initial commit
@@ -0,0 +1,128 @@
|
||||
/*
|
||||
Create IAM roles based on job functions
|
||||
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html
|
||||
|
||||
- Administrator
|
||||
- Billing
|
||||
- Database admin
|
||||
- Network admin
|
||||
- Developers
|
||||
- Readonly and support
|
||||
*/
|
||||
|
||||
data aws_caller_identity this {}
|
||||
|
||||
data aws_iam_policy_document assume-role-policy {
|
||||
statement {
|
||||
sid = "AllowMyAccount"
|
||||
effect = "Allow"
|
||||
actions = ["sts:AssumeRole"]
|
||||
principals {
|
||||
identifiers = [data.aws_caller_identity.this.account_id]
|
||||
type = "AWS"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource aws_iam_role administrator-role {
|
||||
name = "${var.customer-name}-awsadmin"
|
||||
description = "Provides full access to AWS services and resources."
|
||||
tags = var.default-tags
|
||||
assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
|
||||
path = "/${var.customer-name}/"
|
||||
max_session_duration = 7200
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy_attachment" "administrator-role-policy-attach" {
|
||||
role = aws_iam_role.administrator-role.name
|
||||
policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
|
||||
}
|
||||
|
||||
resource aws_iam_role billing-role {
|
||||
name = "${var.customer-name}-billing"
|
||||
description = "Grants permissions for billing and cost management."
|
||||
tags = var.default-tags
|
||||
assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
|
||||
path = "/${var.customer-name}/"
|
||||
max_session_duration = 3600
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy_attachment" "billing-role-policy-attach" {
|
||||
role = aws_iam_role.billing-role.name
|
||||
policy_arn = "arn:aws:iam::aws:policy/job-function/Billing"
|
||||
}
|
||||
|
||||
resource aws_iam_role dba-role {
|
||||
name = "${var.customer-name}-dba"
|
||||
description = "AWS database admin role"
|
||||
tags = var.default-tags
|
||||
assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
|
||||
path = "/${var.customer-name}/"
|
||||
max_session_duration = 7200
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy_attachment" "dba-role-policy-attach" {
|
||||
role = aws_iam_role.dba-role.name
|
||||
policy_arn = "arn:aws:iam::aws:policy/job-function/DatabaseAdministrator"
|
||||
}
|
||||
|
||||
resource aws_iam_role network-admin-role {
|
||||
name = "${var.customer-name}-networkadmin"
|
||||
description = "AWS network admin role"
|
||||
tags = var.default-tags
|
||||
assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
|
||||
path = "/${var.customer-name}/"
|
||||
max_session_duration = 7200
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy_attachment" "network-admin-role-policy-attach" {
|
||||
role = aws_iam_role.network-admin-role.name
|
||||
policy_arn = "arn:aws:iam::aws:policy/job-function/NetworkAdministrator"
|
||||
}
|
||||
|
||||
resource aws_iam_role developer-role {
|
||||
name = "${var.customer-name}-developer"
|
||||
description = "Provides full access to AWS resources excluding IAM."
|
||||
tags = var.default-tags
|
||||
assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
|
||||
path = "/${var.customer-name}/"
|
||||
max_session_duration = 7200
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy_attachment" "developer-role-policy-attach1" {
|
||||
role = aws_iam_role.developer-role.name
|
||||
policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
|
||||
}
|
||||
|
||||
resource aws_iam_role securityaudit-role {
|
||||
name = "${var.customer-name}-securityaudit"
|
||||
description = "Role to read security configuration metadata."
|
||||
tags = var.default-tags
|
||||
assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
|
||||
path = "/${var.customer-name}/"
|
||||
max_session_duration = 7200
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy_attachment" "securityaudit-role-policy-attach1" {
|
||||
role = aws_iam_role.securityaudit-role.name
|
||||
policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
|
||||
}
|
||||
|
||||
resource aws_iam_role support-role {
|
||||
name = "${var.customer-name}-support"
|
||||
description = "Role to troubleshoot and resolve issues in AWS."
|
||||
tags = var.default-tags
|
||||
assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
|
||||
path = "/${var.customer-name}/"
|
||||
max_session_duration = 7200
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy_attachment" "support-role-policy-attach1" {
|
||||
role = aws_iam_role.support-role.name
|
||||
policy_arn = "arn:aws:iam::aws:policy/job-function/SupportUser"
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy_attachment" "support-role-policy-attach2" {
|
||||
role = aws_iam_role.support-role.name
|
||||
policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
|
||||
}
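Review bot: The single `assume-role-policy` document at the top of the hunk trusts the bare account ID as an `AWS` principal, which AWS interprets as the account root, so any IAM user or role in the account whose own identity policy grants `sts:AssumeRole` can step into every role defined here — including the one carrying `AdministratorAccess` — and the separation between job functions then rests entirely on the callers' policies rather than on the roles' trust. The statement carries no `condition`, so neither MFA nor a source-identity/ExternalId check gates that escalation. I would at minimum require an MFA-authenticated session on the trust statement (below) and consider giving the administrator role its own narrower trust document that lists explicit principal ARNs instead of the account. The header comment also lists "Readonly and support" but omits the `securityaudit` role the hunk defines; add `- Security audit` to that list so the comment matches the roles.
```hcl
data aws_iam_policy_document assume-role-policy {
  statement {
    # … unchanged: sid, effect, actions, principals …

    # Only MFA-authenticated sessions may assume these roles; with a bare
    # account-ID principal, every identity in the account that holds
    # sts:AssumeRole could otherwise reach the AdministratorAccess role.
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}
```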
|
||||