탐색 도움말
가입하기 로그인
AFS
/
xdr-terraform-modules
2
0
포크 0
파일 이슈 0 풀 리퀘스트 0 위키
트리: ffc81e90b9
브랜치 태그
xdr-terraform-m...
/
submodules
/
iam
/
okta_saml_roles
/
policy-mdr_terraformer.tf

policy-mdr_terraformer.tf 1.6 KB
히스토리 Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455 
  1. #------------------------------------------------------------------------------------------
    2. 

  2. # A variant on PowerUserAccess that isn't so damn generous with sts:assumeRole
    3. 

  3. #------------------------------------------------------------------------------------------
    4. 

  4. data "aws_iam_policy_document" "mdr_terraformer" {
    5. 

  5.   statement {
    6. 

  6.     sid    = "AllowEverythingButAssumeRoleAndPassRole"
    7. 

  7.     effect = "Allow"
    8. 

  8.     not_actions = [
    9. 

  9.       "sts:AssumeRole",
    10. 

  10.       "iam:PassRole",
    11. 

  11.     ]
    12. 

  12.     resources = [
    13. 

  13.       "*"
    14. 

  14.     ]
    15. 

  15.   }
    16. 

  16.   statement {
    17. 

  17.     sid     = "AllowPassRoleForSpecificRoleTypes"
    18. 

  18.     effect = "Allow"
    19. 

  19.     actions = [
    20. 

  20.       "iam:PassRole",
    21. 

  21.     ]
    22. 

  22. 

  23.     resources = [
    24. 

  24.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/instance/*",
    25. 

  25.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/lambda/*",
    26. 

  26.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/aws_services/*",
    27. 

  27.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/fargate/*",
    28. 

  28.     ]
    29. 

  29.   }
    30. 

  30. 

  31.   statement {
    32. 

  32.     sid    = "AssumeThisRoleInOtherAccounts"
    33. 

  33.     effect = "Allow"
    34. 

  34.     actions = [
    35. 

  35.       "sts:AssumeRole"
    36. 

  36.     ]
    37. 

  37. 

  38.     resources = [
    39. 

  39.       "arn:${local.aws_partition}:iam::*:role/user/mdr_terraformer",
    40. 

  40. 

  41.       # These two are the legacy roles in the older AWS accounts. 
    42. 

  42.       # Adding them in the hope we'll be able to get AssumeRole from
    43. 

  43.       # one central place to everything...
    44. 

  44.       "arn:${local.aws_partition}:iam::*:role/mdr_powerusers",
    45. 

  45.       "arn:${local.aws_partition}:iam::*:role/mdr_iam_admins",
    46. 

  46.     ]
    47. 

  47.   }
    48. 

  48. }
    49. 

  49. 

  50. resource "aws_iam_policy" "mdr_terraformer" {
    51. 

  51.   name   = "mdr_terraformer"
    52. 

  52.   path   = "/user/"
    53. 

  53.   policy = data.aws_iam_policy_document.mdr_terraformer.json
    54. 

  54. }
    55. 

  55.