Merge pull request #11 from cloudposse/feature-expose-policies

Feature expose policies

Author: goruha

.gitignore

@@ -1,8 +1,15 @@
-# Compiled files
+#  Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
 *.tfstate
-*.tfstate.backup
+*.tfstate.*
+
+# .tfvars files
+*.tfvars
+
+**/.idea
+**/*.iml
 
-# Module directory
-.terraform
-.idea
-*.iml
+**/.build-harness
+**/build-harness

README.md

@@ -31,6 +31,35 @@ module "ecr" {
 }
 ```
 
+Example of attaching policies to a user for CI/CD
+
+```hcl
+module "cicd_user" {
+  source    = "git::https://github.com/cloudposse/terraform-aws-iam-system-user.git?ref=tags/0.3.0"
+  namespace = "${var.namespace}"
+  stage     = "${var.stage}"
+  name      = "codefresh"
+}
+
+resource "aws_iam_policy_attachment" "login" {
+  name       = "${module.cicd_user.user_name}-login"
+  users      = ["${module.cicd_user.user_name}"]
+  policy_arn = "${module.kops_ecr.policy_login_arn}"
+}
+
+resource "aws_iam_policy_attachment" "read" {
+  name       = "${module.cicd_user.user_name}-read"
+  users      = ["${module.cicd_user.user_name}"]
+  policy_arn = "${module.kops_ecr.policy_read_arn}"
+}
+
+resource "aws_iam_policy_attachment" "write" {
+  name       = "${module.cicd_user.user_name}-write"
+  users      = ["${module.cicd_user.user_name}"]
+  policy_arn = "${module.kops_ecr.policy_write_arn}"
+}
+```
+
 
 ## Variables
 

main.tf

@@ -16,7 +16,7 @@ data "aws_iam_policy_document" "assume_role" {
   }
 }
 
-data "aws_iam_policy_document" "token" {
+data "aws_iam_policy_document" "login" {
   statement {
     sid     = "ECRGetAuthorizationToken"
     effect  = "Allow"
@@ -26,6 +26,41 @@ data "aws_iam_policy_document" "token" {
   }
 }
 
+data "aws_iam_policy_document" "write" {
+  statement {
+    sid    = "ECRGetAuthorizationToken"
+    effect = "Allow"
+
+    actions = [
+      "ecr:InitiateLayerUpload",
+      "ecr:UploadLayerPart",
+      "ecr:CompleteLayerUpload",
+      "ecr:PutImage",
+    ]
+
+    resources = ["${aws_ecr_repository.default.arn}"]
+  }
+}
+
+data "aws_iam_policy_document" "read" {
+  statement {
+    sid    = "ECRGetAuthorizationToken"
+    effect = "Allow"
+
+    actions = [
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:GetRepositoryPolicy",
+      "ecr:DescribeRepositories",
+      "ecr:ListImages",
+      "ecr:DescribeImages",
+      "ecr:BatchGetImage",
+    ]
+
+    resources = ["${aws_ecr_repository.default.arn}"]
+  }
+}
+
 data "aws_iam_policy_document" "default_ecr" {
   count = "${signum(length(var.roles)) == 1 ? 0 : 1}"
 
@@ -114,10 +149,22 @@ resource "aws_ecr_repository_policy" "default_ecr" {
   policy     = "${data.aws_iam_policy_document.default_ecr.json}"
 }
 
-resource "aws_iam_policy" "default" {
-  name        = "${module.label.id}"
+resource "aws_iam_policy" "login" {
+  name        = "${module.label.id}${var.delimiter}login"
   description = "Allow IAM Users to call ecr:GetAuthorizationToken"
-  policy      = "${data.aws_iam_policy_document.token.json}"
+  policy      = "${data.aws_iam_policy_document.login.json}"
+}
+
+resource "aws_iam_policy" "read" {
+  name        = "${module.label.id}${var.delimiter}read"
+  description = "Allow IAM Users to push into ECR"
+  policy      = "${data.aws_iam_policy_document.read.json}"
+}
+
+resource "aws_iam_policy" "write" {
+  name        = "${module.label.id}${var.delimiter}write"
+  description = "Allow IAM Users to pull from ECR"
+  policy      = "${data.aws_iam_policy_document.write.json}"
 }
 
 resource "aws_iam_role" "default" {
