xpk/terraform.examples
SHA256
1
0
Fork 0
Code Pull Requests Activity
Files
09ce4c881a30ee61ba5a3d5946a127b1f5a0eded820019459f44c490f6df6a58
terraform.examples/modules/security_identity_compliance/roles_iam_resources/cloudhealth-role.tf
T
xpk 09ce4c881a initial commit
2026-02-13 15:44:24 +08:00

169 lines
5.1 KiB
Terraform
Raw Blame History

resource "aws_iam_role" "cloudhealth-role" {
count = var.create-cloudhealth-resources ? 1 : 0
name = "CloudHealth-Role"
tags = var.default-tags
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::454464851268:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": [
"${var.cloudheath-ext-id1}",
"${var.cloudheath-ext-id2}"
]
}
}
}
]
}
EOF
}
resource "aws_iam_policy" "CloudHealth-Policy" {
count = var.create-cloudhealth-resources ? 1 : 0
name = "CloudHealthPolicy"
policy = jsonencode(
{
"Version" : "2012-10-17",
"Statement" : [
{
"Sid" : "CloudhealthAccess",
"Action" : [
"autoscaling:Describe*",
"cloudformation:ListStacks",
"cloudformation:ListStackResources",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStackResources",
"cloudformation:GetTemplate",
"cloudfront:Get*",
"cloudfront:List*",
"cloudtrail:DescribeTrails",
"cloudtrail:ListTags",
"cloudtrail:Get*",
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"config:Get*",
"config:Describe*",
"config:Deliver*",
"config:List*",
"cur:Describe*",
"dms:Describe*",
"dms:List*",
"dynamodb:DescribeTable",
"dynamodb:List*",
"ec2:Describe*",
"ec2:DescribeRegions",
"ec2:GetReservedInstancesExchangeQuote",
"ecs:List*",
"ecs:Describe*",
"elasticache:Describe*",
"elasticache:ListTagsForResource",
"elasticbeanstalk:Check*",
"elasticbeanstalk:Describe*",
"elasticbeanstalk:List*",
"elasticbeanstalk:RequestEnvironmentInfo",
"elasticbeanstalk:RetrieveEnvironmentInfo",
"elasticfilesystem:Describe*",
"elasticloadbalancing:Describe*",
"elasticmapreduce:Describe*",
"elasticmapreduce:List*",
"es:List*",
"es:Describe*",
"es:DescribeReservedElasticsearchInstances",
"firehose:ListDeliveryStreams",
"firehose:DescribeDeliveryStream",
"fsx:Describe*",
"iam:List*",
"iam:Get*",
"iam:GenerateCredentialReport",
"kinesis:Describe*",
"kinesis:List*",
"kms:DescribeKey",
"kms:GetKeyRotationStatus",
"kms:ListKeys",
"lambda:List*",
"logs:Describe*",
"logs:List*",
"organizations:ListAccounts",
"organizations:ListTagsForResource",
"redshift:Describe*",
"route53:Get*",
"route53:List*",
"rds:Describe*",
"rds:ListTagsForResource",
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketPolicy",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:List*",
"sagemaker:Describe*",
"sagemaker:List*",
"savingsplans:DescribeSavingsPlans",
"sdb:GetAttributes",
"sdb:List*",
"ses:Get*",
"ses:List*",
"sns:Get*",
"sns:List*",
"sqs:GetQueueAttributes",
"sqs:ListQueues",
"storagegateway:List*",
"storagegateway:Describe*",
"workspaces:Describe*"
],
"Resource" : "*",
"Effect" : "Allow"
},
{
"Sid" : "FineGrainedBillingAccess",
"Action" : [
"account:Get*",
"billing:Get*",
"billing:List*",
"ce:Describe*",
"ce:Get*",
"ce:List*",
"consolidatedbilling:GetAccountBillingRole",
"consolidatedbilling:ListLinkedAccounts",
"cur:Get*",
"cur:ValidateReportDestination",
"freetier:Get*",
"invoicing:Get*",
"invoicing:List*",
"payments:Get*",
"payments:List*",
"purchase-orders:Get*",
"purchase-orders:List*",
"tax:Get*",
"tax:List*"
],
"Resource" : "*",
"Effect" : "Allow"
}
]
}
)
}
resource "aws_iam_role_policy_attachment" "cloudhealth-role-policy-attach" {
count = var.create-cloudhealth-resources ? 1 : 0
role = aws_iam_role.cloudhealth-role[1].name
policy_arn = aws_iam_policy.CloudHealth-Policy[1].arn
}
View Git Blame Copy Permalink