misc: remove unnecessary IAM roles (nozaq#134)

* misc: remove unnecessary IAM roles

CIS benchmark no longer requires master & manager roles in v1.3.0.
fixes nozaq#109

* docs: update README

Author: nozaq

README.md

@@ -14,7 +14,6 @@ See [Benchmark Compliance](./compliance.md) to check which items in various benc
 ### Identity and Access Management
 
 - Set up IAM Password Policy.
-- Create separated IAM roles for defining privileges and assigning them to entities such as IAM users and groups.
 - Create an IAM role for contacting AWS support for incident handling.
 - Enable AWS Config rules to audit root account status.
 - Enable IAM Access Analyzer in each region.
@@ -201,8 +200,6 @@ This module is composed of several submodules and each of which can be used inde
 | default\_security\_group | The ID of the default security group. |
 | default\_vpc | The default VPC. |
 | guardduty\_detector | The GuardDuty detector in each region. |
-| manager\_iam\_role | The IAM role used for the manager user. |
-| master\_iam\_role | The IAM role used for the master user. |
 | support\_iam\_role | The IAM role used for the support user. |
 | vpc\_flow\_logs\_group | The CloudWatch Logs log group which stores VPC Flow Logs in each region. |
 | vpc\_flow\_logs\_iam\_role | The IAM role used for delivering VPC Flow Logs to CloudWatch Logs. |

main.tf

@@ -14,10 +14,6 @@ module "iam_baseline" {
   source = "./modules/iam-baseline"
 
   aws_account_id                  = var.aws_account_id
-  master_iam_role_name            = var.master_iam_role_name
-  master_iam_role_policy_name     = var.master_iam_role_policy_name
-  manager_iam_role_name           = var.manager_iam_role_name
-  manager_iam_role_policy_name    = var.manager_iam_role_policy_name
   support_iam_role_name           = var.support_iam_role_name
   support_iam_role_policy_name    = var.support_iam_role_policy_name
   support_iam_role_principal_arns = var.support_iam_role_principal_arns
@@ -30,8 +26,6 @@ module "iam_baseline" {
   allow_users_to_change_password  = var.allow_users_to_change_password
   max_password_age                = var.max_password_age
   create_password_policy          = var.create_password_policy
-  create_master_role              = var.create_master_role
-  create_manager_role             = var.create_manager_role
   create_support_role             = var.create_support_role
 
   tags = var.tags

modules/iam-baseline/README.md

@@ -24,14 +24,8 @@
 |------|-------------|------|---------|:--------:|
 | allow\_users\_to\_change\_password | Whether to allow users to change their own password. | `bool` | `true` | no |
 | aws\_account\_id | The AWS Account ID number of the account. | `any` | n/a | yes |
-| create\_manager\_role | Define if the manager role should be created. | `bool` | `true` | no |
-| create\_master\_role | Define if the master role should be created. | `bool` | `true` | no |
 | create\_password\_policy | Define if the password policy should be created. | `bool` | `true` | no |
 | create\_support\_role | Define if the support role should be created. | `bool` | `true` | no |
-| manager\_iam\_role\_name | The name of the IAM Manager role. | `string` | `"IAM-Manager"` | no |
-| manager\_iam\_role\_policy\_name | The name of the IAM Manager role policy. | `string` | `"IAM-Manager-Policy"` | no |
-| master\_iam\_role\_name | The name of the IAM Master role. | `string` | `"IAM-Master"` | no |
-| master\_iam\_role\_policy\_name | The name of the IAM Master role policy. | `string` | `"IAM-Master-Policy"` | no |
 | max\_password\_age | The number of days that an user password is valid. | `number` | `90` | no |
 | minimum\_password\_length | Minimum length to require for user passwords. | `number` | `14` | no |
 | password\_reuse\_prevention | The number of previous passwords that users are prevented from reusing. | `number` | `24` | no |
@@ -48,8 +42,6 @@
 
 | Name | Description |
 |------|-------------|
-| manager\_iam\_role | The IAM role used for the manager user. |
-| master\_iam\_role | The IAM role used for the master user. |
 | support\_iam\_role | The IAM role used for the support user. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/iam-baseline/main.tf

