eli-204 removing stack interdependency

Author: eddalmond1

infrastructure/stacks/_shared/iams_permissions_boundary.tf

@@ -0,0 +1,92 @@
+# Policy document for Permissions boundary
+data "aws_iam_policy_document" "permissions_boundary" {
+  #checkov:skip=CKV2_AWS_40: Ensure AWS IAM policy does not allow full IAM privileges
+  statement {
+    sid    = "RestrictRegion"
+    effect = "Allow"
+
+    actions = [
+      "acm:*",
+      "application-autoscaling:*",
+      "apigateway:*",
+      "cloudtrail:*",
+      "cloudwatch:*",
+      "config:*",
+      "dynamodb:*",
+      "ec2:*",
+      "events:*",
+      "firehose:*",
+      "glue:*",
+      "health:*",
+      "iam:*",
+      "kms:*",
+      "lambda:*",
+      "logs:*",
+      "network-firewall:*",
+      "pipes:*",
+      "s3:*",
+      "schemas:*",
+      "sns:*",
+      "servicequotas:*",
+      "ssm:*",
+      "states:*",
+      "support:*",
+      "sqs:*",
+      "tag:*",
+      "trustedadvisor:*"
+    ]
+
+    resources = ["*"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:RequestedRegion"
+      values   = [var.default_aws_region]
+    }
+  }
+
+  statement {
+    sid    = "DenyPrivEsculationViaIamRoles"
+    effect = "Deny"
+    actions = ["iam:*"]
+    resources = ["*"]
+    condition {
+      test     = "ArnLike"
+      variable = "iam:PolicyARN"
+      values   = ["arn:aws:iam::*:policy/${upper(var.project_name)}-*"]
+    }
+  }
+
+  statement {
+    sid    = "DenyPrivEsculationViaIamProfiles"
+    effect = "Deny"
+    actions = ["iam:*"]
+    resources = ["arn:aws:iam::*:role/${upper(var.project_name)}-*"]
+  }
+}
+
+# Permissions Boundary policy created only in owner workspace
+resource "aws_iam_policy" "permissions_boundary" {
+  count       = local.is_iam_owner ? 1 : 0
+  name        = "${upper(var.project_name)}-PermissionsBoundary"
+  description = "Allows access to AWS services in the regions the client uses only"
+  policy      = data.aws_iam_policy_document.permissions_boundary.json
+
+  tags = merge(
+    local.tags,
+    {
+      Stack = "iams-developer-roles"
+    }
+  )
+}
+
+# Data source for non-owner workspaces (using ARN)
+data "aws_iam_policy" "permissions_boundary" {
+  count = local.is_iam_owner ? 0 : 1
+  arn   = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/${upper(var.project_name)}-PermissionsBoundary"
+}
+
+# Local to always reference the correct policy ARN
+locals {
+  permissions_boundary_arn = local.is_iam_owner ? aws_iam_policy.permissions_boundary[0].arn : data.aws_iam_policy.permissions_boundary[0].arn
+}

infrastructure/stacks/api-layer/iam_roles.tf

@@ -1,7 +1,3 @@
-module "iam_permissions_boundary" {
-  source = "../iams-developer-roles"
-}
-
 # Lambda trust policy
 data "aws_iam_policy_document" "lambda_assume_role" {
   statement {
@@ -29,15 +25,15 @@ resource "aws_iam_role" "lambda_read_role" {
   count                = local.is_iam_owner ? 1 : 0
   name                 = "lambda-read-role"
   assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role.json
-  permissions_boundary = module.iam_permissions_boundary.permissions_boundary_arn
+  permissions_boundary = local.permissions_boundary_arn
 }
 
 # External write role: only created in default workspace
 resource "aws_iam_role" "write_access_role" {
   count                = local.is_iam_owner ? 1 : 0
   name                 = "external-write-role"
   assume_role_policy   = data.aws_iam_policy_document.dps_assume_role.json
-  permissions_boundary = module.iam_permissions_boundary.permissions_boundary_arn
+  permissions_boundary = local.permissions_boundary_arn
 }
 
 # Data sources for referencing existing roles in non-default workspaces

infrastructure/stacks/api-layer/iams_permissions_boundary.tf

@@ -0,0 +1 @@
+../_shared/iams_permissions_boundary.tf

infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf

@@ -0,0 +1 @@
+../_shared/iams_permissions_boundary.tf