Merge pull request #7 from nozaq/iam-baseline

nozaq · web-flow · commit 1db79b2adbf9 · 2018-02-17T20:47:19.000+09:00
feat: add IAM baseline module
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -12,7 +12,7 @@ jobs:
           command: terraform init
       - run:
           name: Make sure the syntax is correct.
-          command: terraform validate -var access_key=DUMMY -var secret_key=DUMMY
+          command: terraform validate -var access_key=DUMMY -var secret_key=DUMMY -var iam_support_role_principal_arn=DUMMY
       - run:
           name: Make sure format wouldn't produce any diffs.
-          command: terraform fmt -check=true
+          command: terraform fmt -check=true
diff --git a/examples/root-example/main.tf b/examples/root-example/main.tf
@@ -9,9 +9,10 @@ data "aws_caller_identity" "current" {}
 module "root_example" {
   source = "../../"
 
-  audit_log_bucket_name = "${var.audit_s3_bucket_name}"
-  aws_account_id        = "${data.aws_caller_identity.current.account_id}"
-  region                = "${var.region}"
+  audit_log_bucket_name          = "${var.audit_s3_bucket_name}"
+  aws_account_id                 = "${data.aws_caller_identity.current.account_id}"
+  region                         = "${var.region}"
+  iam_support_role_principal_arn = "${var.iam_support_role_principal_arn}"
 
   providers = {
     "aws"                = "aws"
diff --git a/examples/root-example/variables.tf b/examples/root-example/variables.tf
@@ -1,10 +1,16 @@
 variable "access_key" {}
 variable "secret_key" {}
 
-variable "region" {
-  default = "us-east-1"
+variable "audit_s3_bucket_name" {
+  description = "The name of the S3 bucket to store various audit logs."
+  default     = "YOUR_BUCKET_NAME_HERE"
 }
 
-variable "audit_s3_bucket_name" {
-  default = "YOUR_BUCKET_NAME_HERE"
+variable "iam_support_role_principal_arn" {
+  description = "The ARN of the IAM principal element by which the support role could be assumed."
+}
+
+variable "region" {
+  description = "The AWS region in which global resources are set up."
+  default     = "us-east-1"
 }
diff --git a/main.tf b/main.tf
@@ -64,18 +64,28 @@ END_OF_POLICY
 }
 
 # --------------------------------------------------------------------------------------------------
-# IAM Password Policy
+# IAM Baseline
 # --------------------------------------------------------------------------------------------------
 
-resource "aws_iam_account_password_policy" "default" {
-  minimum_password_length        = 14
-  password_reuse_prevention      = 24
-  require_lowercase_characters   = true
-  require_numbers                = true
-  require_uppercase_characters   = true
-  require_symbols                = true
-  allow_users_to_change_password = true
-  max_password_age               = 90
+module "iam_baseline" {
+  source = "./modules/iam-baseline"
+
+  aws_account_id                 = "${var.aws_account_id}"
+  iam_master_role_name           = "${var.iam_master_role_name}"
+  iam_master_role_policy_name    = "${var.iam_master_role_policy_name}"
+  iam_manager_role_name          = "${var.iam_manager_role_name}"
+  iam_manager_role_policy_name   = "${var.iam_manager_role_policy_name}"
+  iam_support_role_name          = "${var.iam_support_role_name}"
+  iam_support_role_policy_name   = "${var.iam_support_role_policy_name}"
+  iam_support_role_principal_arn = "${var.iam_support_role_principal_arn}"
+  minimum_password_length        = "${var.minimum_password_length}"
+  password_reuse_prevention      = "${var.password_reuse_prevention}"
+  require_lowercase_characters   = "${var.require_lowercase_characters}"
+  require_numbers                = "${var.require_numbers}"
+  require_uppercase_characters   = "${var.require_uppercase_characters}"
+  require_symbols                = "${var.require_symbols}"
+  allow_users_to_change_password = "${var.allow_users_to_change_password}"
+  max_password_age               = "${var.max_password_age}"
 }
 
 # --------------------------------------------------------------------------------------------------
diff --git a/modules/iam-baseline/main.tf b/modules/iam-baseline/main.tf
@@ -0,0 +1,166 @@
+# --------------------------------------------------------------------------------------------------
+# Password Policy
+# --------------------------------------------------------------------------------------------------
+
+resource "aws_iam_account_password_policy" "default" {
+  minimum_password_length        = "${var.minimum_password_length}"
+  password_reuse_prevention      = "${var.password_reuse_prevention}"
+  require_lowercase_characters   = "${var.require_lowercase_characters}"
+  require_numbers                = "${var.require_numbers}"
+  require_uppercase_characters   = "${var.require_uppercase_characters}"
+  require_symbols                = "${var.require_symbols}"
+  allow_users_to_change_password = "${var.allow_users_to_change_password}"
+  max_password_age               = "${var.max_password_age}"
+}
+
+# --------------------------------------------------------------------------------------------------
+# Manager & Master Role Separation
+# --------------------------------------------------------------------------------------------------
+
+resource "aws_iam_role" "master" {
+  name = "${var.iam_master_role_name}"
+
+  assume_role_policy = <<END_OF_POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "AWS": "arn:aws:iam::${var.aws_account_id}:root"
+      }
+    }
+  ]
+}
+END_OF_POLICY
+}
+
+resource "aws_iam_role_policy" "master_policy" {
+  name = "${var.iam_master_role_policy_name}"
+
+  role = "${aws_iam_role.master.id}"
+
+  policy = <<END_OF_POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "iam:CreateGroup", "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:CreateRole", "iam:CreateUser",
+        "iam:DeleteGroup", "iam:DeletePolicy", "iam:DeletePolicyVersion", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DeleteUser",
+        "iam:PutRolePolicy",
+        "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:GetUser", "iam:GetUserPolicy",
+        "iam:ListEntitiesForPolicy", "iam:ListGroupPolicies", "iam:ListGroups", "iam:ListGroupsForUser",
+        "iam:ListPolicies", "iam:ListPoliciesGrantingServiceAccess", "iam:ListPolicyVersions",
+        "iam:ListRolePolicies", "iam:ListAttachedGroupPolicies", "iam:ListAttachedRolePolicies",
+        "iam:ListAttachedUserPolicies", "iam:ListRoles", "iam:ListUsers"
+      ],
+      "Resource": "*",
+      "Condition":  {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
+    }, {
+      "Effect": "Deny",
+      "Action": [
+        "iam:AddUserToGroup",
+        "iam:AttachGroupPolicy",
+        "iam:DeleteGroupPolicy", "iam:DeleteUserPolicy",
+        "iam:DetachGroupPolicy", "iam:DetachRolePolicy", "iam:DetachUserPolicy",
+        "iam:PutGroupPolicy", "iam:PutUserPolicy",
+        "iam:RemoveUserFromGroup",
+        "iam:UpdateGroup", "iam:UpdateAssumeRolePolicy", "iam:UpdateUser"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+END_OF_POLICY
+}
+
+resource "aws_iam_role" "manager" {
+  name = "${var.iam_manager_role_name}"
+
+  assume_role_policy = <<END_OF_POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "AWS": "arn:aws:iam::${var.aws_account_id}:root"
+      }
+    }
+  ]
+}
+END_OF_POLICY
+}
+
+resource "aws_iam_role_policy" "manager_policy" {
+  name = "${var.iam_manager_role_policy_name}"
+
+  role = "${aws_iam_role.manager.id}"
+
+  policy = <<END_OF_POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "iam:AddUserToGroup",
+        "iam:AttachGroupPolicy",
+        "iam:DeleteGroupPolicy", "iam:DeleteUserPolicy",
+        "iam:DetachGroupPolicy", "iam:DetachRolePolicy","iam:DetachUserPolicy",
+        "iam:PutGroupPolicy", "iam:PutUserPolicy",
+        "iam:RemoveUserFromGroup",
+        "iam:UpdateGroup", "iam:UpdateAssumeRolePolicy", "iam:UpdateUser",
+        "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:GetUser", "iam:GetUserPolicy",
+        "iam:ListEntitiesForPolicy", "iam:ListGroupPolicies", "iam:ListGroups", "iam:ListGroupsForUser",
+        "iam:ListPolicies", "iam:ListPoliciesGrantingServiceAccess", "iam:ListPolicyVersions",
+        "iam:ListRolePolicies", "iam:ListAttachedGroupPolicies", "iam:ListAttachedRolePolicies",
