Beginner’s Guide to IAM: IAM, Roles, Policies, Policy Attachments with Terraform

IAM is short for Identity and Access Management.

1. What’s the difference between an IAM user and role?

An IAM user has long-term credentials and interacts with AWS services directly. An IAM role has no credentials of its own and does not access AWS services directly; instead, IAM roles are assumed by entities such as users, applications or services like EC2.

https://aws.amazon.com/iam/faqs/

2. What’s an IAM Policy?

An IAM Policy grants access, i.e. it defines permissions. You create a policy and then attach it to an IAM identity or an AWS resource.

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

3. What’s an IAM Role Policy Attachment?

This is a Terraform resource, e.g.

https://www.terraform.io/docs/providers/aws/r/iam_role_policy_attachment.html

It attaches an IAM Policy to an IAM role and typically looks like this:

resource "aws_iam_role_policy_attachment" "test-attach" {
  # the role to attach to, referenced from an aws_iam_role resource
  role       = "${aws_iam_role.role.name}"
  # the ARN of the aws_iam_policy resource being attached
  policy_arn = "${aws_iam_policy.policy.arn}"
}


4. Principal

The Principal element specifies the AWS user, account or service that is allowed or denied access to a resource.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

5. assume_role_policy is very similar to, but slightly different from, a standard IAM policy

https://www.terraform.io/docs/providers/aws/r/iam_role.html

6. Service Roles are IAM roles that can be assumed by an AWS service

e.g.

Note how two Services are listed. The Service key must be unique, so its value must be a list.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html

and a list of Services that work with IAM: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
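As an added example (not from the original notes, Terraform's docs or AWS), the two kinds of policy document from points 3 to 6 built in Python: a trust policy like the one assume_role_policy carries, with two service principals in a single Service list, beside an identity policy of the kind aws_iam_role_policy_attachment attaches, plus a demonstration of why Service must be a list: a JSON object cannot carry two Service keys, so a parser silently keeps only one of them.

```python
import json


def trust_policy(services):
    """Trust (assume-role) document: what Terraform's assume_role_policy carries.
    It names WHO may assume the role, so it needs a Principal element."""
    if len(set(services)) != len(services):
        raise ValueError("duplicate service principal")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            # One Service key whose value is a list: the only way to name
            # several service principals in a single statement.
            "Principal": {"Service": list(services)},
            "Action": "sts:AssumeRole",
        }],
    }


def identity_policy(actions, resources):
    """Identity-based (permission) document: attached to the role through
    aws_iam_role_policy_attachment, so it carries no Principal at all."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(actions),
                       "Resource": list(resources)}],
    }


def classify(doc):
    """Tell the two kinds apart: every statement of a trust policy carries a
    Principal; no statement of an identity policy does."""
    stmts = doc["Statement"]
    if all("Principal" in s for s in stmts):
        return "trust"
    if not any("Principal" in s for s in stmts):
        return "identity"
    return "mixed"


# Constructed text showing why Service cannot simply be repeated: a JSON object
# holds one value per key, so the parser keeps the last one and drops the first.
DUPLICATE_KEY_TEXT = '{"Service": "ec2.amazonaws.com", "Service": "lambda.amazonaws.com"}'


def parsed_principal(text):
    return json.loads(text)  # -> {'Service': 'lambda.amazonaws.com'}


if __name__ == "__main__":
    print(json.dumps(trust_policy(["ec2.amazonaws.com", "lambda.amazonaws.com"]), indent=2))
    print(parsed_principal(DUPLICATE_KEY_TEXT))
```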


Using Terraform to set up AWS Route 53 Hosted Zones

1. What’s an AWS Route 53 Hosted Zone?

A Hosted Zone is basically a domain, i.e. a single zone file holding all of that domain’s DNS information.

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/AboutHZWorkingWith.html

See also https://stackoverflow.com/questions/12664671/amazon-route-53-what-do-hosted-zones-and-queries-mean-exactly


2.

https://medium.com/@maxbeatty/using-terraform-to-manage-dns-records-b338f42b50dc

Monitoring your AWS Service Limits

It’s all too easy to go past your AWS Service Limits if you’re dealing with big accounts.

E.g. the default for m4.large per Region is 20. We’re currently running 65 in our smallest Region.

https://console.aws.amazon.com/trustedadvisor/


Attempt 1: using AWS’ solution

This unfortunately uses CloudFormation. Moving on…

Attempt 2: using awslimitchecker

awslimitchecker (http://awslimitchecker.readthedocs.io/) comes to the rescue. You can write your AWS Lambda scripts with it and you’d be good to go.

E.g. List Limits for a Region

awslimitchecker -r eu-west-2 -S EC2 -l

Note that these limits are hard-coded in ./limitchecker/lib/python2.7/site-packages/awslimitchecker/services/ec2.py

and are taken from https://aws.amazon.com/ec2/faqs/

However, if your account has already been in use, its actual limits may differ from these defaults, and they may also differ per Region.

As I said, it doesn’t query Trusted Advisor dynamically. Moving on…

Attempt 3: getting the Service Limit data by CLI

Generic TA Check ID:

aws support describe-trusted-advisor-check-result --check-id eW7HH0l7J9 --region us-east-1

and the EC2 On-Demand Check ID:

aws support describe-trusted-advisor-check-result --language en --check-id 0Xc6LMYG8P --query 'result.sort_by(flaggedResources[?status!=`ok`],&metadata[2])[].metadata' --output table

https://docs.aws.amazon.com/cli/latest/reference/support/describe-trusted-advisor-check-result.html

For Check IDs per Service see: https://aws.amazon.com/premiumsupport/ta-iam/#Information_That_Trusted_Advisor_Displays


Note that this only seems to work against us-east-1, so make sure that is the Region of your default profile (or specify a profile that uses it).

E.g. for other endpoints I got:

Could not connect to the endpoint URL: "https://support.eu-west-2.amazonaws.com/"

and

Could not connect to the endpoint URL: "https://support.us-west-2.amazonaws.com/"

This seems to imply there are no Support endpoints other than us-east-1.

UPDATE: I was right:

AWS Support has a single endpoint: support.us-east-1.amazonaws.com (HTTPS).

https://docs.aws.amazon.com/general/latest/gr/rande.html#awssupport_region


More info: https://aws.amazon.com/premiumsupport/ta-faqs/


Note 2: if you don’t have Business or Enterprise support, this CLI command won’t work and you’ll get something like: usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters].

You can use some Python like this for running EC2 instances:

so let’s just adapt it to:
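As an added example (my own, not the author’s snippet, which is not reproduced on this page), a pure-Python version of the check this section is after: count the running instances per type from a describe_instances-shaped response and compare them with the per-Region default limits quoted above (m4.large: 20). The response here is constructed so the block runs offline; with boto3 you would pass the result of `ec2.describe_instances(...)` for each Region instead. Anything missing from the static limit table is flagged as unknown, which is exactly the gap awslimitchecker’s hard-coded values leave.

```python
from collections import Counter

# Default On-Demand limit per Region for the type quoted above (m4.large: 20).
# A real account may have had its limits raised, so treat this as a baseline only.
DEFAULT_LIMITS = {"m4.large": 20}

# Constructed response in the shape boto3's ec2.describe_instances() returns
# (Reservations -> Instances -> InstanceType / State); not real account data.
SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceType": "m4.large", "State": {"Name": "running"}},
            {"InstanceType": "m4.large", "State": {"Name": "stopped"}},
            {"InstanceType": "t2.micro", "State": {"Name": "running"}},
        ]},
        {"Instances": [
            {"InstanceType": "m4.large", "State": {"Name": "running"}},
        ]},
    ]
}


def running_by_type(response):
    """Count running instances per instance type; stopped ones do not use the limit."""
    counts = Counter()
    for reservation in response["Reservations"]:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] == "running":
                counts[inst["InstanceType"]] += 1
    return counts


def check_limits(counts, limits, warn_at=0.8):
    """Return {type: (running, limit, status)}; status is ok, warning (at or
    above warn_at of the limit), over, or unknown when the type has no entry."""
    result = {}
    for itype, running in counts.items():
        limit = limits.get(itype)
        if limit is None:
            status = "unknown"
        elif running > limit:
            status = "over"
        elif running >= warn_at * limit:
            status = "warning"
        else:
            status = "ok"
        result[itype] = (running, limit, status)
    return result


if __name__ == "__main__":
    for itype, row in check_limits(running_by_type(SAMPLE_RESPONSE), DEFAULT_LIMITS).items():
        print(itype, row)
```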



Terraform: security_groups vs vpc_security_group_ids

Basically, just use vpc_security_group_ids.

  • security_groups – (Optional, EC2-Classic and default VPC only) A list of security group names to associate with.