
Module: ssm-parameter-store-policy-documents

This module generates JSON IAM policy documents for restricted permission sets for AWS SSM Parameter Store access: read-only, write-only, full management, and KMS decryption of SecureString values, each optionally scoped to a parameter prefix, account and region. Helpful when combined with terraform-aws-ssm-parameter-store.

Examples

Create a policy that allows access to write all parameters

module "ps_policy" {
  source = "git::https://github.com/cloudposse/terraform-aws-ssm-parameter-store-policy-documents.git?ref=master"
}

# No parameter_root_name, so the document covers every parameter in the provider's account and region.
resource "aws_iam_policy" "ps_write" {
  name_prefix = "write_any_parameter_store_value"
  path        = "/"
  policy      = "${module.ps_policy.write_parameter_store_policy}"
}

Create a policy that allows managing (full read and write access to) all parameters

module "ps_policy" {
  source = "git::https://github.com/cloudposse/terraform-aws-ssm-parameter-store-policy-documents.git?ref=master"
}

resource "aws_iam_policy" "ps_manage" {
  name_prefix = "manage_any_parameter_store_value"
  path        = "/"
  policy      = "${module.ps_policy.manage_parameter_store_policy}"
}

Create a policy that allows reading all parameters that start with a certain prefix

Use the read_parameter_store_policy output here; manage_parameter_store_policy would grant write and delete access under the prefix as well.

module "ps_policy" {
  source              = "git::https://github.com/cloudposse/terraform-aws-ssm-parameter-store-policy-documents.git?ref=master"
  parameter_root_name = "/cp/dev/app"
}

resource "aws_iam_policy" "ps_read" {
  name_prefix = "read_specific_parameter_store_value"
  path        = "/"
  policy      = "${module.ps_policy.read_parameter_store_policy}"
}

Create a KMS policy that allows decrypting SecureString parameter values

Reading a SecureString parameter with decryption needs kms:Decrypt on the key the value was encrypted with, so attach this policy alongside the read policy for the same prefix. Pass the key ARN explicitly: if kms_key is left empty the generated document falls back to a wildcard (*) resource.

module "kms_key" {
  source                  = "git::https://github.com/cloudposse/terraform-aws-kms-key.git?ref=master"
  namespace               = "cp"
  stage                   = "prod"
  name                    = "app"
  description             = "KMS key"
  deletion_window_in_days = 10
  enable_key_rotation     = "true"
  alias                   = "alias/parameter_store_key"
}

module "ps_policy" {
  source              = "git::https://github.com/cloudposse/terraform-aws-ssm-parameter-store-policy-documents.git?ref=master"
  parameter_root_name = "/cp/dev/app"
  kms_key             = "${module.kms_key.key_arn}"
}

resource "aws_iam_policy" "ps_kms" {
  name_prefix = "decrypt_parameter_store_value"
  path        = "/"
  policy      = "${module.ps_policy.manage_kms_store_policy}"
}

Create a policy for another account or region

The account_id and region values are used to build the parameter ARNs in the generated document; they default to the provider's current account and region when omitted.

module "ps_policy" {
  source              = "git::https://github.com/cloudposse/terraform-aws-ssm-parameter-store-policy-documents.git?ref=master"
  parameter_root_name = "/cp/dev/app"
  account_id          = "783649272629220"
  region              = "ap-southeast-2"
}

resource "aws_iam_policy" "ps_manage" {
  name_prefix = "manage_any_parameter_store_value"
  path        = "/"
  policy      = "${module.ps_policy.manage_parameter_store_policy}"
}

Variables

Required Variables

Optional Variables

account_id (string) optional

The AWS account id of the parameter store you want to allow access to. If none is supplied, the current account id of the provider is used.


Default value: ""

kms_key (string) optional

The ARN of the KMS key you want to allow decryption with. If empty, the KMS policy document uses a wildcard resource (*), which permits kms:Decrypt on any key the attached principal can otherwise reach; supply the key ARN to keep the grant scoped.


Default value: ""

parameter_root_name (string) optional

The prefix or root parameter that you want to allow access to, for example /cp/dev/app. If empty, the generated documents cover all parameters in the account and region.


Default value: ""

region (string) optional

The region of the parameter store value you want to allow access to. If none is supplied, the current region of the provider is used.


Default value: ""
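The prefix-scoped read example and the kms_key wildcard fallback described above are easiest to reason about with the generated documents in hand. The following is an added example, not code from this module: the page does not show the JSON the module emits, so the policy documents below are a reconstruction from the output and variable descriptions using real SSM and KMS action names, and the account id, region, key ARN and helper names are this example's own. It builds prefix-scoped documents, evaluates them offline against sample parameter ARNs (including the near-miss /cp/dev/application), flags bare wildcard resources, and checks that a SecureString read has both halves it needs.

```python
"""Offline scope check for Parameter Store policy documents.

Added example, not the cloudposse module's code. The documents built here are an
assumed reconstruction of what the module's outputs look like; the sample
identifiers are constructed, not real resources.
"""
import fnmatch
import json

# Assumed action lists (real AWS actions; the module's exact lists are not on the page).
READ_ACTIONS = ["ssm:GetParameter", "ssm:GetParameters",
                "ssm:GetParametersByPath", "ssm:GetParameterHistory"]
WRITE_ACTIONS = ["ssm:PutParameter", "ssm:DeleteParameter", "ssm:DeleteParameters"]
KMS_ACTIONS = ["kms:Decrypt"]

# Constructed sample identifiers.
ACCOUNT_ID = "123456789012"
REGION = "ap-southeast-2"
KEY_ARN = "arn:aws:kms:%s:%s:key/11111111-2222-3333-4444-555555555555" % (REGION, ACCOUNT_ID)


def parameter_arn(name, account_id=ACCOUNT_ID, region=REGION):
    """ARN of a single parameter: /cp/dev/app/db_password becomes
    arn:aws:ssm:<region>:<account>:parameter/cp/dev/app/db_password."""
    return "arn:aws:ssm:%s:%s:parameter/%s" % (region, account_id, name.strip("/"))


def parameter_arns(parameter_root_name, account_id=ACCOUNT_ID, region=REGION):
    """Resource ARNs for a root name: the root parameter itself plus everything
    beneath it. The trailing '/' in the second pattern matters; a bare 'app*'
    would also match /cp/dev/application. An empty root matches every parameter."""
    base = "arn:aws:ssm:%s:%s:parameter" % (region, account_id)
    path = parameter_root_name.strip("/")
    if not path:
        return [base + "/*"]
    return [base + "/" + path, base + "/" + path + "/*"]


def ssm_policy(actions, sid, parameter_root_name="", account_id=ACCOUNT_ID, region=REGION):
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": sid, "Effect": "Allow", "Action": list(actions),
                           "Resource": parameter_arns(parameter_root_name, account_id, region)}]}


def read_policy(parameter_root_name="", **kw):
    return ssm_policy(READ_ACTIONS, "ReadParameterStore", parameter_root_name, **kw)


def write_policy(parameter_root_name="", **kw):
    return ssm_policy(WRITE_ACTIONS, "WriteParameterStore", parameter_root_name, **kw)


def manage_policy(parameter_root_name="", **kw):
    return ssm_policy(READ_ACTIONS + WRITE_ACTIONS, "ManageParameterStore", parameter_root_name, **kw)


def kms_policy(kms_key=""):
    """Mirrors the documented fallback: an empty kms_key becomes Resource '*',
    i.e. kms:Decrypt on any key the principal can otherwise reach."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "DecryptParameterStore", "Effect": "Allow",
                           "Action": list(KMS_ACTIONS), "Resource": kms_key or "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows(policies, action, resource):
    """Minimal evaluator: Allow statements only, IAM-style * and ? wildcards, no
    Condition keys and no explicit Deny. Enough to check scoping; use the IAM
    policy simulator for an authoritative answer."""
    for policy in policies:
        for st in policy["Statement"]:
            if st["Effect"] != "Allow":
                continue
            if any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])) and \
               any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
                return True
    return False


def wildcard_statements(policy):
    """Sids of statements whose Resource is a bare '*'; review these before attaching."""
    return [st["Sid"] for st in policy["Statement"] if "*" in _as_list(st["Resource"])]


def can_read_secure_string(policies, param_arn, key_arn):
    """A SecureString read needs ssm:GetParameter on the parameter and kms:Decrypt
    on its key, which is why the read and KMS documents are attached together."""
    return allows(policies, "ssm:GetParameter", param_arn) and allows(policies, "kms:Decrypt", key_arn)


if __name__ == "__main__":
    read = read_policy("/cp/dev/app")
    print(json.dumps(read, indent=2))
    print("dev secret:", allows([read], "ssm:GetParameter", parameter_arn("/cp/dev/app/db_password")))
    print("prod secret:", allows([read], "ssm:GetParameter", parameter_arn("/cp/prod/app/db_password")))
    print("wildcard KMS statements:", wildcard_statements(kms_policy()))
```

Run it directly to print the reconstructed read document and the allow/deny results. The evaluator ignores Deny statements and Condition keys on purpose; it is a scoping sanity check for documents you generated yourself, not a replacement for the IAM policy simulator.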

Context Variables

The following variables are defined in the context.tf file of this module and are part of the terraform-null-label pattern.

Outputs

manage_kms_store_policy

A JSON policy document that allows decryption (kms:Decrypt) with the KMS key given in kms_key, or with any key if kms_key is empty.

manage_parameter_store_policy

A JSON policy document that allows full (read and write) access to the parameter store, scoped to parameter_root_name when set.

put_xray_trace_policy

A JSON policy document that allows writing trace data to AWS X-Ray for tracing parameter store requests.

read_parameter_store_policy

A JSON policy document that only allows read access to the parameter store, scoped to parameter_root_name when set.

write_parameter_store_policy

A JSON policy document that only allows write access to the parameter store, scoped to parameter_root_name when set.

Dependencies

Providers

  • aws

Resources

The following resources are used by this module:

Data Sources

The following data sources are used by this module: