initial commit

2026-02-13 15:44:24 +08:00
parent 66be8224f4
commit 09ce4c881a
570 changed files with 61807 additions and 0 deletions
@@ -0,0 +1,19 @@
+# Overview
+This module performs the following tasks
+
+- Create IAM roles based on job functions
+- Create IAM password policy
+- Enable IAM access analyzer
+
+## Inputs:
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:-----:|
+| application | name of application | string | none | yes |
+| environment | capacity of environment (prd/dev/lab) | string | none | yes | 
+| customer-name | owner of aws resources | string | none | yes |
+| project | name of project | string | none | yes |
+| default-tags | tags to be added to resources | list | none | yes | 
+| aws-region-short | short name of aws region (e.g. apne1) | string | none | yes |
+| create-cloudhealth-resources | create cloudhealth role | bool | none | yes |
+| cloudheath-ext-id1 | cloudhealth role external id for sts | string | none | no |
+| cloudheath-ext-id2 | cloudhealth role external id for sts | string | none | no |
@@ -0,0 +1,4 @@
+resource "aws_accessanalyzer_analyzer" "iam-aa" {
+  analyzer_name = "IAMAcecssAnalyzer"
+  tags = var.default-tags
+}
@@ -0,0 +1,168 @@
+resource "aws_iam_role" "cloudhealth-role" {
+  count              = var.create-cloudhealth-resources ? 1 : 0
+  name               = "CloudHealth-Role"
+  tags               = var.default-tags
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::454464851268:root"
+      },
+      "Action": "sts:AssumeRole",
+      "Condition": {
+        "StringEquals": {
+          "sts:ExternalId": [
+            "${var.cloudheath-ext-id1}",
+            "${var.cloudheath-ext-id2}"
+          ]
+        }
+      }
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_policy" "CloudHealth-Policy" {
+  count = var.create-cloudhealth-resources ? 1 : 0
+  name  = "CloudHealthPolicy"
+  policy = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Sid" : "CloudhealthAccess",
+          "Action" : [
+            "autoscaling:Describe*",
+            "cloudformation:ListStacks",
+            "cloudformation:ListStackResources",
+            "cloudformation:DescribeStacks",
+            "cloudformation:DescribeStackEvents",
+            "cloudformation:DescribeStackResources",
+            "cloudformation:GetTemplate",
+            "cloudfront:Get*",
+            "cloudfront:List*",
+            "cloudtrail:DescribeTrails",
+            "cloudtrail:ListTags",
+            "cloudtrail:Get*",
+            "cloudwatch:Describe*",
+            "cloudwatch:Get*",
+            "cloudwatch:List*",
+            "config:Get*",
+            "config:Describe*",
+            "config:Deliver*",
+            "config:List*",
+            "cur:Describe*",
+            "dms:Describe*",
+            "dms:List*",
+            "dynamodb:DescribeTable",
+            "dynamodb:List*",
+            "ec2:Describe*",
+            "ec2:DescribeRegions",
+            "ec2:GetReservedInstancesExchangeQuote",
+            "ecs:List*",
+            "ecs:Describe*",
+            "elasticache:Describe*",
+            "elasticache:ListTagsForResource",
+            "elasticbeanstalk:Check*",
+            "elasticbeanstalk:Describe*",
+            "elasticbeanstalk:List*",
+            "elasticbeanstalk:RequestEnvironmentInfo",
+            "elasticbeanstalk:RetrieveEnvironmentInfo",
+            "elasticfilesystem:Describe*",
+            "elasticloadbalancing:Describe*",
+            "elasticmapreduce:Describe*",
+            "elasticmapreduce:List*",
+            "es:List*",
+            "es:Describe*",
+            "es:DescribeReservedElasticsearchInstances",
+            "firehose:ListDeliveryStreams",
+            "firehose:DescribeDeliveryStream",
+            "fsx:Describe*",
+            "iam:List*",
+            "iam:Get*",
+            "iam:GenerateCredentialReport",
+            "kinesis:Describe*",
+            "kinesis:List*",
+            "kms:DescribeKey",
+            "kms:GetKeyRotationStatus",
+            "kms:ListKeys",
+            "lambda:List*",
+            "logs:Describe*",
+            "logs:List*",
+            "organizations:ListAccounts",
+            "organizations:ListTagsForResource",
+            "redshift:Describe*",
+            "route53:Get*",
+            "route53:List*",
+            "rds:Describe*",
+            "rds:ListTagsForResource",
+            "s3:GetAccountPublicAccessBlock",
+            "s3:GetBucketAcl",
+            "s3:GetBucketLocation",
+            "s3:GetBucketLogging",
+            "s3:GetBucketPolicy",
+            "s3:GetBucketPolicyStatus",
+            "s3:GetBucketPublicAccessBlock",
+            "s3:GetBucketTagging",
+            "s3:GetBucketVersioning",
+            "s3:GetBucketWebsite",
+            "s3:List*",
+            "sagemaker:Describe*",
+            "sagemaker:List*",
+            "savingsplans:DescribeSavingsPlans",
+            "sdb:GetAttributes",
+            "sdb:List*",
+            "ses:Get*",
+            "ses:List*",
+            "sns:Get*",
+            "sns:List*",
+            "sqs:GetQueueAttributes",
+            "sqs:ListQueues",
+            "storagegateway:List*",
+            "storagegateway:Describe*",
+            "workspaces:Describe*"
+          ],
+          "Resource" : "*",
+          "Effect" : "Allow"
+        },
+        {
+          "Sid" : "FineGrainedBillingAccess",
+          "Action" : [
+            "account:Get*",
+            "billing:Get*",
+            "billing:List*",
+            "ce:Describe*",
+            "ce:Get*",
+            "ce:List*",
+            "consolidatedbilling:GetAccountBillingRole",
+            "consolidatedbilling:ListLinkedAccounts",
