Builds secure IAM Policies with resource constraints. For more information on Policy Sentry, see the documentation.
- You must have Policy Sentry 0.10.0 installed beforehand, and it must be executable from your `$PATH`. Follow the installation instructions here.
Use the module as below:

```hcl
module "policy_sentry_demo" {
  source                              = "github.com/kmcquade/terraform-aws-policy-sentry"
  name                                = var.name
  read_access_level                   = var.read_access_level
  write_access_level                  = var.write_access_level
  list_access_level                   = var.list_access_level
  tagging_access_level                = var.tagging_access_level
  permissions_management_access_level = var.permissions_management_access_level
  wildcard_only_single_actions        = var.wildcard_only_actions
  minimize                            = var.minimize
}
```
Assuming your variables.tf file is set up properly (redacted from this README for readability), provide the following in your terraform.tfvars file:

```hcl
name = "PolicySentryTest"
list_access_level = [
  "arn:aws:s3:::example-org",
]
read_access_level = [
  "arn:aws:kms:us-east-1:123456789012:key/shaq"
]
write_access_level = [
  "arn:aws:kms:us-east-1:123456789012:key/shaq"
]
```
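As an added example (not the module's own code) of the root module around that call: the variables.tf the README redacts, declared with the types from the inputs table, and the generated policy bound to a role through the module's `iam_policy_arn` output. The role, its EC2 trust policy, and the `demo` resource names are assumptions for illustration.

```hcl
# variables.tf (assumed; the README redacts it). Types match the inputs table.
# terraform.tfvars supplies the ARNs and, for actions that cannot be
# resource-constrained, e.g. wildcard_only_actions = ["s3:ListAllMyBuckets"].
variable "name" { type = string }
variable "read_access_level" {
  type    = list(string)
  default = []
}
variable "write_access_level" {
  type    = list(string)
  default = []
}
variable "list_access_level" {
  type    = list(string)
  default = []
}
variable "wildcard_only_actions" {
  type    = list(string)
  default = []
}

# main.tf: build the resource-constrained policy, then attach it to a role.
module "policy_sentry_demo" {
  source                       = "github.com/kmcquade/terraform-aws-policy-sentry"
  name                         = var.name
  read_access_level            = var.read_access_level
  write_access_level           = var.write_access_level
  list_access_level            = var.list_access_level
  wildcard_only_single_actions = var.wildcard_only_actions
}

# Hypothetical role that will carry the generated policy (EC2 trust assumed).
resource "aws_iam_role" "demo" {
  name = "${var.name}-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Bind the policy by the ARN the module outputs.
resource "aws_iam_role_policy_attachment" "demo" {
  role       = aws_iam_role.demo.name
  policy_arn = module.policy_sentry_demo.iam_policy_arn
}
```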
No provider.
Name | Description | Type | Default | Required |
---|---|---|---|---|
description | The description to include for the IAM policy. | string | `"Generated by Policy Sentry"` | no |
list_access_level | Provide a list of Amazon Resource Names (ARNs) that your role needs LIST access to. | list | `[]` | no |
minimize | If set to true, it will minimize the size of the IAM Policy file. Defaults to false. | bool | `false` | no |
name | The name of the rendered policy file (no file extension). | string | n/a | yes |
permissions_management_access_level | Provide a list of Amazon Resource Names (ARNs) that your role needs PERMISSIONS MANAGEMENT access to. | list | `[]` | no |
read_access_level | Provide a list of Amazon Resource Names (ARNs) that your role needs READ access to. | list | `[]` | no |
region | The AWS region for these resources. Defaults to us-east-1. | string | `"us-east-1"` | no |
tagging_access_level | Provide a list of Amazon Resource Names (ARNs) that your role needs TAGGING access to. | list | `[]` | no |
wildcard_only_list_service | To generate a list of AWS service actions that (1) are at the LIST access level and (2) do not support resource constraints, list the service prefix here. | list | `[]` | no |
wildcard_only_permissions_management_service | To generate a list of AWS service actions that (1) are at the PERMISSIONS MANAGEMENT access level and (2) do not support resource constraints, list the service prefix here. | list | `[]` | no |
wildcard_only_read_service | To generate a list of AWS service actions that (1) are at the READ access level and (2) do not support resource constraints, list the service prefix here. | list | `[]` | no |
wildcard_only_single_actions | Individual actions that do not support resource constraints. For example, `s3:ListAllMyBuckets`. | list | `[]` | no |
wildcard_only_tagging_service | To generate a list of AWS service actions that (1) are at the TAGGING access level and (2) do not support resource constraints, list the service prefix here. | list | `[]` | no |
wildcard_only_write_service | To generate a list of AWS service actions that (1) are at the WRITE access level and (2) do not support resource constraints, list the service prefix here. | list | `[]` | no |
write_access_level | Provide a list of Amazon Resource Names (ARNs) that your role needs WRITE access to. | list | `[]` | no |
Name | Description |
---|---|
iam_policy_arn | The ARN assigned by AWS to this policy. |
iam_policy_document | The policy document. |
iam_policy_id | The policy's ID. |
iam_policy_name | The name of the policy. |
iam_policy_path | The path of the policy in IAM. |
Run this every time before you push to Git:

```bash
pre-commit run -a
```
- Update the documentation in the Policy Sentry docs.
- Publish this on Terraform module registry
Copyright: © 2020 Kinnaird McQuade