feat: updated UserRole example
This commit is contained in:
@@ -0,0 +1,53 @@
|
||||
<!-- This readme file is generated with terraform-docs -->
|
||||
## Requirements
|
||||
|
||||
No requirements.
|
||||
|
||||
## Providers
|
||||
|
||||
| Name | Version |
|
||||
|------|---------|
|
||||
| aws | n/a |
|
||||
|
||||
## Modules
|
||||
|
||||
| Name | Source | Version |
|
||||
|------|--------|---------|
|
||||
| IamReadOnlyRole | ../modules/security_identity_compliance/iam-role-v2 | n/a |
|
||||
| iam-group | ../modules/security_identity_compliance/iam-group | n/a |
|
||||
| iam-group2 | ../modules/security_identity_compliance/iam-group | n/a |
|
||||
| iam-user1 | ../modules/security_identity_compliance/iam-user | n/a |
|
||||
| iam-user2 | ../modules/security_identity_compliance/iam-user | n/a |
|
||||
|
||||
## Resources
|
||||
|
||||
| Name | Type |
|
||||
|------|------|
|
||||
| [aws_iam_role_policy_attachment.IamReadOnlyRole](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
|
||||
| [aws_iam_policy_document.user-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
|
||||
|
||||
## Inputs
|
||||
|
||||
| Name | Description | Type | Default | Required |
|
||||
|------|-------------|------|---------|:--------:|
|
||||
| DynamicAddressGroup | n/a | `any` | n/a | yes |
|
||||
| application | n/a | `any` | n/a | yes |
|
||||
| aws-region | n/a | `any` | n/a | yes |
|
||||
| costcenter | n/a | `any` | n/a | yes |
|
||||
| customer-name | n/a | `any` | n/a | yes |
|
||||
| environment | n/a | `any` | n/a | yes |
|
||||
| owner | n/a | `any` | n/a | yes |
|
||||
| project | n/a | `any` | n/a | yes |
|
||||
|
||||
## Outputs
|
||||
|
||||
| Name | Description |
|
||||
|------|-------------|
|
||||
| iam-user1-access-key | n/a |
|
||||
| iam-user1-arn | n/a |
|
||||
| iam-user1-secret-location | n/a |
|
||||
| iam-user2-arn | n/a |
|
||||
|
||||
---
|
||||
## Authorship
|
||||
This module was developed by xpk.
|
||||
@@ -0,0 +1,103 @@
|
||||
module "iam-group" {
|
||||
source = "../modules/security_identity_compliance/iam-group"
|
||||
|
||||
iam-group-name = "ViewOnlyUsers001"
|
||||
iam-group-policy = ""
|
||||
iam-group-policy-name = ""
|
||||
managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
|
||||
}
|
||||
|
||||
module "iam-group2" {
|
||||
source = "../modules/security_identity_compliance/iam-group"
|
||||
|
||||
iam-group-name = "ViewOnlyAndS3Admin001"
|
||||
iam-group-policy = data.aws_iam_policy_document.user-policy.json
|
||||
iam-group-policy-name = "S3AdminPermissions"
|
||||
managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
|
||||
}
|
||||
|
||||
module "iam-user1" {
|
||||
source = "../modules/security_identity_compliance/iam-user"
|
||||
|
||||
iam-user-name = "JohnNotInGroup"
|
||||
create-access-key = true
|
||||
create-password = true
|
||||
managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
|
||||
}
|
||||
|
||||
module "iam-user2" {
|
||||
source = "../modules/security_identity_compliance/iam-user"
|
||||
|
||||
iam-user-name = "PeterInGroup"
|
||||
iam-user-policy = data.aws_iam_policy_document.user-policy.json
|
||||
iam-user-policy-name = "S3AdminPermissions"
|
||||
create-access-key = false
|
||||
create-password = false
|
||||
managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
|
||||
add-to-groups = [module.iam-group.iam-group-name]
|
||||
}
|
||||
|
||||
module "IamReadOnlyRole" {
|
||||
source = "../modules/security_identity_compliance/iam-role-v2"
|
||||
trusted-entity = "ec2.amazonaws.com"
|
||||
description = "IAM role with read only access. Data decryption is denied"
|
||||
path = "/Management/"
|
||||
policies = {
|
||||
DenyDataAccess = {
|
||||
description = "Block data access by denying kms decryption"
|
||||
policy = jsonencode(
|
||||
{
|
||||
Version = "2012-10-17"
|
||||
Statement = [
|
||||
{
|
||||
Sid = "DenyKMSDecrypt"
|
||||
Effect = "Deny"
|
||||
Action = "kms:Decrypt"
|
||||
Resource = "*"
|
||||
Condition = {
|
||||
StringNotLike = {
|
||||
"kms:EncryptionContext:aws:cloudtrail:arn" = "arn:aws:cloudtrail:*:*:trail/*"
|
||||
"kms:EncryptionContext:aws:logs:arn" = "arn:aws:logs:*:*:log-group:*"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy_attachment" "IamReadOnlyRole" {
|
||||
role = module.IamReadOnlyRole.name
|
||||
policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
|
||||
}
|
||||
|
||||
data "aws_iam_policy_document" "user-policy" {
|
||||
statement {
|
||||
sid = "s3admin"
|
||||
|
||||
actions = [
|
||||
"s3:*"
|
||||
]
|
||||
|
||||
effect = "Allow"
|
||||
resources = ["*"]
|
||||
}
|
||||
}
|
||||
|
||||
output "iam-user1-arn" {
|
||||
value = module.iam-user1.iam-user-arn
|
||||
}
|
||||
|
||||
output "iam-user2-arn" {
|
||||
value = module.iam-user2.iam-user-arn
|
||||
}
|
||||
|
||||
output "iam-user1-access-key" {
|
||||
value = module.iam-user1.iam-user-access-key
|
||||
}
|
||||
|
||||
output "iam-user1-secret-location" {
|
||||
value = module.iam-user1.iam-user-secret-arn
|
||||
}
|
||||
@@ -0,0 +1,21 @@
|
||||
variable "aws-region" {}
|
||||
variable "customer-name" {}
|
||||
variable "environment" {}
|
||||
variable "project" {}
|
||||
variable "application" {}
|
||||
variable "owner" {}
|
||||
variable "costcenter" {}
|
||||
variable "DynamicAddressGroup" {}
|
||||
|
||||
locals {
|
||||
default-tags = {
|
||||
ServiceProvider = "RackspaceTechnology"
|
||||
Environment = var.environment
|
||||
Project = var.project
|
||||
Application = var.application
|
||||
TerraformMode = "managed"
|
||||
Owner = var.owner
|
||||
TerraformDir = join("/", reverse(slice(reverse(split("/", path.cwd)), 0, 2)))
|
||||
}
|
||||
resource-prefix = "${var.environment}-substr(${var.aws-region},0,2)-${var.customer-name}-${var.project}"
|
||||
}
|
||||
Reference in New Issue
Block a user