Fix to support AWS Profile and updated IAM Policy

rcastley · rcastley · commit 45d836f6ab08 · 2024-07-17T16:44:12.000+01:00
diff --git a/workshop/aws/sfx/main.tf b/workshop/aws/sfx/main.tf
@@ -1,5 +1,5 @@
 provider "aws" {
-  profile = "default"
+  profile = var.aws_profile
   region  = var.aws_region
 }
 
@@ -40,66 +40,109 @@ resource "aws_iam_policy" "aws_read_permissions" {
   description = "SignalFx IAM Policy"
   policy      = <<EOF
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Action": [
-                "dynamodb:ListTables",
-                "dynamodb:DescribeTable",
-                "dynamodb:ListTagsOfResource",
-                "ec2:DescribeInstances",
-                "ec2:DescribeInstanceStatus",
-                "ec2:DescribeVolumes",
-                "ec2:DescribeReservedInstances",
-                "ec2:DescribeReservedInstancesModifications",
-                "ec2:DescribeTags",
-                "organizations:DescribeOrganization",
-                "cloudwatch:ListMetrics",
-                "cloudwatch:GetMetricData",
-                "cloudwatch:GetMetricStatistics",
-                "cloudwatch:DescribeAlarms",
-                "sqs:ListQueues",
-                "sqs:GetQueueAttributes",
-                "sqs:ListQueueTags",
-                "elasticmapreduce:ListClusters",
-                "elasticmapreduce:DescribeCluster",
-                "kinesis:ListShards",
-                "kinesis:ListStreams",
-                "kinesis:DescribeStream",
-                "kinesis:ListTagsForStream",
-                "rds:DescribeDBInstances",
-                "rds:ListTagsForResource",
-                "elasticloadbalancing:DescribeLoadBalancers",
-                "elasticloadbalancing:DescribeTags",
-                "elasticache:describeCacheClusters",
-                "redshift:DescribeClusters",
-                "lambda:GetAlias",
-                "lambda:ListFunctions",
-                "lambda:ListTags",
-                "autoscaling:DescribeAutoScalingGroups",
-                "s3:ListAllMyBuckets",
-                "s3:ListBucket",
-                "s3:GetBucketLocation",
-                "s3:GetBucketTagging",
-                "ecs:ListServices",
-                "ecs:ListTasks",
-                "ecs:DescribeTasks",
-                "ecs:DescribeServices",
-                "ecs:ListClusters",
-                "ecs:DescribeClusters",
-                "ecs:ListTaskDefinitions",
-                "ecs:ListTagsForResource",
-                "apigateway:GET",
-                "cloudfront:ListDistributions",
-                "cloudfront:ListTagsForResource",
-                "tag:GetResources",
-                "es:ListDomainNames",
-                "es:DescribeElasticsearchDomain"
-            ],
-            "Effect": "Allow",
-            "Resource": "*"
-        }
-    ]
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "airflow:GetEnvironment",
+        "airflow:ListEnvironments",
+        "apigateway:GET",
+        "autoscaling:DescribeAutoScalingGroups",
+        "cloudformation:ListResources",
+        "cloudformation:GetResource",
+        "cloudfront:GetDistributionConfig",
+        "cloudfront:ListDistributions",
+        "cloudfront:ListTagsForResource",
+        "cloudwatch:GetMetricData",
+        "cloudwatch:ListMetrics",
+        "directconnect:DescribeConnections",
+        "dynamodb:DescribeTable",
+        "dynamodb:ListTables",
+        "dynamodb:ListTagsOfResource",
+        "ec2:DescribeInstances",
+        "ec2:DescribeInstanceStatus",
+        "ec2:DescribeNatGateways",
+        "ec2:DescribeRegions",
+        "ec2:DescribeReservedInstances",
+        "ec2:DescribeReservedInstancesModifications",
+        "ec2:DescribeTags",
+        "ec2:DescribeVolumes",
+        "ecs:DescribeClusters",
+        "ecs:DescribeServices",
+        "ecs:DescribeTasks",
+        "ecs:ListClusters",
+        "ecs:ListServices",
+        "ecs:ListTagsForResource",
+        "ecs:ListTaskDefinitions",
+        "ecs:ListTasks",
+        "eks:DescribeCluster",
+        "eks:ListClusters",
+        "elasticache:DescribeCacheClusters",
+        "elasticloadbalancing:DescribeLoadBalancerAttributes",
+        "elasticloadbalancing:DescribeLoadBalancers",
+        "elasticloadbalancing:DescribeTags",
+        "elasticloadbalancing:DescribeTargetGroups",
+        "elasticmapreduce:DescribeCluster",
+        "elasticmapreduce:ListClusters",
+        "es:DescribeElasticsearchDomain",
+        "es:ListDomainNames",
+        "kafka:DescribeCluster",
+        "kafka:DescribeClusterV2",
+        "kafka:ListClusters",
+        "kafka:ListClustersV2",
+        "kinesis:DescribeStream",
+        "kinesis:ListShards",
+        "kinesis:ListStreams",
+        "kinesis:ListTagsForStream",
+        "kinesisanalytics:DescribeApplication",
+        "kinesisanalytics:ListApplications",
+        "kinesisanalytics:ListTagsForResource",
+        "lambda:GetAlias",
+        "lambda:ListFunctions",
+        "lambda:ListTags",
+        "logs:DeleteSubscriptionFilter",
+        "logs:DescribeLogGroups",
+        "logs:DescribeSubscriptionFilters",
+        "logs:PutSubscriptionFilter",
+        "organizations:DescribeOrganization",
+        "rds:DescribeDBInstances",
+        "rds:DescribeDBClusters",
+        "rds:ListTagsForResource",
+        "redshift:DescribeClusters",
+        "redshift:DescribeLoggingStatus",
+        "s3:GetBucketLocation",
+        "s3:GetBucketLogging",
+        "s3:GetBucketNotification",
+        "s3:GetBucketTagging",
+        "s3:ListAllMyBuckets",
+        "s3:ListBucket",
+        "s3:PutBucketNotification",
+        "sqs:GetQueueAttributes",
+        "sqs:ListQueues",
+        "sqs:ListQueueTags",
+        "states:ListActivities",
+        "states:ListStateMachines",
+        "tag:GetResources",
+        "workspaces:DescribeWorkspaces"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "cassandra:Select"
+      ],
+      "Resource": [
+        "arn:aws:cassandra:*:*:/keyspace/system/table/local",
+        "arn:aws:cassandra:*:*:/keyspace/system/table/peers",
+        "arn:aws:cassandra:*:*:/keyspace/system_schema/*",
+        "arn:aws:cassandra:*:*:/keyspace/system_schema_mcs/table/tags",
+        "arn:aws:cassandra:*:*:/keyspace/system_schema_mcs/table/tables",
+        "arn:aws:cassandra:*:*:/keyspace/system_schema_mcs/table/columns"
+      ]
+    }
+  ]
 }
 EOF
 }
diff --git a/workshop/aws/sfx/variables.tf b/workshop/aws/sfx/variables.tf
@@ -1,3 +1,7 @@
+variable "aws_profile" {
+  description = "AWS profile to use for the AWS provider."
+}
+
 variable "aws_region" {
   description = "Provide the desired region (for example: us-west-2)"
 }

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,7 @@`
	`1`	`+variable "aws_profile" {`
	`2`	`+ description = "AWS profile to use for the AWS provider."`
	`3`	`+}`
	`4`	`+`
`1`	`5`	`variable "aws_region" {`
`2`	`6`	`description = "Provide the desired region (for example: us-west-2)"`
`3`	`7`	`}`