IAM simply with terrafam

AWS Identity and Access Management is a powerful tool for isolating AWS resources and enforcing a least privilege architecture. Like many other powerful tools, there’s a steep learning curve that can make getting started tough.

Terrafam allows you to define IAM users, groups, roles and the access policies associated with them in an incredibly terse declarative yml syntax. With a simple python script, you can generate terraform configuration and create the IAM resources in your AWS account.

To use, create any or all of three files (users.yml, roles.yml, and groups.yml) and define the access policies. Here’s some examples of how those access policies can look:

users.yml

example-user:
managed: [“AdministratorAccess”]

You can specify AWS managed policies to grant common groups of permissions. For instance, this configuration creates the example-user IAM user and then grants theAdministratorAccess managed policy.

roles.yml

example-role:
s3:
read-and-write: [“some-bucket”]
read: [“another-bucket”]
dynamodb:
read: [“some-table”]

You can give read, write, or read-and-write access to S3, DynamoDB, or SNS resources. This set of resources is based on what we use most frequently at Clever and is only a start — it should be straightforward to add new AWS resources. The action set used for read and write access for each resource are based on what we have commonly seen services need for each resource type.

groups.yml

example-group:
custom: true

Finally, you can define a custom policy for any IAM resource if the existing templates are insufficiently granular. You define the policy as standard IAM policy JSON in {principal-type}/{resource-name}.policy file.

After you’ve defined the policy and run the script, you’ll have json terraform configuration files. With the correct terraform environment definition (e.g. region and profile/credentials defined), you should be able to plan and apply.

The goal of terrafam is not to completely define your IAM resources, but to make the most common IAM policy grants easy to define and review. While we’ve found this useful at Clever, please let me know here, on the Github project, or on Twitter what you think.