style: Convert rift-compute-manager and rift-compute policies from HCL to json template. (#202)

Moving policy definitions for the `tecton-rift-compute` and `tecton-rift-compute-manager` roles out of HCL and into json templates in the `templates/` directory. Tested by using git source reference to this (`templates-iam`) branch and running `terraform plan` on an internal cluster state that uses the `rift_compute` module. Result = "No changes. Your infrastructure matches the configuration."

Author: eshiferax

rift_compute/iam.tf

@@ -0,0 +1,126 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:StopInstances",
+        "ec2:TerminateInstances",
+        "ec2:CreateTags"
+      ],
+      "Resource": [
+        "arn:aws:ec2:*:${ACCOUNT_ID}:instance/*"
+      ],
+      "Condition": {
+        "Null": {
+          "ec2:ResourceTag/tecton_rift_workflow_id": "false"
+        }
+      }
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:StartInstances",
+        "ec2:RunInstances"
+      ],
+      "Resource": [
+        "arn:aws:ec2:*:${ACCOUNT_ID}:instance/*"
+      ],
+      "Condition": {
+        "Null": {
+          "aws:RequestTag/tecton_rift_workflow_id": "false"
+        }
+      }
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:DescribeInstances",
+        "ec2:DescribeInstanceStatus",
+        "ec2:DescribeInstanceTypes",
+        "ec2:DescribeNetworkInterfaces",
+        "ec2:CreateTags",
+        "ec2:DeleteTags"
+      ],
+      "Resource": ["*"]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:RunInstances"
+      ],
+      "Resource": ${ALLOW_RUN_INSTANCES_RESOURCES}
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:RunInstances",
+        "ec2:DeleteNetworkInterface"
+      ],
+      "Resource": [
+        "arn:aws:ec2:*:${ACCOUNT_ID}:network-interface/*"
+      ],
+      "Condition": {
+        "Null": {
+          "ec2:ResourceTag/tecton_rift_workflow_id": "false"
+        }
+      }
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateNetworkInterface"
+      ],
+      "Resource": [
+        "arn:aws:ec2:*:${ACCOUNT_ID}:network-interface/*"
+      ],
+      "Condition": {
+        "Null": {
+          "aws:RequestTag/tecton_rift_workflow_id": "false"
+        }
+      }
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateNetworkInterface"
+      ],
+      "Resource": ${ALLOW_NETWORK_INTERFACE_RESOURCES}
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:RunInstances"
+      ],
+      "Resource": [
+        "arn:aws:ec2:*::image/*"
+      ],
+      "Condition": {
+        "StringEquals": {
+          "ec2:Owner": ["amazon", "472542229217"]
+        }
+      }
+    },
+    {
+      "Effect": "Allow",
+      "Action": ["iam:PassRole"],
+      "Resource": ["${RIFT_COMPUTE_ROLE_ARN}"]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ssm:GetParameters"
+      ],
+      "Resource": ["*"]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "servicequotas:GetServiceQuota"
+      ],
+      "Resource": [
+        "arn:aws:servicequotas:*:${ACCOUNT_ID}:ec2/L-1216C47A"
+      ]
+    }
+  ]
+} 

