103 lines
2.8 KiB
Terraform
103 lines
2.8 KiB
Terraform
module "iam-group" {
|
|
source = "../modules/security_identity_compliance/iam-group"
|
|
|
|
iam-group-name = "ViewOnlyUsers001"
|
|
iam-group-policy = ""
|
|
iam-group-policy-name = ""
|
|
managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
|
|
}
|
|
|
|
module "iam-group2" {
|
|
source = "../modules/security_identity_compliance/iam-group"
|
|
|
|
iam-group-name = "ViewOnlyAndS3Admin001"
|
|
iam-group-policy = data.aws_iam_policy_document.user-policy.json
|
|
iam-group-policy-name = "S3AdminPermissions"
|
|
managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
|
|
}
|
|
|
|
module "iam-user1" {
|
|
source = "../modules/security_identity_compliance/iam-user"
|
|
|
|
iam-user-name = "JohnNotInGroup"
|
|
create-access-key = true
|
|
create-password = true
|
|
managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
|
|
}
|
|
|
|
module "iam-user2" {
|
|
source = "../modules/security_identity_compliance/iam-user"
|
|
|
|
iam-user-name = "PeterInGroup"
|
|
iam-user-policy = data.aws_iam_policy_document.user-policy.json
|
|
iam-user-policy-name = "S3AdminPermissions"
|
|
create-access-key = false
|
|
create-password = false
|
|
managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
|
|
add-to-groups = [module.iam-group.iam-group-name]
|
|
}
|
|
|
|
module "IamReadOnlyRole" {
|
|
source = "../modules/security_identity_compliance/iam-role-v2"
|
|
trusted-entity = "ec2.amazonaws.com"
|
|
description = "IAM role with read only access. Data decryption is denied"
|
|
path = "/Management/"
|
|
policies = {
|
|
DenyDataAccess = {
|
|
description = "Block data access by denying kms decryption"
|
|
policy = jsonencode(
|
|
{
|
|
Version = "2012-10-17"
|
|
Statement = [
|
|
{
|
|
Sid = "DenyKMSDecrypt"
|
|
Effect = "Deny"
|
|
Action = "kms:Decrypt"
|
|
Resource = "*"
|
|
Condition = {
|
|
StringNotLike = {
|
|
"kms:EncryptionContext:aws:cloudtrail:arn" = "arn:aws:cloudtrail:*:*:trail/*"
|
|
"kms:EncryptionContext:aws:logs:arn" = "arn:aws:logs:*:*:log-group:*"
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|
|
)
|
|
}
|
|
}
|
|
}
|
|
|
|
resource "aws_iam_role_policy_attachment" "IamReadOnlyRole" {
|
|
role = module.IamReadOnlyRole.name
|
|
policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
|
|
}
|
|
|
|
data "aws_iam_policy_document" "user-policy" {
|
|
statement {
|
|
sid = "s3admin"
|
|
|
|
actions = [
|
|
"s3:*"
|
|
]
|
|
|
|
effect = "Allow"
|
|
resources = ["*"]
|
|
}
|
|
}
|
|
|
|
output "iam-user1-arn" {
|
|
value = module.iam-user1.iam-user-arn
|
|
}
|
|
|
|
output "iam-user2-arn" {
|
|
value = module.iam-user2.iam-user-arn
|
|
}
|
|
|
|
output "iam-user1-access-key" {
|
|
value = module.iam-user1.iam-user-access-key
|
|
}
|
|
|
|
output "iam-user1-secret-location" {
|
|
value = module.iam-user1.iam-user-secret-arn
|
|
} |