
Lock down Terraform State

CumpsD opened this issue 4 years ago • 1 comment

In the spirit of terraform-aws-serverless, where you guys lock everything down as much as possible, how about changing aws/bootstrap.yml to incorporate the limited restrictions needed for Terraform:

https://www.terraform.io/docs/backends/types/s3.html

S3 Bucket Permissions

Terraform will need the following AWS IAM permissions on the target backend bucket:

  • s3:ListBucket on arn:aws:s3:::mybucket
  • s3:GetObject on arn:aws:s3:::mybucket/path/to/my/key
  • s3:PutObject on arn:aws:s3:::mybucket/path/to/my/key

This is seen in the following AWS IAM Statement:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::mybucket"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::mybucket/path/to/my/key"
    }
  ]
}

DynamoDB Table Permissions

If you are using state locking, Terraform will need the following AWS IAM permissions on the DynamoDB table (arn:aws:dynamodb:::table/mytable):

  • dynamodb:GetItem
  • dynamodb:PutItem
  • dynamodb:DeleteItem

This is seen in the following AWS IAM Statement:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:DeleteItem"
      ],
      "Resource": "arn:aws:dynamodb:*:*:table/mytable"
    }
  ]
}

CumpsD, Jan 23 '20 07:01
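The two policy statements quoted from the Terraform docs above describe the minimum an S3 backend with DynamoDB locking needs. The following is an added example (not code from the aws-lambda-serverless-reference project or from Terraform) that builds that minimal policy document for a given bucket, key and lock table, and then checks a candidate policy against it: it reports required (action, resource) pairs that no Allow statement covers, and Allow statements that are broader than needed (wildcards in the action or in the resource name, or grants matching no required pair). The function names, the treatment of IAM `*`/`?` wildcards as shell globs, and the decision not to flag wildcard region/account fields are this example's own assumptions.

```python
"""Build and check a least-privilege IAM policy for a Terraform S3 backend.

Added example; not project code. Assumes IAM '*' and '?' wildcards behave
like shell globs and that ARNs contain no '[' character-class syntax.
"""
import fnmatch
import json


def backend_policy(bucket, key, table=None, region="*", account="*"):
    """Return the minimal IAM policy document (as a dict) for state stored at
    s3://<bucket>/<key>, plus the DynamoDB lock table when one is given."""
    statements = [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{bucket}/{key}"},
    ]
    if table:
        statements.append({
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"],
            "Resource": f"arn:aws:dynamodb:{region}:{account}:table/{table}",
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _listify(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def allow_pairs(policy):
    """Flatten every Allow statement into (action, resource) pattern pairs."""
    pairs = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _listify(stmt.get("Action", [])):
            for resource in _listify(stmt.get("Resource", [])):
                pairs.append((action, resource))
    return pairs


def _covers(pattern, value):
    # Treat IAM '*' and '?' as glob wildcards (assumption); fnmatchcase avoids
    # the OS-dependent case folding of fnmatch.fnmatch.
    return fnmatch.fnmatchcase(value, pattern)


def _resource_name(arn):
    # "arn:partition:service:region:account:resource"; only the trailing
    # resource part is inspected, so wildcard region/account fields such as
    # "arn:aws:dynamodb:*:*:table/mytable" are not flagged as broad.
    return arn.split(":", 5)[-1]


def check_policy(policy, bucket, key, table=None):
    """Compare a candidate policy with the minimal one.

    Returns (missing, broad): required (action, resource) pairs no Allow
    statement covers, and Allow pairs that use a wildcard in the action or
    resource name or that match no required pair at all."""
    required = allow_pairs(backend_policy(bucket, key, table))
    granted = allow_pairs(policy)
    missing = [(a, r) for a, r in required
               if not any(_covers(ga, a) and _covers(gr, r) for ga, gr in granted)]
    broad = []
    for ga, gr in granted:
        wildcard_action = "*" in ga
        wildcard_resource = "*" in _resource_name(gr)
        needed = any(_covers(ga, a) and _covers(gr, r) for a, r in required)
        if wildcard_action or wildcard_resource or not needed:
            broad.append((ga, gr))
    return missing, broad


if __name__ == "__main__":
    # Constructed sample values, matching the placeholders in the quoted docs.
    minimal = backend_policy("mybucket", "path/to/my/key", "mytable")
    print(json.dumps(minimal, indent=2))
    loose = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    print(check_policy(loose, "mybucket", "path/to/my/key", "mytable"))
```

Running the module prints the minimal policy and then the result of checking an over-broad `s3:*` on `*` grant: the wildcard statement is reported as broad, and the three DynamoDB actions are reported as missing because an S3-only wildcard does not cover the lock table.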

Unfortunately, we have a "who watches the watchers?" problem here. The CloudFormation bootstrap stack and Terraform service stack are the things that define the IAM permissions for the Serverless app. The bootstrap/service user is typically a superadmin. Otherwise, you'd need another stack of something to constrain the CF + TF stacks (and then one to constrain that 😉 )

ryan-roemer, Feb 05 '20 14:02