# Roles assumed in CICD server (CodePipeline/CodeBuild) and also assumed when locally running the deployment
# https://aws.amazon.com/premiumsupport/knowledge-center/codebuild-temporary-credentials-docker/
#
# automation_testing: role used for deployments into the testing environment. It receives the
# AWS-managed SecurityAudit read-only policy plus the tag-scoped automation_testing_limit policy
# (both attached further down in this file).
#
# Trust policy (who may call sts:AssumeRole on this role):
#   - "Service": codebuild.amazonaws.com           -> CodeBuild
#   - "AWS": <account id>                           -> the whole account. A bare account ID is the
#                                                     shorthand for the account root, so any IAM
#                                                     principal in the account that itself holds an
#                                                     sts:AssumeRole permission for this ARN can
#                                                     assume the role.
#   - "AWS": aws_iam_role.codebuild_assume_role.arn -> a role that is not defined in this file
# NOTE(review): the account-wide trust entry is broad; if only the pipeline role and a known set
# of operators should deploy, list those principals instead of the account ID. The
# codebuild.amazonaws.com entry carries no aws:SourceAccount / aws:SourceArn condition, so it is
# not pinned to a particular CodeBuild project or account (confused-deputy guard) — confirm this
# is acceptable for the deployment setup.
# Depends on data.aws_caller_identity.current and local.tags, both declared outside this file.
resource "aws_iam_role" "automation_testing" {
name = "automation_testing"
tags = local.tags
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "codebuild.amazonaws.com",
"AWS": [ "${data.aws_caller_identity.current.account_id}", "${aws_iam_role.codebuild_assume_role.arn}" ]
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
# Read-only baseline shared by both automation roles: the AWS-managed SecurityAudit policy.
# It is resolved by name (partition-independent) and attached by ARN in the attachment
# resources below. SecurityAudit is a configuration/metadata read policy rather than a
# data-plane one (verify against the current managed policy document), so "any AWS
# resource" here means "the configuration of any resource".
data "aws_iam_policy" "automation_readonly" {
  name = "SecurityAudit"
