feat: create private Route 53 hosted zone and update IAM policy actions (#95)

* feat: create private Route 53 hosted zone and update IAM policy actions

* feat: enhance S3 permissions in IAM policy for lifecycle management

Author: Gezi-lzq

cloudservice-setup/aws/ec2-custom/iam.tf

@@ -39,10 +39,10 @@ resource "aws_iam_policy" "automq_console_policy" {
           "autoscaling:ResumeProcesses",
           "autoscaling:SuspendProcesses",
           "autoscaling:UpdateAutoScalingGroup",
+          # "ec2:DeleteKeyPair",
           "ec2:AttachVolume",
           "ec2:AuthorizeSecurityGroupEgress",
           "ec2:AuthorizeSecurityGroupIngress",
-          "ec2:DeleteKeyPair",
           "ec2:DeleteSecurityGroup",
           "ec2:DeleteVolume",
           "ec2:DetachVolume",
@@ -65,6 +65,20 @@ resource "aws_iam_policy" "automq_console_policy" {
       {
         Effect = "Allow"
         Action = [
+          "s3:ListBucket",
+          "s3:ListBucketMultipartUploads",
+          "s3:GetLifecycleConfiguration",
+          "s3:PutLifecycleConfiguration"
+        ]
+        Resource = [
+          "arn:aws:s3:::${local.data_bucket_name}",
+          "arn:aws:s3:::${local.ops_bucket_name}"
+        ]
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "s3:AbortMultipartUpload",
           "s3:DeleteObject",
           "s3:GetObject",
           "s3:PutObject",
@@ -92,7 +106,8 @@ resource "aws_iam_policy" "automq_console_policy" {
         Action = [
           "autoscaling:CreateAutoScalingGroup",
           "autoscaling:DescribeAutoScalingGroups",
-          "ec2:CreateKeyPair",
+          # "ec2:CreateKeyPair",
+          # "ec2:DescribeKeyPairs",
           "ec2:CreateLaunchTemplate",
           "ec2:CreateLaunchTemplateVersion",
           "ec2:CreateSecurityGroup",
@@ -104,7 +119,6 @@ resource "aws_iam_policy" "automq_console_policy" {
           "ec2:DescribeInstanceAttribute",
           "ec2:DescribeInstanceTypeOfferings",
           "ec2:DescribeInstances",
-          "ec2:DescribeKeyPairs",
           "ec2:DescribeLaunchTemplateVersions",
           "ec2:DescribeLaunchTemplates",
           "ec2:DescribeRouteTables",
@@ -117,10 +131,6 @@ resource "aws_iam_policy" "automq_console_policy" {
           "ec2:DescribeVpcs",
           "ec2:ModifyLaunchTemplate",
           "ec2:RunInstances",
-          "eks:DescribeCluster",
-          "eks:DescribeNodegroup",
-          "eks:ListClusters",
-          "eks:ListNodegroups",
           "elasticloadbalancing:DescribeTargetGroups",
           "fsx:CreateFileSystem",
           "fsx:CreateStorageVirtualMachine",
@@ -132,32 +142,22 @@ resource "aws_iam_policy" "automq_console_policy" {
           "pricing:DescribeServices",
           "pricing:GetAttributeValues",
           "pricing:GetProducts",
-          "route53:ChangeResourceRecordSets",
-          "route53:GetHostedZone",
-          "route53:ListHostedZones",
-          "route53:ListHostedZonesByName",
-          "route53:ListHostedZonesByVpc",
-          "route53:ListResourceRecordSets",
-          "s3:AbortMultipartUpload",
-          "s3:CreateBucket",
-          "s3:DeleteObject",
-          "s3:ListAllMyBuckets",
-          "s3:ListBucket",
-          "s3:ListBucketMultipartUploads",
-          "ssm:GetParameters"
+          "ssm:GetParameters",
+          # "eks:DescribeCluster",
+          # "eks:DescribeNodegroup",
+          # "eks:ListClusters",
+          # "eks:ListNodegroups"
         ]
         Resource = "*"
       },
       {
         Effect = "Allow"
         Action = [
-          "s3:GetLifecycleConfiguration",
-          "s3:ListBucket",
-          "s3:PutLifecycleConfiguration"
-        ]
-        Resource = [
-          "arn:aws:s3:::${local.ops_bucket_name}"
+          "route53:ChangeResourceRecordSets",
+          "route53:GetHostedZone",
+          "route53:ListResourceRecordSets"
         ]
+        Resource = "arn:aws:route53:::hostedzone/${local.route53_hosted_zone_id}"
       }
     ]
   })

cloudservice-setup/aws/ec2-custom/main.tf

@@ -144,7 +144,7 @@ resource "aws_instance" "automq_byoc_console" {
     automq_data_bucket                   = local.data_bucket_name,
     automq_ops_bucket                    = local.ops_bucket_name,
     instance_security_group_id           = aws_security_group.automq_byoc_console_sg.id,
-    instance_dns                         = aws_route53_zone.private_r53.zone_id,
+    instance_dns                         = local.route53_hosted_zone_id,
     instance_profile_arn                 = aws_iam_instance_profile.automq_byoc_instance_profile.arn,
     environment_id                       = local.env_id
   })
@@ -169,19 +169,3 @@ resource "aws_volume_attachment" "data_volume_attachment" {
   volume_id   = aws_ebs_volume.data_volume.id
   instance_id = aws_instance.automq_byoc_console.id
 }
-
-resource "aws_route53_zone" "private_r53" {
-  name = "${local.name_suffix}.automq.private"
-
-  vpc {
-    vpc_id = var.vpc_id
-  }
-
-  lifecycle {
-    create_before_destroy = true
-  }
-
-  tags = merge(local.common_tags, {
-    Name = "automq-private-zone-${local.env_id}"
-  })
-}

cloudservice-setup/aws/ec2-custom/route53.tf

@@ -0,0 +1,20 @@
+# Create a private Route 53 hosted zone or you can use an existing one
+resource "aws_route53_zone" "private_r53" {
+  name = "${local.name_suffix}.automq.private"
+
+  vpc {
+    vpc_id = var.vpc_id
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = merge(local.common_tags, {
+    Name = "automq-private-zone-${local.env_id}"
+  })
+}
+
+locals {
+  route53_hosted_zone_id = aws_route53_zone.private_r53.zone_id
+}