
DOPS-101 Specify role arn to work with backend
akagr committed Sep 13, 2022
1 parent 63150d0 commit 40cca15
Showing 4 changed files with 14 additions and 34 deletions.
3 changes: 3 additions & 0 deletions terraform/aws.tf
Expand Up @@ -4,6 +4,9 @@
provider "aws" {
region = "${var.aws_region}"
version = "~> 1.57"
assume_role = {
role_arn = "arn:aws:iam::587267277416:role/terraform_sandbox_backend_admin"
}
}

data "aws_caller_identity" "current" {}
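Review bot: The new `assume_role` block points the provider at `terraform_sandbox_backend_admin`, which the jenkins.tf change in this same commit widens to `Action: "*"` on `Resource: "*"`, yet nothing here guards which account the run lands in or makes the session attributable; add `allowed_account_ids = ["587267277416"]` next to `region` so a plan/apply whose credentials resolve elsewhere fails fast, and `session_name = "terraform"` inside `assume_role` so CloudTrail ties assumed-role activity to the pipeline. The account ID is a literal in the ARN while `aws_region` is already a variable; a `var.aws_account_id` (the provider block cannot read `data.aws_caller_identity.current`, which it itself configures) would keep the code account-agnostic. `assume_role = {` is the 0.11 attribute form; the `"${var.aws_region}"` quoting suggests this module still runs on 0.11, but if it is moved to 0.12 or later the provider expects a nested block, `assume_role {`, and I believe rejects the `=` form, so a short comment stating the intended Terraform version would save the next person a confusing init failure.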
11 changes: 2 additions & 9 deletions terraform/bootstrap/jenkins.tf
Expand Up @@ -28,15 +28,8 @@ data "aws_iam_policy_document" "terraform_backend_role_policy_document" {
statement {
effect = "Allow"

actions = ["s3:*"]
resources = ["arn:aws:s3:::${module.bootstrap.state_bucket}/*"]
}

statement {
effect = "Allow"

actions = ["dynamodb:*"]
resources = ["arn:aws:dynamodb:${var.aws_region}:${data.aws_caller_identity.current.account_id}:table/${module.bootstrap.dynamodb_table}"]
actions = ["*"]
resources = ["*"]
}
}

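Review bot: Replacing the two scoped statements with `actions = ["*"]` / `resources = ["*"]` turns `terraform_backend_role_policy_document` into an AdministratorAccess-equivalent policy, so anyone who can assume this role (now every backend user, via the `role_arn` added to terraform.tf in the same commit) can also call `iam:*` and create users, keys or new trust relationships; the role's trust policy, which is outside this hunk, becomes the only control. Keep the backend role limited to the state bucket and lock table — `s3:GetObject`, `s3:PutObject`, `s3:DeleteObject` on `arn:aws:s3:::${module.bootstrap.state_bucket}/*`, `s3:ListBucket` on the bucket ARN itself (the removed statement only covered `/*`, which is why listing likely failed), and `dynamodb:GetItem`/`PutItem`/`DeleteItem` on the lock table — and give the sandbox deployment its own role. If one role really has to deploy everything, at least attach a permissions boundary or add an explicit `Deny` statement for `iam:*` and `organizations:*` so the backend credential cannot escalate. The committed state in this commit shows the wide policy is already applied (`policy` is now `*`/`*` under the unchanged `policy_id`), so this needs a follow-up apply, not just a code revert.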
33 changes: 8 additions & 25 deletions terraform/bootstrap/terraform.tfstate
@@ -1,7 +1,7 @@
{
"version": 4,
"terraform_version": "1.2.9",
"serial": 215,
"serial": 217,
"lineage": "3466ed5e-b3d1-107e-19aa-0306c957a966",
"outputs": {
"account_id": {
Expand Down Expand Up @@ -104,8 +104,8 @@
{
"schema_version": 0,
"attributes": {
"id": "1540866772",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:*\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\"\n },\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"dynamodb:*\",\n \"Resource\": \"arn:aws:dynamodb:us-east-1:587267277416:table/moduscreate-devops-demo-state-lock\"\n }\n ]\n}",
"id": "784443208",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"*\",\n \"Resource\": \"*\"\n }\n ]\n}",
"override_json": null,
"override_policy_documents": null,
"policy_id": null,
Expand All @@ -114,22 +114,7 @@
"statement": [
{
"actions": [
"s3:*"
],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": [
"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*"
],
"sid": ""
},
{
"actions": [
"dynamodb:*"
"*"
],
"condition": [],
"effect": "Allow",
Expand All @@ -138,7 +123,7 @@
"not_resources": [],
"principals": [],
"resources": [
"arn:aws:dynamodb:us-east-1:587267277416:table/moduscreate-devops-demo-state-lock"
"*"
],
"sid": ""
}
Expand All @@ -164,7 +149,7 @@
"name": "terraform-backend-role-policy",
"name_prefix": null,
"path": "/",
"policy": "{\"Statement\":[{\"Action\":\"s3:*\",\"Effect\":\"Allow\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Sid\":\"\"},{\"Action\":\"dynamodb:*\",\"Effect\":\"Allow\",\"Resource\":\"arn:aws:dynamodb:us-east-1:587267277416:table/moduscreate-devops-demo-state-lock\",\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}",
"policy": "{\"Statement\":[{\"Action\":\"*\",\"Effect\":\"Allow\",\"Resource\":\"*\",\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}",
"policy_id": "ANPAYRO63QJUEYGCFJVOK",
"tags": {},
"tags_all": {}
Expand Down Expand Up @@ -231,10 +216,8 @@
"dependencies": [
"aws_iam_policy.terraform_backend_role_policy",
"aws_iam_role.terraform_backend_role",
"data.aws_caller_identity.current",
"data.aws_iam_policy_document.terraform_backend_account_policy",
"data.aws_iam_policy_document.terraform_backend_role_policy_document",
"module.bootstrap.aws_dynamodb_table.terraform_state_lock"
"data.aws_iam_policy_document.terraform_backend_role_policy_document"
]
}
]
Expand Down Expand Up @@ -563,7 +546,7 @@
],
"object_lock_configuration": [],
"object_lock_enabled": false,
"policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"enforce-tls-requests-only\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}}},{\"Sid\":\"inventory-and-analytics\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"s3.amazonaws.com\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\",\"aws:SourceAccount\":\"587267277416\"},\"ArnLike\":{\"aws:SourceArn\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1\"}}}]}",
"policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"enforce-tls-requests-only\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}}},{\"Sid\":\"inventory-and-analytics\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"s3.amazonaws.com\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Condition\":{\"StringEquals\":{\"aws:SourceAccount\":\"587267277416\",\"s3:x-amz-acl\":\"bucket-owner-full-control\"},\"ArnLike\":{\"aws:SourceArn\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1\"}}}]}",
"region": "us-east-1",
"replication_configuration": [],
"request_payer": "BucketOwner",
1 change: 1 addition & 0 deletions terraform/terraform.tf
Expand Up @@ -9,6 +9,7 @@ terraform {
dynamodb_table = "moduscreate-devops-demo-state-lock"
region = "us-east-1"
encrypt = "true"
role_arn = "arn:aws:iam::587267277416:role/terraform_sandbox_backend_admin"
}
}

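Review bot: Hard-coding `role_arn` in the `backend "s3"` block means every operator and CI job that runs `terraform init` must be able to assume `terraform_sandbox_backend_admin`, and because this same commit makes that role full-admin in jenkins.tf, read access to state and the right to change any resource in account 587267277416 are now the same privilege. Backend blocks cannot reference variables, so rather than pinning the account ID in the repo, supply it as a partial configuration — `terraform init -backend-config="role_arn=arn:aws:iam::<account>:role/<backend-role>"` or a `*.tfbackend` file — and point it at a role that only carries the S3/DynamoDB permissions the backend needs. A one-line comment above `role_arn` saying which role is expected and who may assume it would also help, since nothing in this file says why a role is needed for state access at all.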