@@ -14,130 +14,6 @@ resource "aws_iam_account_password_policy" "default" {
   count                          = var.create_password_policy ? 1 : 0
 }
 
-# --------------------------------------------------------------------------------------------------
-# Manager & Master Role Separation
-# --------------------------------------------------------------------------------------------------
-data "aws_iam_policy_document" "master_assume_policy" {
-  statement {
-    principals {
-      type        = "AWS"
-      identifiers = ["arn:aws:iam::${var.aws_account_id}:root"]
-    }
-    actions = ["sts:AssumeRole"]
-  }
-}
-
-resource "aws_iam_role" "master" {
-  name               = var.master_iam_role_name
-  assume_role_policy = data.aws_iam_policy_document.master_assume_policy.json
-  count              = var.create_master_role ? 1 : 0
-
-  tags = var.tags
-}
-
-data "aws_iam_policy_document" "master_policy" {
-  statement {
-    actions = [
-      "iam:CreateGroup", "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:CreateRole", "iam:CreateUser",
-      "iam:DeleteGroup", "iam:DeletePolicy", "iam:DeletePolicyVersion", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DeleteUser",
-      "iam:PutRolePolicy",
-      "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:GetUser", "iam:GetUserPolicy",
-      "iam:ListEntitiesForPolicy", "iam:ListGroupPolicies", "iam:ListGroups", "iam:ListGroupsForUser",
-      "iam:ListPolicies", "iam:ListPoliciesGrantingServiceAccess", "iam:ListPolicyVersions",
-      "iam:ListRolePolicies", "iam:ListAttachedGroupPolicies", "iam:ListAttachedRolePolicies",
-      "iam:ListAttachedUserPolicies", "iam:ListRoles", "iam:ListUsers"
-    ]
-    resources = ["*"]
-    condition {
-      test     = "Bool"
-      variable = "aws:MultiFactorAuthPresent"
-      values   = ["true"]
-    }
-  }
-
-  statement {
-    effect = "Deny"
-    actions = [
-      "iam:AddUserToGroup",
-      "iam:AttachGroupPolicy",
-      "iam:DeleteGroupPolicy", "iam:DeleteUserPolicy",
-      "iam:DetachGroupPolicy", "iam:DetachRolePolicy", "iam:DetachUserPolicy",
-      "iam:PutGroupPolicy", "iam:PutUserPolicy",
-      "iam:RemoveUserFromGroup",
-      "iam:UpdateGroup", "iam:UpdateAssumeRolePolicy", "iam:UpdateUser"
-    ]
-    resources = ["*"]
-  }
-}
-
-resource "aws_iam_role_policy" "master_policy" {
-  name  = var.master_iam_role_policy_name
-  role  = aws_iam_role.master[0].id
-  count = var.create_master_role ? 1 : 0
-
-  policy = data.aws_iam_policy_document.master_policy.json
-}
-
-data "aws_iam_policy_document" "manager_assume_policy" {
-  statement {
-    principals {
-      type        = "AWS"
-      identifiers = ["arn:aws:iam::${var.aws_account_id}:root"]
-    }
-    actions = ["sts:AssumeRole"]
-  }
-}
-
-resource "aws_iam_role" "manager" {
-  name               = var.manager_iam_role_name
-  assume_role_policy = data.aws_iam_policy_document.manager_assume_policy.json
-  count              = var.create_manager_role ? 1 : 0
-
-  tags = var.tags
-}
-
-data "aws_iam_policy_document" "manager_policy" {
-  statement {
-    actions = [
-      "iam:AddUserToGroup",
-      "iam:AttachGroupPolicy",
-      "iam:DeleteGroupPolicy", "iam:DeleteUserPolicy",
-      "iam:DetachGroupPolicy", "iam:DetachRolePolicy", "iam:DetachUserPolicy",
-      "iam:PutGroupPolicy", "iam:PutUserPolicy",
-      "iam:RemoveUserFromGroup",
-      "iam:UpdateGroup", "iam:UpdateAssumeRolePolicy", "iam:UpdateUser",
-      "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:GetUser", "iam:GetUserPolicy",
-      "iam:ListEntitiesForPolicy", "iam:ListGroupPolicies", "iam:ListGroups", "iam:ListGroupsForUser",
-      "iam:ListPolicies", "iam:ListPoliciesGrantingServiceAccess", "iam:ListPolicyVersions",
-      "iam:ListRolePolicies", "iam:ListAttachedGroupPolicies", "iam:ListAttachedRolePolicies",
-      "iam:ListAttachedUserPolicies", "iam:ListRoles", "iam:ListUsers"
-    ]
-    resources = ["*"]
-    condition {
-      test     = "Bool"
-      variable = "aws:MultiFactorAuthPresent"
-      values   = ["true"]
-    }
-  }
-
-  statement {
-    effect = "Deny"
-    actions = [
-      "iam:CreateGroup", "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:CreateRole", "iam:CreateUser",
-      "iam:DeleteGroup", "iam:DeletePolicy", "iam:DeletePolicyVersion", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DeleteUser",
-      "iam:PutRolePolicy"
-    ]
-    resources = ["*"]
-  }
-}
-
-resource "aws_iam_role_policy" "manager_policy" {
-  name   = var.manager_iam_role_policy_name
-  role   = aws_iam_role.manager[0].id
-  policy = data.aws_iam_policy_document.manager_policy.json
-  count  = var.create_manager_role ? 1 : 0
-}
-
 # --------------------------------------------------------------------------------------------------
 # Support Role
 # --------------------------------------------------------------------------------------------------

