AWS IAM groups and policies – Terraform

Let’s create a module to create and manage AWS IAM groups and policies with Terraform! In summary a Terraform module is one or more Terraform resources bundled together to be used a single Terraform resource. You can learn more about Terraform module’s here. If you have no idea what Terraform or Terragrunt then start here. Let’s code!

The Terraform module structure

aws-iam-group/
main.tf
vars.tf
README.md

The main file

The main.tf contains all the resources required to create AWS IAM groups and their policies. Notice this one uses three resources!

resource "aws_iam_group" "this" {
name = var.iam_group_name
}

resource "aws_iam_policy" "this" {
name = var.policy_name
description = var.policy_description
policy = var.policy
}

resource "aws_iam_group_policy_attachment" "this" {
group = aws_iam_group.this.name
policy_arn = aws_iam_policy.this.arn
}

The vars file

variable iam_group_name {}

variable policy_name {}

variable policy_description {}

variable policy {}

Here’s the AWS IAM groups and policies Terraform module on GitHub: https://github.com/masterwali/tf-module-aws-iam-group

Create AWS IAM groups and policies with Terraform

Let’s use the Terraform module to create one or many IAM groups and their policies! You can deploy with Terraform but I like to use Terragrunt.

The Terragrunt/Terraform structure

This is one way to create your deployment structure. You can name this directory anything you like.

aws-iam
├── LICENSE
├── README.md
├── cloud-engineers-policy.tf
├── database-admins-policy.tf
├── developers-policy.tf
├── network-admins-policies.tf
├── groups.tf
├── main.tf
├── dev
│   ├── inputs.yml
│   ├── terragrunt.hcl
│   └── vars.tf
├── prod
│   └── terragrunt.hcl
│   ├── inputs.yml
│   └── vars.tf
├── qa
│   └── terragrunt.hcl
│   ├── inputs.yml
│   └── vars.tf
├── sec
│   └── terragrunt.hcl
│   ├── inputs.yml
│   └── vars.tf
└── terragrunt.hcl

In this example we will be creating groups and policies for developers, cloud engineers, database admins, and network admins all with one and same Terraform module! Using a module will ensure consistency and governance for our AWS resources.

The Terraform files

I like to keep the main file clean. I mainly use it for data calls and local variables.

main.tf

locals {
  account_id = data.aws_caller_identity.current.account_id
}

provider "aws" {
  region  = var.aws_region
  profile = var.aws_cli_profile
}

terraform {
  backend "s3" {}
}

data "aws_caller_identity" "current" {}

groups.tf

# CLOUD ENGINEERS
module "cloud_engineers" {
  source = "git@github.com:masterwali/tf-module-aws-iam-group.git"

  iam_group_name     = "cloud-engineers"
  policy_name        = "cloud-engineers"
  policy_description = "Cloud Engineers policy"
  policy             = data.aws_iam_policy_document.cloud_engineers.json
}
# ......... etc. 

# NETWORK ADMINS
# Modules creates group and policy and attaches policy to group. 
module "network_admins" {
  source = "git@github.com:masterwali/tf-module-aws-iam-group.git"

  iam_group_name     = "network-admins"
  policy_name        = "network-admins"
  policy_description = "Network Admins policy"
  policy             = data.aws_iam_policy_document.network_admins_main.json
}
# Create the network admins misc policy 
resource "aws_iam_policy" "network_admins_misc" {
  name        = "network-admins-misc"
  description = "Network Admins"
  policy      = data.aws_iam_policy_document.network_admins_misc.json
}
# Attach the above policy to the network admins group. 
resource "aws_iam_group_policy_attachment" "network_admins_misc" {
  group      = "network-admins"
  policy_arn = aws_iam_policy.network_admins_misc.arn

  depends_on = [aws_iam_policy.network_admins_misc]
}

The “cloud engineers” IAM policy file

data "aws_iam_policy_document" "cloud_engineers" {
  statement {
    sid    = "FullAccess"
    effect = "Allow"
    actions = [
      "iam:*",
      "kms:*",
      "s3:*"
    ]
    resources = ["*"]
  }
}

To see the developers policy and more take a look at the complete code at https://github.com/masterwali/aws-iam

Now let’s apply the code by navigating to the desired environment directory. Then initiate with ‘terragrunt init’ and apply with ‘terragrunt apply’. More on Terragrunt initiation, plans and apply.

