# Region of the provider this module is instantiated with. Its name is used
# below to suffix the IAM policy names, so the same module can be deployed
# once per region without name collisions.
data "aws_region" "current" {}
# Look up every table named in var.tables so the policies below can reference
# real ARNs. The result is a map keyed by table name, which other blocks index
# as data.aws_dynamodb_table.table["<name>"].
# NOTE(review): the CI log on this page shows this data source failing with
# "error setting replica: Invalid address to set" under hashicorp/aws v3.37.0,
# the version terraform init selected because no provider version constraint
# is declared.
data "aws_dynamodb_table" "table" {
  for_each = toset(var.tables)
  name     = each.key
}
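# Permissions a workload needs on the tables listed in var.tables. The rendered
# JSON feeds aws_iam_policy.dynamodb below.
data "aws_iam_policy_document" "dynamodb_table_actions" {
  # Discovery and metadata actions. DescribeLimits, DescribeReservedCapacity*
  # and ListTables are account-level and only work with resources = ["*"];
  # the tag, TTL and ListTagsOfResource actions are table-scoped and could be
  # narrowed to the table ARNs (left on "*" here to keep the grant unchanged).
  statement {
    actions = [
      "dynamodb:DescribeLimits",
      "dynamodb:DescribeReservedCapacity",
      "dynamodb:DescribeReservedCapacityOfferings",
      "dynamodb:DescribeTimeToLive",
      "dynamodb:ListStreams",
      "dynamodb:ListTables",
      "dynamodb:ListTagsOfResource",
      "dynamodb:TagResource",
      "dynamodb:UntagResource"
    ]
    resources = ["*"]
  }

  # Data-plane access to every listed table plus two named GSIs.
  # NOTE(review): DeleteTable, UpdateTable and CreateBackup are control-plane
  # actions; confirm the workload really needs them in this policy.
  # NOTE(review): "table_name" must be one of the entries in var.tables or the
  # map lookup fails at plan time; it reads like a placeholder to be replaced.
  statement {
    actions = [
      "dynamodb:BatchGetItem",
      "dynamodb:BatchWriteItem",
      "dynamodb:CreateBackup",
      "dynamodb:DeleteItem",
      "dynamodb:DeleteTable",
      "dynamodb:DescribeContinuousBackups",
      "dynamodb:DescribeTable",
      "dynamodb:GetItem",
      "dynamodb:PutItem",
      "dynamodb:Query",
      "dynamodb:Scan",
      "dynamodb:UpdateItem",
      "dynamodb:UpdateTable"
    ]
    resources = concat(
      [for t in var.tables : data.aws_dynamodb_table.table[t].arn],
      [
        "${data.aws_dynamodb_table.table["table_name"].arn}/index/region-expiry-index",
        "${data.aws_dynamodb_table.table["table_name"].arn}/index/user-index"
      ]
    )
  }

  # DynamoDB Streams read access. Stream actions are authorised against the
  # stream ARN (<table arn>/stream/<label>), not the table ARN, so a statement
  # scoped to the bare table ARN never matches. The "/stream/*" suffix makes
  # this statement effective for every stream of each listed table.
  statement {
    actions = [
      "dynamodb:DescribeStream",
      "dynamodb:GetShardIterator",
      "dynamodb:GetRecords"
    ]
    resources = [for t in var.tables : "${data.aws_dynamodb_table.table[t].arn}/stream/*"]
  }
}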
# Customer-managed policy built from data.aws_iam_policy_document.dynamodb_table_actions.
# The region suffix keeps the name unique when the module is deployed per region.
resource "aws_iam_policy" "dynamodb" {
  name   = "dynamodb-${data.aws_region.current.name}"
  path   = "/"
  policy = data.aws_iam_policy_document.dynamodb_table_actions.json

  lifecycle {
    # These policies are referenced by ARN in other places. Make sure those
    # places point to new policies before deleting these.
    prevent_destroy = true
  }
}
# Existing per-environment, per-region config bucket; only its ARN is used
# (in data.aws_iam_policy_document.config_bucket). The bucket must already
# exist or plan fails.
data "aws_s3_bucket" "config_bucket" {
  bucket = "infra2-${var.environment}-${data.aws_region.current.name}-config"
}
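# Read-only access to the config bucket looked up above.
data "aws_iam_policy_document" "config_bucket" {
  # Bucket-level listing. The HeadBucket API is authorised by s3:ListBucket;
  # "s3:HeadBucket" is not an action in the S3 IAM action list, so it was
  # dropped rather than kept as a no-op entry.
  statement {
    actions   = ["s3:ListBucket"]
    resources = [data.aws_s3_bucket.config_bucket.arn]
  }

  # Object-level reads. s3:Get* covers GetObject but also GetObjectAcl and
  # similar; narrow to the specific actions if the bucket holds anything the
  # workload should not be able to inspect.
  statement {
    actions = [
      "s3:Get*",
      "s3:List*"
    ]
    resources = ["${data.aws_s3_bucket.config_bucket.arn}/*"]
  }
}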
# Customer-managed policy built from data.aws_iam_policy_document.config_bucket,
# named per region like aws_iam_policy.dynamodb.
resource "aws_iam_policy" "config_bucket" {
  name   = "config-${data.aws_region.current.name}"
  path   = "/"
  policy = data.aws_iam_policy_document.config_bucket.json

  lifecycle {
    # These policies are referenced by ARN in other places. Make sure those
    # places point to new policies before deleting these.
    prevent_destroy = true
  }
}
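# Read access to Secrets Manager, rendered with aws_iam_policy_document like
# the other two policies in this module so all three are reviewed in one
# format. The effective grant is identical to the previous inline JSON; the
# first plan after this change may show an in-place policy update because the
# rendered document differs textually.
data "aws_iam_policy_document" "secrets" {
  # ListSecrets is account-level and only works with "*".
  statement {
    actions   = ["secretsmanager:ListSecrets"]
    resources = ["*"]
  }

  # GetSecretValue and DescribeSecret are resource-level. "*" keeps the grant
  # unchanged, but it allows reading every secret in the account; replace it
  # with the ARNs (or an ARN prefix) of the secrets this workload needs.
  statement {
    actions = [
      "secretsmanager:GetSecretValue",
      "secretsmanager:DescribeSecret"
    ]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "secrets" {
  name   = "secrets-${data.aws_region.current.name}"
  path   = "/"
  policy = data.aws_iam_policy_document.secrets.json
}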
# Tags supplied by the caller (the root module passes var.global_tags).
# NOTE(review): none of the resources visible in this module reference
# var.tags; confirm it is used elsewhere or apply it to the aws_iam_policy
# resources.
variable "tags" {
  type    = map(string)
  default = {}
}
# Names of existing DynamoDB tables the policies grant access to; each one is
# looked up by data.aws_dynamodb_table.table. Required, no default.
variable "tables" {
  type = list(string)
}
# Environment name; only used to build the config bucket name in
# data.aws_s3_bucket.config_bucket. Required, no default.
variable "environment" {
  type = string
}
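terraform {
  # Exact pin; the CI job invokes a dedicated "terraform14" binary.
  required_version = "= 0.14.2"

  required_providers {
    aws = {
      source = "hashicorp/aws"
      # Without a constraint, `terraform init -upgrade` takes the newest release
      # (v3.37.0 in the CI log on this page), and that release fails the
      # aws_dynamodb_table data source with "error setting replica". Stay on
      # the 3.x line and exclude the release shown failing; the exact selection
      # should come from the committed .terraform.lock.hcl.
      version = "~> 3.0, != 3.37.0"
    }
  }

  backend "s3" {
    region         = "us-east-2"
    bucket         = "app-infrastructure-terraform-state"
    key            = "preprod/iam_policies.tfstate"
    encrypt        = "true"
    dynamodb_table = "app-infrastructure-terraform-lock"
  }
}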
# Default (un-aliased) provider. It runs with whatever credentials the CI job
# has; the module below is handed the aliased provider instead, so nothing
# visible on this page uses this one directly.
provider "aws" {
  region = "us-east-2"
}
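# Aliased provider that assumes the deployment role in the target account;
# passed to module.east_2_policies as its "aws" provider.
provider "aws" {
  alias  = "us-east-2"
  region = "us-east-2"

  assume_role {
    role_arn = "arn:aws:iam::${var.account}:role/${var.terraform_role}"
    # A fixed session name makes these assumed-role sessions identifiable in
    # CloudTrail (the session ARN ends in this value) instead of the SDK's
    # generated default.
    session_name = "terraform-iam-policies"
  }
}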
# us-east-2 instance of the iam_policies module, wired to the assume-role
# provider above. The CI log on this page also initialises a west_2_policies
# instance, which is not shown here.
module "east_2_policies" {
  source = "../../modules/iam_policies"

  providers = {
    aws = aws.us-east-2
  }

  tables      = var.tables
  environment = var.environment
  tags        = var.global_tags
}
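# Provider selection must come from the committed .terraform.lock.hcl. Running
# init with -upgrade in CI overrides that: the log on this page shows it
# rewriting the lock file and pulling the newest aws provider, which is what
# introduced the failing version. Upgrades are done deliberately and committed,
# never by the pipeline.
terraform14 init -get-plugins
TF_LOG="DEBUG" TF_LOG_PATH=/tmp/tf_logs/$(date +%s)_terraform.log TF_IN_AUTOMATION=true TF_VAR_app_hash="$CIRCLE_SHA1" terraform14 plan -lock-timeout=300s -out=../../../terraform_preprod_iam_policies.plan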
+ mkdir -p /tmp/tf_logs
+ cd /home/circleci/app/terraform/iam_policies/preprod/
+ terraform14 init -upgrade=true -get-plugins
Upgrading modules...
- east_2_policies in ../../modules/iam_policies
- west_2_policies in ../../modules/iam_policies
Initializing the backend...
Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding latest version of hashicorp/aws...
- Installing hashicorp/aws v3.37.0...
- Installed hashicorp/aws v3.37.0 (signed by HashiCorp)
Terraform has made some changes to the provider dependency selections recorded
in the .terraform.lock.hcl file. Review those changes and commit them to your
version control system if they represent changes you intended to make.
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
+ TF_LOG=DEBUG
++ date +%s
+ TF_LOG_PATH=/tmp/tf_logs/1618605905_terraform.log
+ TF_IN_AUTOMATION=true
+ TF_VAR_astra_hash=a746f12aa24afa69c78699966297d54fa7a8b0fe
+ terraform14 plan -lock-timeout=300s -out=../../../terraform_preprod_iam_policies.plan
2021/04/16 20:45:05 [WARN] Log levels other than TRACE are currently unreliable, and are supported only for backward compatibility.
Use TF_LOG=TRACE to see Terraform's internal logs.
----
module.east_2_policies.aws_iam_policy.astra_secrets: Refreshing state... [id=arn:aws:iam::789226301580:policy/astra-secrets-us-east-2]
module.east_2_policies.aws_iam_policy.config_bucket: Refreshing state... [id=arn:aws:iam::789226301580:policy/astra-config-us-east-2]
module.west_2_policies.aws_iam_policy.astra_secrets: Refreshing state... [id=arn:aws:iam::789226301580:policy/astra-secrets-us-west-2]
module.west_2_policies.aws_iam_policy.config_bucket: Refreshing state... [id=arn:aws:iam::789226301580:policy/astra-config-us-west-2]
Error: error setting replica: Invalid address to set: []string{"replica", "0", "kms_key_arn"}
on ../../modules/iam_policies/main.tf line 3, in data "aws_dynamodb_table" "table":
3: data "aws_dynamodb_table" "table" {
Error: error setting replica: Invalid address to set: []string{"replica", "0", "kms_key_arn"}
on ../../modules/iam_policies/main.tf line 3, in data "aws_dynamodb_table" "table":
3: data "aws_dynamodb_table" "table" {
Error: error setting replica: Invalid address to set: []string{"replica", "0", "kms_key_arn"}
on ../../modules/iam_policies/main.tf line 3, in data "aws_dynamodb_table" "table":
3: data "aws_dynamodb_table" "table" {
Error: error setting replica: Invalid address to set: []string{"replica", "0", "kms_key_arn"}
on ../../modules/iam_policies/main.tf line 3, in data "aws_dynamodb_table" "table":
3: data "aws_dynamodb_table" "table" {
Error: error setting replica: Invalid address to set: []string{"replica", "0", "kms_key_arn"}
on ../../modules/iam_policies/main.tf line 3, in data "aws_dynamodb_table" "table":
3: data "aws_dynamodb_table" "table" {
Error: error setting replica: Invalid address to set: []string{"replica", "0", "kms_key_arn"}
on ../../modules/iam_policies/main.tf line 3, in data "aws_dynamodb_table" "table":
3: data "aws_dynamodb_table" "table" {
Error: error setting replica: Invalid address to set: []string{"replica", "0", "kms_key_arn"}
on ../../modules/iam_policies/main.tf line 3, in data "aws_dynamodb_table" "table":
3: data "aws_dynamodb_table" "table" {
Error: error setting replica: Invalid address to set: []string{"replica", "0", "kms_key_arn"}
on ../../modules/iam_policies/main.tf line 3, in data "aws_dynamodb_table" "table":
3: data "aws_dynamodb_table" "table" {
Error: error setting replica: Invalid address to set: []string{"replica", "0", "kms_key_arn"}
on ../../modules/iam_policies/main.tf line 3, in data "aws_dynamodb_table" "table":
3: data "aws_dynamodb_table" "table" {
Error: error setting replica: Invalid address to set: []string{"replica", "0", "kms_key_arn"}
on ../../modules/iam_policies/main.tf line 3, in data "aws_dynamodb_table" "table":
3: data "aws_dynamodb_table" "table" {
Error: error setting replica: Invalid address to set: []string{"replica", "0", "kms_key_arn"}
on ../../modules/iam_policies/main.tf line 3, in data "aws_dynamodb_table" "table":
3: data "aws_dynamodb_table" "table" {
Error: error setting replica: Invalid address to set: []string{"replica", "0", "kms_key_arn"}
on ../../modules/iam_policies/main.tf line 3, in data "aws_dynamodb_table" "table":
3: data "aws_dynamodb_table" "table" {
Error: error setting replica: Invalid address to set: []string{"replica", "0", "kms_key_arn"}
on ../../modules/iam_policies/main.tf line 3, in data "aws_dynamodb_table" "table":
3: data "aws_dynamodb_table" "table" {
Error: error setting replica: Invalid address to set: []string{"replica", "0", "kms_key_arn"}
on ../../modules/iam_policies/main.tf line 3, in data "aws_dynamodb_table" "table":
3: data "aws_dynamodb_table" "table" {
Exited with code exit status 1
CircleCI received exit code 1
# Target AWS account, used in the assume_role ARN of provider "aws" (alias
# us-east-2). The default is a placeholder (real account IDs are 12 digits);
# because a default exists, a run that forgets to set TF_VAR_account silently
# targets this value instead of failing. Consider dropping the default so the
# target account is always explicit.
variable "account" {
  type    = string
  default = "1234567890"
}
# Name of the IAM role Terraform assumes in var.account. "root" here is a role
# name, not the account root user; as with var.account, a default means a
# mis-set pipeline assumes an unintended role rather than failing fast.
variable "terraform_role" {
  type    = string
  default = "root"
}
# Environment name forwarded to the iam_policies module, where it selects the
# config bucket; this root configuration is the preprod one.
variable "environment" {
  type    = string
  default = "preprod"
}
# Tags forwarded to the module as its "tags" input.
variable "global_tags" {
  type = map(string)
  default = {
    Terraform = "managed"
  }
}
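# DynamoDB table names forwarded to the iam_policies module. The label is
# quoted like every other variable block in this file. The default is a
# placeholder list; each entry must be an existing table or the module's
# aws_dynamodb_table lookup fails at plan time.
variable "tables" {
  type = list(string)
  default = [
    "list",
    "of",
    "table",
    "names",
    "here"
  ]
}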