feat: create iam policy to access state backend

Author: etwillbefine

README.md

@@ -17,3 +17,7 @@ To use this project run `make init`
 To verify it all worked, run `aws s3 ls s3://${TF_BUCKET}/tfstate-backend/terraform.tfstate` it should display the `terraform.tfstate` file and date when it was created.
 
 You can overwrite where this module stores its state file by setting `TF_STATE_KEY` when running `make init`
+
+### IAM
+
+It might be useful to you to generate an IAM policy which grants access to the state backend and dynamodb table. This policy can be attached to users or roles. Additionally this module exposes an output called `tfstate_backend_access_policy_json` which contains the policy document. The `tfstate_backend_access_policy_arn` output contains the created IAM policy ARN.

iam.tf

@@ -0,0 +1,30 @@
+
+data "aws_iam_policy_document" "access" {
+  count = var.create_iam_policy ? 1 : 0
+
+  statement {
+    effect    = "Allow"
+    actions   = ["s3:PutObject", "s3:GetObject"]
+    resources = [format("%s/*", module.tfstate_backend.s3_bucket_arn)]
+  }
+
+  statement {
+    effect    = "Allow"
+    actions   = ["s3:ListBucket"]
+    resources = [module.tfstate_backend.s3_bucket_arn]
+  }
+
+  statement {
+    effect    = "Allow"
+    actions   = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]
+    resources = [module.tfstate_backend.dynamodb_table_arn]
+  }
+}
+
+resource "aws_iam_policy" "state_access" {
+  count       = var.create_iam_policy ? 1 : 0
+  name        = module.label.id
+  policy      = join("", data.aws_iam_policy_document.access.*.json)
+  description = "Grants access to State Bucket and Locking Table for backend ${module.tfstate_backend.s3_bucket_id}"
+}
+

main.tf

@@ -1,20 +1,29 @@
 terraform {
   required_version = ">= 0.11.2"
   backend "s3" {}
+
+  required_providers {
+    aws = "~> 2.50"
+  }
 }
 
-provider "aws" {
-  version = "~> 2.25"
+module "label" {
+  source     = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.16.0"
+  namespace     = var.namespace
+  name          = var.name
+  attributes    = var.attributes
+  tags          = var.tags
+  stage         = var.stage
 }
 
 module "tfstate_backend" {
-  source        = "git::https://github.com/cloudposse/terraform-aws-tfstate-backend.git?ref=tags/0.9.0"
+  source        = "git::https://github.com/cloudposse/terraform-aws-tfstate-backend.git?ref=tags/0.16.0"
   namespace     = var.namespace
   name          = var.name
-  attributes    = var.attributes
   tags          = var.tags
-  region        = var.aws_region
-  force_destroy = var.force_destroy
   stage         = var.stage
+  context       = module.label.context
+  force_destroy = var.force_destroy
+  region        = var.aws_region
   profile       = var.aws_profile
 }

outputs.tf

@@ -22,3 +22,10 @@ output "tfstate_backend_dynamodb_table_arn" {
   value = module.tfstate_backend.dynamodb_table_arn
 }
 
+output "tfstate_backend_access_policy_arn" {
+  value = join("", aws_iam_policy.state_access.*.arn)
+}
+
+output "tfstate_backend_access_policy_json" {
+  value = join("", data.aws_iam_policy_document.access.*.json)
+}

variables.tf

@@ -43,3 +43,8 @@ variable "aws_profile" {
   description = "AWS profile name as set in the shared credentials file"
 }
 
+variable "create_iam_policy" {
+  type        = bool
+  default     = false
+  description = "Creates an IAM policy to attach to users or roles to grant access to dynamodb and s3 bucket"
+}