# Optional read-only ECR grant for the Domino environments repository.
# Only rendered when `var.domino_environments_repository_arn` is set; the
# resulting JSON is merged into `role_permissions_policy` below via
# `source_policy_documents`.
data "aws_iam_policy_document" "read_domino_environments" {
  count = var.domino_environments_repository_arn != null ? 1 : 0
  statement {
    sid    = "EcrRegistryReadDominoEnvironments"
    effect = "Allow"
    # Pull-only actions: no push, delete or repository management here.
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
    ]
    resources = [
      var.domino_environments_repository_arn,
      # NOTE(review): the trailing `*` also matches any repository whose ARN
      # merely starts with this one (e.g. `<repo>-other`). If only the single
      # repository is intended, the second entry can be dropped — confirm
      # whether prefix-named repositories are expected here.
      "${var.domino_environments_repository_arn}*",
    ]
  }
}
# Permissions policy document for the SageMaker execution role
# (`aws_iam_role.domino_sagemaker_role`). Statements are grouped by service;
# the ones with `resources = ["*"]` are called out individually below since
# each one widens the blast radius beyond resources this module creates.
data "aws_iam_policy_document" "role_permissions_policy" {
  # Merge in the optional Domino environments ECR read grant when the
  # repository ARN variable is set (the data source has count 0 otherwise).
  source_policy_documents = var.domino_environments_repository_arn != null ? [data.aws_iam_policy_document.read_domino_environments[0].json] : []
  statement {
    # Lets the role assume itself (role chaining). NOTE(review): the role's
    # trust policy must also allow this; presumably used to obtain
    # session-scoped credentials — confirm it is actually needed.
    sid     = "StsAllowSelfAssumeRole"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    resources = [
      "arn:${data.aws_partition.current.partition}:iam::${local.account_id}:role/${local.role_name}"
    ]
  }
  statement {
    # Read-only lookup of the role's own definition.
    sid    = "IamAllowGetRole"
    effect = "Allow"
    actions = [
      "iam:GetRole",
    ]
    resources = [
      "arn:${data.aws_partition.current.partition}:iam::${local.account_id}:role/${local.role_name}"
    ]
  }
  statement {
    # PassRole is limited to this role and, via `iam:PassedToService`, to
    # the SageMaker service principal only, so the role cannot be handed
    # to other services (e.g. Lambda, EC2) through this grant.
    sid    = "IamAllowPassRole"
    effect = "Allow"
    actions = [
      "iam:PassRole",
    ]
    resources = [
      "arn:${data.aws_partition.current.partition}:iam::${local.account_id}:role/${local.role_name}"
    ]
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values = [
        "sagemaker.amazonaws.com"
      ]
    }
  }
  statement {
    # Full push/pull plus repository creation and image deletion, scoped
    # to `local.repository`. NOTE(review): the second ARN's trailing `*`
    # matches every repository whose name begins with `local.repository`,
    # not just sub-paths of it — confirm that prefix-wide access is intended.
    sid    = "EcrRegistrySpecificSagemakerEnvironments"
    effect = "Allow"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchDeleteImage",
      "ecr:BatchGetImage",
      "ecr:CreateRepository",
      "ecr:CompleteLayerUpload",
      "ecr:DescribeImages",
      "ecr:DescribeRepositories",
      "ecr:GetDownloadUrlForLayer",
      "ecr:InitiateLayerUpload",
      "ecr:PutImage",
      "ecr:TagResource",
      "ecr:UploadLayerPart",
    ]
    resources = [
      "arn:${data.aws_partition.current.partition}:ecr:${var.region}:${local.account_id}:repository/${local.repository}",
      "arn:${data.aws_partition.current.partition}:ecr:${var.region}:${local.account_id}:repository/${local.repository}*"
    ]
  }
  statement {
    # Registry-level actions; these do not take a repository ARN, so `*`
    # is required here. GetAuthorizationToken only yields a docker login
    # token — what can be pulled/pushed is governed by the statements above.
    sid    = "EcrGlobalSagemakerEnvironments"
    effect = "Allow"
    actions = [
      "ecr:GetAuthorizationToken",
      "ecr:DescribeRegistry"
    ]
    resources = ["*"]
  }
  statement {
    # PutMetricData is not resource-scoped. NOTE(review): it can be narrowed
    # with a `cloudwatch:namespace` condition once the namespaces the
    # workloads publish to are known — TODO confirm.
    sid       = "MetricsForSagemaker"
    effect    = "Allow"
    actions   = ["cloudwatch:PutMetricData"]
    resources = ["*"]
  }
  statement {
    # Log group creation/write plus read-back, limited to the SageMaker
    # log-group prefix in this region and account.
    sid    = "LogsForSagemaker"
    effect = "Allow"
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "logs:DescribeLogStreams",
      "logs:GetLogEvents",
      "logs:FilterLogEvents"
    ]
    resources = [
      "arn:${data.aws_partition.current.partition}:logs:${var.region}:${local.account_id}:log-group:/aws/sagemaker/*"
    ]
