Add description for IAM role, policy and permissions required for req…

…uester and accepter (#5)

* Add description for the IAM role, policy and permissions required by the requester and accepter

* Add description for the IAM role, policy and permissions required by the requester and accepter

* Update README

* Update README

* Update README

* Update README

* Update README

README.md

@@ -68,16 +68,187 @@ module "vpc_peering_cross_account" {
 
  requester_aws_assume_role_arn = "arn:aws:iam::XXXXXXXX:role/cross-account-vpc-peering-test"
  requester_region = "us-west-2"
- requester_vpc_id = "vpc-XXXXXXXX"
+ requester_vpc_id = "vpc-xxxxxxxx"
  requester_allow_remote_vpc_dns_resolution = "true"
 
  accepter_aws_assume_role_arn = "arn:aws:iam::YYYYYYYY:role/cross-account-vpc-peering-test"
  accepter_region = "us-east-1"
- accepter_vpc_id = "vpc-YYYYYYYY"
+ accepter_vpc_id = "vpc-yyyyyyyy"
  accepter_allow_remote_vpc_dns_resolution = "true"
 }
 ```
 
+The `arn:aws:iam::XXXXXXXX:role/cross-account-vpc-peering-test` requester IAM Role should have the following Trust Policy:
+
+<details><summary>Show Trust Policy</summary>
+
+```js
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::XXXXXXXX:root"
+ },
+ "Action": "sts:AssumeRole",
+ "Condition": {}
+ }
+ ]
+}
+```
+
+</details>
+<br/>
+
+and the following IAM Policy attached to it:
+
+__NOTE:__ the policy specifies the permissions to create (with `terraform plan/apply`) and delete (with `terraform destroy`) all the required resources in the requester AWS account
+
+<details><summary>Show IAM Policy</summary>
+
+```js
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute"
+ ],
+ "Resource": "arn:aws:ec2:*:XXXXXXXX:route-table/*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeVpcPeeringConnections",
+ "ec2:DescribeVpcs",
+ "ec2:ModifyVpcPeeringConnectionOptions",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVpcAttribute",
+ "ec2:DescribeRouteTables"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AcceptVpcPeeringConnection",
+ "ec2:DeleteVpcPeeringConnection",
+ "ec2:CreateVpcPeeringConnection",
+ "ec2:RejectVpcPeeringConnection"
+ ],
+ "Resource": [
+ "arn:aws:ec2:*:XXXXXXXX:vpc-peering-connection/*",
+ "arn:aws:ec2:*:XXXXXXXX:vpc/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DeleteTags",
+ "ec2:CreateTags"
+ ],
+ "Resource": "arn:aws:ec2:*:XXXXXXXX:vpc-peering-connection/*"
+ }
+ ]
+}
+```
+
+</details>
+
+where `XXXXXXXX` is the requester AWS account ID.
+
+<br/>
+
+The `arn:aws:iam::YYYYYYYY:role/cross-account-vpc-peering-test` accepter IAM Role should have the following Trust Policy:
+
+<details><summary>Show Trust Policy</summary>
+
+```js
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::XXXXXXXX:root"
+ },
+ "Action": "sts:AssumeRole",
+ "Condition": {}
+ }
+ ]
+}
+```
+
+</details>
+
+__NOTE__: The accepter Trust Policy is the same as the requester Trust Policy since it defines who can assume the IAM Role.
+In the requester case, the requester account ID itself is the trusted entity.
+For the accepter, the Trust Policy specifies that the requester account ID `XXXXXXXX` can assume the role in the accepter AWS account `YYYYYYYY`.
+
+and the following IAM Policy attached to it:
+
+__NOTE:__ the policy specifies the permissions to create (with `terraform plan/apply`) and delete (with `terraform destroy`) all the required resources in the accepter AWS account
+
+<details><summary>Show IAM Policy</summary>
+
+```js
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute"
+ ],
+ "Resource": "arn:aws:ec2:*:YYYYYYYY:route-table/*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeVpcPeeringConnections",
+ "ec2:DescribeVpcs",
+ "ec2:ModifyVpcPeeringConnectionOptions",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVpcAttribute",
+ "ec2:DescribeRouteTables"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AcceptVpcPeeringConnection",
+ "ec2:DeleteVpcPeeringConnection",
+ "ec2:CreateVpcPeeringConnection",
+ "ec2:RejectVpcPeeringConnection"
+ ],
+ "Resource": [
+ "arn:aws:ec2:*:YYYYYYYY:vpc-peering-connection/*",
+ "arn:aws:ec2:*:YYYYYYYY:vpc/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DeleteTags",
+ "ec2:CreateTags"
+ ],
+ "Resource": "arn:aws:ec2:*:YYYYYYYY:vpc-peering-connection/*"
+ }
+ ]
+}
+```
+
+</details>
+
+where `YYYYYYYY` is the accepter AWS account ID.
+
+For more information on IAM policies and permissions for VPC peering, see [Creating and managing VPC peering connections](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_IAM.html#vpcpeeringiam).
+
 
 
 

README.yaml

@@ -81,16 +81,187 @@ usage: |-
 
  requester_aws_assume_role_arn = "arn:aws:iam::XXXXXXXX:role/cross-account-vpc-peering-test"
  requester_region = "us-west-2"
- requester_vpc_id = "vpc-XXXXXXXX"
+ requester_vpc_id = "vpc-xxxxxxxx"
  requester_allow_remote_vpc_dns_resolution = "true"
 
  accepter_aws_assume_role_arn = "arn:aws:iam::YYYYYYYY:role/cross-account-vpc-peering-test"
  accepter_region = "us-east-1"
- accepter_vpc_id = "vpc-YYYYYYYY"
+ accepter_vpc_id = "vpc-yyyyyyyy"
  accepter_allow_remote_vpc_dns_resolution = "true"
  }
  ```
 
