Permission Policies in the Reference Architecture
Can you tell me where the permission policies are applied in the code? I'm trying to see what users have access to the secrets manager.

[Tracked in ticket #109090](https://support.gruntwork.io/hc/requests/109090)
In the reference architecture in `security/_global/account-baseline/users.yml` we can see the users and IAM groups that they belong to.

Looking at `security/_global/account-baseline/terragrunt.hcl`, we can see that it is sourcing the service catalog (roughly lines 13 and 65-66):

```
source = "${local.source_base_url}?ref=v0.82.0"
...
locals {
  source_base_url = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/landingzone/account-baseline-security"
```

Let's jump over to the service catalog, specifically [modules/landingzone/account-baseline-security/main.tf](https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/master/modules/landingzone/account-baseline-security/main.tf) (about line 200):

```
module "iam_groups" {
  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/iam-groups?ref=v0.65.8"
```

So we'll dive down to the module level and take a look at [terraform-aws-security/modules/iam-groups/main.tf](https://github.com/gruntwork-io/terraform-aws-security/blob/master/modules/iam-groups/main.tf).

The groups are defined here, for example, the `full_access` group on line 52:

```
# ----------------------------------------------------------------------------------------------------------------------
# CREATE IAM GROUP - FULL ACCESS
# Full Access users have full access to all AWS Resources.
# ----------------------------------------------------------------------------------------------------------------------

resource "aws_iam_group" "full_access" {
  count = var.should_create_iam_group_full_access && var.create_resources ? 1 : 0
  name  = var.iam_group_name_full_access
}

# Enable administrator users to have access to everything
resource "aws_iam_group_policy" "full_access" {
  count  = var.should_create_iam_group_full_access && var.create_resources ? 1 : 0
  name   = "full-access"
  group  = aws_iam_group.full_access[0].id
  policy = module.iam_policies.full_access
}

# Full-access users should also be able to manage their own IAM User accounts (without MFA), so attach the "iam-user-self-mgmt" IAM Policy.
resource "aws_iam_group_policy_attachment" "full_access_iam_user_self_mgmt" {
  count      = var.should_create_iam_group_full_access && var.create_resources ? 1 : 0
  group      = aws_iam_group.full_access[0].name
  policy_arn = aws_iam_policy.iam_user_self_mgmt[0].arn
}
```

The policies are defined on line 35:

```
module "iam_policies" {
  source = "../iam-policies"
```

Note that this is loading another module, [iam-policies](https://github.com/gruntwork-io/terraform-aws-security/blob/master/modules/iam-policies/main.tf). In this module we see the policy documents that then get attached and used, for example:

```
data "aws_iam_policy_document" "full_access" {
  statement {
    sid       = "fullAccess"
    actions   = ["*"]
    resources = ["*"]
    effect    = "Allow"
    ...
```

Note that there are no references specifically to any `secretsmanager:*` resources, and Secrets Manager is not called out in the `read_only` policy. The `full_access` policy has blanket permissions. If you want to create your own policies, you can do that with the [custom-iam-entity module](https://github.com/gruntwork-io/terraform-aws-security/blob/master/examples/custom-iam-entity/main.tf).
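To see which of these group policies would end up granting Secrets Manager access even though none of them name `secretsmanager` explicitly, here is an added example (not part of the original answer and not code from the Gruntwork modules) that runs a simplified IAM action evaluation over constructed policy documents. The group names and the third policy are made up for illustration, and resource ARNs, conditions and `NotAction` are ignored by assumption.

```python
import fnmatch

# Constructed sample policies in the JSON shape Terraform renders from
# aws_iam_policy_document. "full_access" mirrors the blanket statement quoted
# above; "read_only" and "secrets_denied" are invented for the demonstration.
GROUP_POLICIES = {
    "full_access": {"Statement": [
        {"Sid": "fullAccess", "Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]},
    "read_only": {"Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:Get*", "s3:List*"],
         "Resource": ["*"]}]},
    "secrets_denied": {"Statement": [
        {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]},
        {"Effect": "Deny", "Action": ["secretsmanager:*"], "Resource": ["*"]}]},
}


def _as_list(value):
    # IAM allows "Action" to be either a single string or a list.
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    # IAM action matching is case-insensitive; '*' and '?' are wildcards,
    # so a bare "*" covers every secretsmanager:* action as well.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_allows(policy, action):
    """Simplified evaluation of one action against one policy document.

    An explicit Deny on a matching statement wins over any Allow, which is the
    IAM rule that matters here. Resources, conditions and NotAction are not
    modelled (assumption of this example).
    """
    allowed = False
    for stmt in policy.get("Statement", []):
        for pattern in _as_list(stmt.get("Action", [])):
            if action_matches(pattern, action):
                if stmt.get("Effect") == "Deny":
                    return False
                allowed = True
    return allowed


def groups_allowing(policies, action):
    """Return the sorted names of groups whose policy allows `action`."""
    return sorted(name for name, pol in policies.items() if policy_allows(pol, action))


if __name__ == "__main__":
    print(groups_allowing(GROUP_POLICIES, "secretsmanager:GetSecretValue"))
```

The same check can be pointed at the real policy JSON pulled with the AWS CLI or API to confirm which groups actually reach Secrets Manager.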