  }
  statement {
    # Model / endpoint-config / endpoint lifecycle and inference.
    # NOTE(review): with `*` this covers every SageMaker model and endpoint
    # in the account, including ones not created by this role (e.g.
    # InvokeEndpoint and DeleteEndpoint on other teams' endpoints). The
    # List* actions need `*`, but the Create/Delete/Describe/Invoke/Update
    # actions accept resource ARNs, so a second statement scoped to this
    # module's naming prefix would tighten it — confirm the prefix used.
    sid    = "SagemakerManageResources"
    effect = "Allow"
    actions = [
      "sagemaker:AddTags",
      "sagemaker:CreateEndpoint",
      "sagemaker:CreateEndpointConfig",
      "sagemaker:CreateModel",
      "sagemaker:DeleteEndpoint",
      "sagemaker:DeleteEndpointConfig",
      "sagemaker:DeleteModel",
      "sagemaker:DeleteTags",
      "sagemaker:DescribeEndpoint",
      "sagemaker:DescribeEndpointConfig",
      "sagemaker:DescribeModel",
      "sagemaker:InvokeEndpoint",
      "sagemaker:InvokeEndpointWithResponseStream",
      "sagemaker:ListEndpointConfigs",
      "sagemaker:ListEndpoints",
      "sagemaker:ListModels",
      "sagemaker:UpdateEndpoint",
      "sagemaker:UpdateEndpointWeightsAndCapacities"
    ]
    resources = ["*"]
  }
  statement {
    # Endpoint autoscaling registration and policies. NOTE(review): `*`
    # here applies to scalable targets of any service, not only SageMaker;
    # an `application-autoscaling:service-namespace` style condition or
    # scalable-target ARNs may narrow it — verify what the provider supports.
    sid    = "AutoscalingForSagemaker"
    effect = "Allow"
    actions = [
      "application-autoscaling:DeleteScalingPolicy",
      "application-autoscaling:DeregisterScalableTarget",
      "application-autoscaling:DescribeScalableTargets",
      "application-autoscaling:DescribeScalingActivities",
      "application-autoscaling:DescribeScalingPolicies",
      "application-autoscaling:PutScalingPolicy",
      "application-autoscaling:RegisterScalableTarget",
      "application-autoscaling:TagResource"
    ]
    resources = ["*"]
  }
  statement {
    # Alarms backing the scaling policies. NOTE(review): DeleteAlarms on `*`
    # allows removing any alarm in the account; alarm ARNs
    # (`...:cloudwatch:<region>:<account>:alarm:<name>`) could scope this
    # to the alarms autoscaling creates — confirm their naming.
    sid    = "CloudwatchForAutoscaling"
    effect = "Allow"
    actions = [
      "cloudwatch:PutMetricAlarm",
      "cloudwatch:DeleteAlarms",
      "cloudwatch:DescribeAlarms"
    ]
    resources = [
      "*"
    ]
  }
  statement {
    # Service-linked role needed for SageMaker endpoint autoscaling. Both
    # the ARN path and the `iam:AWSServiceName` condition pin it to that
    # single service, so no other SLR can be created through this grant.
    sid    = "IamAllowCreateServiceLinkedRole"
    effect = "Allow"
    actions = [
      "iam:CreateServiceLinkedRole"
    ]
    resources = [
      "arn:${data.aws_partition.current.partition}:iam::${local.account_id}:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/*"
    ]
    condition {
      test     = "StringLike"
      variable = "iam:AWSServiceName"
      values = [
        "sagemaker.application-autoscaling.amazonaws.com"
      ]
    }
  }
  statement {
    # Object read/write on the target bucket plus bucket management.
    # NOTE(review): DeleteBucket, PutBucketVersioning and the object-lock /
    # retention writes are destructive, bucket-wide controls; confirm the
    # runtime workload needs them rather than the deploying principal.
    sid    = "S3ManageUseTargetBucket"
    effect = "Allow"
    actions = [
      "s3:AbortMultipartUpload",
      "s3:CreateBucket",
      "s3:DeleteBucket",
      "s3:DeleteObject",
      "s3:DeleteObjectTagging",
      "s3:DeleteObjectVersionTagging",
      "s3:GetBucketTagging",
      "s3:GetBucketVersioning",
      "s3:GetBucketObjectLockConfiguration",
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:GetObjectVersion",
      "s3:GetObjectVersionAcl",
      "s3:GetObjectTagging",
      "s3:GetObjectRetention",
      "s3:ListBucket",
      "s3:ListBucketVersions",
      "s3:ListBucketMultipartUploads",
      "s3:ListMultipartUploadParts",
      "s3:PutBucketObjectLockConfiguration",
      "s3:PutBucketTagging",
      "s3:PutBucketVersioning",
      "s3:PutObject",
      "s3:PutObjectAcl",
      "s3:PutObjectTagging",
      "s3:PutObjectVersionAcl",
      "s3:PutObjectVersionTagging",
      "s3:PutObjectRetention"
    ]
    # Bucket ARN (for bucket-level actions) and object ARN (for object-level
    # actions); both are needed since S3 evaluates them separately.
    resources = [
      "arn:${data.aws_partition.current.partition}:s3:::${local.bucket}",
      "arn:${data.aws_partition.current.partition}:s3:::${local.bucket}/*"
    ]
  }
}
# Customer-managed policy materialised from the merged document above.
# Name is derived from the module's resource identifier so policies from
# several module instances do not collide.
resource "aws_iam_policy" "role_permissions_policy" {
  name   = format("%s-permissions", var.resource_identifier)
  policy = data.aws_iam_policy_document.role_permissions_policy.json
}
# Binds the managed policy to the SageMaker execution role. The role itself
# (and its trust policy) is declared elsewhere in the module.
resource "aws_iam_role_policy_attachment" "role_permissions_policy" {
  role       = aws_iam_role.domino_sagemaker_role.name
  policy_arn = aws_iam_policy.role_permissions_policy.arn
}