Adds an IAM policy example to the README #15
base: main
Conversation
…um permissions required to apply the module.
I added some changes needed for the process of moving the state to AWS and for working with that state remotely
"s3:PutBucketVersioning", | ||
"s3:PutEncryptionConfiguration" | ||
], | ||
"Resource": ["arn:aws:s3:::example-remote-state-backend"] |
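Review bot: the Resource here is the bare bucket ARN, which is correct for the bucket-configuration actions in this statement (s3:PutBucketVersioning, s3:PutEncryptionConfiguration) but will never match an object-level request; the s3:PutObject and state-object ARN that the review asks for belong in a separate statement whose Resource is the object path, e.g. "arn:aws:s3:::example-remote-state-backend/<state-key>", so the example stays least-privilege: configuration rights on the bucket, read/write rights on the single state key.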
Add the logging bucket in the resource:
example-logging
Add the state object that will be moved from local to s3:
"arn:aws:s3:::example-remote-state-backend/eample-account.tfstate"
"s3:PutBucketPublicAccessBlock", | ||
"s3:PutBucketTagging", | ||
"s3:PutBucketVersioning", | ||
"s3:PutEncryptionConfiguration" |
add "s3:PutLifecycleConfiguration"
needed for the logging bucket
and "s3:PutObject"
Needed for moving the state from local to s3
"dynamodb:DescribeContinuousBackups", | ||
"dynamodb:DescribeTable", | ||
"dynamodb:DescribeTimeToLive", | ||
"dynamodb:ListTagsOfResource", |
add "dynamodb:PutItem",
Needed for re-init terraform using remote values
"dynamodb:CreateTable", | ||
"dynamodb:DescribeContinuousBackups", | ||
"dynamodb:DescribeTable", | ||
"dynamodb:DescribeTimeToLive", |
add "dynamodb:GetItem",
Needed for re-init terraform using the remote values
{ | ||
"Sid": "CreateKMSKeyStatement2", | ||
"Effect": "Allow", | ||
"Action": [ |
add "kms:Decrypt",
Needed for re-init terraform using the remote values
"Effect": "Allow", | ||
"Action": [ | ||
"kms:DescribeKey", | ||
"kms:EnableKeyRotation", |
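Review bot: kms:DescribeKey and kms:EnableKeyRotation are key-management actions exercised when the module creates the key, whereas the kms:Decrypt and kms:GenerateDataKey the review asks for are data-plane actions used on every state read and write once the bucket is encrypted with SSE-KMS; put them in their own statement restricted to the state key's ARN (optionally with a kms:ViaService condition for S3) rather than widening this statement, and say in the README that they are needed for normal operation of the backend, not only for the migration.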
add "kms:GenerateDataKey",
Needed for moving the state from local to s3
"s3:GetBucketVersioning", | ||
"s3:GetBucketWebsite", | ||
"s3:GetEncryptionConfiguration", | ||
"s3:GetLifecycleConfiguration", |
add
"s3:GetObject",
"s3:GetObjectVersion",
Needed for moving the state from local to s3
"Sid": "CreateTfStateLockTableStatement1", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"dynamodb:CreateTable", |
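Review bot: this statement is named for creating the lock table, but the lock itself is taken and released with dynamodb:PutItem, dynamodb:GetItem and dynamodb:DeleteItem on every plan or apply that uses the backend, so a role holding only the actions shown will be denied on its first lock attempt; add those three item-level actions in a separate statement scoped to the lock table ARN rather than folding them into this CreateTable statement, which is exercised only once.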
add "dynamodb:DeleteItem",
to work with the remote state
I appreciate all of your feedback. When I created this example policy, I specifically targeted only the actions required to apply the module. Some of the actions you've suggested are required to perform the actual migration to remote state, which are in the official documentation here: https://developer.hashicorp.com/terraform/language/settings/backends/s3. I believe it would be good to provide a separate policy example in this README that also demonstrates the actions required to perform the migration, but I do not think they should be included in the original policy example. As for the actions that allow you to manipulate/mutate the remote state, I agree that they should be added to the original example policy. What do you think?
I agree with that, seems good to have it separate
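As an added example (not code from this repository, nor from either participant in the thread), the following Python script applies the two points raised above to a policy document: it lists the backend actions an Allow statement never covers, and it flags object-level S3 actions that are granted only on a bare bucket ARN, where IAM will never match them. The required-action set is an assumption drawn from the actions discussed in this review; the sample policy, the account id 111122223333, the lock table name and the state key are constructed for the demonstration and are not from the README under review.

```python
"""Lint an IAM policy for the permissions a Terraform s3 backend actually uses.

Added example for this review thread, not code from the repository. The
required-action set is an assumption taken from the review discussion; the
sample policy and its account id, table name and state key are constructed.
"""
import copy
import fnmatch
import json

# Actions the s3 backend exercises on every plan/apply that reads or writes
# remote state and takes the DynamoDB lock (assumed set, per the review).
BACKEND_ACTIONS = {
    "s3:ListBucket", "s3:GetObject", "s3:PutObject",
    "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem",
}

# S3 actions that IAM evaluates against an object ARN (bucket/key or
# bucket/*); a grant on the bare bucket ARN never matches them.
OBJECT_LEVEL_S3 = {"s3:GetObject", "s3:GetObjectVersion",
                   "s3:PutObject", "s3:DeleteObject"}


def _listify(value):
    """IAM accepts either a string or a list in Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def allow_grants(policy):
    """Return every (action pattern, resource) pair from Allow statements."""
    pairs = []
    for stmt in _listify(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _listify(stmt.get("Action", [])):
            for resource in _listify(stmt.get("Resource", [])):
                pairs.append((pattern, resource))
    return pairs


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _covers_objects(resource):
    """True if an S3 resource ARN can match object ARNs (key part or trailing *)."""
    return resource == "*" or "/" in resource or resource.endswith("*")


def missing_actions(policy, required=BACKEND_ACTIONS):
    """Required actions that no Allow statement covers, sorted."""
    grants = allow_grants(policy)
    return sorted(a for a in required
                  if not any(_matches(p, a) for p, _ in grants))


def object_actions_on_bucket_arn(policy):
    """Object-level S3 actions granted only on a bucket ARN: silently ineffective."""
    grants = allow_grants(policy)
    findings = []
    for action in sorted(OBJECT_LEVEL_S3):
        bucket_only = [r for p, r in grants if _matches(p, action)
                       and r.startswith("arn:aws:s3:::") and not _covers_objects(r)]
        object_scoped = [r for p, r in grants if _matches(p, action)
                         and _covers_objects(r)]
        if bucket_only and not object_scoped:
            findings.extend((action, r) for r in bucket_only)
    return findings


# Constructed sample resembling the shape under review: bucket-configuration
# actions plus s3:PutObject on the bare bucket ARN, and only table-level
# actions on the lock table. Account id and table name are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "CreateStateBucket", "Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetBucketVersioning", "s3:PutBucketVersioning",
                "s3:PutEncryptionConfiguration", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::example-remote-state-backend"]},
    {"Sid": "CreateTfStateLockTable", "Effect": "Allow",
     "Action": ["dynamodb:CreateTable", "dynamodb:DescribeTable", "dynamodb:ListTagsOfResource"],
     "Resource": ["arn:aws:dynamodb:us-east-1:111122223333:table/example-tfstate-lock"]}
  ]
}
""")


def hardened_policy(policy):
    """Copy of the policy with object and lock-item actions moved into their own
    narrowly scoped statements (state key and lock table are constructed names)."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"] = _listify(fixed["Statement"])
    for stmt in fixed["Statement"]:
        stmt["Action"] = [a for a in _listify(stmt["Action"]) if a not in OBJECT_LEVEL_S3]
    fixed["Statement"] += [
        {"Sid": "ReadWriteStateObject", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::example-remote-state-backend/example-account.tfstate"]},
        {"Sid": "StateLockItems", "Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"],
         "Resource": ["arn:aws:dynamodb:us-east-1:111122223333:table/example-tfstate-lock"]},
    ]
    return fixed


if __name__ == "__main__":
    for name, pol in (("original", SAMPLE_POLICY), ("hardened", hardened_policy(SAMPLE_POLICY))):
        print(name, "missing:", missing_actions(pol),
              "| object actions on bucket ARN:", object_actions_on_bucket_arn(pol))
```

Running it on the constructed sample reports the three lock-item actions and s3:GetObject as missing and flags s3:PutObject as granted only on the bucket ARN; the hardened copy reports nothing, which is the split the maintainer describes above: the module-apply policy keeps the bucket and table configuration rights, and the state read/write and lock actions sit in their own statements scoped to the one state key and the one lock table.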