New IAM_policies to prevent users causing huge costs

New IAM_policies to prevent users causing huge costs; created changelog.md
zoitech · May 2, 2018 · cea7c66 · cea7c66
2 parents 12d3752 + 93acfec
commit cea7c66
Show file tree

Hide file tree

Showing 8 changed files with 165 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@ Terraform module which setup the most generic aws-accounts settings.
 * Set password policy
 * Add a logging bucket
 * Enable CloudTail
-
+* Create IAM_Policy
 
 ## Usage
 ```hcl

diff --git a/aws_iam_policy_EC2_limit.tf b/aws_iam_policy_EC2_limit.tf
@@ -0,0 +1,26 @@
+resource "aws_iam_policy" "deny_expensive_ec2_instances" {
+  name        = "${var.create_ec2_limit_policy_name}"
+  count       = "${var.create_ec2_limit_policy}"
+  description = "Policy to limit creation of expensive EC2 Instances"
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+                {
+            "Sid": "DenyLargeEC2",
+            "Effect": "Deny",
+            "Action": "ec2:RunInstances",
+            "Resource": "*",
+            "Condition": {
+                "StringLike": {
+                    "ec2:InstanceType": [
+                        "${var.create_ec2_limit_policy_type}"
+                    ]
+                }
+            }
+        }
+    ]
+}
+EOF
+}
diff --git a/aws_iam_policy_RDS_limit.tf b/aws_iam_policy_RDS_limit.tf
@@ -0,0 +1,26 @@
+resource "aws_iam_policy" "deny_expensive_RDS_instances" {
+  name        = "${var.create_rds_limit_policy_name}"
+  count       = "${var.create_rds_limit_policy}"
+  description = "Policy to limit creation of expensive RDS Instances"
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "DenyXlargeRDS",
+            "Effect": "Deny",
+            "Action": "rds:CreateDBInstance",
+            "Resource": "*",
+            "Condition": {
+                "StringLike": {
+                    "rds:DatabaseClass": [
+                        "${var.create_rds_limit_policy_type}"
+                    ]
+                }
+            }
+        }
+    ]
+}
+EOF
+}
diff --git a/aws_iam_policy_ReservedInstance_limit.tf b/aws_iam_policy_ReservedInstance_limit.tf
@@ -0,0 +1,18 @@
+resource "aws_iam_policy" "deny_expensive_RI_instances" {
+  name        = "${var.create_reserved_instances_limit_policy_name}"
+  count       = "${var.create_reserved_instances_limit_policy}"
+  description = "Policy to limit Reserved Instances"
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+          {
+            "Effect": "Deny",
+            "Action": ["ec2:ModifyReservedInstances", "ec2:PurchaseReservedInstancesOffering"],
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+}
diff --git a/aws_iam_policy_marketplace_disable.tf b/aws_iam_policy_marketplace_disable.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_policy" "disable_marketplace" {
+  name        = "${var.create_marketplace_disable_policy_name}"
+  count       = "${var.create_marketplace_disable_policy}"
+  description = "Policy to deny installing software from the marketplace"
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Action": [
+          "aws-marketplace:Subscribe",
+          "aws-marketplace:Unsubscribe"
+        ],
+        "Effect": "Deny",
+        "Resource": "*"
+      }
+    ]
+  }
+EOF
+}
diff --git a/changelog.md b/changelog.md
@@ -0,0 +1,22 @@
+## 0.0.5 (Unreleased)
+
+NEW FEATURES:
+
+* Added new policies to prevent users causing huge costs
+* Created Changelog.md
+
+
+BACKWARDS INCOMPATIBILITIES / NOTES:
+
+* n.a.
+
+
+IMPROVEMENTS:
+
+* formatted tf-files
+
+
+BUG FIXES:
+
+* n.a.
+
diff --git a/provider.tf b/provider.tf
@@ -1,4 +1,4 @@
 provider "aws" {
-  region = "${var.aws_region}"
+  region  = "${var.aws_region}"
   version = "~> 1.6"
 }
diff --git a/variables.tf b/variables.tf
@@ -65,3 +65,53 @@ variable "name_tag_name" {
   description = "Name of the 'name' tag that is added to, for example, the S3 resources"
   default     = "Name"
 }
+
+variable "create_ec2_limit_policy_name" {
+  description = "Name of the IAM_Policy for EC2 Limit"
+  default     = "AmazonEC2LimitInstanceCreation"
+}
+
+variable "create_ec2_limit_policy" {
+  description = "Activate (1) or deactivate (0) this policy"
+  default     = "0"
+}
+
+variable "create_ec2_limit_policy_type" {
+  description = "Type of EC2 Instances, for example, xlarge; wildcards can be used"
+  default     = "*xlarge"
+}
+
+variable "create_rds_limit_policy_name" {
+  description = "Name of the IAM_Policy for RDS Limit"
+  default     = "AmazonRDSLimitInstanceCreation"
+}
+
+variable "create_rds_limit_policy" {
+  description = "Activate (1) or deactivate (0) this policy"
+  default     = "0"
+}
+
+variable "create_rds_limit_policy_type" {
+  description = "Type of RDS Instances, for example, xlarge; wildcards can be used"
+  default     = "*xlarge"
+}
+
+variable "create_reserved_instances_limit_policy_name" {
+  description = "Name of the IAM_Policy for Reserved Instances Limit"
+  default     = "AmazonRILimitInstanceCreation"
+}
+
+variable "create_reserved_instances_limit_policy" {
+  description = "Activate (1) or deactivate (0) this policy"
+  default     = "0"
+}
+
+variable "create_marketplace_disable_policy_name" {
+  description = "Disables Access to marketplace software"
+  default     = "deny_marketplace"
+}
+
+variable "create_marketplace_disable_policy" {
+  description = "Activate (1) or deactivate (0) this policy"
+  default     = "0"
+}