}
# Attach SecurityAudit to the testing role.
# aws_iam_role_policy_attachment is used deliberately instead of aws_iam_policy_attachment:
# the latter is *exclusive* (it claims every attachment of the policy it manages). The same
# AWS-managed policy is attached to two roles in this file, so an exclusive attachment would
# make consecutive Terraform runs detach and re-attach it.
# Details: https://github.com/hashicorp/terraform/issues/6045
# and the warning at: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment
resource "aws_iam_role_policy_attachment" "automation_testing_readonly" {
  policy_arn = data.aws_iam_policy.automation_readonly.arn
  role       = aws_iam_role.automation_testing.name
}
# Allow write access to any AWS resource, based on tags
# https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html
# https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html
# https://aws.amazon.com/premiumsupport/knowledge-center/iam-tag-based-restriction-policies/
#
# automation_testing_limit: Allow "*" on "*" except where the target resource carries the tag
# environment=production (StringNotLike is case-sensitive, so e.g. "Production" would not be
# excluded).
#
# NOTE(review): negated operators such as StringNotLike evaluate to TRUE when the condition key
# is absent from the request. aws:ResourceTag/environment is absent for any resource without an
# "environment" tag, for resource types that do not support tagging, and typically for create /
# list calls that do not act on an existing resource. All of those therefore fall inside this
# Allow, so the effective grant is "everything except resources already tagged production",
# not "testing resources only". Adding "Null": { "aws:ResourceTag/environment": "false" } to the
# condition would require the tag to be present, but would likely also block creating new
# resources — confirm which scope is intended before tightening.
# NOTE(review): "Action": [ "*" ] includes iam:* and sts:*, so the role can create and modify IAM
# roles and policies (possibly including this role and policy, depending on what local.tags
# contains). If the deployment does not need IAM writes, consider excluding them via NotAction
# or a separate, tighter statement.
resource "aws_iam_policy" "automation_testing_limit" {
name = "automation_testing_limit"
tags = local.tags
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowOnlyForChosenEnvironment",
"Effect": "Allow",
"Action": [ "*" ],
"Resource": "*",
"Condition": {
"StringNotLike": {
"aws:ResourceTag/environment": [ "production" ]
}
}
}
]
}
EOF
}
# Attach the tag-scoped write policy to the testing role (non-exclusive attachment, same
# reasoning as for the SecurityAudit attachment).
resource "aws_iam_role_policy_attachment" "automation_testing_limit" {
  role       = aws_iam_role.automation_testing.name
  policy_arn = aws_iam_policy.automation_testing_limit.arn
}
# automation_production: role used for deployments into the production environment. It receives
# the same AWS-managed SecurityAudit read-only policy and the tag-scoped
# automation_production_limit policy (both attached further down in this file).
#
# The trust policy is identical to automation_testing's: the CodeBuild service principal, the
# whole account by ID (shorthand for the account root, i.e. any IAM principal in the account that
# holds an sts:AssumeRole permission for this ARN), and aws_iam_role.codebuild_assume_role, which
# is not defined in this file. Every principal that can assume the testing role can therefore
# also assume the production role; the only separation between the two is the tag condition in
# the attached "limit" policies.
# NOTE(review): for a production deployer consider a narrower principal list (the pipeline role
# and named operators rather than the account ID), an aws:SourceAccount / aws:SourceArn condition
# on the codebuild.amazonaws.com entry, and possibly an MFA condition for the human path.
# Depends on data.aws_caller_identity.current and local.tags, both declared outside this file.
resource "aws_iam_role" "automation_production" {
name = "automation_production"
tags = local.tags
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "codebuild.amazonaws.com",
"AWS": [ "${data.aws_caller_identity.current.account_id}", "${aws_iam_role.codebuild_assume_role.arn}" ]
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
# Attach SecurityAudit to the production role. Non-exclusive attachment on purpose: the same
# managed policy is also attached to the testing role, and an exclusive
# aws_iam_policy_attachment would flap between the two on every run.
resource "aws_iam_role_policy_attachment" "automation_production_readonly" {
  policy_arn = data.aws_iam_policy.automation_readonly.arn
  role       = aws_iam_role.automation_production.name
}
# automation_production_limit: mirror of automation_testing_limit with the excluded tag value
# flipped — Allow "*" on "*" except where the target resource carries the tag environment=testing
# (StringNotLike is case-sensitive).
#
# NOTE(review): StringNotLike evaluates to TRUE when aws:ResourceTag/environment is absent from
# the request, i.e. for resources without an "environment" tag, for untaggable resource types,
# and typically for create / list calls. Those are all allowed here, so this grants "everything
# except resources already tagged testing" rather than "production resources only". A
# "Null": { "aws:ResourceTag/environment": "false" } condition would require the tag to be
# present but would likely also block resource creation — confirm the intended scope.
# NOTE(review): "Action": [ "*" ] includes iam:* and sts:*, so this role can create and modify
# IAM roles and policies (possibly including itself, depending on local.tags); consider
# excluding IAM writes via NotAction or a separate tighter statement if they are not needed.
resource "aws_iam_policy" "automation_production_limit" {
name = "automation_production_limit"
tags = local.tags
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowOnlyForChosenEnvironment",
"Effect": "Allow",
"Action": [ "*" ],
"Resource": "*",
"Condition": {
"StringNotLike": {
"aws:ResourceTag/environment": [ "testing" ]
}
}
}
]
}
EOF
}
# Attach the tag-scoped write policy to the production role (non-exclusive attachment).
resource "aws_iam_role_policy_attachment" "automation_production_limit" {
  role       = aws_iam_role.automation_production.name
  policy_arn = aws_iam_policy.automation_production_limit.arn
}