| 1234567891011121314151617181920212223242526272829 |
- #------------------------------------------------------------------------------------------
- # A Read Only Developer. Assumption is this is everyone's normal working
- # role day-to-day in the AWS console. When you need it, you then elevate
- # to mdr_terraformer.
- #
- # This has the exact same permissions in the common services accounts as
- # mdr_engineer_readonly, except the cross-domain trusts will be different
- # so that someone with "developer" cannot assumerole into production accounts
- #------------------------------------------------------------------------------------------
- module "role-mdr_developer_readonly" {
- source = "./modules/saml_linked_role"
- name = "mdr_developer_readonly"
- account_friendly_name = aws_iam_account_alias.alias.account_alias
- path = "/user/"
- assume_role_policy = data.aws_iam_policy_document.okta_saml_assume_role_policy.json
- okta_app_id = data.okta_app.awsapp.id
- }
- resource "aws_iam_role_policy_attachment" "mdr_devloper_readonly_ViewOnlyAccess" {
- role = module.role-mdr_developer_readonly.name
- policy_arn = "arn:${local.aws_partition}:iam::aws:policy/job-function/ViewOnlyAccess"
- }
- resource "aws_iam_role_policy_attachment" "mdr_developer_readonly_assumerole" {
- role = module.role-mdr_developer_readonly.name
- policy_arn = module.standard_iam_policies.arns["mdr_readonly_assumerole"]
- }
|
