AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930
							#------------------------------------------------------------------------------------------
# A Read Only Engineer.  Assumption is this is everyone's normal working
# role day-to-day in the AWS console.  When you need it, you then elevate
# to mdr_terraformer.
#
# Note this is NOT JUST READ ONLY ACCESS.  This should only be
# assigned to ENGINEERS who you expect will able to make changes
# as needed.  
#------------------------------------------------------------------------------------------

module "role-mdr_engineer_readonly" {
  source = "./modules/saml_linked_role"

  name                  = "mdr_engineer_readonly"
  account_friendly_name = aws_iam_account_alias.alias.account_alias
  path                  = "/user/"
  assume_role_policy    = local.assume_role_policy
  okta_app_id           = data.okta_app.awsapp.id
  max_session_duration  = 28800
}

resource "aws_iam_role_policy_attachment" "mdr_engineer_readonly_ReadOnlyAccess" {
  role       = module.role-mdr_engineer_readonly.name
  policy_arn = "arn:${local.aws_partition}:iam::aws:policy/ReadOnlyAccess"
}

resource "aws_iam_role_policy_attachment" "mdr_engineer_readonly_assumerole" {
  role       = module.role-mdr_engineer_readonly.name
  policy_arn = aws_iam_policy.mdr_engineer_readonly_assumerole.arn
}