From 3cf3f60813a7a97e7acb7df73285be1e18f551dd Mon Sep 17 00:00:00 2001 From: Andriy Knysh Date: Wed, 10 Apr 2019 19:17:30 -0400 Subject: [PATCH] Add description for IAM role, policy and permissions required for requester and accepter (#5) * Add description for the IAM role, policy and permissions required by the requester and accepter * Add description for the IAM role, policy and permissions required by the requester and accepter * Update README * Update README * Update README * Update README * Update README
---
 README.md | 175 +++++++++++++++++++++++++++++++++++++++++++++++++++- README.yaml | 175 +++++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 346 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index af47523..3eaeb67 100644
--- a/README.md
+++ b/README.md
@@ -68,16 +68,187 @@ module "vpc_peering_cross_account" {
 requester_aws_assume_role_arn = "arn:aws:iam::XXXXXXXX:role/cross-account-vpc-peering-test"
 requester_region = "us-west-2"
- requester_vpc_id = "vpc-XXXXXXXX"
+ requester_vpc_id = "vpc-xxxxxxxx"
 requester_allow_remote_vpc_dns_resolution = "true"
 accepter_aws_assume_role_arn = "arn:aws:iam::YYYYYYYY:role/cross-account-vpc-peering-test"
 accepter_region = "us-east-1"
- accepter_vpc_id = "vpc-YYYYYYYY"
+ accepter_vpc_id = "vpc-yyyyyyyy"
 accepter_allow_remote_vpc_dns_resolution = "true"
 }
 ```
+The `arn:aws:iam::XXXXXXXX:role/cross-account-vpc-peering-test` requester IAM Role should have the following Trust Policy:
+
+
Show Trust Policy
+
+ ```js
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::XXXXXXXX:root"
+ },
+ "Action": "sts:AssumeRole",
+ "Condition": {}
+ }
+ ]
+ }
+ ```
+
+
+
+
+ and the following IAM Policy attached to it:
+
+ __NOTE:__ the policy specifies the permissions to create (with `terraform plan/apply`) and delete (with `terraform destroy`) all the required resources in the requester AWS account
+
+
Show IAM Policy
+
+ ```js
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute"
+ ],
+ "Resource": "arn:aws:ec2:*:XXXXXXXX:route-table/*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeVpcPeeringConnections",
+ "ec2:DescribeVpcs",
+ "ec2:ModifyVpcPeeringConnectionOptions",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVpcAttribute",
+ "ec2:DescribeRouteTables"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AcceptVpcPeeringConnection",
+ "ec2:DeleteVpcPeeringConnection",
+ "ec2:CreateVpcPeeringConnection",
+ "ec2:RejectVpcPeeringConnection"
+ ],
+ "Resource": [
+ "arn:aws:ec2:*:XXXXXXXX:vpc-peering-connection/*",
+ "arn:aws:ec2:*:XXXXXXXX:vpc/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DeleteTags",
+ "ec2:CreateTags"
+ ],
+ "Resource": "arn:aws:ec2:*:XXXXXXXX:vpc-peering-connection/*"
+ }
+ ]
+ }
+ ```
+
+
+
+ where `XXXXXXXX` is the requester AWS account ID.
+
+
+
+ The `arn:aws:iam::YYYYYYYY:role/cross-account-vpc-peering-test` accepter IAM Role should have the following Trust Policy:
+
+
Show Trust Policy
+
+ ```js
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::XXXXXXXX:root"
+ },
+ "Action": "sts:AssumeRole",
+ "Condition": {}
+ }
+ ]
+ }
+ ```
+
+
+
+ __NOTE__: The accepter Trust Policy is the same as the requester Trust Policy since it defines who can assume the IAM Role.
+ In the requester case, the requester account ID itself is the trusted entity.
+ For the accepter, the Trust Policy specifies that the requester account ID `XXXXXXXX` can assume the role in the accepter AWS account `YYYYYYYY`.
+
+ and the following IAM Policy attached to it:
+
+ __NOTE:__ the policy specifies the permissions to create (with `terraform plan/apply`) and delete (with `terraform destroy`) all the required resources in the accepter AWS account
+
+
Show IAM Policy
+
+ ```js
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute"
+ ],
+ "Resource": "arn:aws:ec2:*:YYYYYYYY:route-table/*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeVpcPeeringConnections",
+ "ec2:DescribeVpcs",
+ "ec2:ModifyVpcPeeringConnectionOptions",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVpcAttribute",
+ "ec2:DescribeRouteTables"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AcceptVpcPeeringConnection",
+ "ec2:DeleteVpcPeeringConnection",
+ "ec2:CreateVpcPeeringConnection",
+ "ec2:RejectVpcPeeringConnection"
+ ],
+ "Resource": [
+ "arn:aws:ec2:*:YYYYYYYY:vpc-peering-connection/*",
+ "arn:aws:ec2:*:YYYYYYYY:vpc/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DeleteTags",
+ "ec2:CreateTags"
+ ],
+ "Resource": "arn:aws:ec2:*:YYYYYYYY:vpc-peering-connection/*"
+ }
+ ]
+ }
+ ```
+
+
+
+ where `YYYYYYYY` is the accepter AWS account ID.