templates/manage_rift_compute_policy.json

@@ -0,0 +1,63 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": ["s3:ListBucket", "s3:HeadBucket"],
+      "Resource": ["${OFFLINE_STORE_BUCKET_ARN}"]
+    },
+    {
+      "Effect": "Allow",
+      "Action": ["s3:*"],
+      "Resource": [
+        "${OFFLINE_STORE_BUCKET_ARN}/${OFFLINE_STORE_KEY_PREFIX}",
+        "${OFFLINE_STORE_BUCKET_ARN}/${OFFLINE_STORE_KEY_PREFIX}*",
+        "${OFFLINE_STORE_BUCKET_ARN}/tecton-model-artifacts",
+        "${OFFLINE_STORE_BUCKET_ARN}/tecton-model-artifacts*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": ["s3:*"],
+      "Resource": ["${OFFLINE_STORE_BUCKET_ARN}"],
+      "Condition": {
+        "StringLike": {
+          "s3:prefix": "${OFFLINE_STORE_KEY_PREFIX}*"
+        }
+      }
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:Get*",
+        "s3:List*",
+        "s3:Describe*"
+      ],
+      "Resource": ["${OFFLINE_STORE_BUCKET_ARN}/internal/*"]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:ListBucket",
+        "s3:GetObject"
+      ],
+      "Resource": ["*"],
+      "Condition": {
+        "StringNotEquals": {
+          "s3:ResourceAccount": "${ACCOUNT_ID}"
+        }
+      }
+    }
+    %{ if USE_KMS_KEY ~}
+    ,
+    {
+      "Effect": "Allow",
+      "Action": [
+        "kms:Decrypt",
+        "kms:GenerateDataKey"
+      ],
+      "Resource": ["${KMS_KEY_ARN}"]
+    }
+    %{ endif ~}
+  ]
+} 

templates/offline_store_access_policy.json

@@ -0,0 +1,16 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:GetObject",
+        "s3:ListObject",
+        "s3:HeadObject"
+      ],
+      "Resource": [
+        "${OFFLINE_STORE_BUCKET_ARN}/rift-bootstrap-scripts/*"
+      ]
+    }
+  ]
+} 

templates/rift_bootstrap_scripts_policy.json

@@ -0,0 +1,29 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "secretsmanager:*"
+      ],
+      "Resource": ["*"],
+      "Condition": {
+        "StringEquals": {
+          "secretsmanager:ResourceAccount": "${ACCOUNT_ID}"
+        }
+      }
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "kms:*"
+      ],
+      "Resource": ["*"],
+      "Condition": {
+        "StringEquals": {
+          "kms:ResourceAccount": "${ACCOUNT_ID}"
+        }
+      }
+    }
+  ]
+} 

templates/rift_compute_internal_policy.json

@@ -0,0 +1,18 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:GetObject",
+        "s3:ListObject",
+        "s3:HeadObject",
+        "s3:PutObject"
+      ],
+      "Resource": [
+        "${S3_LOG_DESTINATION}",
+        "${S3_LOG_DESTINATION}/*"
+      ]
+    }
+  ]
+} 

templates/rift_compute_logs_policy.json

@@ -0,0 +1,29 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "dynamodb:BatchGetItem",
+        "dynamodb:BatchWriteItem",
+        "dynamodb:CreateTable",
+        "dynamodb:DeleteItem",
+        "dynamodb:DescribeTable",
+        "dynamodb:GetItem",
+        "dynamodb:PutItem",
+        "dynamodb:UpdateItem",
+        "dynamodb:Query"
+      ],
+      "Resource": [
+        "arn:aws:dynamodb:*:${ACCOUNT_ID}:table/tecton-*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "sts:AssumeRole"
+      ],
+      "Resource": ["arn:aws:iam::${ACCOUNT_ID}:role/${CLUSTER_NAME}-cross-account-intermediate"]
+    }
+  ]
+} 

templates/rift_dynamodb_access_policy.json

@@ -0,0 +1,31 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ecr:BatchCheckLayerAvailability",
+        "ecr:GetDownloadUrlForLayer",
+        "ecr:GetRepositoryPolicy",
+        "ecr:DescribeRepositories",
+        "ecr:ListImages",
+        "ecr:DescribeImages",
+        "ecr:BatchGetImage",
+        "ecr:GetLifecyclePolicy",
+        "ecr:GetLifecyclePolicyPreview",
+        "ecr:ListTagsForResource",
+        "ecr:DescribeImageScanFindings"
+      ],
+      "Resource": [
+        "${RIFT_ENV_ECR_REPOSITORY_ARN}"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ecr:GetAuthorizationToken"
+      ],
+      "Resource": ["*"]
+    }
+  ]
+} 

templates/rift_ecr_readonly_policy.json

@@ -0,0 +1,14 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "secretsmanager:*"
+      ],
+      "Resource": [
+        "arn:aws:secretsmanager:*:${ACCOUNT_ID}:secret:tecton-*"
+      ]
+    }
+  ]
+}