-
-
Notifications
You must be signed in to change notification settings - Fork 13
/
Copy pathREADME.yaml
137 lines (115 loc) · 4.9 KB
/
README.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
#
# This is the canonical configuration for the `README.md`
# Run `make readme` to rebuild the `README.md`
#
# Name of this project
name: terraform-aws-ssm-parameter-store-policy-documents
# License of this project
license: "APACHE2"
# Canonical GitHub repo
github_repo: cloudposse/terraform-aws-ssm-parameter-store-policy-documents
# Badges to display
badges:
- name: Latest Release
image: https://img.shields.io/github/release/cloudposse/terraform-aws-ssm-parameter-store-policy-documents.svg?style=for-the-badge
url: https://github.com/cloudposse/terraform-aws-ssm-parameter-store-policy-documents/releases/latest
- name: Last Updated
image: https://img.shields.io/github/last-commit/cloudposse/terraform-aws-ssm-parameter-store-policy-documents.svg?style=for-the-badge
url: https://github.com/cloudposse/terraform-aws-ssm-parameter-store-policy-documents/commits
- name: Slack Community
image: https://slack.cloudposse.com/for-the-badge.svg
url: https://slack.cloudposse.com
# List any related terraform modules that this module may be used with or that this module depends on.
related:
- name: "terraform-aws-ssm-parameter-store"
description: "Terraform module to populate AWS Systems Manager (SSM) Parameter Store with values from Terraform. Works great with Chamber."
url: "https://github.com/cloudposse/terraform-aws-ssm-parameter-store"
- name: "terraform-aws-ssm-iam-role"
description: "Terraform module to provision an IAM role with configurable permissions to access SSM Parameter Store"
url: "https://github.com/cloudposse/terraform-aws-ssm-iam-role"
- name: "terraform-aws-kms-key"
description: "Terraform module to provision a KMS key with alias"
url: "https://github.com/cloudposse/terraform-aws-kms-key"
# Short description of this project
description: |-
This module generates JSON documents for restricted permission sets for AWS SSM Parameter Store access.
Helpful when combined with [terraform-aws-ssm-parameter-store](https://github.com/cloudposse/terraform-aws-ssm-parameter-store)
# How to use this project
examples: |-
Create a policy that allows access to write all parameters
```hcl
module "ps_policy" {
source = "git::https://github.com/cloudposse/terraform-aws-ssm-parameter-store-policy-documents.git?ref=master"
}
resource "aws_iam_policy" "ps_write" {
name_prefix = "write_any_parameter_store_value"
path = "/"
policy = "${module.ps_policy.write_parameter_store_policy}"
}
```
Create a policy that allows managing all policies
```hcl
module "ps_policy" {
source = "git::https://github.com/cloudposse/terraform-aws-ssm-parameter-store-policy-documents.git?ref=master"
}
resource "aws_iam_policy" "ps_manage" {
name_prefix = "manage_any_parameter_store_value"
path = "/"
policy = "${module.ps_policy.manage_parameter_store_policy}"
}
```
Create a policy that allows reading all parameters that start with a certain prefix
```hcl
module "ps_policy" {
source = "git::https://github.com/cloudposse/terraform-aws-ssm-parameter-store-policy-documents.git?ref=master"
parameter_root_name = "/cp/dev/app"
}
resource "aws_iam_policy" "ps_manage" {
name_prefix = "write_specific_parameter_store_value"
path = "/"
policy = "${module.ps_policy.manage_parameter_store_policy}"
}
```
Create a kms policy to allow decrypting of the parameter store values
```hcl
module "kms_key" {
source = "git::https://github.com/cloudposse/terraform-aws-kms-key.git?ref=master"
namespace = "cp"
stage = "prod"
name = "app"
description = "KMS key"
deletion_window_in_days = 10
enable_key_rotation = "true"
alias = "alias/parameter_store_key"
}
module "ps_policy" {
source = "git::https://github.com/cloudposse/terraform-aws-ssm-parameter-store-policy-documents.git?ref=master"
parameter_root_name = "/cp/dev/app"
kms_key = "${module.kms_key.key_arn}"
}
resource "aws_iam_policy" "ps_kms" {
name_prefix = "decrypt_parameter_store_value"
path = "/"
policy = "${module.ps_policy.manage_kms_store_policy}"
}
```
Create a policy for another account, or region
```hcl
module "ps_policy" {
source = "git::https://github.com/cloudposse/terraform-aws-ssm-parameter-store-policy-documents.git?ref=master"
parameter_root_name = "/cp/dev/app"
account_id = "783649272629220"
region = "ap-southeast-2"
}
resource "aws_iam_policy" "ps_manage" {
name_prefix = "manage_any_parameter_store_value"
path = "/"
policy = "${module.ps_policy.manage_parameter_store_policy}"
}
```
# Other files to include in this README from the project folder
include:
- "docs/terraform.md"
- "docs/targets.md"
# Contributors to this project
contributors: []