aws-lambda-serverless-reference
Lock down Terraform State
In the spirit of terraform-aws-serverless, where you guys lock everything down as much as possible, how about changing aws/bootstrap.yml to incorporate the limited restrictions needed for Terraform:
https://www.terraform.io/docs/backends/types/s3.html

S3 Bucket Permissions

Terraform will need the following AWS IAM permissions on the target backend bucket:

- s3:ListBucket on arn:aws:s3:::mybucket
- s3:GetObject on arn:aws:s3:::mybucket/path/to/my/key
- s3:PutObject on arn:aws:s3:::mybucket/path/to/my/key
This is seen in the following AWS IAM Statement:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::mybucket"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::mybucket/path/to/my/key"
    }
  ]
}
```
DynamoDB Table Permissions

If you are using state locking, Terraform will need the following AWS IAM permissions on the DynamoDB table (arn:aws:dynamodb:::table/mytable):

- dynamodb:GetItem
- dynamodb:PutItem
- dynamodb:DeleteItem
This is seen in the following AWS IAM Statement:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:DeleteItem"
      ],
      "Resource": "arn:aws:dynamodb:*:*:table/mytable"
    }
  ]
}
```
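As an added example (not part of the original issue or the aws-lambda-serverless-reference project), here is what the two statements above look like as a CloudFormation fragment that could live in aws/bootstrap.yml: a managed policy scoped to one state bucket, one state key and one lock table. The parameter and resource names (TfStateBucket, TfStateKey, TfLockTable, TerraformStatePolicy) and the default key path are assumptions.

```yaml
# Added example, not project code. Names and the default state key are assumed.
Parameters:
  TfStateBucket:
    Type: String
    Description: Name of the S3 bucket that holds Terraform state
  TfStateKey:
    Type: String
    Default: terraform/state.tfstate
    Description: Object key of the state file inside the bucket
  TfLockTable:
    Type: String
    Description: Name of the DynamoDB table used for state locking

Resources:
  TerraformStatePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Least-privilege access to the Terraform S3 backend
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # ListBucket is a bucket-level action, so its resource is the bucket ARN
          # (no trailing "/*"); granting it on the object ARN would not work.
          - Sid: ListStateBucket
            Effect: Allow
            Action: s3:ListBucket
            Resource: !Sub "arn:aws:s3:::${TfStateBucket}"
          # Get/Put are object-level actions, scoped to the single state key
          # rather than the whole bucket.
          - Sid: ReadWriteStateObject
            Effect: Allow
            Action:
              - s3:GetObject
              - s3:PutObject
            Resource: !Sub "arn:aws:s3:::${TfStateBucket}/${TfStateKey}"
          # Lock table: only the three item operations the backend docs list,
          # on one table in this account and region instead of "*:*".
          - Sid: StateLockTable
            Effect: Allow
            Action:
              - dynamodb:GetItem
              - dynamodb:PutItem
              - dynamodb:DeleteItem
            Resource: !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TfLockTable}"
```

The policy is then attached to the bootstrap user or role through its ManagedPolicyArns, which keeps the state-access grant separate from whatever broader permissions that principal already carries.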
Unfortunately, we have a "who watches the watchers?" problem here. The CloudFormation bootstrap stack and Terraform service stack are the things that define the IAM permissions for the Serverless app. The bootstrap/service user is typically a superadmin. Otherwise, you'd need another stack of something to constrain the CF + TF stacks (and then one to constrain that 😉 )