DOPS-101 Specify role arn to work with backend

Author: akagr

terraform/aws.tf

@@ -4,6 +4,9 @@
 provider "aws" {
   region  = "${var.aws_region}"
   version = "~> 1.57"
+  assume_role = {
+    role_arn = "arn:aws:iam::587267277416:role/terraform_sandbox_backend_admin"
+  }
 }
 
 data "aws_caller_identity" "current" {}

terraform/bootstrap/jenkins.tf

@@ -28,15 +28,8 @@ data "aws_iam_policy_document" "terraform_backend_role_policy_document" {
   statement {
     effect = "Allow"
 
-    actions   = ["s3:*"]
-    resources = ["arn:aws:s3:::${module.bootstrap.state_bucket}/*"]
-  }
-
-  statement {
-    effect = "Allow"
-
-    actions   = ["dynamodb:*"]
-    resources = ["arn:aws:dynamodb:${var.aws_region}:${data.aws_caller_identity.current.account_id}:table/${module.bootstrap.dynamodb_table}"]
+    actions   = ["*"]
+    resources = ["*"]
   }
 }
 

terraform/bootstrap/terraform.tfstate

@@ -1,7 +1,7 @@
 {
   "version": 4,
   "terraform_version": "1.2.9",
-  "serial": 215,
+  "serial": 217,
   "lineage": "3466ed5e-b3d1-107e-19aa-0306c957a966",
   "outputs": {
     "account_id": {
@@ -104,8 +104,8 @@
         {
           "schema_version": 0,
           "attributes": {
-            "id": "1540866772",
-            "json": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"s3:*\",\n      \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\"\n    },\n    {\n      \"Sid\": \"\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"dynamodb:*\",\n      \"Resource\": \"arn:aws:dynamodb:us-east-1:587267277416:table/moduscreate-devops-demo-state-lock\"\n    }\n  ]\n}",
+            "id": "784443208",
+            "json": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"*\",\n      \"Resource\": \"*\"\n    }\n  ]\n}",
             "override_json": null,
             "override_policy_documents": null,
             "policy_id": null,
@@ -114,22 +114,7 @@
             "statement": [
               {
                 "actions": [
-                  "s3:*"
-                ],
-                "condition": [],
-                "effect": "Allow",
-                "not_actions": [],
-                "not_principals": [],
-                "not_resources": [],
-                "principals": [],
-                "resources": [
-                  "arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*"
-                ],
-                "sid": ""
-              },
-              {
-                "actions": [
-                  "dynamodb:*"
+                  "*"
                 ],
                 "condition": [],
                 "effect": "Allow",
@@ -138,7 +123,7 @@
                 "not_resources": [],
                 "principals": [],
                 "resources": [
-                  "arn:aws:dynamodb:us-east-1:587267277416:table/moduscreate-devops-demo-state-lock"
+                  "*"
                 ],
                 "sid": ""
               }
@@ -164,7 +149,7 @@
             "name": "terraform-backend-role-policy",
             "name_prefix": null,
             "path": "/",
-            "policy": "{\"Statement\":[{\"Action\":\"s3:*\",\"Effect\":\"Allow\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Sid\":\"\"},{\"Action\":\"dynamodb:*\",\"Effect\":\"Allow\",\"Resource\":\"arn:aws:dynamodb:us-east-1:587267277416:table/moduscreate-devops-demo-state-lock\",\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}",
+            "policy": "{\"Statement\":[{\"Action\":\"*\",\"Effect\":\"Allow\",\"Resource\":\"*\",\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}",
             "policy_id": "ANPAYRO63QJUEYGCFJVOK",
             "tags": {},
             "tags_all": {}
@@ -231,10 +216,8 @@
           "dependencies": [
             "aws_iam_policy.terraform_backend_role_policy",
             "aws_iam_role.terraform_backend_role",
-            "data.aws_caller_identity.current",
             "data.aws_iam_policy_document.terraform_backend_account_policy",
-            "data.aws_iam_policy_document.terraform_backend_role_policy_document",
-            "module.bootstrap.aws_dynamodb_table.terraform_state_lock"
+            "data.aws_iam_policy_document.terraform_backend_role_policy_document"
           ]
         }
       ]
@@ -563,7 +546,7 @@
             ],
             "object_lock_configuration": [],
             "object_lock_enabled": false,
-            "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"enforce-tls-requests-only\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}}},{\"Sid\":\"inventory-and-analytics\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"s3.amazonaws.com\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\",\"aws:SourceAccount\":\"587267277416\"},\"ArnLike\":{\"aws:SourceArn\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1\"}}}]}",
+            "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"enforce-tls-requests-only\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}}},{\"Sid\":\"inventory-and-analytics\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"s3.amazonaws.com\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Condition\":{\"StringEquals\":{\"aws:SourceAccount\":\"587267277416\",\"s3:x-amz-acl\":\"bucket-owner-full-control\"},\"ArnLike\":{\"aws:SourceArn\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1\"}}}]}",
             "region": "us-east-1",
             "replication_configuration": [],
             "request_payer": "BucketOwner",

terraform/terraform.tf

@@ -9,6 +9,7 @@ terraform {
     dynamodb_table = "moduscreate-devops-demo-state-lock"
     region         = "us-east-1"
     encrypt        = "true"
+    role_arn       = "arn:aws:iam::587267277416:role/terraform_sandbox_backend_admin"
   }
 }