Initial commit of policy generator module

Author: Jamie Nelson

README.md

@@ -0,0 +1,121 @@
+
+## Variables
+
+| Name 								| Description 																																																														| Required 	|
+|---------------------|-----------------------------------------------------------------------------------------------------------------------------------------|-----------|
+| parameter_root_name | The prefix or root parameter that you want to allow access to 																																				  | No       	|
+| kms_key 						| The arn of the KMS key that you want to allow access to. If empty it uses a wildcard resource. `*` 																			| No 				|
+| region 							| The region of the parameter store value that you want to allow access to. If none supplied, it uses the current region of the provider. | No 				|
+| account_id 					| The account id of the parameter store you want to allow access to. If none supplied, it uses the current account id of the provider. 		| No 				|
+
+## Outputs
+
+| Name  													| Description       																																							  |
+|---------------------------------|---------------------------------------------------------------------------------------------------|
+| read_parameter_store_policy 		| A JSON policy document that only allows read access to the parameter store  											|
+| write_parameter_store_policy    | A JSON policy document that only allows write access to the parameter store 											|
+| manage_kms_store_policy   			| A JSON policy document that allows decryption access to a KMS key           											|
+| manage_parameter_store_policy 	| A JSON policy document that allows full access to the parameter store 		 											 	|
+| put_xray_trace_policy 					| A JSON policy document that allows putting data into x-ray for tracing parameter store requests 	|
+
+## Examples
+
+### Create a policy that allows access to read all parameters
+
+```hcl
+module "ps_policy" {
+	source = "git::https://github.com/cloudposse/terraform-aws-parameter-store-policy.git?ref=master"
+}
+
+resource "aws_iam_policy" "ps_read" {
+  name_prefix   = "read_any_parameter_store_value"
+  path   = "/"
+  policy = "${module.ps_policy.read_parameter_store_policy}"
+}
+```
+
+### Create a policy that allows access to write all parameters
+
+```hcl
+module "ps_policy" {
+	source = "git::https://github.com/cloudposse/terraform-aws-parameter-store-policy.git?ref=master"
+}
+
+resource "aws_iam_policy" "ps_write" {
+  name_prefix   = "write_any_parameter_store_value"
+  path   = "/"
+  policy = "${module.ps_policy.write_parameter_store_policy}"
+}
+```
+
+### Create a policy that allows managing all policies
+```hcl
+module "ps_policy" {
+	source = "git::https://github.com/cloudposse/terraform-aws-parameter-store-policy.git?ref=master"
+}
+
+resource "aws_iam_policy" "ps_manage" {
+  name_prefix   = "manage_any_parameter_store_value"
+  path   = "/"
+  policy = "${module.ps_policy.manage_parameter_store_policy}"
+}
+```
+
+### Create a policy that allows reading all parameters that start with a certain prefix
+```hcl
+module "ps_policy" {
+	source 							= "git::https://github.com/cloudposse/terraform-aws-parameter-store-policy.git?ref=master"
+	parameter_root_name = "/cp/dev/app"
+
+}
+
+resource "aws_iam_policy" "ps_manage" {
+  name_prefix   = "write_specific_parameter_store_value"
+  path   = "/"
+  policy = "${module.ps_policy.manage_parameter_store_policy}"
+}
+```
+
+### Create a kms policy to allow decrypting of the parameter store values
+```hcl
+module "kms_key" {
+  source                  = "git::https://github.com/cloudposse/terraform-aws-kms-key.git?ref=master"
+  namespace               = "cp"
+  stage                   = "prod"
+  name                    = "app"
+  description             = "KMS key"
+  deletion_window_in_days = 10
+  enable_key_rotation     = "true"
+  alias                   = "alias/parameter_store_key"
+}
+
+module "ps_policy" {
+	source 							= "git::https://github.com/cloudposse/terraform-aws-parameter-store-policy.git?ref=master"
+	parameter_root_name = "/cp/dev/app"
+	kms_key 						= "${module.kms_key.key_arn}"
+
+}
+
+resource "aws_iam_policy" "ps_kms" {
+  name_prefix   = "decrypt_parameter_store_value"
+  path   = "/"
+  policy = "${module.ps_policy.manage_kms_store_policy}"
+}
+```
+
+### Create a policy for another account, or region
+```hcl
+module "ps_policy" {
+	source 							= "git::https://github.com/cloudposse/terraform-aws-parameter-store-policy.git?ref=master"
+	parameter_root_name = "/cp/dev/app"
+	account_id          = "783649272629220"
+	region 							= "ap-southeast-2"
+
+}
+
+resource "aws_iam_policy" "ps_manage" {
+  name_prefix   = "manage_any_parameter_store_value"
+  path   = "/"
+  policy = "${module.ps_policy.manage_parameter_store_policy}"
+}
+```

