
Adds an IAM policy example to the README #15

Status: Open. Wants to merge 1 commit into base: main.

Conversation

dickc-sg (Contributor)

Change description

Adds an example IAM policy to the README that defines the minimum IAM actions required to apply this module for the first time.

This is intended to accelerate the use of this module in environments with strict IAM policy and role requirements.

Type of change

  • Bug fix (fixes an issue)
  • New feature (adds functionality)

Checklists

Development

  • Lint rules pass locally
  • Application changes have been tested thoroughly
  • Automated tests covering modified code pass

Security

  • Security impact of change has been considered
  • Code follows company security practices and guidelines

Code review

  • Pull request has a descriptive title and context useful to a reviewer. Screenshots or screencasts are attached as necessary
  • "Ready for review" label attached and reviewers assigned
  • Changes have been reviewed by at least one other contributor
  • Pull request linked to task tracker where applicable

…um permissions required to apply the module.
dickc-sg added the "Ready for review" label (PR needs peer review to merge) on Feb 14, 2024
jheison-rodriguez (Contributor) left a comment

I added some changes needed for the process of moving the state to AWS and for working with that state remotely.

"s3:PutBucketVersioning",
"s3:PutEncryptionConfiguration"
],
"Resource": ["arn:aws:s3:::example-remote-state-backend"]

Add the logging bucket in Resource:
example-logging

Add the state object that will be moved from local to s3:
"arn:aws:s3:::example-remote-state-backend/eample-account.tfstate"

"s3:PutBucketPublicAccessBlock",
"s3:PutBucketTagging",
"s3:PutBucketVersioning",
"s3:PutEncryptionConfiguration"

add "s3:PutLifecycleConfiguration"
needed for logging bucket

and "s3:PutObject"
Needed for moving the state form local to s3

"dynamodb:DescribeContinuousBackups",
"dynamodb:DescribeTable",
"dynamodb:DescribeTimeToLive",
"dynamodb:ListTagsOfResource",

add "dynamodb:PutItem",

Needed for re-init terraform using remote values

"dynamodb:CreateTable",
"dynamodb:DescribeContinuousBackups",
"dynamodb:DescribeTable",
"dynamodb:DescribeTimeToLive",

add "dynamodb:GetItem",
Needed for re-init terraform using the remote values

{
"Sid": "CreateKMSKeyStatement2",
"Effect": "Allow",
"Action": [

add "kms:Decrypt",
Needed for re-init terraform using the remote values

"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:EnableKeyRotation",

add "kms:GenerateDataKey",
Needed for moving the state form local to s3

"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetLifecycleConfiguration",

add
"s3:GetObject",
"s3:GetObjectVersion",
Needed for moving the state from local to s3

"Sid": "CreateTfStateLockTableStatement1",
"Effect": "Allow",
"Action": [
"dynamodb:CreateTable",

add "dynamodb:DeleteItem",
to work with the remote state

dickc-sg (Contributor, Author) commented Apr 15, 2024

I appreciate all of your feedback. When I created this example policy, I specifically targeted only the actions required to apply the module. Some of the actions you've suggested are required to perform the actual migration to remote state, which are in the official documentation here: https://developer.hashicorp.com/terraform/language/settings/backends/s3.

I believe it would be good to provide a separate policy example in this README that also demonstrates the actions required to perform the migration, but I do not think they should be included in the original policy example.

As for the actions that allow you to manipulate/mutate the remote state, I agree that they should be added to the original example policy.

What do you think?

jheison-rodriguez (Contributor)

I agree with that; it seems good to have it separate.
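The thread above turns on two checks a reviewer would want to run against any policy example that lands in the README: that object-level S3 actions are scoped to an object ARN and not just the bucket ARN, and that the apply-only policy and the migration policy actually differ by the set of actions the review lists. The script below is an added example, not code from this PR or the module's README; it parses a policy document with the standard library and reports both. The sample policy, the account id, the bucket and table names, and the `MIGRATION_ACTIONS` list (assembled from the review comments and assumed to be the complete set) are constructed for the example.

```python
"""Static checks for a Terraform-backend IAM policy document (added example).

Reads a policy JSON document, walks its Allow statements and reports:
  1. object-level S3 actions granted only against a bucket ARN (an object
     ARN of the form arn:aws:s3:::bucket/key is needed for them to apply),
  2. statements whose Resource is the wildcard "*",
  3. required actions that no statement grants (used to diff an apply-only
     policy against the extra actions a local-to-S3 state migration needs).
Sample policy, account id, bucket and table names are constructed."""
import copy
import fnmatch
import json

# S3 actions that operate on objects rather than buckets (constructed subset).
OBJECT_LEVEL_S3_ACTIONS = ("s3:DeleteObject", "s3:GetObject",
                           "s3:GetObjectVersion", "s3:PutObject")

# Actions the review asks for on top of the apply-only policy. Assembled from
# the review comments; assumed here to be the complete migration list.
MIGRATION_ACTIONS = (
    "s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
    "dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:DeleteItem",
    "kms:Decrypt", "kms:GenerateDataKey",
)

# Constructed apply-only policy with the bucket-ARN-only mistake baked in.
SAMPLE_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "StateBucket", "Effect": "Allow",
     "Action": ["s3:CreateBucket", "s3:PutBucketVersioning",
                "s3:PutEncryptionConfiguration", "s3:PutObject", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::example-remote-state-backend"]},
    {"Sid": "LockTable", "Effect": "Allow",
     "Action": ["dynamodb:CreateTable", "dynamodb:DescribeTable",
                "dynamodb:PutItem", "dynamodb:GetItem"],
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/example-tf-lock"},
    {"Sid": "StateKey", "Effect": "Allow",
     "Action": ["kms:DescribeKey", "kms:GenerateDataKey"],
     "Resource": "*"}
  ]
}"""
SAMPLE_POLICY = json.loads(SAMPLE_POLICY_JSON)

def _as_list(value):
    """IAM lets Statement, Action and Resource be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(action, pattern):
    """IAM action names are case-insensitive; patterns may contain * and ?."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def iter_allow_statements(policy):
    """Yield (sid, actions, resources) for each Allow statement.
    Deny statements and NotAction/NotResource are ignored by these checks."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            yield (stmt.get("Sid", "<no Sid>"),
                   _as_list(stmt.get("Action")),
                   _as_list(stmt.get("Resource")))

def _covers_s3_objects(resource):
    # Object ARNs carry a key after the bucket name; "*" covers everything.
    return resource == "*" or (resource.startswith("arn:aws:s3:::") and "/" in resource)

def find_misscoped_object_actions(policy):
    """Sorted (sid, action) pairs where an object-level S3 action has no object ARN."""
    findings = []
    for sid, actions, resources in iter_allow_statements(policy):
        if any(_covers_s3_objects(r) for r in resources):
            continue
        for obj_action in OBJECT_LEVEL_S3_ACTIONS:
            if any(_matches(obj_action, p) for p in actions):
                findings.append((sid, obj_action))
    return sorted(findings)

def find_wildcard_resources(policy):
    """Sids of Allow statements whose Resource is the wildcard "*"."""
    return sorted(sid for sid, _, res in iter_allow_statements(policy) if "*" in res)

def action_is_granted(policy, action):
    return any(_matches(action, p)
               for _, actions, _ in iter_allow_statements(policy) for p in actions)

def find_missing_actions(policy, required):
    """Required actions that no Allow statement grants, sorted."""
    return sorted(a for a in required if not action_is_granted(policy, a))

def with_object_resource(policy, sid, object_arn):
    """Copy of the policy with object_arn appended to statement `sid`
    (the fix the review asks for: list the state object next to the bucket)."""
    fixed = copy.deepcopy(policy)
    for stmt in _as_list(fixed.get("Statement")):
        if stmt.get("Sid") == sid:
            stmt["Resource"] = _as_list(stmt.get("Resource")) + [object_arn]
    return fixed

if __name__ == "__main__":
    import sys
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    print("object actions without object ARN:", find_misscoped_object_actions(policy))
    print("wildcard resources:", find_wildcard_resources(policy))
    print("missing for migration:", find_missing_actions(policy, MIGRATION_ACTIONS))
```

Run it with the path of a policy file as the only argument, or with no argument to check the constructed sample. On the sample it reports `s3:GetObject` and `s3:PutObject` in `StateBucket` as object actions with no object ARN, `StateKey` as a wildcard-resource statement, and `dynamodb:DeleteItem`, `kms:Decrypt` and `s3:GetObjectVersion` as the migration actions the apply-only policy does not grant. The checks deliberately ignore Deny statements and condition keys, so a clean result means the Allow side is scoped as intended, not that the policy is correct in every respect.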
