Commit b59857df authored by A-Gordon's avatar A-Gordon

Initial commit

parents
#############################################################################################################
# IAM
#############################################################################################################
module "iam_role" {
source = "../../../steamhaus/tf_mod_aws_iam_assume_role/"
name = "${var.name}"
source_account_id = "${var.source_account_id}"
steamhaus_apn = "0"
admin = "1"
}
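Review bot: The module source on L10 is a relative filesystem path (`../../../steamhaus/tf_mod_aws_iam_assume_role/`), so nothing pins which revision of the module builds this cross-account role, and the path only resolves for one particular checkout layout. Because the call sets `admin = "1"`, which in the module code later in this commit attaches AdministratorAccess, a silently changed module is a high-impact supply-chain risk; prefer a versioned source such as `source = "git::<MODULE_REPO_URL_PLACEHOLDER>?ref=<TAG_PLACEHOLDER>"`. A one-line comment above `admin = "1"` stating that it grants full administrative access to principals of `source_account_id` would also help anyone reviewing callers of this module.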
\ No newline at end of file
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${source_account_id}:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "true"
}
}
}
]
}
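Review bot: The trust policy's Principal on L23 is the source account's `:root`, so any IAM user or role in `source_account_id` that the other account's own administrators grant `sts:AssumeRole` on this role can assume it; the decision about who gets in is delegated entirely to that account. The MFA condition on L28 does block use of long-lived keys without MFA, but note that sessions which did not themselves present MFA (including typical role chaining) will not match either, which is worth documenting as intended behaviour. If the intent is to trust specific principals, narrow `Principal.AWS` to their role/user ARNs; if the whole account is intended, say so in the variable description of `source_account_id`, e.g. `The entire source account (:root) is trusted; who may assume the role is then governed by that account's own IAM policies`.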
\ No newline at end of file
#############################################################################################################
# Variables
#############################################################################################################
variable "name" {
description = "Name of the role that will be assumed"
}
variable "source_account_id" {
description = "ID of the source AWS account to be allowed accesss"
}
variable "steamhaus_apn" {
description = ""
default = "1"
}
variable "admin" {
description = ""
default = "0"
}
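Review bot: The `steamhaus_apn` and `admin` variables on L44-L51 have empty `description` values, yet `admin` is the switch that attaches AdministratorAccess to the role elsewhere in this commit, and a caller reading the module interface cannot tell that from the variable. Suggest `description = "Set to \"1\" to attach the AWS-managed AdministratorAccess policy to the role (default \"0\")"` for `admin`, and `description = "Set to \"1\" to create and attach the SteamhausAPN policy from steamhaus_apn_policy.json (default \"1\")"` for `steamhaus_apn`. `accesss` on L42 is a typo, and since the defaults are APN on / admin off while the caller in this commit passes the opposite, stating the defaults explicitly in the descriptions avoids surprises.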
#############################################################################################################
# IAM Role, Policy and Attachment
#############################################################################################################
data "template_file" "assume_role" {
template = "${file("${path.module}/assume_role.json")}"
vars {
source_account_id = "${var.source_account_id}"
}
}
resource "aws_iam_role" "role" {
name = "${var.name}"
assume_role_policy = "${data.template_file.assume_role.rendered}"
lifecycle { create_before_destroy = true }
}
resource "aws_iam_policy" "steamhaus_apn" {
name = "SteamhausAPN"
description = "Steamhaus APN policy"
policy = "${file("${path.module}/steamhaus_apn_policy.json")}"
count = "${var.steamhaus_apn}"
lifecycle { create_before_destroy = true }
}
resource "aws_iam_role_policy_attachment" "steamhaus_apn" {
role = "${aws_iam_role.role.name}"
policy_arn = "${aws_iam_policy.steamhaus_apn.arn}"
count = "${var.steamhaus_apn}"
}
resource "aws_iam_role_policy_attachment" "admin" {
role = "${aws_iam_role.role.name}"
policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
count = "${var.admin}"
}
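Review bot: `lifecycle { create_before_destroy = true }` on L64 and L71 is combined with fixed names (`name = "${var.name}"` on L62, `name = "SteamhausAPN"` on L67); IAM role and policy names are unique per account, so any forced replacement that keeps the name will try to create the new resource while the old one still exists and fail with an already-exists error. Either drop `create_before_destroy` or switch to `name_prefix`, which both `aws_iam_role` and `aws_iam_policy` support. The hard-coded `"SteamhausAPN"` also means the module cannot be instantiated twice in one account; deriving it from the role name (e.g. `name = "${var.name}-SteamhausAPN"`) avoids that collision. The attachment of `arn:aws:iam::aws:policy/AdministratorAccess` on L80 carries no comment; a one-liner noting it is gated by `var.admin` and grants full account access would make the blast radius obvious to readers.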
\ No newline at end of file
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:AddRoleToInstanceProfile",
"iam:AddClientIDToOpenIDConnectProvider",
"iam:AttachGroupPolicy",
"iam:AttachRolePolicy",
"iam:AttachUserPolicy",
"iam:CreateAccountAlias",
"iam:CreateGroup",
"iam:CreateInstanceProfile",
"iam:CreateLoginProfile",
"iam:CreateOpenIDConnectProvider",
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:CreateRole",
"iam:CreateSAMLProvider",
"iam:CreateUser",
"iam:DeleteAccountAlias",
"iam:DeleteAccountPasswordPolicy",
"iam:DeleteGroup",
"iam:DeleteGroupPolicy",
"iam:DeleteInstanceProfile",
"iam:DeleteLoginProfile",
"iam:DeleteOpenIDConnectProvider",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DeleteSAMLProvider",
"iam:DeleteSSHPublicKey",
"iam:DeleteServerCertificate",
"iam:DeleteSigningCertificate",
"iam:DeleteUser",
"iam:DeleteUserPolicy",
"iam:DeleteVirtualMFADevice",
"iam:DetachGroupPolicy",
"iam:DetachRolePolicy",
"iam:DetachUserPolicy",
"iam:GenerateCredentialReport",
"iam:GenerateServiceLastAccessedDetails",
"iam:GetAccessKeyLastUsed",
"iam:GetAccountAuthorizationDetails",
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:GetContextKeysForCustomPolicy",
"iam:GetContextKeysForPrincipalPolicy",
"iam:GetCredentialReport",
"iam:GetInstanceProfile",
"iam:GetLoginProfile",
"iam:GetOpenIDConnectProvider",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetSAMLProvider",
"iam:GetSSHPublicKey",
"iam:GetServerCertificate",
"iam:GetServiceLastAccessedDetails",
"iam:GetServiceLastAccessedDetailsWithEntities",
"iam:GetUser",
"iam:GetUserPolicy",
"iam:PassRole",
"iam:PutGroupPolicy",
"iam:PutRolePolicy",
"iam:PutUserPolicy",
"iam:RemoveClientIDFromOpenIDConnectProvider",
"iam:RemoveRoleFromInstanceProfile",
"iam:RemoveUserFromGroup",
"iam:SetDefaultPolicyVersion",
"iam:SimulateCustomPolicy",
"iam:SimulatePrincipalPolicy",
"iam:UpdateAccountPasswordPolicy",
"iam:UpdateAssumeRolePolicy",
"iam:UpdateGroup",
"iam:UpdateLoginProfile",
"iam:UpdateOpenIDConnectProviderThumbprint",
"iam:UpdateSAMLProvider",
"iam:UpdateSSHPublicKey",
"iam:UpdateServerCertificate",
"iam:UpdateSigningCertificate",
"iam:UpdateUser",
"iam:UploadSSHPublicKey",
"iam:UploadServerCertificate",
"iam:UploadSigningCertificate",
"support:*",
"aws-portal:*"
],
"Effect": "Deny",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
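Review bot: The Deny statement on L88-L175 is a hand-maintained enumeration, and it misses mutating actions in the same families it lists: `iam:RemoveUserFromGroup` is denied but `iam:AddUserToGroup` is not, `iam:DeleteUser` is denied but `iam:CreateAccessKey` and `iam:UpdateAccessKey` are not, `iam:DeleteVirtualMFADevice` is denied but `iam:EnableMFADevice` is not, and later additions such as `iam:UpdateRole` and the permissions-boundary actions are absent. Combined with the `Allow` of `*` on `*` at L177-L181, the policy therefore does not prevent a holder from changing IAM state, which appears to be its purpose (please confirm). If listing IAM resources is not required, replace L89-L170 with the single entry `"iam:*"`; if `iam:List*` read access was deliberately left open, a wildcard explicit Deny cannot coexist with it, so the enumeration must be kept and regenerated against the current IAM action list at each review. Adding a `"Sid"` to each statement (e.g. `"Sid": "DenyIamSupportBilling"`) would also make the intent self-describing.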
\ No newline at end of file