Subscribe to get notified when more AWS and Terraform code is published!

TOP 13 CLOUD ENGINEER POSITION INTERVIEW QUESTIONS AND ANSWERSBe prepared for you interview!

IAM

AWS IAM console groups
AWS IAM console: Groups
AWS IAM console group policies
AWS IAM Group policies

AWS Account settings with Terraform and terragrunt Part 2

This is continuation of AWS account settings as code with Terraform and Terragrunt. Be sure to start with part one. Part will I’ll be blocking Amazon S3 bucket public access, enable EBS volume encryption at the AWS account level, and apply the IAM account password policies.

Cost: These exact settings applied on the account have no cost unless you use customer managed keys from KMS.

AWS IAM account password policies

# password policy
resource "aws_iam_account_password_policy" "this" {
  minimum_password_length        = 10
  max_password_age               = 365
  password_reuse_prevention      = 10
  require_lowercase_characters   = true
  require_numbers                = true
  require_uppercase_characters   = true
  require_symbols                = true
  allow_users_to_change_password = true
}

This applies the IAM account password settings as code.

This change requires the IAM permission “UpdateAccountPasswordPolicy” action allowed.

Update your “settings” repository dev branch. Then in the “settings” terragrunt update your code with

terragrunt init --terragrunt-source-update

terragrunt plan

# then
terragrunt apply

Check by going to the IAM service dashboard… now have a green check mark for “Apply an IAM password policy”.

Block Amazon S3 bucket public access

So many horror stories on the news about Amazon Simple Storage Service (S3) buckets being accidentally open to the public. Let’s prevent accidental public access on S3 buckets at the account level just in case if you get to block at the bucket level.

resource "aws_s3_account_public_access_block" "this" {
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

This sets the following settings on S3. As stated on the S3 “Block public access…” in the S3 console.

  • Blocks public access to buckets and objects granted through new access control lists (ACLs)
  • Blocks public access to buckets and objects granted through any access control lists (ACLs)
  • Blocks public access to buckets and objects granted through new public bucket or access point policies
  • Blocks public and cross-account access to buckets and objects through any public bucket or access point policies

You’ll need “PutAccountPublicAccessBlock” S3 action for this setting.

Update your “settings” repository dev branch. Then in the “settings” terragrunt update your code with

terragrunt init --terragrunt-source-update

terragrunt plan

# then
terragrunt apply

Verify by going to S3 service -> on the left navigation click “Block public access (account settings)“. You should see all green “On” for every single line.

block s3 public settings

Default EBS volume encryption

This account level setting will always set EC2 default EBS volume encryption during creation of any EBS volume regardless of what and how it’s provisioned. If you provision an EC2 using the console or use of any of the AWS CLI commands or any of the AWS SDKS and you don’t explicitly apply EBS volume encryption then this will do it for you! It’s quite amazing and simple to apply or remove.

What key will it use? It can use a default Amazon managed key or your a customer (you) managed KMS key. I haven’t setup KMS keys yet, so I’ll use the default Amazon managed key for now.

resource "aws_ebs_encryption_by_default" "this" {
  enabled = true
}

You’ll need the following IAM policy statement to apply this setting.

{
            "Sid": "AllowsEBSdefaultEncryption",
            "Effect": "Allow",
            "Action": [
                "ec2:GetEbsEncryptionByDefault",
                "ec2:EnableEbsEncryptionByDefault",
                "ec2:DisableEbsEncryptionByDefault",
                "ec2:ResetEbsDefaultKmsKeyId",
                "ec2:ModifyEbsDefaultKmsKeyId"
            ],
            "Resource": "*"
        }

and again, update your Terraform git repository then update your Terragrunt deployment code and apply.

Navigate to the EC2 service then on the main page on the right panel within the “Account attributes” click on “EBS encryption“.

Due note this only applied for a single region!

Bonus

Billing settings

These aren’t automated but it’s only enabled once your consolidated billing account. If you have permissions to enable billing alerts and emails. Within the Billing Preferences select the following settings.

Sends a PDF version of your invoice by email
As stated get notified on your free tier usage and cost

That’s it for now!

As always if you see any errors, mistakes, have suggestions or questions please comment below. Don’t forget to like, share, and subscribe for more!

Image by Денис Марчук from Pixabay