Policy Sentry Terraform Module

Builds secure IAM Policies with resource constraints. For more information on Policy Sentry, see the documentation.

Prerequisites

  • You must have Policy Sentry 0.10.0 installed beforehand and it must be executable from your $PATH. Follow the installation instructions here.
  • This module requires Terraform 0.12.8 or higher. It has been tested through 0.13.5.

Usage

Example

  • Install Terraform 0.12.8:

        # tfenv is a Terraform version manager
        brew install tfenv
        tfenv install 0.12.8

  • Install Policy Sentry:

        brew tap salesforce/policy_sentry https://github.com/salesforce/policy_sentry
        brew install policy_sentry

  • Use the module as shown in main.tf:

        module "policy_sentry_demo" {
          source                              = "github.com/salesforce/policy_sentry.git?ref=master//terraform_module/"
          name                                = var.name
          read_access_level                   = var.read_access_level
          write_access_level                  = var.write_access_level
          list_access_level                   = var.list_access_level
          tagging_access_level                = var.tagging_access_level
          permissions_management_access_level = var.permissions_management_access_level
          wildcard_only_single_actions        = var.wildcard_only_actions
          minimize                            = var.minimize
          skip_resource_constraints           = var.skip_resource_constraints
          exclude_actions                     = var.exclude_actions
        }

Assuming you have your variables.tf file set properly (redacted from this README for readability), provide the following in your terraform.tfvars file.

name = "PolicySentryTest"

list_access_level = [
  "arn:aws:s3:::example-org",
]

read_access_level = [
  "arn:aws:kms:us-east-1:123456789012:key/shaq"
]

write_access_level = [
  "arn:aws:kms:us-east-1:123456789012:key/shaq"
]
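The module passes these inputs to Policy Sentry, which consumes them as a CRUD template. The script below is an added example (not part of the module or of Policy Sentry) that maps the same module inputs onto that template so the template can be reviewed before Terraform runs, and first checks the ARN lists, because an entry such as a bare `*` would turn a resource-constrained statement into `Resource: "*"` without any error. The template keys follow Policy Sentry's CRUD template as I know it; confirm them against the output of `policy_sentry create-template --template-type crud` for your installed version. `MODULE_INPUTS` is a constructed sample mirroring the terraform.tfvars above, with one wildcard-only action and one excluded action added so every section is exercised; the ARN regex is illustrative and not Policy Sentry's own validation.

```python
"""Pre-flight check for the module's inputs (added example, not module code).

Validates the access-level ARN lists, then renders the Policy Sentry CRUD
template that those inputs correspond to, using only the standard library.
"""
import re

# Full ARN shape: arn:partition:service:region:account:resource. Region and
# account may be empty (S3, IAM). Illustrative check, not Policy Sentry's own.
ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):[a-z0-9-]+:[a-z0-9-]*:(\d{12})?:.+$")

# Module input name -> CRUD template section, in the order Policy Sentry lists them.
ACCESS_LEVELS = {
    "read_access_level": "read",
    "write_access_level": "write",
    "list_access_level": "list",
    "tagging_access_level": "tagging",
    "permissions_management_access_level": "permissions-management",
}
WILDCARD_ONLY = {
    "wildcard_only_single_actions": "single-actions",
    "wildcard_only_read_service": "service-read",
    "wildcard_only_write_service": "service-write",
    "wildcard_only_list_service": "service-list",
    "wildcard_only_tagging_service": "service-tagging",
    "wildcard_only_permissions_management_service": "service-permissions-management",
}

# Constructed sample: the README's terraform.tfvars plus one wildcard-only
# action and one excluded action, so every template section is exercised.
MODULE_INPUTS = {
    "name": "PolicySentryTest",
    "list_access_level": ["arn:aws:s3:::example-org"],
    "read_access_level": ["arn:aws:kms:us-east-1:123456789012:key/shaq"],
    "write_access_level": ["arn:aws:kms:us-east-1:123456789012:key/shaq"],
    "wildcard_only_single_actions": ["s3:ListAllMyBuckets"],
    "exclude_actions": ["kms:Delete*"],
}


def validate_arns(inputs):
    """Return one problem string per access-level entry that is not a full ARN.
    A bare '*' is reported separately: it would silently grant the whole access
    level on every resource, which is exactly what the module exists to avoid."""
    problems = []
    for key in ACCESS_LEVELS:
        for arn in inputs.get(key, []):
            if arn == "*":
                problems.append(f"{key}: bare '*' defeats resource constraints")
            elif not ARN_RE.match(arn):
                problems.append(f"{key}: {arn!r} is not a full ARN")
    return problems


def to_crud_template(inputs):
    """Build the CRUD template dict from module-style inputs."""
    template = {"mode": "crud", "name": inputs["name"]}
    for key, section in ACCESS_LEVELS.items():
        template[section] = list(inputs.get(key, []))
    template["wildcard-only"] = {
        section: list(inputs.get(key, [])) for key, section in WILDCARD_ONLY.items()
    }
    template["skip-resource-constraints"] = list(inputs.get("skip_resource_constraints", []))
    template["exclude-actions"] = list(inputs.get("exclude_actions", []))
    return template


def _yaml_section(key, values, indent=""):
    """Render `key:` followed by a block list. Empty lists are written inline as
    `key: []` so that YAML does not read a bare key as null."""
    if not values:
        return [f"{indent}{key}: []"]
    return [f"{indent}{key}:"] + [f"{indent}- '{v}'" for v in values]


def render_yaml(template):
    """Serialize the template without PyYAML; the structure is flat enough."""
    lines = [f"mode: {template['mode']}", f"name: {template['name']}"]
    for section in ACCESS_LEVELS.values():
        lines += _yaml_section(section, template[section])
    lines.append("wildcard-only:")
    for section, values in template["wildcard-only"].items():
        lines += _yaml_section(section, values, indent="  ")
    lines += _yaml_section("skip-resource-constraints", template["skip-resource-constraints"])
    lines += _yaml_section("exclude-actions", template["exclude-actions"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    issues = validate_arns(MODULE_INPUTS)
    if issues:
        raise SystemExit("\n".join(issues))
    print(render_yaml(to_crud_template(MODULE_INPUTS)), end="")
```

Run it against the values you intend to put in terraform.tfvars; a non-zero exit with the listed problems means the plan would have produced a broader policy than the ARN lists suggest.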

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.12.8 |
| aws | ~> 2.48.0 |
| external | ~> 1.2 |
| local | ~> 1.3 |
| null | ~> 2.1 |
| template | ~> 2.1.2 |

Providers

No provider.

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| description | The description to include for the IAM policy. | string | "Generated by Policy Sentry" | no |
| exclude_actions | Exclude actions from the output by specifying them here. Accepts wildcards, like kms:Delete*. | list(string) | [] | no |
| list_access_level | Provide a list of Amazon Resource Names (ARNs) that your role needs LIST access to. | list(string) | [] | no |
| minimize | If set to true, it will minimize the size of the IAM Policy file. Defaults to TRUE. | bool | true | no |
| name | The name of the rendered policy file (no file extension). | string | n/a | yes |
| permissions_management_access_level | Provide a list of Amazon Resource Names (ARNs) that your role needs PERMISSIONS MANAGEMENT access to. | list(string) | [] | no |
| read_access_level | Provide a list of Amazon Resource Names (ARNs) that your role needs READ access to. | list(string) | [] | no |
| region | The AWS region for these resources. Defaults to us-east-1. | string | "us-east-1" | no |
| skip_resource_constraints | Skip resource constraint requirements by listing individual actions here, like s3:GetObject. | list(string) | [] | no |
| tagging_access_level | Provide a list of Amazon Resource Names (ARNs) that your role needs TAGGING access to. | list(string) | [] | no |
| wildcard_only_list_service | To generate a list of AWS service actions that (1) are at the LIST access level and (2) do not support resource constraints, list the service prefix here. | list(string) | [] | no |
| wildcard_only_permissions_management_service | To generate a list of AWS service actions that (1) are at the PERMISSIONS MANAGEMENT access level and (2) do not support resource constraints, list the service prefix here. | list(string) | [] | no |
| wildcard_only_read_service | To generate a list of AWS service actions that (1) are at the READ access level and (2) do not support resource constraints, list the service prefix here. | list(string) | [] | no |
| wildcard_only_single_actions | Individual actions that do not support resource constraints. For example, s3:ListAllMyBuckets. | list(string) | [] | no |
| wildcard_only_tagging_service | To generate a list of AWS service actions that (1) are at the TAGGING access level and (2) do not support resource constraints, list the service prefix here. | list(string) | [] | no |
| wildcard_only_write_service | To generate a list of AWS service actions that (1) are at the WRITE access level and (2) do not support resource constraints, list the service prefix here. | list(string) | [] | no |
| write_access_level | Provide a list of Amazon Resource Names (ARNs) that your role needs WRITE access to. | list(string) | [] | no |

Outputs

| Name | Description |
|------|-------------|
| iam_policy_arn | The ARN assigned by AWS to this policy. |
| iam_policy_document | The policy document. |
| iam_policy_id | The policy's ID. |
| iam_policy_name | The name of the policy. |
| iam_policy_path | The path of the policy in IAM. |
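Once the module has run, the `iam_policy_document` output is the thing to review: Policy Sentry should emit `Resource: "*"` only for actions that cannot be resource-constrained, that is, the ones declared through the wildcard_only_* inputs and skip_resource_constraints. The script below is an added example (not part of the module) that parses the policy JSON and reports every allow statement on `Resource: "*"` whose actions are not covered by the declared list, so drift between what was requested and what was generated is caught in review. `SAMPLE_POLICY` is a constructed document in IAM policy JSON shape with constructed Sids, not real module output; its third statement is deliberately wrong so the check has something to find.

```python
"""Audit an IAM policy document for undeclared Resource: "*" grants
(added example, not part of the module)."""
import json
from fnmatch import fnmatch

# Constructed sample shaped like an IAM policy; Sids are made up.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "WildcardOnly", "Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
        {"Sid": "KmsKeyRead", "Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:DescribeKey"],
         "Resource": ["arn:aws:kms:us-east-1:123456789012:key/shaq"]},
        # Deliberately wrong: s3:ListBucket supports bucket ARNs, so it
        # should never have been granted on "*".
        {"Sid": "S3List", "Effect": "Allow",
         "Action": "s3:ListBucket", "Resource": "*"},
    ],
})

# What the caller declared via wildcard_only_single_actions and
# skip_resource_constraints; wildcard patterns such as "s3:List*" are allowed.
DECLARED_WILDCARD_ACTIONS = ["s3:ListAllMyBuckets"]


def _as_list(value):
    """IAM permits either a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_unexpected_wildcards(policy_json, declared_actions):
    """Return (Sid, action) pairs for allow statements on Resource "*" whose
    action matches none of the declared patterns. Matching is case-insensitive
    because IAM action names are."""
    doc = json.loads(policy_json)
    patterns = [p.lower() for p in declared_actions]
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        for action in _as_list(stmt.get("Action")):
            if not any(fnmatch(action.lower(), p) for p in patterns):
                findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings


if __name__ == "__main__":
    for sid, action in find_unexpected_wildcards(SAMPLE_POLICY, DECLARED_WILDCARD_ACTIONS):
        print(f"statement {sid}: {action} is granted on Resource '*' "
              f"but was not declared wildcard-only")
```

Feed it the real output (for example `terraform output -raw iam_policy_document`) together with the same action list you passed to the module; an empty result means every wildcard-resource grant in the generated policy was one you asked for.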

Maintenance

Run this every time before you push to Git.

pre-commit run -a

Todo

  • Publish this on Terraform module registry