From 0ac647c2499e094ca7eed08f40b30cdedaa339ba Mon Sep 17 00:00:00 2001
From: Jim Enright
Date: Fri, 16 Aug 2024 17:35:00 +0100
Subject: [PATCH] Fix formatting and remove unused code
Signed-off-by: Jim Enright
---
.../terraform-aws-cred-permissions/main.tf | 30 -----
modules/terraform-aws-permissions/main.tf | 118 +++++-------------
2 files changed, 30 insertions(+), 118 deletions(-)
diff --git a/modules/terraform-aws-cred-permissions/main.tf b/modules/terraform-aws-cred-permissions/main.tf
index 9e32f7e..9135751 100644
--- a/modules/terraform-aws-cred-permissions/main.tf
+++ b/modules/terraform-aws-cred-permissions/main.tf
@@ -68,33 +68,3 @@ resource "time_sleep" "iam_propagation" {
depends_on = [aws_iam_role.cdp_xaccount_role]
create_duration = "45s"
}
-
-
# # ------- Add missing iam:Tag* permissions to Cross-Account Policy -------
# # First create the extra policy document
# data "aws_iam_policy_document" "cdp_extra_xaccount_policy_doc" {
# count = var.create_extra_xaccount_policy ? 1 : 0
# version = "2012-10-17"
# statement {
# sid = "AllowIAMTagRole"
# actions = ["iam:TagRole"]
# effect = "Allow"
# resources = [
# "*",
# ]
# }
# }
# # Then create the inline policy using the document
# resource "aws_iam_role_policy" "cdp_extra_xaccount_policy" {
# count = var.create_extra_xaccount_policy ? 1 : 0
# name = "${var.env_prefix}-cross-account-extra"
# role = aws_iam_role.cdp_xaccount_role.id
# policy = data.aws_iam_policy_document.cdp_extra_xaccount_policy_doc[0].json
# }
diff --git a/modules/terraform-aws-permissions/main.tf b/modules/terraform-aws-permissions/main.tf
index 65a0a88..5f1aee0 100644
--- a/modules/terraform-aws-permissions/main.tf
+++ b/modules/terraform-aws-permissions/main.tf
@@ -1,7 +1,7 @@
# ------- CDP IDBroker Assume Role policy -------
resource "aws_iam_policy" "cdp_idbroker_policy" {
- name = var.idbroker_policy_name
- # description = "CDP IDBroker Assume Role policy for ${var.env_prefix}"
+ name = var.idbroker_policy_name
+ description = "CDP IDBroker Assume Role policy"
tags = merge(var.tags, { Name = var.idbroker_policy_name })
@@ -10,8 +10,8 @@ resource "aws_iam_policy" "cdp_idbroker_policy" {
# ------- CDP Data Access Policies - Log -------
resource "aws_iam_policy" "cdp_log_data_access_policy" {
- name = var.log_data_access_policy_name
- # description = "CDP Log Location Access policy for ${var.env_prefix}"
+ name = var.log_data_access_policy_name
+ description = "CDP Log Location Access policy"
tags = merge(var.tags, { Name = var.log_data_access_policy_name })
@@ -20,8 +20,8 @@ resource "aws_iam_policy" "cdp_log_data_access_policy" {
}
# ------- CDP Data Access Policies - ranger_audit_s3 -------
resource "aws_iam_policy" "cdp_ranger_audit_s3_data_access_policy" {
- name = var.ranger_audit_s3_policy_name
- # description = "CDP Ranger Audit S3 Access policy for ${var.env_prefix}"
+ name = var.ranger_audit_s3_policy_name
+ description = "CDP Ranger Audit S3 Access policy"
tags = merge(var.tags, { Name = var.ranger_audit_s3_policy_name })
@@ -30,8 +30,8 @@ resource "aws_iam_policy" "cdp_ranger_audit_s3_data_access_policy" {
# ------- CDP Data Access Policies - datalake_admin_s3 -------
resource "aws_iam_policy" "cdp_datalake_admin_s3_data_access_policy" {
- name = var.datalake_admin_s3_policy_name
- # description = "CDP Datalake Admin S3 Access policy for ${var.env_prefix}"
+ name = var.datalake_admin_s3_policy_name
+ description = "CDP Datalake Admin S3 Access policy"
tags = merge(var.tags, { Name = var.datalake_admin_s3_policy_name })
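Review bot: Adding `description` to the `aws_iam_policy` resources (here `cdp_idbroker_policy`, and likewise in the `-10,8`, `-20,8`, `-30,8`, `-42,8`, `-52,14`, `-67,16`, `-85,8` and `-95,8` hunks) is not a cosmetic change: the AWS provider treats `description` on `aws_iam_policy` as create-only, so on an environment that is already deployed the plan will destroy and recreate each managed policy together with the `aws_iam_role_policy_attachment` that references its `arn`, leaving the roles without those permissions for the duration of the apply. The `aws_iam_role` hunks are unaffected, since a role description is updated in place. This deserves a sentence in the commit message and a look at the plan for `-/+` entries before applying to existing environments. Separately, the new descriptions drop the `${var.env_prefix}` that the commented-out versions carried, so policies for several environments in one account now share identical descriptions; if nothing else in the module references `var.env_prefix`, it may now be an unused variable — worth confirming against the module's variables.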
@@ -42,8 +42,8 @@ resource "aws_iam_policy" "cdp_datalake_admin_s3_data_access_policy" {
# ------- CDP Data Access Policies - bucket_access -------
# Policy for Data bucket
resource "aws_iam_policy" "cdp_data_bucket_data_access_policy" {
- name = var.data_bucket_access_policy_name
- # description = "CDP Data Bucket S3 Access policy for ${var.env_prefix}"
+ name = var.data_bucket_access_policy_name
+ description = "CDP Data Bucket S3 Access policy"
tags = merge(var.tags, { Name = var.data_bucket_access_policy_name })
@@ -52,14 +52,8 @@ resource "aws_iam_policy" "cdp_data_bucket_data_access_policy" {
# Policy for Log bucket...Only required if log bucket different from data bucket
resource "aws_iam_policy" "cdp_log_bucket_data_access_policy" {
-
- # count = ((
- # var.log_storage_bucket != var.data_storage_bucket) ?
- # 1 : 0
- # )
-
- name = var.log_bucket_access_policy_name
- # description = "CDP Log Bucket S3 Access policy for ${var.env_prefix}"
+ name = var.log_bucket_access_policy_name
+ description = "CDP Log Bucket S3 Access policy"
tags = merge(var.tags, { Name = var.log_bucket_access_policy_name })
@@ -67,16 +61,8 @@ resource "aws_iam_policy" "cdp_log_bucket_data_access_policy" {
}
# Policy for backup bucket...requied only if different from backup and log bucket
resource "aws_iam_policy" "cdp_backup_bucket_data_access_policy" {
-
- # count = ((
- # var.backup_storage_bucket != var.data_storage_bucket
- # ||
- # var.backup_storage_bucket != var.log_storage_bucket) ?
- # 1 : 0
- # )
-
- name = var.backup_bucket_access_policy_name
- # description = "CDP Backup Bucket S3 Access policy for ${var.env_prefix}"
+ name = var.backup_bucket_access_policy_name
+ description = "CDP Backup Bucket S3 Access policy"
tags = merge(var.tags, { Name = var.backup_bucket_access_policy_name })
@@ -85,8 +71,8 @@ resource "aws_iam_policy" "cdp_backup_bucket_data_access_policy" {
# ------- CDP Data Access Policies - datalake_backup_policy -------
resource "aws_iam_policy" "cdp_datalake_backup_policy" {
- name = var.datalake_backup_policy_name
- # description = "CDP Datalake Backup policy for ${var.env_prefix}"
+ name = var.datalake_backup_policy_name
+ description = "CDP Datalake Backup policy"
tags = merge(var.tags, { Name = var.datalake_backup_policy_name })
@@ -95,8 +81,8 @@ resource "aws_iam_policy" "cdp_datalake_backup_policy" {
# ------- CDP Data Access Policies - datalake_restore_policy -------
resource "aws_iam_policy" "cdp_datalake_restore_policy" {
- name = var.datalake_restore_policy_name
- # description = "CDP Datalake Restore policy for ${var.env_prefix}"
+ name = var.datalake_restore_policy_name
+ description = "CDP Datalake Restore policy"
tags = merge(var.tags, { Name = var.datalake_restore_policy_name })
@@ -121,8 +107,8 @@ data "aws_iam_policy_document" "cdp_idbroker_role_policy_doc" {
# Create the IAM role that uses the above assume_role_policy document
resource "aws_iam_role" "cdp_idbroker_role" {
- name = var.idbroker_role_name
- # description = "CDP IDBroker role for ${var.env_prefix}"
+ name = var.idbroker_role_name
+ description = "CDP IDBroker role"
assume_role_policy = data.aws_iam_policy_document.cdp_idbroker_role_policy_doc.json
@@ -143,7 +129,6 @@ resource "aws_iam_role_policy_attachment" "cdp_idbroker_role_attach1" {
# Attach AWS Log Location Policy to the Role
resource "aws_iam_role_policy_attachment" "cdp_idbroker_role_attach2" {
-
role = aws_iam_role.cdp_idbroker_role.name
policy_arn = aws_iam_policy.cdp_log_data_access_policy.arn
}
@@ -166,8 +151,8 @@ data "aws_iam_policy_document" "cdp_log_role_policy_doc" {
# Create the IAM role that uses the above assume_role_policy document
resource "aws_iam_role" "cdp_log_role" {
- name = var.log_role_name
- # description = "CDP Log role for ${var.env_prefix}"
+ name = var.log_role_name
+ description = "CDP Log role"
assume_role_policy = data.aws_iam_policy_document.cdp_log_role_policy_doc.json
@@ -182,7 +167,6 @@ resource "aws_iam_instance_profile" "cdp_log_role_instance_profile" {
# Attach AWS Log Location Policy to the Role
resource "aws_iam_role_policy_attachment" "cdp_log_role_attach1" {
-
role = aws_iam_role.cdp_log_role.name
policy_arn = aws_iam_policy.cdp_log_data_access_policy.arn
}
@@ -196,7 +180,6 @@ resource "aws_iam_role_policy_attachment" "cdp_log_role_attach2" {
# Attach AWS Datalake Backup Policy to the Role
resource "aws_iam_role_policy_attachment" "cdp_log_role_attach3" {
-
role = aws_iam_role.cdp_log_role.name
policy_arn = aws_iam_policy.cdp_datalake_backup_policy.arn
}
@@ -219,8 +202,8 @@ data "aws_iam_policy_document" "cdp_datalake_admin_role_policy_doc" {
# Create the IAM role that uses the above assume_role_policy document
resource "aws_iam_role" "cdp_datalake_admin_role" {
- name = var.datalake_admin_role_name
- # description = "CDP Datalake Admin role for ${var.env_prefix}"
+ name = var.datalake_admin_role_name
+ description = "CDP Datalake Admin role"
assume_role_policy = data.aws_iam_policy_document.cdp_datalake_admin_role_policy_doc.json
@@ -235,7 +218,6 @@ resource "aws_iam_instance_profile" "cdp_datalake_admin_role_instance_profile" {
# Attach AWS Datalake Admin S3 Policy to the Role
resource "aws_iam_role_policy_attachment" "cdp_datalake_admin_role_attach1" {
-
role = aws_iam_role.cdp_datalake_admin_role.name
policy_arn = aws_iam_policy.cdp_datalake_admin_s3_data_access_policy.arn
}
@@ -243,49 +225,30 @@ resource "aws_iam_role_policy_attachment" "cdp_datalake_admin_role_attach1" {
# Attach AWS Bucket Access Policy to the Role
# ..data bucket policy
resource "aws_iam_role_policy_attachment" "cdp_datalake_admin_role_attach2" {
-
role = aws_iam_role.cdp_datalake_admin_role.name
policy_arn = aws_iam_policy.cdp_data_bucket_data_access_policy.arn
}
# ..log bucket policy, if required
resource "aws_iam_role_policy_attachment" "cdp_datalake_admin_role_attach3" {
-
- # count = ((
- # var.log_storage_bucket != var.data_storage_bucket) ?
- # 1 : 0
- # )
-
- role = aws_iam_role.cdp_datalake_admin_role.name
- # policy_arn = aws_iam_policy.cdp_log_bucket_data_access_policy[0].arn
+ role = aws_iam_role.cdp_datalake_admin_role.name
policy_arn = aws_iam_policy.cdp_log_bucket_data_access_policy.arn
}
# ..backup bucket policy, if required
resource "aws_iam_role_policy_attachment" "cdp_datalake_admin_role_attach4" {
-
- # count = ((
- # var.backup_storage_bucket != var.data_storage_bucket
- # ||
- # var.backup_storage_bucket != var.log_storage_bucket) ?
- # 1 : 0
- # )
-
- role = aws_iam_role.cdp_datalake_admin_role.name
- # policy_arn = aws_iam_policy.cdp_backup_bucket_data_access_policy[0].arn
+ role = aws_iam_role.cdp_datalake_admin_role.name
policy_arn = aws_iam_policy.cdp_backup_bucket_data_access_policy.arn
}
# Attach AWS Datalake Backup Policy to the Role
resource "aws_iam_role_policy_attachment" "cdp_datalake_admin_role_attach5" {
-
role = aws_iam_role.cdp_datalake_admin_role.name
policy_arn = aws_iam_policy.cdp_datalake_backup_policy.arn
}
# Attach AWS Datalake Restore Policy to the Role
resource "aws_iam_role_policy_attachment" "cdp_datalake_admin_role_attach6" {
-
role = aws_iam_role.cdp_datalake_admin_role.name
policy_arn = aws_iam_policy.cdp_datalake_restore_policy.arn
}
@@ -309,8 +272,8 @@ data "aws_iam_policy_document" "cdp_ranger_audit_role_policy_doc" {
# Create the IAM role that uses the above assume_role_policy document
resource "aws_iam_role" "cdp_ranger_audit_role" {
- name = var.ranger_audit_role_name
- # description = "CDP Ranger Audit role for ${var.env_prefix}"
+ name = var.ranger_audit_role_name
+ description = "CDP Ranger Audit role"
assume_role_policy = data.aws_iam_policy_document.cdp_ranger_audit_role_policy_doc.json
@@ -325,7 +288,6 @@ resource "aws_iam_instance_profile" "cdp_ranger_audit_role_instance_profile" {
# Attach AWS Ranger Audit S3 Policy to the Role
resource "aws_iam_role_policy_attachment" "cdp_ranger_audit_role_attach1" {
-
role = aws_iam_role.cdp_ranger_audit_role.name
policy_arn = aws_iam_policy.cdp_ranger_audit_s3_data_access_policy.arn
}
@@ -333,50 +295,30 @@ resource "aws_iam_role_policy_attachment" "cdp_ranger_audit_role_attach1" {
# Attach AWS Bucket Access Policies to the Role
# ..data bucket policy
resource "aws_iam_role_policy_attachment" "cdp_ranger_audit_role_attach2" {
-
role = aws_iam_role.cdp_ranger_audit_role.name
policy_arn = aws_iam_policy.cdp_data_bucket_data_access_policy.arn
}
# ..log bucket policy, if required
resource "aws_iam_role_policy_attachment" "cdp_ranger_audit_role_attach3" {
-
- # count = ((
- # var.log_storage_bucket != var.data_storage_bucket) ?
- # 1 : 0
- # )
-
- role = aws_iam_role.cdp_ranger_audit_role.name
- # policy_arn = aws_iam_policy.cdp_log_bucket_data_access_policy[0].arn
+ role = aws_iam_role.cdp_ranger_audit_role.name
policy_arn = aws_iam_policy.cdp_log_bucket_data_access_policy.arn
}
# ..backup bucket policy, if required
resource "aws_iam_role_policy_attachment" "cdp_ranger_audit_role_attach4" {
-
- # count = ((
- # var.backup_storage_bucket != var.data_storage_bucket
- # ||
- # var.backup_storage_bucket != var.log_storage_bucket) ?
- # 1 : 0
- # )
-
- role = aws_iam_role.cdp_ranger_audit_role.name
- # policy_arn = aws_iam_policy.cdp_backup_bucket_data_access_policy[0].arn
+ role = aws_iam_role.cdp_ranger_audit_role.name
policy_arn = aws_iam_policy.cdp_backup_bucket_data_access_policy.arn
}
# Attach AWS Datalake Backup Policy to the Role
resource "aws_iam_role_policy_attachment" "cdp_ranger_audit_role_attach5" {
-
role = aws_iam_role.cdp_ranger_audit_role.name
policy_arn = aws_iam_policy.cdp_datalake_backup_policy.arn
}
# Attach AWS Datalake Restore Policy to the Role
resource "aws_iam_role_policy_attachment" "cdp_ranger_audit_role_attach6" {
-
role = aws_iam_role.cdp_ranger_audit_role.name
policy_arn = aws_iam_policy.cdp_datalake_restore_policy.arn
}
-