xpk/terraform.examples
SHA256
1
0
Fork 0
Code Pull Requests Activity

feat: updated UserRole example

Browse Source
This commit is contained in:
xpk
2026-03-20 07:48:36 +08:00
parent c0c08b1584
commit 8ee5379e44
4 changed files with 94 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files
UserRole/README.md
+53
View File
@@ -0,0 +1,53 @@
<!-- This readme file is generated with terraform-docs -->
## Requirements
No requirements.
## Providers
| Name | Version |
|------|---------|
| aws | n/a |
## Modules
| Name | Source | Version |
|------|--------|---------|
| IamReadOnlyRole | ../modules/security_identity_compliance/iam-role-v2 | n/a |
| iam-group | ../modules/security_identity_compliance/iam-group | n/a |
| iam-group2 | ../modules/security_identity_compliance/iam-group | n/a |
| iam-user1 | ../modules/security_identity_compliance/iam-user | n/a |
| iam-user2 | ../modules/security_identity_compliance/iam-user | n/a |
## Resources
| Name | Type |
|------|------|
| [aws_iam_role_policy_attachment.IamReadOnlyRole](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_policy_document.user-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| DynamicAddressGroup | n/a | `any` | n/a | yes |
| application | n/a | `any` | n/a | yes |
| aws-region | n/a | `any` | n/a | yes |
| costcenter | n/a | `any` | n/a | yes |
| customer-name | n/a | `any` | n/a | yes |
| environment | n/a | `any` | n/a | yes |
| owner | n/a | `any` | n/a | yes |
| project | n/a | `any` | n/a | yes |
## Outputs
| Name | Description |
|------|-------------|
| iam-user1-access-key | n/a |
| iam-user1-arn | n/a |
| iam-user1-secret-location | n/a |
| iam-user2-arn | n/a |
---
## Authorship
This module was developed by xpk.
iam.user/main.tf → UserRole/main.tf
+41 -5
View File
@@ -1,5 +1,5 @@
module "iam-group" { module "iam-group" {
source = "../../modules/security_identity_compliance/iam-group" source = "../modules/security_identity_compliance/iam-group"
iam-group-name = "ViewOnlyUsers001" iam-group-name = "ViewOnlyUsers001"
iam-group-policy = "" iam-group-policy = ""
@@ -8,7 +8,7 @@ module "iam-group" {
} }
module "iam-group2" { module "iam-group2" {
source = "../../modules/security_identity_compliance/iam-group" source = "../modules/security_identity_compliance/iam-group"
iam-group-name = "ViewOnlyAndS3Admin001" iam-group-name = "ViewOnlyAndS3Admin001"
iam-group-policy = data.aws_iam_policy_document.user-policy.json iam-group-policy = data.aws_iam_policy_document.user-policy.json
@@ -17,7 +17,7 @@ module "iam-group2" {
} }
module "iam-user1" { module "iam-user1" {
source = "../../modules/security_identity_compliance/iam-user" source = "../modules/security_identity_compliance/iam-user"
iam-user-name = "JohnNotInGroup" iam-user-name = "JohnNotInGroup"
create-access-key = true create-access-key = true
@@ -26,7 +26,7 @@ module "iam-user1" {
} }
module "iam-user2" { module "iam-user2" {
source = "../../modules/security_identity_compliance/iam-user" source = "../modules/security_identity_compliance/iam-user"
iam-user-name = "PeterInGroup" iam-user-name = "PeterInGroup"
iam-user-policy = data.aws_iam_policy_document.user-policy.json iam-user-policy = data.aws_iam_policy_document.user-policy.json
@@ -37,6 +37,42 @@ module "iam-user2" {
add-to-groups = [module.iam-group.iam-group-name] add-to-groups = [module.iam-group.iam-group-name]
} }
module "IamReadOnlyRole" {
source = "../modules/security_identity_compliance/iam-role-v2"
trusted-entity = "ec2.amazonaws.com"
description = "IAM role with read only access. Data decryption is denied"
path = "/Management/"
policies = {
DenyDataAccess = {
description = "Block data access by denying kms decryption"
policy = jsonencode(
{
Version = "2012-10-17"
Statement = [
{
Sid = "DenyKMSDecrypt"
Effect = "Deny"
Action = "kms:Decrypt"
Resource = "*"
Condition = {
StringNotLike = {
"kms:EncryptionContext:aws:cloudtrail:arn" = "arn:aws:cloudtrail:*:*:trail/*"
"kms:EncryptionContext:aws:logs:arn" = "arn:aws:logs:*:*:log-group:*"
}
}
}
]
}
)
}
}
}
resource "aws_iam_role_policy_attachment" "IamReadOnlyRole" {
role = module.IamReadOnlyRole.name
policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
data "aws_iam_policy_document" "user-policy" { data "aws_iam_policy_document" "user-policy" {
statement { statement {
sid = "s3admin" sid = "s3admin"
@@ -62,6 +98,6 @@ output "iam-user1-access-key" {
value = module.iam-user1.iam-user-access-key value = module.iam-user1.iam-user-access-key
} }
output iam-user1-secret-location { output "iam-user1-secret-location" {
value = module.iam-user1.iam-user-secret-arn value = module.iam-user1.iam-user-secret-arn
} }
iam.user/variables.tf → UserRole/variables.tf
View File
iam.user/terraform.tfvars
-8
View File
@@ -1,8 +0,0 @@
aws-region = "ap-southeast-1"
customer-name = "ken2026"
environment = "dev"
project = "iac"
application = "terraform"
costcenter = "none"
DynamicAddressGroup = ""
owner = "Rackspace"