+
+ For more information on IAM policies and permissions for VPC peering, see [Creating and managing VPC peering connections](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_IAM.html#vpcpeeringiam).
+
diff --git a/README.yaml b/README.yaml
index 3274e10..d839288 100644
--- a/README.yaml
+++ b/README.yaml
@@ -81,16 +81,187 @@ usage: |-
 requester_aws_assume_role_arn = "arn:aws:iam::XXXXXXXX:role/cross-account-vpc-peering-test"
 requester_region = "us-west-2"
- requester_vpc_id = "vpc-XXXXXXXX"
+ requester_vpc_id = "vpc-xxxxxxxx"
 requester_allow_remote_vpc_dns_resolution = "true"
 accepter_aws_assume_role_arn = "arn:aws:iam::YYYYYYYY:role/cross-account-vpc-peering-test"
 accepter_region = "us-east-1"
- accepter_vpc_id = "vpc-YYYYYYYY"
+ accepter_vpc_id = "vpc-yyyyyyyy"
 accepter_allow_remote_vpc_dns_resolution = "true"
 }
 ```
+ The `arn:aws:iam::XXXXXXXX:role/cross-account-vpc-peering-test` requester IAM Role should have the following Trust Policy:
+
+
Show Trust Policy
+
+ ```js
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::XXXXXXXX:root"
+ },
+ "Action": "sts:AssumeRole",
+ "Condition": {}
+ }
+ ]
+ }
+ ```
+
+
+
+
+ and the following IAM Policy attached to it:
+
+ __NOTE:__ the policy specifies the permissions to create (with `terraform plan/apply`) and delete (with `terraform destroy`) all the required resources in the requester AWS account
+
+
Show IAM Policy
+
+ ```js
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute"
+ ],
+ "Resource": "arn:aws:ec2:*:XXXXXXXX:route-table/*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeVpcPeeringConnections",
+ "ec2:DescribeVpcs",
+ "ec2:ModifyVpcPeeringConnectionOptions",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVpcAttribute",
+ "ec2:DescribeRouteTables"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AcceptVpcPeeringConnection",
+ "ec2:DeleteVpcPeeringConnection",
+ "ec2:CreateVpcPeeringConnection",
+ "ec2:RejectVpcPeeringConnection"
+ ],
+ "Resource": [
+ "arn:aws:ec2:*:XXXXXXXX:vpc-peering-connection/*",
+ "arn:aws:ec2:*:XXXXXXXX:vpc/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DeleteTags",
+ "ec2:CreateTags"
+ ],
+ "Resource": "arn:aws:ec2:*:XXXXXXXX:vpc-peering-connection/*"
+ }
+ ]
+ }
+ ```
+
+
+
+ where `XXXXXXXX` is the requester AWS account ID.
+
+
+
+ The `arn:aws:iam::YYYYYYYY:role/cross-account-vpc-peering-test` accepter IAM Role should have the following Trust Policy:
+
+
Show Trust Policy
+
+ ```js
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::XXXXXXXX:root"
+ },
+ "Action": "sts:AssumeRole",
+ "Condition": {}
+ }
+ ]
+ }
+ ```
+
+
+
+ __NOTE__: The accepter Trust Policy is the same as the requester Trust Policy since it defines who can assume the IAM Role.
+ In the requester case, the requester account ID itself is the trusted entity.
+ For the accepter, the Trust Policy specifies that the requester account ID `XXXXXXXX` can assume the role in the accepter AWS account `YYYYYYYY`.
+
+ and the following IAM Policy attached to it:
+
+ __NOTE:__ the policy specifies the permissions to create (with `terraform plan/apply`) and delete (with `terraform destroy`) all the required resources in the accepter AWS account
+
+
Show IAM Policy
+
+ ```js
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute"
+ ],
+ "Resource": "arn:aws:ec2:*:YYYYYYYY:route-table/*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeVpcPeeringConnections",
+ "ec2:DescribeVpcs",
+ "ec2:ModifyVpcPeeringConnectionOptions",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVpcAttribute",
+ "ec2:DescribeRouteTables"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AcceptVpcPeeringConnection",
+ "ec2:DeleteVpcPeeringConnection",
+ "ec2:CreateVpcPeeringConnection",
+ "ec2:RejectVpcPeeringConnection"
+ ],
+ "Resource": [
+ "arn:aws:ec2:*:YYYYYYYY:vpc-peering-connection/*",
+ "arn:aws:ec2:*:YYYYYYYY:vpc/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DeleteTags",
+ "ec2:CreateTags"
+ ],
+ "Resource": "arn:aws:ec2:*:YYYYYYYY:vpc-peering-connection/*"
+ }
+ ]
+ }
+ ```
+
+
+
+ where `YYYYYYYY` is the accepter AWS account ID.
+
+ For more information on IAM policies and permissions for VPC peering, see [Creating and managing VPC peering connections](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_IAM.html#vpcpeeringiam).
+
 references:
 - name: "What is VPC Peering?"
 description: "VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses."