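/*
  Create IAM roles based on job functions
  https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html
    - Administrator
    - Billing
    - Database admin
    - Network admin
    - Developers
    - Readonly and support

  Every role below shares one trust policy (assume-role-policy): any principal
  in the current account may assume it, provided the calling session is
  MFA-authenticated. Role names are prefixed with var.customer-name and the
  roles live under the path "/${var.customer-name}/", so downstream policies
  can scope them by path.
*/

# Identity of the account Terraform runs in; its account_id is the only
# trusted principal of every role's trust policy.
data "aws_caller_identity" "this" {}

# Trust policy shared by all job-function roles.
data "aws_iam_policy_document" "assume-role-policy" {
  statement {
    sid     = "AllowMyAccount"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    # A bare account id as the AWS principal is equivalent to the account
    # root: any IAM user or role in this account that is itself permitted
    # sts:AssumeRole can assume these roles. No external account or
    # wildcard is trusted.
    principals {
      type        = "AWS"
      identifiers = [data.aws_caller_identity.this.account_id]
    }

    # These are human job-function roles, one of which carries
    # AdministratorAccess, so an MFA-authenticated calling session is
    # required. Sessions without MFA (including role chaining from an
    # instance or service role) are denied; give such workloads a role
    # of their own rather than relaxing this condition.
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

# --- Administrator -----------------------------------------------------------
# Full access to all services and resources (AWS managed AdministratorAccess).
resource "aws_iam_role" "administrator-role" {
  name                 = "${var.customer-name}-awsadmin"
  description          = "Provides full access to AWS services and resources."
  tags                 = var.default-tags
  assume_role_policy   = data.aws_iam_policy_document.assume-role-policy.json
  path                 = "/${var.customer-name}/"
  max_session_duration = 7200
}

resource "aws_iam_role_policy_attachment" "administrator-role-policy-attach" {
  role       = aws_iam_role.administrator-role.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

# --- Billing -----------------------------------------------------------------
# Billing and cost-management console access only. Note the shorter session
# limit (3600 s) compared with the other roles (7200 s).
resource "aws_iam_role" "billing-role" {
  name                 = "${var.customer-name}-billing"
  description          = "Grants permissions for billing and cost management."
  tags                 = var.default-tags
  assume_role_policy   = data.aws_iam_policy_document.assume-role-policy.json
  path                 = "/${var.customer-name}/"
  max_session_duration = 3600
}

resource "aws_iam_role_policy_attachment" "billing-role-policy-attach" {
  role       = aws_iam_role.billing-role.name
  policy_arn = "arn:aws:iam::aws:policy/job-function/Billing"
}

# --- Database administrator --------------------------------------------------
resource "aws_iam_role" "dba-role" {
  name                 = "${var.customer-name}-dba"
  description          = "AWS database admin role"
  tags                 = var.default-tags
  assume_role_policy   = data.aws_iam_policy_document.assume-role-policy.json
  path                 = "/${var.customer-name}/"
  max_session_duration = 7200
}

resource "aws_iam_role_policy_attachment" "dba-role-policy-attach" {
  role       = aws_iam_role.dba-role.name
  policy_arn = "arn:aws:iam::aws:policy/job-function/DatabaseAdministrator"
}

# --- Network administrator ---------------------------------------------------
resource "aws_iam_role" "network-admin-role" {
  name                 = "${var.customer-name}-networkadmin"
  description          = "AWS network admin role"
  tags                 = var.default-tags
  assume_role_policy   = data.aws_iam_policy_document.assume-role-policy.json
  path                 = "/${var.customer-name}/"
  max_session_duration = 7200
}

resource "aws_iam_role_policy_attachment" "network-admin-role-policy-attach" {
  role       = aws_iam_role.network-admin-role.name
  policy_arn = "arn:aws:iam::aws:policy/job-function/NetworkAdministrator"
}

# --- Developers --------------------------------------------------------------
# PowerUserAccess: broad service access but no IAM or Organizations
# management, so developers cannot grant themselves further privileges.
resource "aws_iam_role" "developer-role" {
  name                 = "${var.customer-name}-developer"
  description          = "Provides full access to AWS resources excluding IAM."
  tags                 = var.default-tags
  assume_role_policy   = data.aws_iam_policy_document.assume-role-policy.json
  path                 = "/${var.customer-name}/"
  max_session_duration = 7200
}

resource "aws_iam_role_policy_attachment" "developer-role-policy-attach1" {
  role       = aws_iam_role.developer-role.name
  policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
}

# --- Security audit ----------------------------------------------------------
# Read-only access to security-relevant configuration for auditors.
resource "aws_iam_role" "securityaudit-role" {
  name                 = "${var.customer-name}-securityaudit"
  description          = "Role to read security configuration metadata."
  tags                 = var.default-tags
  assume_role_policy   = data.aws_iam_policy_document.assume-role-policy.json
  path                 = "/${var.customer-name}/"
  max_session_duration = 7200
}

resource "aws_iam_role_policy_attachment" "securityaudit-role-policy-attach1" {
  role       = aws_iam_role.securityaudit-role.name
  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}

# --- Support / read-only -----------------------------------------------------
# The "Readonly and support" function from the header is a single role:
# SupportUser (open and manage support cases) plus ReadOnlyAccess across
# all services.
resource "aws_iam_role" "support-role" {
  name                 = "${var.customer-name}-support"
  description          = "Role to troubleshoot and resolve issues in AWS."
  tags                 = var.default-tags
  assume_role_policy   = data.aws_iam_policy_document.assume-role-policy.json
  path                 = "/${var.customer-name}/"
  max_session_duration = 7200
}

resource "aws_iam_role_policy_attachment" "support-role-policy-attach1" {
  role       = aws_iam_role.support-role.name
  policy_arn = "arn:aws:iam::aws:policy/job-function/SupportUser"
}

resource "aws_iam_role_policy_attachment" "support-role-policy-attach2" {
  role       = aws_iam_role.support-role.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}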