Главная Обзор Помощь
Регистрация Вход
AFS
/
xdr-terraform-modules
2
0
Ответвить 0
Файлы Задачи 0 Запросы на слияние 0 Вики
Дерево: 42219a4ea9
Ветки Метки
xdr-terraform-m...
/
thirdparty
/
terraform-aws-github-runner
/
modules
/
setup-iam-permissions
/
policies
/
deploy-boundary.json

deploy-boundary.json 2.6 KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101 
  1. {
    2. 

  2.   "Version": "2012-10-17",
    3. 

  3.   "Statement": [
    4. 

  4.     {
    5. 

  5.       "Sid": "CreateOrChangeOnlyWithBoundary",
    6. 

  6.       "Effect": "Allow",
    7. 

  7.       "Action": [
    8. 

  8.         "iam:CreateRole",
    9. 

  9.         "iam:AttachRolePolicy",
    10. 

  10.         "iam:PutRolePermissionsBoundary",
    11. 

  11.         "iam:PutRolePolicy"
    12. 

  12.       ],
    13. 

  13.       "Resource": "arn:${aws_partition}:iam::${account_id}:role/${role_namespace}/*",
    14. 

  14.       "Condition": {
    15. 

  15.         "StringEquals": {
    16. 

  16.           "iam:PermissionsBoundary": "${permission_boundary}"
    17. 

  17.         }
    18. 

  18.       }
    19. 

  19.     },
    20. 

  20.     {
    21. 

  21.       "Sid": "RoleInNamespace",
    22. 

  22.       "Effect": "Allow",
    23. 

  23.       "Action": [
    24. 

  24.         "iam:TagRole",
    25. 

  25.         "iam:GetRolePolicy",
    26. 

  26.         "iam:GetRole",
    27. 

  27.         "iam:DeleteRole",
    28. 

  28.         "iam:PassRole",
    29. 

  29.         "iam:DetachRolePolicy",
    30. 

  30.         "iam:DeleteRolePolicy"
    31. 

  31.       ],
    32. 

  32.       "Resource": "arn:${aws_partition}:iam::${account_id}:role/${role_namespace}/*"
    33. 

  33.     },
    34. 

  34.     {
    35. 

  35.       "Sid": "PolicyInNamespace",
    36. 

  36.       "Effect": "Allow",
    37. 

  37.       "Action": [
    38. 

  38.         "iam:CreatePolicy",
    39. 

  39.         "iam:DeletePolicy",
    40. 

  40.         "iam:DeletePolicyVersion",
    41. 

  41.         "iam:GetPolicy",
    42. 

  42.         "iam:GetPolicyVersion",
    43. 

  43.         "iam:SetDefaultPolicyVersion"
    44. 

  44.       ],
    45. 

  45.       "Resource": "arn:${aws_partition}:iam::${account_id}:policy/${policy_namespace}/*"
    46. 

  46.     },
    47. 

  47.     {
    48. 

  48.       "Sid": "InstanceProfileInNamespace",
    49. 

  49.       "Effect": "Allow",
    50. 

  50.       "Action": [
    51. 

  51.         "iam:CreateInstanceProfile",
    52. 

  52.         "iam:RemoveRoleFromInstanceProfile",
    53. 

  53.         "iam:DeleteInstanceProfile",
    54. 

  54.         "iam:AddRoleToInstanceProfile",
    55. 

  55.         "iam:GetInstanceProfile"
    56. 

  56.       ],
    57. 

  57.       "Resource": "arn:${aws_partition}:iam::${account_id}:instance-profile/${instance_profile_namespace}/*"
    58. 

  58.     },
    59. 

  59.     {
    60. 

  60.       "Sid": "IamListActions",
    61. 

  61.       "Effect": "Allow",
    62. 

  62.       "Action": [
    63. 

  63.         "iam:ListInstanceProfilesForRole",
    64. 

  64.         "iam:ListPolicies",
    65. 

  65.         "iam:ListPolicyVersions",
    66. 

  66.         "iam:ListEntitiesForPolicy",
    67. 

  67.         "iam:ListRolePolicies",
    68. 

  68.         "iam:ListAttachedRolePolicies"
    69. 

  69.       ],
    70. 

  70.       "Resource": "*"
    71. 

  71.     },
    72. 

  72.     {
    73. 

  73.       "Sid": "NoBoundaryPolicyEdit",
    74. 

  74.       "Effect": "Deny",
    75. 

  75.       "Action": [
    76. 

  76.         "iam:CreatePolicyVersion",
    77. 

  77.         "iam:DeletePolicy",
    78. 

  78.         "iam:DeletePolicyVersion",
    79. 

  79.         "iam:SetDefaultPolicyVersion"
    80. 

  80.       ],
    81. 

  81.       "Resource": "arn:${aws_partition}:iam::${account_id}:policy/${boundary_namespace}/*"
    82. 

  82.     },
    83. 

  83.     {
    84. 

  84.       "Sid": "Services",
    85. 

  85.       "Effect": "Allow",
    86. 

  86.       "Action": [
    87. 

  87.         "s3:*",
    88. 

  88.         "ec2:*",
    89. 

  89.         "events:*",
    90. 

  90.         "logs:*",
    91. 

  91.         "lambda:*",
    92. 

  92.         "sqs:*",
    93. 

  93.         "ssm:*",
    94. 

  94.         "apigateway:*",
    95. 

  95.         "resource-groups:*",
    96. 

  96.         "kms:*"
    97. 

  97.       ],
    98. 

  98.       "Resource": "*"
    99. 

  99.     }
    100. 

  100.   ]
    101. 

  101. }
    102.