Home Explore Help
Sign In
bat9go
/
Ycsecurity
mirror of https://github.com/yandex-cloud/yc-solution-library-for-security
Watch 1
Star 0
Fork 0
Files Issues 0 Wiki
Branch: add-english
Branches Tags
Ycsecurity
/
auth_and_access
/
iam
Roman Timofeev ec2310c0b3 adding option to use IAM and federated account names + example 2 years ago
..
examples ec2310c0b3 adding option to use IAM and federated account names + example 2 years ago
.gitignore ddefab91d6 add iam module(update) 3 years ago
.pre-commit-config.yaml e2287a9b9a add iam module 3 years ago
README.md ec2310c0b3 adding option to use IAM and federated account names + example 2 years ago
main.tf ec2310c0b3 adding option to use IAM and federated account names + example 2 years ago
outputs.tf ec2310c0b3 adding option to use IAM and federated account names + example 2 years ago
variables.tf ec2310c0b3 adding option to use IAM and federated account names + example 2 years ago
versions.tf ec2310c0b3 adding option to use IAM and federated account names + example 2 years ago

README.md

Identity and Access Management (IAM) Terraform module for Yandex.Cloud

Full review of module usage on youtube:

image

Features

  • Create Service accounts and assign them roles in your folder.
  • Assign roles to IAM users in organization and/or cloud and/or folder.
  • You can control authoritatively all permissions for organization, cloud and folder in one terraform manifest if needed. See Authoritative flags.
  • Replaces IAM groups (aka JOB TITLE) while they are in development.

Use org_user_role_mapping variable to add permissions to existing IAM users (Yandex.Passport and Federated users) for organization level.

Use cloud_user_role_mapping variable to add permissions to existing IAM users (Yandex.Passport and Federated users) for cloud level.

Use folder_user_role_mapping variable to add permissions to existing IAM users (Yandex.Passport and Federated users) for folder level.

To use IAM usernames(YandexID accounts) and Federated accounts as input variables 'iam_users_names' and 'fed_users_names' put usernames_to_ids = true. You can also use 'users_with_ids' with IDs and all of them together. See example in variables' descriptions

Use sa_role_mapping variable to create service accounts with permissions for folder level.

Configure Terraform for Yandex.Cloud

  • Install YC cli
  • Add environment variables for terraform auth in Yandex.Cloud 
export YC_TOKEN=$(yc iam create-token)
export YC_CLOUD_ID=$(yc config get cloud-id)
export YC_FOLDER_ID=$(yc config get folder-id)

Troubleshooting

Remember that service accounts in cloud must have unique names

You can use following yc cli commands for diagnostic:

yc resource-manager folder list-operations --id XXXXXXXXXXXXXX

yc resource-manager folder list-access-bindings --id XXXXXXXXXXXXXX

To import existing service accounts use:

terraform import 'module.<module name>.yandex_iam_service_account.sa["<SA-name>"]' <SA id>

or

terraform import 'module.iam.yandex_iam_service_account.sa["sa-robot"]' aje0am0b06tj6v8mXXXX

Then add SA-name to your variables and try terraform plan

Correct resource path can be found with terraform state list

Requirements

Name Version
terraform >= 1.0
yandex ~> 0.68

Providers

Name Version
yandex 0.68.0

Modules

No modules.

Resources

Name Type
yandex_iam_service_account.sa resource
yandex_organizationmanager_organization_iam_binding.org_binding resource
yandex_organizationmanager_organization_iam_member.org_member resource
yandex_resourcemanager_cloud_iam_binding.cloud_binding resource
yandex_resourcemanager_cloud_iam_member.cloud_member resource
yandex_resourcemanager_folder_iam_member.folder_sa_member resource
yandex_resourcemanager_folder_iam_member.folder_user_member resource
yandex_resourcemanager_folder_iam_policy.folder_bindings_policy resource
yandex_client_config.client data source
yandex_iam_policy.bindings data source
yandex_iam_user.cloud_account data source
yandex_iam_user.folder_account data source
yandex_iam_user.org_account data source
yandex_organizationmanager_saml_federation_user_account.cloud_account data source
yandex_organizationmanager_saml_federation_user_account.folder_account data source
yandex_organizationmanager_saml_federation_user_account.org_account data source

