the SOPS policy to the role | `bool` | `false` | no |
+| <a name="input_attach_tags_policy"></a> [attach\_tags\_policy](#input\_attach\_tags\_policy) | Determines whether to attach the tags permissions to the role | `bool` | `false` | no |
 | <a name="input_create_role"></a> [create\_role](#input\_create\_role) | Whether to create a role | `bool` | `true` | no |
 | <a name="input_dynamodb_arn"></a> [dynamodb\_arn](#input\_dynamodb\_arn) | Dynamodb table to allow access to | `string` | `""` | no |
 | <a name="input_force_detach_policies"></a> [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `true` | no |

diff --git a/policies.tf b/policies.tf
@@ -185,6 +185,118 @@ resource "aws_iam_role_policy_attachment" "insights_policy" {
   policy_arn = "arn:${local.partition}:iam::aws:policy/CloudWatchAgentServerPolicy"
 }
 
+################################################################################
+# CloudWatch Policy for Grafana
+################################################################################
+data "aws_iam_policy_document" "cloudwatch" {
+  count = var.create_role && var.attach_cloudwatch_policy ? 1 : 0
+
+  statement {
+    sid = "AllowReadingMetricsAndLogsFromCloudWatch"
+    actions = [
+      "cloudwatch:DescribeAlarmsForMetric",
+      "cloudwatch:DescribeAlarmHistory",
+      "cloudwatch:DescribeAlarms",
+      "cloudwatch:ListMetrics",
+      "cloudwatch:GetMetricData",
+      "cloudwatch:GetInsightRuleReport",
+      "logs:DescribeLogGroups",
+      "logs:GetLogGroupFields",
+      "logs:StartQuery",
+      "logs:StopQuery",
+      "logs:GetQueryResults",
+      "logs:GetLogEvents"
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "cloudwatch" {
+  count = var.create_role && var.attach_cloudwatch_policy ? 1 : 0
+
+  name_prefix = "${var.policy_name_prefix}${var.app_name}-"
+  path        = var.role_path
+  description = "Interact with CloudWatch"
+  policy      = data.aws_iam_policy_document.cloudwatch[0].json
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "cloudwatch" {
+  count = var.create_role && var.attach_cloudwatch_policy ? 1 : 0
+
+  role       = aws_iam_role.this[0].name
+  policy_arn = aws_iam_policy.cloudwatch[0].arn
+}
+
+################################################################################
+# EC2 Policy for Grafana
+################################################################################
+data "aws_iam_policy_document" "ec2" {
+  count = var.create_role && var.attach_ec2_policy ? 1 : 0
+
+  statement {
+    sid = "AllowReadingTagsInstancesRegionsFromEC2"
+    actions = [
+      "ec2:DescribeTags",
+      "ec2:DescribeInstances",
+      "ec2:DescribeRegions"
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "ec2" {
+  count = var.create_role && var.attach_ec2_policy ? 1 : 0
+
+  name_prefix = "${var.policy_name_prefix}${var.app_name}-"
+  path        = var.role_path
+  description = "Interact with EC2"
+  policy      = data.aws_iam_policy_document.ec2[0].json
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "ec2" {
+  count = var.create_role && var.attach_ec2_policy ? 1 : 0
+
+  role       = aws_iam_role.this[0].name
+  policy_arn = aws_iam_policy.ec2[0].arn
+}
+
+################################################################################
+# Tags Policy for Grafana
+################################################################################
+data "aws_iam_policy_document" "tags" {
+  count = var.create_role && var.attach_tags_policy ? 1 : 0
+
+  statement {
+    sid = "AllowReadingResourcesForTags"
+    actions = [
+      "tag:GetResources"
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "tags" {
+  count = var.create_role && var.attach_tags_policy ? 1 : 0
+
+  name_prefix = "${var.policy_name_prefix}${var.app_name}-"
+  path        = var.role_path
+  description = "Interact with tags"
+  policy      = data.aws_iam_policy_document.tags[0].json
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "tags" {
+  count = var.create_role && var.attach_tags_policy ? 1 : 0
+
+  role       = aws_iam_role.this[0].name
+  policy_arn = aws_iam_policy.tags[0].arn
+}
+
 ################################################################################
 # SQS Policy
 ################################################################################

diff --git a/variables.tf b/variables.tf
@@ -149,3 +149,24 @@ variable "sqs_read_write_arns" {
   type        = list(string)
   default     = []
 }
+
+# Cloudwatch
+variable "attach_cloudwatch_policy" {
+  description = "Determines whether to attach the cloudwatch permissions to the role"
+  type        = bool
+  default     = false
+}
+
+# EC2
+variable "attach_ec2_policy" {
+  description = "Determines whether to attach the ec2 permissions to the role"
+  type        = bool
+  default     = false
+}
+
+# Tags
+variable "attach_tags_policy" {
+  description = "Determines whether to attach the tags permissions to the role"
+  type        = bool
+  default     = false
+}