cloudposse / terraform-aws-vpc-peering-multi-account

Terraform module to provision a VPC peering across multiple VPCs in different accounts by using multiple providers
Apache License 2.0

Submodule to create `accepter_aws_assume_role_arn` peering role #59

Open nitrocode opened 2 years ago

nitrocode commented 2 years ago

Have a question? Please check out our Slack Community or visit our Slack Archive.


Describe the Feature

Docs on how to create this role: https://github.com/cloudposse/terraform-aws-components/tree/master/modules/vpc-peering

It would be nice to be able to create the `accepter_aws_assume_role_arn` IAM role using a submodule. A sketch of what that submodule would contain:

locals {
  # Account ID of the credentials Terraform is running with (the accepter
  # account). Not referenced anywhere in this listing: the policy below scopes
  # resources with var.accepter_account instead.
  account_id = data.aws_caller_identity.current.account_id
}

# Identity of the caller; only feeds local.account_id above.
data "aws_caller_identity" "current" {}

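# Permissions granted to the accepter-side peering role. Each statement is
# scoped to the narrowest resource type its actions support: route tables,
# VPCs and peering connections are restricted to the accepter account, while
# the ec2:Describe* calls must stay on "*" because they do not support
# resource-level permissions. Statements carry Sids so they can be told apart
# in IAM access-denied messages and CloudTrail.
data "aws_iam_policy_document" "vpc_peering" {
  # Route management in the accepter account's route tables only.
  statement {
    sid       = "ManageRoutes"
    effect    = "Allow"
    resources = ["arn:aws:ec2:*:${var.accepter_account}:route-table/*"]

    actions = [
      "ec2:CreateRoute",
      "ec2:DeleteRoute",
    ]
  }

  # Read-only discovery. ec2:Describe* actions do not support resource-level
  # permissions, so "*" is the only resource that works here; keep this
  # statement to Describe actions only so nothing mutating rides on "*".
  statement {
    sid       = "DescribeNetworking"
    effect    = "Allow"
    resources = ["*"]

    actions = [
      "ec2:DescribeVpcPeeringConnections",
      "ec2:DescribeVpcs",
      "ec2:DescribeSubnets",
      "ec2:DescribeVpcAttribute",
      "ec2:DescribeRouteTables",
    ]
  }

  # Peering connection lifecycle, limited to the accepter account's VPCs and
  # peering connections. ec2:ModifyVpcPeeringConnectionOptions supports the
  # vpc-peering-connection resource type (Service Authorization Reference), so
  # it lives here instead of in the "*"-scoped statement above.
  statement {
    sid    = "ManagePeeringConnections"
    effect = "Allow"

    resources = [
      "arn:aws:ec2:*:${var.accepter_account}:vpc-peering-connection/*",
      "arn:aws:ec2:*:${var.accepter_account}:vpc/*",
    ]

    actions = [
      "ec2:AcceptVpcPeeringConnection",
      "ec2:DeleteVpcPeeringConnection",
      "ec2:CreateVpcPeeringConnection",
      "ec2:RejectVpcPeeringConnection",
      "ec2:ModifyVpcPeeringConnectionOptions",
    ]
  }

  # Tagging of the peering connection itself; no other EC2 resource type.
  statement {
    sid       = "TagPeeringConnections"
    effect    = "Allow"
    resources = ["arn:aws:ec2:*:${var.accepter_account}:vpc-peering-connection/*"]

    actions = [
      "ec2:DeleteTags",
      "ec2:CreateTags",
    ]
  }
}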

# The role the requester account assumes in the accepter account
# (accepter_aws_assume_role_arn). The name is hard-coded, so only one such role
# can exist per accepter account and region-independent name space; a submodule
# would want to expose it as a variable.
resource "aws_iam_role" "vpc_peering" {
  name               = "vpc-peering-role"

  # Trust policy. The principal is the requester account's root ARN, which
  # means ANY IAM principal in the requester account whose own identity policy
  # grants sts:AssumeRole on this role may assume it. To keep the trust to the
  # one identity that actually runs the peering, name that role's ARN as the
  # principal instead of ":root", or add a Condition (e.g. aws:PrincipalArn or
  # sts:ExternalId) — NOTE(review): which of these fits depends on how the
  # requester side is deployed; confirm before tightening.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          AWS = [
            "arn:aws:iam::${var.requester_account}:root",
          ]
        }
      },
    ]
  })
}

# Inline policy binding the permissions above to the role. Inline (rather than
# a managed policy) keeps the permissions tied to this role's lifecycle so they
# cannot be attached to any other principal.
resource "aws_iam_role_policy" "vpc_peering" {
  name = "vpc-peering-policy"
  role = aws_iam_role.vpc_peering.id

  # Rendered JSON of data.aws_iam_policy_document.vpc_peering.
  policy = data.aws_iam_policy_document.vpc_peering.json
}