Home Explore Help
Register Sign In
AFS
/
xdr-terraform-modules
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: e5aad51271
Branches Tags
xdr-terraform-m...
/
submodules
/
iam
/
common_services_roles
/
role-mdr_developer.tf

role-mdr_developer.tf 2.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960 
  1. resource "aws_iam_role" "mdr_developer" {
    2. 

  2.   name                 = "mdr_developer"
    3. 

  3.   path                 = "/user/"
    4. 

  4.   assume_role_policy   = data.aws_iam_policy_document.non_saml_assume_role_policy_developer.json
    5. 

  5.   max_session_duration = 28800
    6. 

  6. }
    7. 

  7. 

  8. resource "aws_iam_role_policy_attachment" "mdr_developer-mdr_developer" {
    9. 

  9.   role       = aws_iam_role.mdr_developer.name
    10. 

  10.   policy_arn = aws_iam_policy.mdr_developer.arn
    11. 

  11. }
    12. 

  12. 

  13. # I don't _think_ developers need support access, but in case that changes:
    14. 

  14. #resource aws_iam_role_policy_attachment "mdr_terraformer-AWSSupportAccess" {
    15. 

  15. #  role       = aws_iam_role.mdr_terraformer.name 
    16. 

  16. #  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AWSSupportAccess"
    17. 

  17. #}
    18. 

  18. 

  19. resource "aws_iam_role_policy_attachment" "mdr_developer_ViewOnlyAccess" {
    20. 

  20.   # no poitn in giving _less_ access for switching roles
    21. 

  21.   role       = aws_iam_role.mdr_developer.name
    22. 

  22.   policy_arn = "arn:${local.aws_partition}:iam::aws:policy/job-function/ViewOnlyAccess"
    23. 

  23. }
    24. 

  24. 

  25. data "aws_iam_policy_document" "mdr_developer" {
    26. 

  26.   statement {
    27. 

  27.     sid    = "S3Access"
    28. 

  28.     effect = "Allow"
    29. 

  29.     actions = [ #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
    30. 

  30.       "s3:*"
    31. 

  31.     ]
    32. 

  32. 

  33.     # These resources might not exist yet
    34. 

  34.     #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
    35. 

  35.     resources = [
    36. 

  36.       "arn:${local.aws_partition}:s3:::afsxdr-binaries",
    37. 

  37.       "arn:${local.aws_partition}:s3:::afsxdr-binaries/*",
    38. 

  38.       "arn:${local.aws_partition}:s3:::xdr-trumpet*",
    39. 

  39.       "arn:${local.aws_partition}:s3:::xdr-trumpet*/*",
    40. 

  40.     ]
    41. 

  41.   }
    42. 

  42. 

  43.   statement {
    44. 

  44.     sid    = "AssumeThisRoleInOtherAccounts"
    45. 

  45.     effect = "Allow"
    46. 

  46.     actions = [
    47. 

  47.       "sts:AssumeRole"
    48. 

  48.     ]
    49. 

  49.     #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
    50. 

  50.     resources = [
    51. 

  51.       "arn:${local.aws_partition}:iam::*:role/user/mdr_developer",
    52. 

  52.     ]
    53. 

  53.   }
    54. 

  54. }
    55. 

  55. 

  56. resource "aws_iam_policy" "mdr_developer" {
    57. 

  57.   name   = "mdr_developer"
    58. 

  58.   path   = "/user/"
    59. 

  59.   policy = data.aws_iam_policy_document.mdr_developer.json
    60. 

  60. }
    61.