From c026b8404bd00be3e3cfb592a38bf238fbcd2527 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20Soko=C5=82owski?= <jakub@status.im>
Date: Wed, 31 Jul 2019 10:26:24 -0400
Subject: [PATCH] narrow down permissions of deploy user policy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jakub Sokołowski <jakub@status.im>
---
 modules/aws-eb-env/access.tf | 81 ++++++++++++++++++++++++++++++++++++
 modules/aws-eb-env/main.tf   |  8 ++--
 2 files changed, 86 insertions(+), 3 deletions(-)

diff --git a/modules/aws-eb-env/access.tf b/modules/aws-eb-env/access.tf
index 0b2014a..e649133 100644
--- a/modules/aws-eb-env/access.tf
+++ b/modules/aws-eb-env/access.tf
@@ -25,3 +25,84 @@ resource "aws_iam_group_policy_attachment" "deploy" {
   group      = aws_iam_group.deploy.name
   policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkFullAccess"
 }
+
+/* This doesn't work right now, needs improvement */
+//data "aws_region" "current" {}
+//data "aws_caller_identity" "current" {}
+//data "aws_iam_user" "deploy" {
+//  user_name = aws_iam_user.deploy.name
+//}
+//
+///* shorthands for neater templating */
+//locals {
+//  region           = data.aws_region.current.name
+//  account_id       = data.aws_caller_identity.current.account_id
+//  instance_profile = module.eb_environment.ec2_instance_profile_role_name
+//  full_app_name    = "${var.stage}-${local.app_name}"
+//}
+//
+///* Source: https://gist.github.com/magnetikonline/5034bdbb049181a96ac9 */
+//resource "aws_iam_group_policy" "deploy" {
+//  name       = "${var.name}-deploy-policy"
+//  group      = aws_iam_group.deploy.name
+//
+//  policy = <<EOF
+//{
+//  "Version": "2012-10-17",
+//  "Statement": [
+//    {
+//      "Action": [
+//        "autoscaling:*",
+//        "cloudformation:*",
+//        "ec2:*"
+//      ],
+//      "Effect": "Allow",
+//      "Resource": ["*"]
+//    },
+//    {
+//      "Action": ["elasticbeanstalk:CreateStorageLocation"],
+//      "Effect": "Allow",
+//      "Resource": ["*"]
+//    },
+//    {
+//      "Action": ["elasticbeanstalk:*"],
+//      "Effect": "Allow",
+//      "Resource": [
+//        "arn:aws:elasticbeanstalk:*::solutionstack/*",
+//        "arn:aws:elasticbeanstalk:${local.region}:${local.account_id}:application/${local.full_app_name}",
+//        "arn:aws:elasticbeanstalk:${local.region}:${local.account_id}:applicationversion/${local.full_app_name}/*",
+//        "arn:aws:elasticbeanstalk:${local.region}:${local.account_id}:environment/${local.full_app_name}/*",
+//        "arn:aws:elasticbeanstalk:${local.region}:${local.account_id}:template/${local.full_app_name}/*"
+//      ]
+//    },
+//    {
+//      "Action": ["s3:GetObject"],
+//      "Effect": "Allow",
+//      "Resource": ["arn:aws:s3:::elasticbeanstalk-*/*"]
+//    },
+//    {
+//      "Action": [
+//        "s3:CreateBucket",
+//        "s3:DeleteObject",
+//        "s3:GetBucketPolicy",
+//        "s3:GetObjectAcl",
+//        "s3:ListBucket",
+//        "s3:PutBucketPolicy",
+//        "s3:PutObject",
+//        "s3:PutObjectAcl"
+//      ],
+//      "Effect": "Allow",
+//      "Resource": [
+//        "arn:aws:s3:::elasticbeanstalk-${local.region}-${local.account_id}",
+//        "arn:aws:s3:::elasticbeanstalk-${local.region}-${local.account_id}/*"
+//      ]
+//    },
+//    {
+//      "Action": ["iam:PassRole"],
+//      "Effect": "Allow",
+//      "Resource": ["arn:aws:iam::${local.account_id}:role/${local.instance_profile}"]
+//    }
+//  ]
+//}
+//EOF
+//}
diff --git a/modules/aws-eb-env/main.tf b/modules/aws-eb-env/main.tf
index 987d83a..0a5ff27 100644
--- a/modules/aws-eb-env/main.tf
+++ b/modules/aws-eb-env/main.tf
@@ -1,5 +1,7 @@
 locals {
-  fqdn = "${var.stage}.${var.dns_domain}"
+  fqdn     = "${var.stage}.${var.dns_domain}"
+  /* also used in deployment user policy */
+  app_name = "${replace(var.dns_domain, ".", "-")}-app"
 }
 
 data "aws_availability_zones" "available" {
@@ -31,7 +33,7 @@ module "subnets" {
 module "eb_application" {
   source = "git::https://github.com/lodotek/terraform-aws-elastic-beanstalk-application.git?ref=ref-0.12"
 
-  name        = "${replace(var.dns_domain, ".", "-")}-app"
+  name        = local.app_name
   description = "${local.fqdn} application"
   stage       = var.stage
   namespace   = ""
@@ -41,7 +43,7 @@ module "eb_environment" {
   source = "git::https://github.com/lodotek/terraform-aws-elastic-beanstalk-environment.git?ref=master"
 
   description         = "Dapp Discovery Store - ${local.fqdn}"
-  name                = "${replace(var.dns_domain, ".", "-")}-app"
+  name                = local.app_name
   stage               = var.stage
   namespace           = ""
   solution_stack_name = var.stack_name