1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859 |
- resource "aws_iam_role" "mdr_developer" {
- name = "mdr_developer"
- path = "/user/"
- assume_role_policy = data.aws_iam_policy_document.non_saml_assume_role_policy_developer.json
- max_session_duration = 28800
- }
- resource "aws_iam_role_policy_attachment" "mdr_developer-mdr_developer" {
- role = aws_iam_role.mdr_developer.name
- policy_arn = aws_iam_policy.mdr_developer.arn
- }
- # I don't _think_ developers need support access, but in case that changes:
- #resource aws_iam_role_policy_attachment "mdr_terraformer-AWSSupportAccess" {
- # role = aws_iam_role.mdr_terraformer.name
- # policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AWSSupportAccess"
- #}
- resource "aws_iam_role_policy_attachment" "mdr_developer_ViewOnlyAccess" {
- # no poitn in giving _less_ access for switching roles
- role = aws_iam_role.mdr_developer.name
- policy_arn = "arn:${local.aws_partition}:iam::aws:policy/job-function/ViewOnlyAccess"
- }
- data "aws_iam_policy_document" "mdr_developer" {
- # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. We use wildcards in policies
- statement {
- sid = "S3Access"
- effect = "Allow"
- actions = [
- "s3:*"
- ]
- # These resources might not exist yet
- resources = [
- "arn:${local.aws_partition}:s3:::afsxdr-binaries",
- "arn:${local.aws_partition}:s3:::afsxdr-binaries/*",
- "arn:${local.aws_partition}:s3:::xdr-trumpet*",
- "arn:${local.aws_partition}:s3:::xdr-trumpet*/*",
- ]
- }
- statement {
- sid = "AssumeThisRoleInOtherAccounts"
- effect = "Allow"
- actions = [
- "sts:AssumeRole"
- ]
- resources = [
- "arn:${local.aws_partition}:iam::*:role/user/mdr_developer",
- ]
- }
- }
- resource "aws_iam_policy" "mdr_developer" {
- name = "mdr_developer"
- path = "/user/"
- policy = data.aws_iam_policy_document.mdr_developer.json
- }