how to create an iam role with policy that grants access to the SQS created


I created 2 SQS queues and the DeadLetterQueue with the code in my main.tf, which calls the SQS/main.tf module. I would like to destroy and create them again, but this time I also want to call IAM/iam_role.tf to create one IAM role together with its policy documents. I don't know how to specify that in my main.tf so that the resources section of the data policy document contains both CloudTrail_SQS queues that were created, meaning "CloudTrail_SQS_Data_Event" and "cloudTrail_SQS_Management_Event", and so that the S3 resource ARNs give the role access to the 2 different buckets used for the SQS queues, meaning "cloudtrail-management-event-logs" and "aws-cloudtrail143-sqs-logs".

SQS/main.tf
resource "aws_sqs_queue" "CloudTrail_SQS"{
    name                       = var.sqs_queue_name
    redrive_policy = jsonencode({
        deadLetterTargetArn    = aws_sqs_queue.CloudTrail_SQS_DLQ.arn
        maxReceiveCount        = 4
    })
}
resource "aws_sqs_queue" "CloudTrail_SQS_DLQ"{
    name                       = var.dead_queue_name

IAM/iam_role.tf
resource "aws_iam_role" "access_role" {
  name               = var.role_name
  description        = var.description
  assume_role_policy = data.aws_iam_policy_document.trust_relationship.json
}
trust policy
data "aws_iam_policy_document" "trust_relationship" {
  statement {
    sid     = "AllowAssumeRole"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = [var.account_id]
    }

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"

      values = [var.external_id]
    }
  }
}
data "aws_iam_policy_document" "policy_document"{
  statement{
    actions = [
      "sqs:GetQueueUrl",
      "sqs:ReceiveMessage",
      "sqs:SendMessage"
    ]
    effect = "Allow"
    resources = aws_sqs_queue.CloudTrail_SQS.arn
  }
  statement {
    actions = ["sqs:ListQueues"]
    effect  = "Allow"
    resources = ["*"]
  }
  statement {
    actions = ["s3:GetObject", "s3:GetBucketLocation"]
    resources = [
      "arn:aws:s3:::${var.cloudtrail_event_log_bucket_name}/*"
    ]
    effect = "Allow"
  }
  statement {
    actions = ["s3:ListBucket"]
    resources = [
      "arn:aws:s3:::${var.cloudtrail_event_log_bucket_name}"
    ]
    effect = "Allow"
  }
  statement {
    actions = ["kms:Decrypt", "kms:GenerateDataKey","kms:DescribeKey" ]
    effect = "Allow"
    resources = [var.kms_key_arn]
  }
}
main.tf
module "data_events"{
  source = "../SQS"

  cloudtrail_event_log_bucket_name = "aws-cloudtrail143-sqs-logs"
  sqs_queue_name                   = "CloudTrail_SQS_Data_Event"
  dead_queue_name                  = "CloudTrail_DLQ_Data_Event"
}


module "management_events"{
  source = "../SQS"

  cloudtrail_event_log_bucket_name = "cloudtrail-management-event-logs"
  sqs_queue_name                   = "cloudTrail_SQS_Management_Event"
  dead_queue_name                  = "cloudTrail_DLQ_Management_Event"

}

CodePudding user response:

You can use Terraform data sources.

In this case, you should define outputs in the SQS folder, read them as data in the IAM folder, and use them there.

CodePudding user response:

The role would be created as shown below. But your question has so many mistakes and so much missing information that it's impossible to provide full, working code. So the code below should be treated as a template which you need to adjust for your use.


resource "aws_iam_role" "access_role" {
  name               = var.role_name
  description        = var.description
  
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })
  
  inline_policy {
    name   = "allow-access-to-s3-sqs"
    policy = data.aws_iam_policy_document.policy_document.json
  }  
  
}


data "aws_iam_policy_document" "policy_document"{
  statement{
    actions = [
      "sqs:GetQueueUrl",
      "sqs:ReceiveMessage",
      "sqs:SendMessage"
    ]
    effect = "Allow"
    resources = [
           module.data_events.sqs.arn,
           module.management_events.sqs.arn,
           ]
  }
  statement {
    actions = ["sqs:ListQueues"]
    effect  = "Allow"
    resources = ["*"]
  }
  statement {
    actions = ["s3:GetObject", "s3:GetBucketLocation"]
    resources = [
      "arn:aws:s3:::aws-cloudtrail143-sqs-logs/*"
      "arn:aws:s3:::cloudtrail-management-event-logs/*"
    ]
    effect = "Allow"
  }
  statement {
    actions = ["s3:ListBucket"]
    resources = [
      "arn:aws:s3:::aws-cloudtrail143-sqs-logs",
      "arn:aws:s3:::cloudtrail-management-event-logs"      
    ]
    effect = "Allow"
  }
  statement {
    actions = ["kms:Decrypt", "kms:GenerateDataKey","kms:DescribeKey" ]
    effect = "Allow"
    resources = [var.kms_key_arn]
  }
}