+ The `arn:aws:iam::XXXXXXXX:role/cross-account-vpc-peering-test` requester IAM Role should have the following Trust Policy:
+
+ <details><summary>Show Trust Policy</summary>
+
+ ```js
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::XXXXXXXX:root"
+ },
+ "Action": "sts:AssumeRole",
+ "Condition": {}
+ }
+ ]
+ }
+ ```
+
+ </details>
+ <br/>
+
+ and the following IAM Policy attached to it:
+
+ __NOTE:__ the policy specifies the permissions to create (with `terraform plan/apply`) and delete (with `terraform destroy`) all the required resources in the requester AWS account
+
+ <details><summary>Show IAM Policy</summary>
+
+ ```js
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute"
+ ],
+ "Resource": "arn:aws:ec2:*:XXXXXXXX:route-table/*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeVpcPeeringConnections",
+ "ec2:DescribeVpcs",
+ "ec2:ModifyVpcPeeringConnectionOptions",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVpcAttribute",
+ "ec2:DescribeRouteTables"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AcceptVpcPeeringConnection",
+ "ec2:DeleteVpcPeeringConnection",
+ "ec2:CreateVpcPeeringConnection",
+ "ec2:RejectVpcPeeringConnection"
+ ],
+ "Resource": [
+ "arn:aws:ec2:*:XXXXXXXX:vpc-peering-connection/*",
+ "arn:aws:ec2:*:XXXXXXXX:vpc/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DeleteTags",
+ "ec2:CreateTags"
+ ],
+ "Resource": "arn:aws:ec2:*:XXXXXXXX:vpc-peering-connection/*"
+ }
+ ]
+ }
+ ```
+
+ </details>
+
+ where `XXXXXXXX` is the requester AWS account ID.
+
+ <br/>
+
+ The `arn:aws:iam::YYYYYYYY:role/cross-account-vpc-peering-test` accepter IAM Role should have the following Trust Policy:
+
+ <details><summary>Show Trust Policy</summary>
+
+ ```js
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::XXXXXXXX:root"
+ },
+ "Action": "sts:AssumeRole",
+ "Condition": {}
+ }
+ ]
+ }
+ ```
+
+ </details>
+
+ __NOTE__: The accepter Trust Policy is the same as the requester Trust Policy since it defines who can assume the IAM Role.
+ In the requester case, the requester account ID itself is the trusted entity.
+ For the accepter, the Trust Policy specifies that the requester account ID `XXXXXXXX` can assume the role in the accepter AWS account `YYYYYYYY`.
+
+ and the following IAM Policy attached to it:
+
+ __NOTE:__ the policy specifies the permissions to create (with `terraform plan/apply`) and delete (with `terraform destroy`) all the required resources in the accepter AWS account
+
+ <details><summary>Show IAM Policy</summary>
+
+ ```js
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute"
+ ],
+ "Resource": "arn:aws:ec2:*:YYYYYYYY:route-table/*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeVpcPeeringConnections",
+ "ec2:DescribeVpcs",
+ "ec2:ModifyVpcPeeringConnectionOptions",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVpcAttribute",
+ "ec2:DescribeRouteTables"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AcceptVpcPeeringConnection",
+ "ec2:DeleteVpcPeeringConnection",
+ "ec2:CreateVpcPeeringConnection",
+ "ec2:RejectVpcPeeringConnection"
+ ],
+ "Resource": [
+ "arn:aws:ec2:*:YYYYYYYY:vpc-peering-connection/*",
+ "arn:aws:ec2:*:YYYYYYYY:vpc/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DeleteTags",
+ "ec2:CreateTags"
+ ],
+ "Resource": "arn:aws:ec2:*:YYYYYYYY:vpc-peering-connection/*"
+ }
+ ]
+ }
+ ```
+
+ </details>
+
+ where `YYYYYYYY` is the accepter AWS account ID.
+
+ For more information on IAM policies and permissions for VPC peering, see [Creating and managing VPC peering connections](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_IAM.html#vpcpeeringiam).
+
 references:
  - name: "What is VPC Peering?"
  description: "VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses."