feat: updated UserRole example
This commit is contained in:
@@ -0,0 +1,53 @@
|
||||
<!-- This readme file is generated with terraform-docs -->
|
||||
## Requirements
|
||||
|
||||
No requirements.
|
||||
|
||||
## Providers
|
||||
|
||||
| Name | Version |
|
||||
|------|---------|
|
||||
| aws | n/a |
|
||||
|
||||
## Modules
|
||||
|
||||
| Name | Source | Version |
|
||||
|------|--------|---------|
|
||||
| IamReadOnlyRole | ../modules/security_identity_compliance/iam-role-v2 | n/a |
|
||||
| iam-group | ../modules/security_identity_compliance/iam-group | n/a |
|
||||
| iam-group2 | ../modules/security_identity_compliance/iam-group | n/a |
|
||||
| iam-user1 | ../modules/security_identity_compliance/iam-user | n/a |
|
||||
| iam-user2 | ../modules/security_identity_compliance/iam-user | n/a |
|
||||
|
||||
## Resources
|
||||
|
||||
| Name | Type |
|
||||
|------|------|
|
||||
| [aws_iam_role_policy_attachment.IamReadOnlyRole](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
|
||||
| [aws_iam_policy_document.user-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
|
||||
|
||||
## Inputs
|
||||
|
||||
| Name | Description | Type | Default | Required |
|
||||
|------|-------------|------|---------|:--------:|
|
||||
| DynamicAddressGroup | n/a | `any` | n/a | yes |
|
||||
| application | n/a | `any` | n/a | yes |
|
||||
| aws-region | n/a | `any` | n/a | yes |
|
||||
| costcenter | n/a | `any` | n/a | yes |
|
||||
| customer-name | n/a | `any` | n/a | yes |
|
||||
| environment | n/a | `any` | n/a | yes |
|
||||
| owner | n/a | `any` | n/a | yes |
|
||||
| project | n/a | `any` | n/a | yes |
|
||||
|
||||
## Outputs
|
||||
|
||||
| Name | Description |
|
||||
|------|-------------|
|
||||
| iam-user1-access-key | n/a |
|
||||
| iam-user1-arn | n/a |
|
||||
| iam-user1-secret-location | n/a |
|
||||
| iam-user2-arn | n/a |
|
||||
|
||||
---
|
||||
## Authorship
|
||||
This module was developed by xpk.
|
||||
@@ -1,5 +1,5 @@
|
||||
module "iam-group" {
|
||||
source = "../../modules/security_identity_compliance/iam-group"
|
||||
source = "../modules/security_identity_compliance/iam-group"
|
||||
|
||||
iam-group-name = "ViewOnlyUsers001"
|
||||
iam-group-policy = ""
|
||||
@@ -8,7 +8,7 @@ module "iam-group" {
|
||||
}
|
||||
|
||||
module "iam-group2" {
|
||||
source = "../../modules/security_identity_compliance/iam-group"
|
||||
source = "../modules/security_identity_compliance/iam-group"
|
||||
|
||||
iam-group-name = "ViewOnlyAndS3Admin001"
|
||||
iam-group-policy = data.aws_iam_policy_document.user-policy.json
|
||||
@@ -17,7 +17,7 @@ module "iam-group2" {
|
||||
}
|
||||
|
||||
module "iam-user1" {
|
||||
source = "../../modules/security_identity_compliance/iam-user"
|
||||
source = "../modules/security_identity_compliance/iam-user"
|
||||
|
||||
iam-user-name = "JohnNotInGroup"
|
||||
create-access-key = true
|
||||
@@ -26,7 +26,7 @@ module "iam-user1" {
|
||||
}
|
||||
|
||||
module "iam-user2" {
|
||||
source = "../../modules/security_identity_compliance/iam-user"
|
||||
source = "../modules/security_identity_compliance/iam-user"
|
||||
|
||||
iam-user-name = "PeterInGroup"
|
||||
iam-user-policy = data.aws_iam_policy_document.user-policy.json
|
||||
@@ -37,6 +37,42 @@ module "iam-user2" {
|
||||
add-to-groups = [module.iam-group.iam-group-name]
|
||||
}
|
||||
|
||||
module "IamReadOnlyRole" {
|
||||
source = "../modules/security_identity_compliance/iam-role-v2"
|
||||
trusted-entity = "ec2.amazonaws.com"
|
||||
description = "IAM role with read only access. Data decryption is denied"
|
||||
path = "/Management/"
|
||||
policies = {
|
||||
DenyDataAccess = {
|
||||
description = "Block data access by denying kms decryption"
|
||||
policy = jsonencode(
|
||||
{
|
||||
Version = "2012-10-17"
|
||||
Statement = [
|
||||
{
|
||||
Sid = "DenyKMSDecrypt"
|
||||
Effect = "Deny"
|
||||
Action = "kms:Decrypt"
|
||||
Resource = "*"
|
||||
Condition = {
|
||||
StringNotLike = {
|
||||
"kms:EncryptionContext:aws:cloudtrail:arn" = "arn:aws:cloudtrail:*:*:trail/*"
|
||||
"kms:EncryptionContext:aws:logs:arn" = "arn:aws:logs:*:*:log-group:*"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy_attachment" "IamReadOnlyRole" {
|
||||
role = module.IamReadOnlyRole.name
|
||||
policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
|
||||
}
|
||||
|
||||
data "aws_iam_policy_document" "user-policy" {
|
||||
statement {
|
||||
sid = "s3admin"
|
||||
@@ -62,6 +98,6 @@ output "iam-user1-access-key" {
|
||||
value = module.iam-user1.iam-user-access-key
|
||||
}
|
||||
|
||||
output iam-user1-secret-location {
|
||||
output "iam-user1-secret-location" {
|
||||
value = module.iam-user1.iam-user-secret-arn
|
||||
}
|
||||
@@ -1,8 +0,0 @@
|
||||
aws-region = "ap-southeast-1"
|
||||
customer-name = "ken2026"
|
||||
environment = "dev"
|
||||
project = "iac"
|
||||
application = "terraform"
|
||||
costcenter = "none"
|
||||
DynamicAddressGroup = ""
|
||||
owner = "Rackspace"
|
||||
Reference in New Issue
Block a user