Merge pull request #8 from strongdm/role_grants

Role_grants
strongdm · May 16, 2022 · f27f3a6 · f27f3a6
2 parents abff026 + 7cd07b9
commit f27f3a6
Show file tree

Hide file tree

Showing 7 changed files with 8 additions and 66 deletions.
diff --git a/onboarding.tf b/onboarding.tf
@@ -22,24 +22,6 @@ module "strongdm_onboarding" {
   # If set to false the default VPC will be used instead
   # create_vpc = true
 
-
-  # List of existing users to grant resources to
-  # NOTE: These emails must exactly match existing users in strongDM or an error will occur
-  # NOTE: An error will occur if these users are already assigned to a role in strongDM
-  grant_to_existing_users = [
-    var.SDM_ADMINS_EMAILS
-  ]
-
-  # New accounts to create with access to all resources
-  admin_users = [
-    "[email protected]",
-  ]
-
-  # New accounts to create with read-only permissions
-  read_only_users = [
-    "[email protected]",
-  ]
-
   # Tags will be added to strongDM and AWS resources.
   # tags = {}
 }
diff --git a/onboarding/data.tf b/onboarding/data.tf
@@ -6,9 +6,12 @@ data "aws_vpc" "default" {
   default = true
 }
 
-data "aws_subnet_ids" "subnets" {
+data "aws_subnets" "subnets" {
   count  = var.create_vpc ? 0 : 1
-  vpc_id = data.aws_vpc.default[0].id
+  filter {
+      name   = "vpc-id"
+      values = [data.aws_vpc.default[0].id]
+    }
 }
 
 # ---------------------------------------------------------------------------- #

diff --git a/onboarding/eks_cluster/main.tf b/onboarding/eks_cluster/main.tf
@@ -121,12 +121,6 @@ resource "sdm_resource" "k8s_eks_data_eks" {
   }
 }
 
-resource "sdm_role_grant" "admin_grant_eks" {
-  count       = var.create_eks ? 1 : 0
-  role_id     = var.admins_id
-  resource_id = sdm_resource.k8s_eks_data_eks[0].id
-}
-
 module "configmap" {
   count       = var.create_eks ? 1 : 0
   source = "./configmap"

diff --git a/onboarding/http/main.tf b/onboarding/http/main.tf
@@ -79,14 +79,7 @@ resource "sdm_resource" "web_page" {
     tags = merge({ Name = "${var.prefix}-http" }, var.default_tags, var.tags)
   }
 }
-resource "sdm_role_grant" "admin_grant_web_page" {
-  role_id     = var.admins_id
-  resource_id = sdm_resource.web_page.id
-}
-resource "sdm_role_grant" "read_only_grant_web_page" {
-  role_id     = var.read_only_id
-  resource_id = sdm_resource.web_page.id
-}
+
 # ---------------------------------------------------------------------------- #
 # Access the EC2 instance with strongDM over SSH
 # ---------------------------------------------------------------------------- #
@@ -101,8 +94,3 @@ resource "sdm_resource" "ssh_ec2" {
     tags     = merge({ Name = "${var.prefix}-http" }, var.default_tags, var.tags)
   }
 }
-resource "sdm_role_grant" "admin_grant_ssh_ec2" {
-  count       = var.create_ssh ? 1 : 0
-  role_id     = var.admins_id
-  resource_id = sdm_resource.ssh_ec2[0].id
-}
diff --git a/onboarding/mysql/main.tf b/onboarding/mysql/main.tf
@@ -32,14 +32,8 @@ data "aws_ami" "ubuntu" {
 
   filter {
     name   = "name"
-    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
+    values = ["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"]
   }
-
-  filter {
-    name   = "virtualization-type"
-    values = ["hvm"]
-  }
-
 }
 
 resource "aws_security_group" "mysql" {
@@ -104,11 +98,6 @@ resource "sdm_resource" "mysql_admin" {
   }
 }
 
-resource "sdm_role_grant" "admin_grant_mysql_admin" {
-  role_id     = var.admins_id
-  resource_id = sdm_resource.mysql_admin.id
-}
-
 resource "sdm_resource" "mysql_ro" {
   mysql {
     name     = "${var.prefix}-mysql-read-only"
@@ -122,11 +111,6 @@ resource "sdm_resource" "mysql_ro" {
   }
 }
 
-resource "sdm_role_grant" "read_only_grant_mysql_ro" {
-  role_id     = var.read_only_id
-  resource_id = sdm_resource.mysql_ro.id
-}
-
 # ---------------------------------------------------------------------------- #
 # Access the EC2 instance with strongDM over SSH
 # ---------------------------------------------------------------------------- #
@@ -143,8 +127,3 @@ resource "sdm_resource" "mysql_ssh" {
   }
 }
 
-resource "sdm_role_grant" "admin_grant_mysql_ssh" {
-  count       = var.create_ssh ? 1 : 0
-  role_id     = var.admins_id
-  resource_id = sdm_resource.mysql_ssh[0].id
-}
diff --git a/onboarding/variables.tf b/onboarding/variables.tf
@@ -72,6 +72,6 @@ variable "read_only_users" {
 
 locals {
   vpc_id         = var.create_vpc ? module.network[0].vpc_id : data.aws_vpc.default[0].id
-  subnet_ids     = var.create_vpc ? module.network[0].public_subnets : sort(data.aws_subnet_ids.subnets[0].ids)
+  subnet_ids      = var.create_vpc ? module.network[0].public_subnets : sort(data.aws_subnets.subnets[0].ids)
   default_tags   = { CreatedBy = "strongDM-Onboarding" }
 }
diff --git a/onboarding/windows_server/main.tf b/onboarding/windows_server/main.tf
@@ -90,7 +90,3 @@ resource "sdm_resource" "windows_server" {
   }
 }
 
-resource "sdm_role_grant" "admin_grant_windows_server" {
-  role_id     = var.admins_id
-  resource_id = sdm_resource.windows_server.id
-}