modules/iam-baseline/outputs.tf

@@ -1,13 +1,3 @@
-output "master_iam_role" {
-  description = "The IAM role used for the master user."
-  value       = aws_iam_role.master
-}
-
-output "manager_iam_role" {
-  description = "The IAM role used for the manager user."
-  value       = aws_iam_role.manager
-}
-
 output "support_iam_role" {
   description = "The IAM role used for the support user."
   value       = aws_iam_role.support

modules/iam-baseline/variables.tf

@@ -2,26 +2,6 @@ variable "aws_account_id" {
   description = "The AWS Account ID number of the account."
 }
 
-variable "master_iam_role_name" {
-  description = "The name of the IAM Master role."
-  default     = "IAM-Master"
-}
-
-variable "master_iam_role_policy_name" {
-  description = "The name of the IAM Master role policy."
-  default     = "IAM-Master-Policy"
-}
-
-variable "manager_iam_role_name" {
-  description = "The name of the IAM Manager role."
-  default     = "IAM-Manager"
-}
-
-variable "manager_iam_role_policy_name" {
-  description = "The name of the IAM Manager role policy."
-  default     = "IAM-Manager-Policy"
-}
-
 variable "support_iam_role_name" {
   description = "The name of the the support role."
   default     = "IAM-Support"
@@ -83,25 +63,12 @@ variable "create_password_policy" {
   default     = true
 }
 
-variable "create_master_role" {
-  type        = bool
-  description = "Define if the master role should be created."
-  default     = true
-}
-
-variable "create_manager_role" {
-  type        = bool
-  description = "Define if the manager role should be created."
-  default     = true
-}
-
 variable "create_support_role" {
   type        = bool
   description = "Define if the support role should be created."
   default     = true
 }
 
-
 variable "tags" {
   description = "Specifies object tags key and value. This applies to all resources created by this module."
   default = {

outputs.tf

@@ -129,16 +129,6 @@ output "guardduty_detector" {
 # Outputs from iam-baseline module.
 # --------------------------------------------------------------------------------------------------
 
-output "master_iam_role" {
-  description = "The IAM role used for the master user."
-  value       = module.iam_baseline.master_iam_role
-}
-
-output "manager_iam_role" {
-  description = "The IAM role used for the manager user."
-  value       = module.iam_baseline.manager_iam_role
-}
-
 output "support_iam_role" {
   description = "The IAM role used for the support user."
   value       = module.iam_baseline.support_iam_role