
Removes path restrictions for mdr_terraformer role

To be tagged v5.4.0
Fred Damstra [afs macbook] 2 years ago
parent
commit
5713a943b8

+ 2 - 5
submodules/iam/okta_saml_roles/policy-mdr_terraformer.tf

@@ -19,17 +19,14 @@ data "aws_iam_policy_document" "mdr_terraformer" {
     ]
   }
   statement {
-    sid    = "AllowPassRoleForSpecificRoleTypes"
+    sid    = "AllowPassRole"
     effect = "Allow"
     actions = [
       "iam:PassRole",
     ]
     # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
-      "arn:${local.aws_partition}:iam::${local.aws_account}:role/instance/*",
-      "arn:${local.aws_partition}:iam::${local.aws_account}:role/lambda/*",
-      "arn:${local.aws_partition}:iam::${local.aws_account}:role/aws_services/*",
-      "arn:${local.aws_partition}:iam::${local.aws_account}:role/fargate/*",
+      "arn:${local.aws_partition}:iam::${local.aws_account}:role/*"
     ]
   }
 
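Review bot: The new `resources` entry on line 30 grants `iam:PassRole` over every role in the account, which lets this principal hand any role — including ones far more privileged than the Terraform role itself — to any service that accepts a role, so the path prefixes that were removed were the only thing bounding that escalation. The inline note on line 24 says the wildcard is tolerated only until permissions are baselined and then locked down, but this change widens the grant instead, and the same widening (plus removal of the explicit legacy-role list) is repeated in the hunk for submodules/iam/standard_iam_policies/policy-mdr_terraformer.tf. If the path-based split cannot be kept, the statement should at least carry a `condition` on `iam:PassedToService` so the role can only be passed to the services Terraform actually provisions; the service list below is a constructed example to be replaced with the project's real set. The `data "aws_iam_policy_document"` block itself begins outside this hunk.
```hcl
  statement {
    sid    = "AllowPassRole"
    # … unchanged: effect, actions, tfsec comment, resources …
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["<SERVICE_PRINCIPAL_1>", "<SERVICE_PRINCIPAL_2>"]  # constructed placeholders — fill from the services this role deploys to
    }
  }
```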

+ 2 - 26
submodules/iam/standard_iam_policies/policy-mdr_terraformer.tf

@@ -19,37 +19,14 @@ data "aws_iam_policy_document" "mdr_terraformer" {
     ]
   }
   statement {
-    sid    = "AllowPassRoleForSpecificRoleTypes"
+    sid    = "AllowPassRole"
     effect = "Allow"
     actions = [
       "iam:PassRole",
     ]
     # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
-      "arn:${local.aws_partition}:iam::${local.aws_account}:role/instance/*",
-      "arn:${local.aws_partition}:iam::${local.aws_account}:role/lambda/*",
-      "arn:${local.aws_partition}:iam::${local.aws_account}:role/aws_services/*",
-      "arn:${local.aws_partition}:iam::${local.aws_account}:role/fargate/*",
-    ]
-  }
-
-  statement {
-    sid    = "AllowPassRoleForLegacyAccountRoles"
-    effect = "Allow"
-    actions = [
-      "iam:PassRole",
-    ]
-
-    resources = [
-      "arn:${local.aws_partition}:iam::${local.aws_account}:role/vault-instance-role",
-      "arn:${local.aws_partition}:iam::${local.aws_account}:role/splunk-aws-instance-role",
-      "arn:${local.aws_partition}:iam::${local.aws_account}:role/salt-master-instance-role",
-      "arn:${local.aws_partition}:iam::${local.aws_account}:role/portal-instance-role",
-      "arn:${local.aws_partition}:iam::${local.aws_account}:role/portal-data-sync-lambda-role",
-      "arn:${local.aws_partition}:iam::${local.aws_account}:role/msoc-default-instance-role",
-      "arn:${local.aws_partition}:iam::${local.aws_account}:role/ecsFargateTaskExecutionRole",
-      "arn:${local.aws_partition}:iam::${local.aws_account}:role/dlm-lifecycle-role",
-      "arn:${local.aws_partition}:iam::${local.aws_account}:role/codebuild_role",
+      "arn:${local.aws_partition}:iam::${local.aws_account}:role/*"
     ]
   }
 
@@ -77,4 +54,3 @@ resource "aws_iam_policy" "mdr_terraformer" {
   path   = "/user/"
   policy = data.aws_iam_policy_document.mdr_terraformer.json
 }
-