@@ -129,13 +176,13 @@ resource "aws_iam_role" "default" {
 resource "aws_iam_role_policy_attachment" "default_ecr" {
   count      = "${signum(length(var.roles)) == 1 ? 0 : 1}"
   role       = "${aws_iam_role.default.name}"
-  policy_arn = "${aws_iam_policy.default.arn}"
+  policy_arn = "${aws_iam_policy.login.arn}"
 }
 
 resource "aws_iam_role_policy_attachment" "default" {
   count      = "${signum(length(var.roles)) == 1 ? length(var.roles) : 0}"
   role       = "${element(var.roles, count.index)}"
-  policy_arn = "${aws_iam_policy.default.arn}"
+  policy_arn = "${aws_iam_policy.login.arn}"
 }
 
 resource "aws_iam_instance_profile" "default" {

output.tf

@@ -1,15 +1,54 @@
 output "registry_id" {
-  value = "${aws_ecr_repository.default.registry_id}"
+  value       = "${aws_ecr_repository.default.registry_id}"
+  description = "Registry ID"
 }
 
 output "registry_url" {
-  value = "${aws_ecr_repository.default.repository_url}"
+  value       = "${aws_ecr_repository.default.repository_url}"
+  description = "Registry URL"
 }
 
 output "repository_name" {
-  value = "${aws_ecr_repository.default.name}"
+  value       = "${aws_ecr_repository.default.name}"
+  description = "Registry name"
 }
 
 output "role_name" {
-  value = "${join("", aws_iam_role.default.*.name)}"
+  value       = "${join("", aws_iam_role.default.*.name)}"
+  description = "Assume Role name to get registry access"
+}
+
+output "role_arn" {
+  value       = "${join("", aws_iam_role.default.*.arn)}"
+  description = "Assume Role ARN to get registry access"
+}
+
+output "policy_login_name" {
+  value       = "${aws_iam_policy.login.name}"
+  description = "The IAM Policy name to be given access to login in ECR"
+}
+
+output "policy_login_arn" {
+  value       = "${aws_iam_policy.login.arn}"
+  description = "The IAM Policy ARN to be given access to login in ECR"
+}
+
+output "policy_read_name" {
+  value       = "${aws_iam_policy.read.name}"
+  description = "The IAM Policy name to be given access to pull images from ECR"
+}
+
+output "policy_read_arn" {
+  value       = "${aws_iam_policy.read.arn}"
+  description = "The IAM Policy ARN to be given access to pull images from ECR"
+}
+
+output "policy_write_name" {
+  value       = "${aws_iam_policy.write.name}"
+  description = "The IAM Policy name to be given access to push images to ECR"
+}
+
+output "policy_write_arn" {
+  value       = "${aws_iam_policy.write.arn}"
+  description = "The IAM Policy ARN to be given access to push images to ECR"
 }

variables.tf

@@ -1,8 +1,14 @@
-variable "name" {}
+variable "name" {
+  description = "The Name of the application or solution  (e.g. `bastion` or `portal`)"
+}
 
-variable "namespace" {}
+variable "namespace" {
+  description = "Namespace (e.g. `cp` or `cloudposse`)"
+}
 
-variable "stage" {}
+variable "stage" {
+  description = "Stage (e.g. `prod`, `dev`, `staging`)"
+}
 
 variable "roles" {
   type        = "list"
@@ -11,18 +17,21 @@ variable "roles" {
 }
 
 variable "delimiter" {
-  type    = "string"
-  default = "-"
+  type        = "string"
+  default     = "-"
+  description = "Delimiter to be used between `name`, `namespace`, `stage`, etc."
 }
 
 variable "attributes" {
-  type    = "list"
-  default = []
+  type        = "list"
+  default     = []
+  description = "Additional attributes (e.g. `policy` or `role`)"
 }
 
 variable "tags" {
-  type    = "map"
-  default = {}
+  type        = "map"
+  default     = {}
+  description = "Additional tags (e.g. `map('BusinessUnit','XYZ')`)"
 }
 
 variable "max_image_count" {