From ff98dfafca2bf072bcbc5d078c9af5ab19a3d564 Mon Sep 17 00:00:00 2001 From: tylerthome Date: Tue, 15 Oct 2024 17:12:08 -0700 Subject: [PATCH] huu svc acct with cognito access --- terraform-incubator/home-unite-us/dev/ecs.tf | 1 + terraform-incubator/home-unite-us/dev/iam.tf | 367 ++++++++++--------- 2 files changed, 192 insertions(+), 176 deletions(-) diff --git a/terraform-incubator/home-unite-us/dev/ecs.tf b/terraform-incubator/home-unite-us/dev/ecs.tf index 84984dc..04d78c7 100644 --- a/terraform-incubator/home-unite-us/dev/ecs.tf +++ b/terraform-incubator/home-unite-us/dev/ecs.tf @@ -22,6 +22,7 @@ resource "aws_iam_policy" "ecs_shell_dev" { }) } + # enables: # aws ecs execute-command --cluster incubator-prod --container homeuniteus --task bea9b5813b5f42db8191b723ab9e6d9c --command /bin/bash --interactive resource "aws_iam_role_policy_attachment" "ecs_shell_dev" { diff --git a/terraform-incubator/home-unite-us/dev/iam.tf b/terraform-incubator/home-unite-us/dev/iam.tf index d959e00..2f2a8ac 100644 --- a/terraform-incubator/home-unite-us/dev/iam.tf +++ b/terraform-incubator/home-unite-us/dev/iam.tf @@ -1,176 +1,191 @@ - -data "aws_iam_user" "appadmin" { - user_name = "tyler.thome" -} - -resource "aws_iam_policy" "homeuniteus_manage_ecr" { - name = "ManageHomeUniteUsECR" - description = "Manage the homeuniteus ECR" - policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Sid = "ListImagesInRepository", - Effect = "Allow", - Action = [ - "ecr:ListImages" - ], - Resource = aws_ecr_repository.this.arn - }, - { - "Sid" : "ViewAndUpdateAccessKeys", - "Effect" : "Allow", - "Action" : [ - "iam:UpdateAccessKey", - "iam:CreateAccessKey", - "iam:ListAccessKeys" - ], - "Resource" : data.aws_iam_user.appadmin.arn - }, - { - Sid = "GetAuthorizationToken", - Effect = "Allow", - Action = [ - "ecr:GetAuthorizationToken" - ], - Resource = "*" - }, - { - Sid = "ManageRepositoryContents", - Effect = "Allow", - Action = [ - "ecr:BatchCheckLayerAvailability", - "ecr:GetDownloadUrlForLayer", - "ecr:GetRepositoryPolicy", - "ecr:DescribeRepositories", - "ecr:ListImages", - "ecr:DescribeImages", - "ecr:BatchGetImage", - "ecr:InitiateLayerUpload", - "ecr:UploadLayerPart", - "ecr:CompleteLayerUpload", - "ecr:PutImage" - ], - Resource = aws_ecr_repository.this.arn - }, - { - Sid = "ManageHomeUniteUsCognito", - Effect = "Allow", - Action = [ - "ecr:BatchCheckLayerAvailability", - "ecr:GetDownloadUrlForLayer", - "ecr:GetRepositoryPolicy", - "ecr:DescribeRepositories", - "ecr:ListImages", - "ecr:DescribeImages", - "ecr:BatchGetImage", - "ecr:InitiateLayerUpload", - "ecr:UploadLayerPart", - "ecr:CompleteLayerUpload", - "ecr:PutImage" - ], - Resource = aws_ecr_repository.this.arn - }, - { - Effect = "Allow", - Action = [ - "cognito-identity:*", - "cognito-idp:*", - "cognito-sync:*", - "iam:ListRoles", - "iam:ListOpenIdConnectProviders", - "iam:GetRole", - "iam:ListSAMLProviders", - "iam:GetSAMLProvider", - "kinesis:ListStreams", - "lambda:GetPolicy", - "lambda:ListFunctions", - "sns:GetSMSSandboxAccountStatus", - "sns:ListPlatformApplications", - "ses:ListIdentities", - "ses:GetIdentityVerificationAttributes", - "mobiletargeting:GetApps", - "acm:ListCertificates" - ], - Resource = aws_cognito_user_pool.homeuniteus.arn - }, - { - Effect = "Allow", - Action = "iam:CreateServiceLinkedRole", - Resource = aws_cognito_user_pool.homeuniteus.arn, - Condition = { - StringEquals = { - "iam:AWSServiceName" = [ - "cognito-idp.amazonaws.com", - "email.cognito-idp.amazonaws.com" - ] - } - } - }, - { - Effect = "Allow", - Action = [ - "iam:DeleteServiceLinkedRole", - "iam:GetServiceLinkedRoleDeletionStatus" - ], - Resource = [ - "arn:aws:iam::*:role/aws-service-role/cognito-idp.amazonaws.com/AWSServiceRoleForAmazonCognitoIdp*", - "arn:aws:iam::*:role/aws-service-role/email.cognito-idp.amazonaws.com/AWSServiceRoleForAmazonCognitoIdpEmail*" - ] - }, - { - Effect = "Allow", - Action = [ - "cloudshell:CreateEnvironment", - "cloudshell:GetEnvironmentStatus", - "cloudshell:CreateSession" - ], - Resource = [ - "*", - ] - }, - { - Effect = "Allow", - Action = [ - "ecs:ExecuteCommand" - ], - Resource = [ - "arn:aws:ecs:us-west-2:035866691871:cluster/incubator-prod", - "arn:aws:ecs:us-west-2:035866691871:task/incubator-prod/*" - ] - } - //arn:aws:cloudshell:us-west-2:035866691871:environment/642f2b30-d2dd-4fc6-95ad-3e32b4163d23 - # , - # { - # Sid = "ShellEcsContainerTask", - # Effect = "Allow", - # Action = [ - # "ecs:ExecuteCommand", - # ], - # Resource = "arn:aws:ecs:us-west-2:035866691871:cluster/incubator-prod" - # }, - # { - # Sid = "ShellEcsContainer", - # Effect = "Allow", - # Action = [ - # "ecs:ExecuteCommand", - # ], - # Resource = "arn:aws:ecs:us-west-2:035866691871:task/incubator-prod/48f95a3b35de4198a637827d6b020c37" - # } - ] - }) -} - -# Attaching a policy to the role -resource "aws_iam_user_policy_attachment" "homeuniteus_manage_ecr_tyler" { - user = data.aws_iam_user.appadmin.user_name - policy_arn = aws_iam_policy.homeuniteus_manage_ecr.arn -} - -# Attaching a policy to the role -resource "aws_iam_user_policy_attachment" "homeuniteus_cloudshell_admin" { - user = data.aws_iam_user.appadmin.user_name - policy_arn = "arn:aws:iam::aws:policy/AWSCloudShellFullAccess" -} - -//arn:aws:iam::aws:policy/AWSCloudShellFullAccess \ No newline at end of file + +data "aws_iam_user" "appadmin" { + user_name = "tyler.thome" +} + +resource "aws_iam_policy" "homeuniteus_manage_ecr" { + name = "ManageHomeUniteUsECR" + description = "Manage the homeuniteus ECR" + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Sid = "ListImagesInRepository", + Effect = "Allow", + Action = [ + "ecr:ListImages" + ], + Resource = aws_ecr_repository.this.arn + }, + { + "Sid" : "ViewAndUpdateAccessKeys", + "Effect" : "Allow", + "Action" : [ + "iam:UpdateAccessKey", + "iam:CreateAccessKey", + "iam:ListAccessKeys" + ], + "Resource" : data.aws_iam_user.appadmin.arn + }, + { + Sid = "GetAuthorizationToken", + Effect = "Allow", + Action = [ + "ecr:GetAuthorizationToken" + ], + Resource = "*" + }, + { + Sid = "ManageRepositoryContents", + Effect = "Allow", + Action = [ + "ecr:BatchCheckLayerAvailability", + "ecr:GetDownloadUrlForLayer", + "ecr:GetRepositoryPolicy", + "ecr:DescribeRepositories", + "ecr:ListImages", + "ecr:DescribeImages", + "ecr:BatchGetImage", + "ecr:InitiateLayerUpload", + "ecr:UploadLayerPart", + "ecr:CompleteLayerUpload", + "ecr:PutImage" + ], + Resource = aws_ecr_repository.this.arn + }, + { + Sid = "ManageHomeUniteUsCognito", + Effect = "Allow", + Action = [ + "ecr:BatchCheckLayerAvailability", + "ecr:GetDownloadUrlForLayer", + "ecr:GetRepositoryPolicy", + "ecr:DescribeRepositories", + "ecr:ListImages", + "ecr:DescribeImages", + "ecr:BatchGetImage", + "ecr:InitiateLayerUpload", + "ecr:UploadLayerPart", + "ecr:CompleteLayerUpload", + "ecr:PutImage" + ], + Resource = aws_ecr_repository.this.arn + }, + { + Effect = "Allow", + Action = [ + "cognito-identity:*", + "cognito-idp:*", + "cognito-sync:*", + "iam:ListRoles", + "iam:ListOpenIdConnectProviders", + "iam:GetRole", + "iam:ListSAMLProviders", + "iam:GetSAMLProvider", + "kinesis:ListStreams", + "lambda:GetPolicy", + "lambda:ListFunctions", + "sns:GetSMSSandboxAccountStatus", + "sns:ListPlatformApplications", + "ses:ListIdentities", + "ses:GetIdentityVerificationAttributes", + "mobiletargeting:GetApps", + "acm:ListCertificates" + ], + Resource = aws_cognito_user_pool.homeuniteus.arn + }, + { + Effect = "Allow", + Action = "iam:CreateServiceLinkedRole", + Resource = aws_cognito_user_pool.homeuniteus.arn, + Condition = { + StringEquals = { + "iam:AWSServiceName" = [ + "cognito-idp.amazonaws.com", + "email.cognito-idp.amazonaws.com" + ] + } + } + }, + { + Effect = "Allow", + Action = [ + "iam:DeleteServiceLinkedRole", + "iam:GetServiceLinkedRoleDeletionStatus" + ], + Resource = [ + "arn:aws:iam::*:role/aws-service-role/cognito-idp.amazonaws.com/AWSServiceRoleForAmazonCognitoIdp*", + "arn:aws:iam::*:role/aws-service-role/email.cognito-idp.amazonaws.com/AWSServiceRoleForAmazonCognitoIdpEmail*" + ] + }, + { + Effect = "Allow", + Action = [ + "cloudshell:CreateEnvironment", + "cloudshell:GetEnvironmentStatus", + "cloudshell:CreateSession" + ], + Resource = [ + "*", + ] + }, + { + Effect = "Allow", + Action = [ + "ecs:ExecuteCommand" + ], + Resource = [ + "arn:aws:ecs:us-west-2:035866691871:cluster/incubator-prod", + "arn:aws:ecs:us-west-2:035866691871:task/incubator-prod/*" + ] + } + //arn:aws:cloudshell:us-west-2:035866691871:environment/642f2b30-d2dd-4fc6-95ad-3e32b4163d23 + # , + # { + # Sid = "ShellEcsContainerTask", + # Effect = "Allow", + # Action = [ + # "ecs:ExecuteCommand", + # ], + # Resource = "arn:aws:ecs:us-west-2:035866691871:cluster/incubator-prod" + # }, + # { + # Sid = "ShellEcsContainer", + # Effect = "Allow", + # Action = [ + # "ecs:ExecuteCommand", + # ], + # Resource = "arn:aws:ecs:us-west-2:035866691871:task/incubator-prod/48f95a3b35de4198a637827d6b020c37" + # } + ] + }) +} + +# Attaching a policy to the role +resource "aws_iam_user_policy_attachment" "homeuniteus_manage_ecr_tyler" { + user = data.aws_iam_user.appadmin.user_name + policy_arn = aws_iam_policy.homeuniteus_manage_ecr.arn +} + +# Attaching a policy to the role +resource "aws_iam_user_policy_attachment" "homeuniteus_cloudshell_admin" { + user = data.aws_iam_user.appadmin.user_name + policy_arn = "arn:aws:iam::aws:policy/AWSCloudShellFullAccess" +} + +//arn:aws:iam::aws:policy/AWSCloudShellFullAccess + + +resource "aws_iam_user" "homeuniteus_app" { + name = "homeuniteus-app" +} + +resource "aws_iam_access_key" "homeuniteus_app" { + user = aws_iam_user.homeuniteus_app.name +} + +# Attaching a policy to the role +resource "aws_iam_user_policy_attachment" "homeuniteus_cloudshell_admin" { + user = aws_iam_user.homeuniteus_app.user_name + policy_arn = "arn:aws:iam::aws:policy/AmazonCognitoPowerUser" +}