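# IAM role "mdr_developer".
# The trust policy comes from the non-SAML assume-role document defined elsewhere;
# permissions are attached below (the mdr_developer managed policy plus ViewOnlyAccess).
resource "aws_iam_role" "mdr_developer" {
  name                 = "mdr_developer"
  path                 = "/user/"
  assume_role_policy   = data.aws_iam_policy_document.non_saml_assume_role_policy_developer.json
  max_session_duration = 28800 # seconds, i.e. 8 hours per session
}

# Attach the customer-managed mdr_developer policy (defined at the bottom of this file).
resource "aws_iam_role_policy_attachment" "mdr_developer-mdr_developer" {
  role       = aws_iam_role.mdr_developer.name
  policy_arn = aws_iam_policy.mdr_developer.arn
}

# I don't _think_ developers need support access, but in case that changes:
# (kept in sync with the rest of this file: it targets mdr_developer, not mdr_terraformer,
#  and uses local.aws_partition like the other ARNs here)
#resource "aws_iam_role_policy_attachment" "mdr_developer-AWSSupportAccess" {
#  role       = aws_iam_role.mdr_developer.name
#  policy_arn = "arn:${local.aws_partition}:iam::aws:policy/AWSSupportAccess"
#}

resource "aws_iam_role_policy_attachment" "mdr_developer_ViewOnlyAccess" {
  # no point in giving _less_ access for switching roles
  role       = aws_iam_role.mdr_developer.name
  policy_arn = "arn:${local.aws_partition}:iam::aws:policy/job-function/ViewOnlyAccess"
}

# Permissions granted to developers via the mdr_developer managed policy.
data "aws_iam_policy_document" "mdr_developer" {
  statement {
    sid    = "S3Access"
    effect = "Allow"
    # NOTE(review): "s3:*" covers bucket-level administrative actions on these buckets
    # (bucket policy/ACL changes, deletion), not only object read/write. Narrow this to
    # the actions developers actually need once they are known.
    actions = ["s3:*"]
    # These resources might not exist yet
    resources = [
      "arn:${local.aws_partition}:s3:::afsxdr-binaries",
      "arn:${local.aws_partition}:s3:::afsxdr-binaries/*",
      "arn:${local.aws_partition}:s3:::xdr-trumpet*",
      "arn:${local.aws_partition}:s3:::xdr-trumpet*/*",
    ]
  }

  statement {
    sid     = "AssumeThisRoleInOtherAccounts"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    # The account id is wildcarded, so the trust policy on each target mdr_developer
    # role is what actually limits which accounts can be entered from here.
    resources = [
      "arn:${local.aws_partition}:iam::*:role/user/mdr_developer",
    ]
  }
}

resource "aws_iam_policy" "mdr_developer" {
  name   = "mdr_developer"
  path   = "/user/"
  policy = data.aws_iam_policy_document.mdr_developer.json
}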