+        "iam:ListAttachedUserPolicies", "iam:ListRoles", "iam:ListUsers"
+      ],
+      "Resource": "*",
+      "Condition":  {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
+    }, {
+      "Effect": "Deny",
+      "Action": [
+        "iam:CreateGroup", "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:CreateRole", "iam:CreateUser",
+        "iam:DeleteGroup", "iam:DeletePolicy", "iam:DeletePolicyVersion", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DeleteUser",
+        "iam:PutRolePolicy"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+END_OF_POLICY
+}
+
+# --------------------------------------------------------------------------------------------------
+# Support Role
+# --------------------------------------------------------------------------------------------------
+
+resource "aws_iam_role" "support" {
+  name = "${var.iam_support_role_name}"
+
+  assume_role_policy = <<END_OF_POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "AWS": "${var.iam_support_role_principal_arn}"
+      }
+    }
+  ]
+}
+END_OF_POLICY
+}
+
+resource "aws_iam_role_policy_attachment" "support_policy" {
+  role       = "${aws_iam_role.support.id}"
+  policy_arn = "arn:aws:iam::aws:policy/AWSSupportAccess"
+}
diff --git a/modules/iam-baseline/outputs.tf b/modules/iam-baseline/outputs.tf
@@ -0,0 +1,11 @@
+output "iam_master_role_arn" {
+  value = "${aws_iam_role.master.arn}"
+}
+
+output "iam_manager_role_arn" {
+  value = "${aws_iam_role.manager.arn}"
+}
+
+output "iam_support_role_arn" {
+  value = "${aws_iam_role.support.arn}"
+}
diff --git a/modules/iam-baseline/variables.tf b/modules/iam-baseline/variables.tf
@@ -0,0 +1,77 @@
+variable "aws_account_id" {
+  description = "The AWS Account ID number of the account."
+}
+
+variable "iam_master_role_name" {
+  description = "The name of the IAM Master role."
+  default     = "IAM-Master"
+}
+
+variable "iam_master_role_policy_name" {
+  description = "The name of the IAM Master role policy."
+  default     = "IAM-Master-Policy"
+}
+
+variable "iam_manager_role_name" {
+  description = "The name of the IAM Manager role."
+  default     = "IAM-Manager"
+}
+
+variable "iam_manager_role_policy_name" {
+  description = "The name of the IAM Manager role policy."
+  default     = "IAM-Manager-Policy"
+}
+
+variable "iam_support_role_name" {
+  description = "The name of the the support role."
+  default     = "IAM-Support"
+}
+
+variable "iam_support_role_policy_name" {
+  description = "The name of the support role policy."
+  default     = "IAM-Support-Role"
+}
+
+variable "iam_support_role_principal_arn" {
+  description = "The ARN of the IAM principal element by which the support role could be assumed."
+}
+
+variable "max_password_age" {
+  description = "The number of days that an user password is valid."
+  default     = 90
+}
+
+variable "minimum_password_length" {
+  description = "Minimum length to require for user passwords."
+  default     = 14
+}
+
+variable "password_reuse_prevention" {
+  description = "The number of previous passwords that users are prevented from reusing."
+  default     = 24
+}
+
+variable "require_lowercase_characters" {
+  description = "Whether to require lowercase characters for user passwords."
+  default     = true
+}
+
+variable "require_numbers" {
+  description = "Whether to require numbers for user passwords."
+  default     = true
+}
+
+variable "require_uppercase_characters" {
+  description = "Whether to require uppercase characters for user passwords."
+  default     = true
+}
+
+variable "require_symbols" {
+  description = "Whether to require symbols for user passwords."
+  default     = true
+}
+
+variable "allow_users_to_change_password" {
+  description = "Whether to allow users to change their own password."
+  default     = true
+}
diff --git a/outputs.tf b/outputs.tf
@@ -1,3 +1,15 @@
 output "audit_bucket_id" {
   value = "${module.audit_log_bucket.bucket_id}"
 }
+
+output "iam_master_role_arn" {
+  value = "${module.iam_baseline.iam_master_role_arn}"
+}
+
+output "iam_manager_role_arn" {
+  value = "${module.iam_baseline.iam_manager_role_arn}"
+}
+
+output "iam_support_role_arn" {
+  value = "${module.iam_baseline.iam_support_role_arn}"
+}
diff --git a/variables.tf b/variables.tf
