صفحهٔ اصلی گشت‌و‌گذار راهنما
ثبت نام ورود
AFS
/
xdr-terraform-modules
2
0
انشعاب 0
پرونده‌ها مشکلات 0 درخواست واکشی 0 ویکی
شاخه: master
شاخه‌ها تگ‌ها
xdr-terraform-m...
/
submodules
/
iam
/
standard_iam_policies
/
policy-mdr_readonly_assumerole.tf

policy-mdr_readonly_assumerole.tf 2.2 KB
لینک دائمی تاريخچه خام

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455 
  1. #------------------------------------------------------------------------------------------
    2. 

  2. # A Read Only Engineer.  Assumption is this is everyone's normal working
    3. 

  3. # role day-to-day in the AWS console.  When you need it, you then elevate
    4. 

  4. # to mdr_terraformer.
    5. 

  5. #
    6. 

  6. # Note this is NOT JUST READ ONLY ACCESS.  This should only be
    7. 

  7. # assigned to ENGINEERS who you expect will able to make changes
    8. 

  8. # as needed.  
    9. 

  9. #------------------------------------------------------------------------------------------
    10. 

  10. data "aws_iam_policy_document" "mdr_engineer_readonly_assumerole" {
    11. 

  11.   statement {
    12. 

  12.     sid    = "AllowPassRoleForSpecificRoleTypes"
    13. 

  13.     effect = "Allow"
    14. 

  14.     actions = [
    15. 

  15.       "iam:PassRole",
    16. 

  16.     ]
    17. 

  17.     # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
    18. 

  18.     resources = [
    19. 

  19.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/instance/*",
    20. 

  20.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/lambda/*",
    21. 

  21.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/aws_services/*",
    22. 

  22.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/fargate/*",
    23. 

  23.     ]
    24. 

  24.   }
    25. 

  25. 

  26.   statement {
    27. 

  27.     sid    = "AssumeThisRoleInOtherAccounts"
    28. 

  28.     effect = "Allow"
    29. 

  29.     actions = [
    30. 

  30.       "sts:AssumeRole"
    31. 

  31.     ]
    32. 

  32.     # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
    33. 

  33.     resources = [
    34. 

  34.       "arn:${local.aws_partition}:iam::*:role/user/mdr_engineer_readonly",
    35. 

  35.       "arn:${local.aws_partition}:iam::*:role/user/mdr_developer_readonly",
    36. 

  36. 

  37.       # Give a readonly engineer the ability if needed to elevate to terraformer
    38. 

  38.       # In order to make changes when needed.  
    39. 

  39.       "arn:${local.aws_partition}:iam::*:role/user/mdr_terraformer",
    40. 

  40. 

  41.       # These two are the legacy roles in the older AWS accounts. 
    42. 

  42.       # Adding them in the hope we'll be able to get AssumeRole from
    43. 

  43.       # one central place to everything...
    44. 

  44.       "arn:${local.aws_partition}:iam::*:role/mdr_powerusers",
    45. 

  45.       "arn:${local.aws_partition}:iam::*:role/mdr_iam_admins",
    46. 

  46.     ]
    47. 

  47.   }
    48. 

  48. }
    49. 

  49. 

  50. resource "aws_iam_policy" "mdr_engineer_readonly_assumerole" {
    51. 

  51.   name   = "mdr_engineer_readonly_assumerole"
    52. 

  52.   path   = "/user/"
    53. 

  53.   policy = data.aws_iam_policy_document.mdr_engineer_readonly_assumerole.json
    54. 

  54. }
    55. 

  55.