
Commit acab2dd

committed
Add common policy module for per-zone route53 access
Use the common policy for the cert-manager-ocp-massopen user and the innabox-dns-manager user.
1 parent 5e3d149 commit acab2dd

5 files changed

Lines changed: 90 additions & 38 deletions


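--- a/iam-users/cert-manager-ocp-massopen.tf
+++ b/iam-users/cert-manager-ocp-massopen.tf
@@ -1,49 +1,17 @@
 # -- cert-manager-ocp-massopen ------------------------------------------------
 
-data "aws_route53_zone" "ocp_massopen_cloud" {
-name = "ocp.massopen.cloud"
-}
-
-data "aws_iam_policy_document" "cert_manager_ocp_massopen" {
-statement {
-sid = "ManageRecords"
-effect = "Allow"
-actions = [
-"route53:ChangeResourceRecordSets",
-"route53:ListResourceRecordSets",
-]
-resources = [data.aws_route53_zone.ocp_massopen_cloud.arn]
-}
-
-statement {
-sid = "GetChange"
-effect = "Allow"
-actions = ["route53:GetChange"]
-resources = ["arn:aws:route53:::change/*"]
-}
-
-statement {
-sid = "ListZones"
-effect = "Allow"
-actions = [
-"route53:ListHostedZones",
-"route53:ListHostedZonesByName",
-]
-resources = ["*"]
-}
-}
-
-resource "aws_iam_policy" "cert_manager_ocp_massopen" {
-name = "ocp-massopen-cloud"
-description = "modify records in ocp.massopen.cloud mainly for the purposes for dns01 challenged."
-policy = data.aws_iam_policy_document.cert_manager_ocp_massopen.json
+module "route53_policy_ocp_massopen" {
+source = "../modules/route53-policy"
+zone_name = "ocp.massopen.cloud"
+policy_name = "ocp-massopen-cloud"
+policy_description = "modify records in ocp.massopen.cloud mainly for the purposes for dns01 challenged."
 }
 
 module "cert_manager_ocp_massopen" {
 source = "../modules/iam-user"
 name = "cert-manager-ocp-massopen"
 policy_arns = {
-ocp-massopen-cloud = aws_iam_policy.cert_manager_ocp_massopen.arn
+ocp-massopen-cloud = module.route53_policy_ocp_massopen.policy_arn
 }
 tags = {
 "AKIAYLUGMT7YKZRT4APO" = "cert-manager-nist-clusters"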
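Review bot: The IAM policy named "ocp-massopen-cloud" changes address from `aws_iam_policy.cert_manager_ocp_massopen` to `module.route53_policy_ocp_massopen.aws_iam_policy.this` with no `moved` block, so the next apply will plan a destroy plus a create of a policy with the same name instead of a no-op; depending on apply ordering that is likely to either fail on the name collision or briefly detach the cert-manager user's permissions while the attachment is replaced. Adding `moved { from = aws_iam_policy.cert_manager_ocp_massopen  to = module.route53_policy_ocp_massopen.aws_iam_policy.this }` (Terraform 1.1 or later) keeps the existing policy and its attachment in state. Separately, the `policy_description` on new line 7 carries over the wording "for the purposes for dns01 challenged"; `policy_description = "modify records in ocp.massopen.cloud, mainly for dns01 challenges."` reads correctly.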

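--- a/iam-users/innabox-dns-manager.tf
+++ b/iam-users/innabox-dns-manager.tf
@@ -0,0 +1,20 @@
+# -- innabox-dns-manager ------------------------------------------------
+
+module "route53_policy_innabox" {
+source = "../modules/route53-policy"
+zone_name = "box.massopen.cloud"
+policy_name = "box-massopen-cloud"
+policy_description = "allow cert-manager in innabox dev cluster to manage box.massopen.cloud"
+}
+
+module "innbox_dns_manager" {
+source = "../modules/iam-user"
+name = "innabox-dns-manager"
+policy_arns = {
+ocp-massopen-cloud = module.route53_policy_innabox.policy_arn
+}
+tags = {
+AKIAYLUGMT7YLZGBNPO2 = "create dns record for innabox tenant clusters"
+AKIAYLUGMT7YL5VWQTCR = "innabox AAP credentials"
+}
+}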
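Review bot: The `policy_arns` key on new line 14 is `ocp-massopen-cloud` while the policy it attaches is for `box.massopen.cloud` (`policy_name = "box-massopen-cloud"`), which looks like a copy-paste from cert-manager-ocp-massopen.tf; `box-massopen-cloud = module.route53_policy_innabox.policy_arn` names the zone it actually grants. If the iam-user module (not shown here) uses the map key as the resource key of the attachment, correcting it later means a detach and re-attach, so it is cheapest to fix before the first apply. The module label on new line 10 is also misspelled, `module "innabox_dns_manager" {`, and the same argument applies: renaming a module address later needs a `moved` block or a state move.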

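--- a/modules/route53-policy/main.tf
+++ b/modules/route53-policy/main.tf
@@ -0,0 +1,38 @@
+data "aws_route53_zone" "this" {
+name = var.zone_name
+}
+
+data "aws_iam_policy_document" "this" {
+statement {
+sid = "ManageRecords"
+effect = "Allow"
+actions = [
+"route53:ChangeResourceRecordSets",
+"route53:ListResourceRecordSets",
+]
+resources = [data.aws_route53_zone.this.arn]
+}
+
+statement {
+sid = "GetChange"
+effect = "Allow"
+actions = ["route53:GetChange"]
+resources = ["arn:aws:route53:::change/*"]
+}
+
+statement {
+sid = "ListZones"
+effect = "Allow"
+actions = [
+"route53:ListHostedZones",
+"route53:ListHostedZonesByName",
+]
+resources = ["*"]
+}
+}
+
+resource "aws_iam_policy" "this" {
+name = var.policy_name
+description = var.policy_description
+policy = data.aws_iam_policy_document.this.json
+}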
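Review bot: The `ManageRecords` statement grants `route53:ChangeResourceRecordSets` over every record in the zone, although the two callers in this commit describe dns01-challenge use, and the new shared module is the natural place to offer a narrower option without changing the default for existing callers. An optional `allowed_record_types` variable (`type = list(string)`, `default = null`, declared in the module's variables file) paired with a `ForAllValues:StringEquals` condition on `route53:ChangeResourceRecordSetsRecordTypes` lets a caller pass `["TXT"]` while `null` keeps today's unrestricted behaviour; `ForAllValues` evaluates true when the key is absent from the request context, so `ListResourceRecordSets` in the same statement is unaffected. Separately, `data "aws_route53_zone" "this"` looks the zone up by name only, and that lookup errors out as ambiguous if a private zone with the same name is ever created in the account, so `private_zone = false` pins it to the public zone. The two callers' descriptions should then say which record types they were granted.
```hcl
data "aws_route53_zone" "this" {
  name         = var.zone_name
  private_zone = false # name-only lookup becomes ambiguous once a private zone of the same name exists
}

data "aws_iam_policy_document" "this" {
  statement {
    sid    = "ManageRecords"
    effect = "Allow"
    actions = [
      "route53:ChangeResourceRecordSets",
      "route53:ListResourceRecordSets",
    ]
    resources = [data.aws_route53_zone.this.arn]

    # Optional least-privilege narrowing: when a caller sets
    # var.allowed_record_types (e.g. ["TXT"] for dns01 challenges),
    # ChangeResourceRecordSets is limited to those record types.
    # Leaving it null keeps the current behaviour (any record type in the zone).
    dynamic "condition" {
      for_each = var.allowed_record_types == null ? [] : [1]
      content {
        test     = "ForAllValues:StringEquals"
        variable = "route53:ChangeResourceRecordSetsRecordTypes"
        values   = var.allowed_record_types
      }
    }
  }
  # … unchanged: GetChange and ListZones statements …
}
```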

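--- a/modules/route53-policy/outputs.tf
+++ b/modules/route53-policy/outputs.tf
@@ -0,0 +1,11 @@
+output "policy_arn" {
+value = aws_iam_policy.this.arn
+}
+
+output "zone_arn" {
+value = data.aws_route53_zone.this.arn
+}
+
+output "zone_id" {
+value = data.aws_route53_zone.this.zone_id
+}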
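Review bot: None of the three outputs carries a `description`, so module consumers and generated docs get no hint of what `zone_arn` versus `zone_id` is meant for; `description = "ARN of the IAM policy that allows managing records in the zone"` on `policy_arn`, with matching one-liners on the two zone outputs, would cover it. Neither caller in this commit reads `zone_arn` or `zone_id`, so a comment saying they are exposed for callers that need to build further statements against the same zone (if that is the intent) would also help the next reader.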
Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
variable "zone_name" {
2+
description = "Name of the Route53 hosted zone (e.g. example.com)"
3+
type = string
4+
}
5+
6+
variable "policy_name" {
7+
description = "Name for the IAM policy"
8+
type = string
9+
}
10+
11+
variable "policy_description" {
12+
description = "Description for the IAM policy"
13+
type = string
14+
default = ""
15+
}