main.tf

@@ -0,0 +1,106 @@
+variable "parameter_root_name" {
+  description = "The prefix or root parameter that you want to allow access to"
+  default     = ""
+}
+
+variable "kms_key" {
+  description = "The arn of the KMS key that you want to allow access to. If empty it uses a wildcard resource. `*` "
+  default     = ""
+}
+
+variable "region" {
+  description = "The region of the parameter store value that you want to allow access to. If none supplied, it uses the current region of the provider."
+  default     = ""
+}
+
+variable "account_id" {
+  description = "The account id of the parameter store you want to allow access to. If none supplied, it uses the current account id of the provider. "
+  default     = ""
+}
+
+data "aws_region" "default" {}
+data "aws_caller_identity" "default" {}
+
+locals {
+  region     = "${ var.region == "" ? data.aws_region.default.name : var.region}"
+  account_id = "${var.account_id == "" ? data.aws_caller_identity.default.account_id : var.account_id}"
+
+  # Normalise the parameter name, and remove any duplicate slashes
+  parameter_root_name = "${join("/",compact(split("/", var.parameter_root_name)))}"
+
+  # If no KMS arn supplied, allow access to any KMS 
+  kms_key = "${var.kms_key == "" ? "*" : var.kms_key }"
+}
+
+data "aws_iam_policy_document" "read_parameter_store" {
+  statement {
+    actions   = ["ssm:GetParameters", "ssm:GetParameter", "ssm:GetParameterHistory", "ssm:GetParametersByPath"]
+    resources = ["arn:aws:ssm:${local.region}:${local.account_id}:parameter/${local.parameter_root_name}*"]
+  }
+}
+
+data "aws_iam_policy_document" "write_parameter_store" {
+  statement {
+    actions   = ["ssm:PutParameters", "ssm:PutParameter"]
+    resources = ["arn:aws:ssm:${local.region}:${local.account_id}:parameter/${local.parameter_root_name}*"]
+  }
+}
+
+data "aws_iam_policy_document" "manage_parameter_store" {
+  statement {
+    actions = [
+      "ssm:PutParameters",
+      "ssm:PutParameter",
+      "ssm:DeleteParameter",
+      "ssm:DeleteParameters",
+      "ssm:GetParameters",
+      "ssm:GetParameter",
+      "ssm:GetParameterHistory",
+      "ssm:GetParametersByPath",
+    ]
+
+    resources = ["arn:aws:ssm:${local.region}:${local.account_id}:parameter/${local.parameter_root_name}*"]
+  }
+}
+
+data "aws_iam_policy_document" "put_xray_trace" {
+  statement {
+    actions   = ["xray:PutTraceSegments", "xray:PutTelemetryRecords"]
+    resources = ["*"]
+  }
+}
+
+data "aws_iam_policy_document" "manage_kms_store" {
+  statement {
+    actions = [
+      "kms:ListKeys",
+      "kms:ListAliases",
+      "kms:Describe*",
+      "kms:Decrypt",
+    ]
+
+    resources = [
+      "${local.kms_key}",
+    ]
+  }
+}
+
+output "read_parameter_store_policy" {
+  value = "${data.aws_iam_policy_document.read_parameter_store.json}"
+}
+
+output "write_parameter_store_policy" {
+  value = "${data.aws_iam_policy_document.write_parameter_store.json}"
+}
+
+output "manage_kms_store_policy" {
+  value = "${data.aws_iam_policy_document.manage_kms_store.json}"
+}
+
+output "manage_parameter_store_policy" {
+  value = "${data.aws_iam_policy_document.manage_parameter_store.json}"
+}
+
+output "put_xray_trace_policy" {
+  value = "${data.aws_iam_policy_document.put_xray_trace.json}"
+}