Inputs

Name Description Type Default Required
cloud_binding_authoritative "Authoritative. Sets the IAM policy for the CLOUD and replaces any existing policy already attached.
If Authoritative = true : take roles from all objects in variable "cloud_user_role_mapping" and make unique role as a new key of map with members"		 bool false no
cloud_id Cloud-ID where where need to add permissions. Mandatory variable for CLOUD, if omited default CLOUD_ID will be used string null no
cloud_user_role_mapping Group of IAM User-IDs and it's permissions in CLOUD, where name = JOB Tille(aka IAM Group). Use usernames or user-ids or both
### Example
#cloud_user_role_mapping = [
{
job_title_name = "devops"
iam_users_names = ["name.surname", ]
fed_users_names = ["name.surname@yantoso.ru", ]
roles = ["editor", ]
},
{
job_title_name = "developers"
users_with_ids = ["userAccount:idxxxxxx1", "federatedUser:idxxxxxx2"]
iam_users_names = ["name.surname", ]
roles = ["viewer","k8s.editor",]
},
]		 any [] no
federation_id Federation ID, mandatory for 'fed_users_names' string null no
folder_binding_authoritative Authoritative. Sets the IAM policy for the FOLDER and replaces any existing policy already attached. bool false no
folder_id Folder-ID where need to add permissions. Mandatory variable for FOLDER, if omited default FOLDER_ID will be used string null no
folder_user_role_mapping Group of IAM User-IDs and it's permissions in FOLDER, where name = JOB Tille(aka IAM Group). Use usernames or user-ids or both
### Example
#folder_user_role_mapping = [
{
job_title_name = "devops"
iam_users_names = ["name.surname", ]
fed_users_names = ["name.surname@yantoso.ru", ]
roles = ["iam.serviceAccounts.user", "k8s.editor", "k8s.cluster-api.cluster-admin", "container-registry.admin"]
},
{
job_title_name = "developers"
users_with_ids = ["userAccount:idxxxxxx1", "federatedUser:idxxxxxx2"]
roles = ["k8s.viewer",]
},
]		 any [] no
org_binding_authoritative "Authoritative. Sets the IAM policy for the ORGANIZATION and replaces any existing policy already attached.
If Authoritative = true : take roles from all objects in variable "org_user_role_mapping" and make unique role as a new key of map with members"		 bool false no
org_id ORGANIZATION-ID where where need to add permissions. Mandatory variable for ORGANIZATION, if omited default ORGANIZATION_ID will be used string null no
org_user_role_mapping Group of IAM User-IDs and it's permissions in ORGANIZATION, where name = JOB Tille(aka IAM Group). Use usernames or user-ids or both
### Example
#org_user_role_mapping = [
{
job_title_name = "admins"
iam_users_names = ["name.surname", ]
fed_users_names = ["name.surname@yantoso.ru", ]
roles = ["admin",]
},
{
job_title_name = "network_admins"
sers_with_ids = ["userAccount:idxxxxxx1", "federatedUser:idxxxxxx2"]
roles = ["vpc.admin",]
},
]		 any [] no
sa_role_mapping List of SA and it's permissions
### Example
sa_role_mapping = [
{
name = "sa-cluster"
roles = ["editor",]
},
{
name = "sa-nodes"
roles = ["container-registry.images.puller",]
},
]		 any [] no
usernames_to_ids If true Usernames from IAM and Federation will be used as input variables 'iam_users_names' and 'fed_users_names' bool true no

Outputs

Name Description
sa_ids List IDs of created service accounts
sa_names List Names of created service accounts
sa_object Map with service accounts info , key = service account name