Skip to content

Commit 48b2077

Browse files
authored
Add TerraformStateAccess Permission Set (#57)
* Implement Terraform state access permissions Added Terraform state access permission set with policies for S3 and DynamoDB. * Add terraform_state_access_permission_set to permissions
1 parent c172cca commit 48b2077

File tree

2 files changed

+55
-0
lines changed

2 files changed

+55
-0
lines changed

src/main.tf

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -106,6 +106,7 @@ module "permission_sets" {
106106
local.terraform_plan_access_permission_set,
107107
local.terraform_apply_access_permission_set,
108108
local.terraform_update_access_permission_set,
109+
local.terraform_state_access_permission_set,
109110
)
110111

111112
context = module.this.context

src/policy-TerraformAccess.tf

Lines changed: 54 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -43,6 +43,18 @@ locals {
4343
policy_attachments = ["arn:${local.aws_partition}:iam::aws:policy/AdministratorAccess"]
4444
customer_managed_policy_attachments = []
4545
}] : []
46+
47+
# Terraform State Access permission set
48+
terraform_state_access_permission_set = local.tf_access_enabled ? [{
49+
name = "TerraformStateAccess",
50+
description = "Allow read/write access to Terraform state backend only",
51+
relay_state = "",
52+
session_duration = var.session_duration,
53+
tags = {},
54+
inline_policy = one(data.aws_iam_policy_document.terraform_state_access[*].json),
55+
policy_attachments = []
56+
customer_managed_policy_attachments = []
57+
}] : []
4658
}
4759

4860
# Terraform Plan Access - Read-only state access, read-only account access
@@ -133,3 +145,45 @@ data "aws_iam_policy_document" "terraform_apply_access" {
133145
resources = ["*"]
134146
}
135147
}
148+
149+
# Terraform State Access - Read/write state access only (no account permissions)
150+
data "aws_iam_policy_document" "terraform_state_access" {
151+
count = local.tf_access_enabled ? 1 : 0
152+
153+
# Read/write access to Terraform state S3 bucket
154+
statement {
155+
sid = "TerraformStateBackendS3Bucket"
156+
effect = "Allow"
157+
actions = [
158+
"s3:ListBucket",
159+
"s3:GetObject",
160+
"s3:PutObject",
161+
"s3:DeleteObject",
162+
]
163+
resources = [var.tf_access_bucket_arn, "${var.tf_access_bucket_arn}/*"]
164+
}
165+
166+
# DynamoDB table access for state locking (if configured)
167+
dynamic "statement" {
168+
for_each = (local.tf_access_enabled && var.tf_access_dynamodb_table_arn != "") ? [1] : []
169+
170+
content {
171+
sid = "TerraformStateBackendDynamoDbTable"
172+
effect = "Allow"
173+
actions = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]
174+
resources = [var.tf_access_dynamodb_table_arn]
175+
}
176+
}
177+
178+
# Allow assuming the Terraform state backend role
179+
statement {
180+
sid = "TerraformStateBackendAssumeRole"
181+
effect = "Allow"
182+
actions = [
183+
"sts:AssumeRole",
184+
"sts:TagSession",
185+
"sts:SetSourceIdentity",
186+
]
187+
resources = [var.tf_access_role_arn]
188+
}
189+
}

0 commit comments

Comments
 (0)