+            "cur:Get*",
+            "cur:ValidateReportDestination",
+            "freetier:Get*",
+            "invoicing:Get*",
+            "invoicing:List*",
+            "payments:Get*",
+            "payments:List*",
+            "purchase-orders:Get*",
+            "purchase-orders:List*",
+            "tax:Get*",
+            "tax:List*"
+          ],
+          "Resource" : "*",
+          "Effect" : "Allow"
+        }
+      ]
+    }
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "cloudhealth-role-policy-attach" {
+  count      = var.create-cloudhealth-resources ? 1 : 0
+  role       = aws_iam_role.cloudhealth-role[1].name
+  policy_arn = aws_iam_policy.CloudHealth-Policy[1].arn
+}
+
@@ -0,0 +1,11 @@
+resource "aws_iam_account_password_policy" "password-policy1" {
+  minimum_password_length        = 14
+  require_lowercase_characters   = true
+  require_numbers                = true
+  require_uppercase_characters   = true
+  require_symbols                = true
+  allow_users_to_change_password = true
+  max_password_age = 90
+  password_reuse_prevention = 24
+  hard_expiry = true
+}
@@ -0,0 +1,128 @@
+/*
+ Create IAM roles based on job functions
+ https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html
+
+ - Administrator
+ - Billing
+ - Database admin
+ - Network admin
+ - Developers
+ - Readonly and support
+*/
+
+data aws_caller_identity this {}
+
+data aws_iam_policy_document assume-role-policy {
+  statement {
+    sid = "AllowMyAccount"
+    effect = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      identifiers = [data.aws_caller_identity.this.account_id]
+      type = "AWS"
+    }
+  }
+}
+
+resource aws_iam_role administrator-role {
+  name = "${var.customer-name}-awsadmin"
+  description = "Provides full access to AWS services and resources."
+  tags = var.default-tags
+  assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
+  path = "/${var.customer-name}/"
+  max_session_duration = 7200
+}
+
+resource "aws_iam_role_policy_attachment" "administrator-role-policy-attach" {
+  role       = aws_iam_role.administrator-role.name
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+
+resource aws_iam_role billing-role {
+  name = "${var.customer-name}-billing"
+  description = "Grants permissions for billing and cost management."
+  tags = var.default-tags
+  assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
+  path = "/${var.customer-name}/"
+  max_session_duration = 3600
+}
+
+resource "aws_iam_role_policy_attachment" "billing-role-policy-attach" {
+  role       = aws_iam_role.billing-role.name
+  policy_arn = "arn:aws:iam::aws:policy/job-function/Billing"
+}
+
+resource aws_iam_role dba-role {
+  name = "${var.customer-name}-dba"
+  description = "AWS database admin role"
+  tags = var.default-tags
+  assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
+  path = "/${var.customer-name}/"
+  max_session_duration = 7200
+}
+
+resource "aws_iam_role_policy_attachment" "dba-role-policy-attach" {
+  role       = aws_iam_role.dba-role.name
+  policy_arn = "arn:aws:iam::aws:policy/job-function/DatabaseAdministrator"
+}
+
+resource aws_iam_role network-admin-role {
+  name = "${var.customer-name}-networkadmin"
+  description = "AWS network admin role"
+  tags = var.default-tags
+  assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
+  path = "/${var.customer-name}/"
+  max_session_duration = 7200
+}
+
+resource "aws_iam_role_policy_attachment" "network-admin-role-policy-attach" {
+  role       = aws_iam_role.network-admin-role.name
+  policy_arn = "arn:aws:iam::aws:policy/job-function/NetworkAdministrator"
+}
+
+resource aws_iam_role developer-role {
+  name = "${var.customer-name}-developer"
+  description = "Provides full access to AWS resources excluding IAM."
+  tags = var.default-tags
+  assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
+  path = "/${var.customer-name}/"
+  max_session_duration = 7200
+}
+
+resource "aws_iam_role_policy_attachment" "developer-role-policy-attach1" {
+  role       = aws_iam_role.developer-role.name
+  policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
+}
+
+resource aws_iam_role securityaudit-role {
+  name = "${var.customer-name}-securityaudit"
+  description = "Role to read security configuration metadata."
+  tags = var.default-tags
+  assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
+  path = "/${var.customer-name}/"
+  max_session_duration = 7200
+}
+
+resource "aws_iam_role_policy_attachment" "securityaudit-role-policy-attach1" {
+  role       = aws_iam_role.securityaudit-role.name
+  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
+}
+
+resource aws_iam_role support-role {
+  name = "${var.customer-name}-support"
+  description = "Role to troubleshoot and resolve issues in AWS."
+  tags = var.default-tags
+  assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
+  path = "/${var.customer-name}/"
+  max_session_duration = 7200
+}
+
+resource "aws_iam_role_policy_attachment" "support-role-policy-attach1" {
+  role       = aws_iam_role.support-role.name
+  policy_arn = "arn:aws:iam::aws:policy/job-function/SupportUser"
+}
+
+resource "aws_iam_role_policy_attachment" "support-role-policy-attach2" {
+  role       = aws_iam_role.support-role.name
+  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+}
@@ -0,0 +1,20 @@
+variable "customer-name" {}
+variable "default-tags" {}
+variable "cloudtrail-retain-days" {
+  type = number
+  default = 90
+}
+
+variable "create-cloudhealth-resources" {
+  type = bool
+  default = false
+}
+
+variable "cloudheath-ext-id1" {
+  type = string
+  default = ""
+}
+variable "cloudheath-ext-id2" {
+  type = string
+  default = ""
+}