cloud engineer
How to add Snapshot Schedules to disks in Terraform. Add this to your existing VM.
resource "google_compute_disk_resource_policy_attachment" "hourly_attachment" { name = "hourly-snapshots" disk = google_compute_instance.test.name zone = "us-central1-c" } resource "google_compute_disk_resource_policy_attachment" "daily_attachment" { name = "daily-snapshots" disk = google_compute_instance.test.name zone = "us-central1-c" } |
resource "google_compute_disk_resource_policy_attachment" "hourly_attachment" { name = "hourly-snapshots" disk = google_compute_instance.test.name zone = "us-central1-c" } resource "google_compute_disk_resource_policy_attachment" "daily_attachment" { name = "daily-snapshots" disk = google_compute_instance.test.name zone = "us-central1-c" }
How to display the policy binding.
gcloud compute instances get-iam-policy SERVER --project=PROJECT_ID --zone=ZONE |
gcloud compute instances get-iam-policy SERVER --project=PROJECT_ID --zone=ZONE
Result
# There is no binding policy etag: ACAB # There is a binding policy bindings: - members: - serviceAccount:SERVICEACCOUNT role: organizations/xxxxxxxxxxxx/roles/ROLE etag: xxxxxxxxxxx= version: 1 |
# There is no binding policy etag: ACAB # There is a binding policy bindings: - members: - serviceAccount:SERVICEACCOUNT role: organizations/xxxxxxxxxxxx/roles/ROLE etag: xxxxxxxxxxx= version: 1
Add a role binding policy
gcloud compute instances add-iam-policy-binding SERVER \ --project=PROJECT_ID \ --zone=ZONE \ --member=serviceAccount:SERVICEACCOUNT \ --role="organizations/xxxxxxxxxxxx/roles/ROLE" |
gcloud compute instances add-iam-policy-binding SERVER \ --project=PROJECT_ID \ --zone=ZONE \ --member=serviceAccount:SERVICEACCOUNT \ --role="organizations/xxxxxxxxxxxx/roles/ROLE"
Remove a role binding policy
gcloud compute instances remove-iam-policy-binding SERVER \ --project=PROJECT_ID \ --zone=ZONE \ --member=serviceAccount:SERVICEACCOUNT \ --role="organizations/xxxxxxxxxxxx/roles/ROLE" |
gcloud compute instances remove-iam-policy-binding SERVER \ --project=PROJECT_ID \ --zone=ZONE \ --member=serviceAccount:SERVICEACCOUNT \ --role="organizations/xxxxxxxxxxxx/roles/ROLE"
Here’s a standard S3 policy to grant an IAM user access to a bucket within an AWS account. User is allowed to add, update, and delete objects. These 3 actions s3:ListAllMyBuckets, s3:GetBucketLocation, and s3:ListBucket are the additional permissions required to access the console. Also, the s3:PutObjectAcl and the s3:GetObjectAcl actions are required to be able to copy, cut, and paste objects within the console.
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:ListAllMyBuckets" ], "Resource":"arn:aws:s3:::*" }, { "Effect":"Allow", "Action":[ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource":"arn:aws:s3:::examplebucket" }, { "Effect":"Allow", "Action":[ "s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectAcl", "s3:DeleteObject" ], "Resource":"arn:aws:s3:::examplebucket/*" } ] } |
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:ListAllMyBuckets" ], "Resource":"arn:aws:s3:::*" }, { "Effect":"Allow", "Action":[ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource":"arn:aws:s3:::examplebucket" }, { "Effect":"Allow", "Action":[ "s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectAcl", "s3:DeleteObject" ], "Resource":"arn:aws:s3:::examplebucket/*" } ] }
Here’s the IAM policy to allow RDS Backup or create a snapshot on AWS.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "rds:RestoreDBClusterFromSnapshot", "rds:DescribeDBSnapshots", "rds:CopyDBSnapshot", "rds:CopyDBClusterSnapshot", "rds:DeleteDBSnapshot", "rds:DeleteDBClusterSnapshot", "rds:CreateDBSnapshot", "rds:RestoreDBInstanceFromDBSnapshot", "rds:CreateDBInstance", "rds:DescribeDBClusterSnapshots", "rds:DescribeDBInstances", "rds:DescribeDBClusters", "rds:DeleteDBInstance", "rds:CreateDBClusterSnapshot", "rds:ModifyDBSnapshotAttribute", "rds:ModifyDBClusterSnapshotAttribute", "rds:ListTagsForResource", "rds:DeleteDBCluster", "ec2:DescribeSecurityGroups", "ec2:DescribeRegions", "ec2:DescribeAvailabilityZones", "ec2:DescribeVpcs", "ec2:DescribeAccountAttributes", "ec2:DescribeSubnets", "iam:GetUser", "iam:GetAccountAuthorizationDetails", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:CreateGrant", "kms:DescribeKey*", "kms:ListKeys", "kms:ListAliases", "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKeyWithoutPlaintext", "kms:ListKeys", "kms:ListAliases", "kms:ListResourceTags" ], "Resource": "*" } ] } |
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "rds:RestoreDBClusterFromSnapshot", "rds:DescribeDBSnapshots", "rds:CopyDBSnapshot", "rds:CopyDBClusterSnapshot", "rds:DeleteDBSnapshot", "rds:DeleteDBClusterSnapshot", "rds:CreateDBSnapshot", "rds:RestoreDBInstanceFromDBSnapshot", "rds:CreateDBInstance", "rds:DescribeDBClusterSnapshots", "rds:DescribeDBInstances", "rds:DescribeDBClusters", "rds:DeleteDBInstance", "rds:CreateDBClusterSnapshot", "rds:ModifyDBSnapshotAttribute", "rds:ModifyDBClusterSnapshotAttribute", "rds:ListTagsForResource", "rds:DeleteDBCluster", "ec2:DescribeSecurityGroups", "ec2:DescribeRegions", "ec2:DescribeAvailabilityZones", "ec2:DescribeVpcs", "ec2:DescribeAccountAttributes", "ec2:DescribeSubnets", "iam:GetUser", "iam:GetAccountAuthorizationDetails", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:CreateGrant", "kms:DescribeKey*", "kms:ListKeys", "kms:ListAliases", "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKeyWithoutPlaintext", "kms:ListKeys", "kms:ListAliases", "kms:ListResourceTags" ], "Resource": "*" } ] }
Here’s the policy for S3 replication between regions.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:Get*",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::source-bucket-name",
"arn:aws:s3:::source-bucket-name/*"
]
},
{
"Action": [
"s3:ReplicateObject",
"s3:ReplicateDelete",
"s3:ReplicateTags",
"s3:GetObjectVersionTagging"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::destination-bucket-name/*"
}
]
} |
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:Get*", "s3:ListBucket" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::source-bucket-name", "arn:aws:s3:::source-bucket-name/*" ] }, { "Action": [ "s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags", "s3:GetObjectVersionTagging" ], "Effect": "Allow", "Resource": "arn:aws:s3:::destination-bucket-name/*" } ] }