| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106 |
- resource "aws_iam_policy" "mdradmin_tfstate_setup" {
- name = "mdradmmin_tfstate_setup"
- path = "/bootstrap/"
- description = "Gives MDRAdmin account rights needed to set up tfstate management"
- policy = data.aws_iam_policy_document.mdradmin_tfstate_setup.json
- }
- data "aws_iam_policy_document" "mdradmin_tfstate_setup" {
- statement {
- sid = "DynamoDBTablesAndLocking"
- actions = [ # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
- "dynamodb:*"
- ]
- resources = [
- "arn:${local.aws_partition}:dynamodb:${local.aws_region}:${local.aws_account}:table/${var.lock_table_name}"
- ]
- condition {
- test = "BoolIfExists"
- variable = "aws:MultiFactorAuthPresent"
- values = [
- true
- ]
- }
- }
- statement {
- sid = "DynamoDBTablesAndLocking2"
- actions = [
- "dynamodb:ListTables"
- ]
- resources = [
- "arn:${local.aws_partition}:dynamodb:${local.aws_region}:${local.aws_account}:table/*"
- ]
- condition {
- test = "BoolIfExists"
- variable = "aws:MultiFactorAuthPresent"
- values = [
- true
- ]
- }
- }
- statement {
- sid = "KMSKeyCreate"
- actions = [ # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
- "kms:CreateAlias",
- "kms:CreateKey",
- "kms:List*",
- "kms:DeleteAlias",
- "kms:DeleteKey"
- ]
- # I wish I could scope this down to just specific keys
- # But I don't think it's possible
- # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
- resources = [
- "*"
- ]
- condition {
- test = "BoolIfExists"
- variable = "aws:MultiFactorAuthPresent"
- values = [
- true
- ]
- }
- }
- statement {
- sid = "S3ManageStateBucket"
- actions = [ # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
- "s3:CreateBucket",
- "s3:DeleteBucket",
- "s3:ListBucket",
- "s3:Get*",
- "s3:Put*"
- ]
- resources = [
- "arn:${local.aws_partition}:s3:::${var.bucket_name}"
- ]
- condition {
- test = "BoolIfExists"
- variable = "aws:MultiFactorAuthPresent"
- values = [
- true
- ]
- }
- }
- statement { # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
- sid = "S3ObjectOperations"
- actions = [
- "s3:PutObject*",
- "s3:GetObject*",
- "s3:DeleteObject*"
- ]
- # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
- resources = [
- "arn:${local.aws_partition}:s3:::${var.bucket_name}/*"
- ]
- condition {
- test = "BoolIfExists"
- variable = "aws:MultiFactorAuthPresent"
- values = [
- true
- ]
- }
- }
- }
|
