Basic developer

policies/FIAM-COMMON-IAM-EC2.json

@@ -10,7 +10,7 @@
                 "iam:AddRoleToInstanceProfile",
                 "iam:RemoveRoleFromInstanceProfile"
             ],
-            "Resource": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:instance-profile/${aws:PrincipalTag/IAM:NamePrefix}*"
+            "Resource": "arn:aws:iam::${account}:instance-profile/$${aws:PrincipalTag/IAM:NamePrefix}*"
         }
     ]
 }

policies/FIAM-COMMON-IAMBasics.json

@@ -9,10 +9,10 @@
                 "iam:CreateRole",
                 "iam:AttachRolePolicy"
             ],
-            "Resource": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${aws:PrincipalTag/IAM:NamePrefix}*",
+            "Resource": "arn:aws:iam::${account}:role/$${aws:PrincipalTag/IAM:NamePrefix}*",
             "Condition": {
                 "StringEquals": {
-                    "iam:PermissionsBoundary": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/${aws:PrincipalTag/IAM:PermissionsBoundary}"
+                    "iam:PermissionsBoundary": "arn:aws:iam::${account}:policy/$${aws:PrincipalTag/IAM:PermissionsBoundary}"
                 }
             }
         },
@@ -20,7 +20,7 @@
             "Sid": "DeleteAppropriatelyNamedRole",
             "Effect": "Allow",
             "Action": "iam:DeleteRole",
-            "Resource": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${aws:PrincipalTag/IAM:NamePrefix}*"
+            "Resource": "arn:aws:iam::${account}:role/$${aws:PrincipalTag/IAM:NamePrefix}*"
         },
         {
             "Sid": "ModifyAppropriatelyNamedPolicies",
@@ -31,7 +31,7 @@
                 "iam:CreatePolicyVersion",
                 "iam:DeletePolicyVersion"
             ],
-            "Resource": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/${aws:PrincipalTag/IAM:NamePrefix}**"
+            "Resource": "arn:aws:iam::${account}:policy/$${aws:PrincipalTag/IAM:NamePrefix}**"
         },
         {
             "Sid": "AdditionalUsefulAccessTODO",

policies/FIAM-TESTING-assume_any_fiam_role.json

@@ -2,10 +2,10 @@
     "Version": "2012-10-17",
     "Statement": [
         {
-            "Sid": "VisualEditor0",
+            "Sid": "AssumeIntoAnyFIAM",
             "Effect": "Allow",
             "Action": "sts:AssumeRole",
-            "Resource": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/FIAM-*"
+            "Resource": "arn:aws:iam::${account}:role/FIAM-*"
         }
     ]
 }

policies/FIAM-TRUST-TrustPolicy-MFARequired.json

@@ -0,0 +1,17 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::${account}:root"
+      },
+      "Action": "sts:AssumeRole",
+      "Condition": {
+        "Bool": {
+          "aws:MultiFactorAuthPresent": "true"
+        }
+      }
+    }
+  ]
+}

policies/FIAM-TRUST-TrustPolicy.json

@@ -0,0 +1,12 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::${account}:root"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}

terraform/Policies-COMMON.tf

@@ -0,0 +1,59 @@
+resource "aws_iam_policy" "FIAM-COMMON-RestrictRegions" {
+  name = "FIAM-COMMON-RestrictRegions"
+  path = "/FIAM/"
+  description = "Basic for delegated IAM"
+  policy = "${data.template_file.FIAM-COMMON-RestrictRegions.rendered}"
+}
+
+data "template_file" "FIAM-COMMON-RestrictRegions" {
+  template = "${file("../policies/FIAM-COMMON-RestrictRegions.json")}"
+
+  vars = {
+    account = "${data.aws_caller_identity.current.account_id}"
+  }
+}
+
+resource "aws_iam_policy" "FIAM-COMMON-RestrictServices" {
+  name = "FIAM-COMMON-RestrictServices"
+  path = "/FIAM/"
+  description = "Basic for delegated IAM"
+  policy = "${data.template_file.FIAM-COMMON-RestrictServices.rendered}"
+}
+
+data "template_file" "FIAM-COMMON-RestrictServices" {
+  template = "${file("../policies/FIAM-COMMON-RestrictServices.json")}"
+
+  vars = {
+    account = "${data.aws_caller_identity.current.account_id}"
+  }
+}
+
+resource "aws_iam_policy" "FIAM-COMMON-IAMBasics" {
+  name = "FIAM-COMMON-IAMBasics"
+  path = "/FIAM/"
+  description = "Basic for delegated IAM"
+  policy = "${data.template_file.FIAM-COMMON-IAMBasics.rendered}"
+}
+
+data "template_file" "FIAM-COMMON-IAMBasics" {
+  template = "${file("../policies/FIAM-COMMON-IAMBasics.json")}"
+
+  vars = {
+    account = "${data.aws_caller_identity.current.account_id}"
+  }
+}
+
+resource "aws_iam_policy" "FIAM-COMMON-IAM-EC2" {
+  name = "FIAM-COMMON-IAM-EC2"
+  path = "/FIAM/"
+  description = "EC2 permissiosns for delegated IAM access"
+  policy = "${data.template_file.FIAM-COMMON-IAM-EC2.rendered}"
+}
+
+data "template_file" "FIAM-COMMON-IAM-EC2" {
+  template = "${file("../policies/FIAM-COMMON-IAM-EC2.json")}"
+
+  vars = {
+    account = "${data.aws_caller_identity.current.account_id}"
+  }
+}

terraform/Role-FIAM-Developer.tf

@@ -0,0 +1,37 @@
+resource "aws_iam_role" "FIAM-Developer" {
+  name = "FIAM-Developer"
+  assume_role_policy = "${data.template_file.trust_policy.rendered}"
+  tags = {
+    "IAM:PermissionsBoundary" = "FIAM-BOUNDARY-Developer"
+    "IAM:NamePrefix" = "FIAM-DEV"
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "FIAM-Developer-FIAM-COMMON-RestrictRegions" {
+  role       = "${aws_iam_role.FIAM-Developer.name}"
+  policy_arn = "${aws_iam_policy.FIAM-COMMON-RestrictRegions.arn}"
+}
+
+resource "aws_iam_role_policy_attachment" "FIAM-Developer-FIAM-COMMON-RestrictServices" {
+  role       = "${aws_iam_role.FIAM-Developer.name}"
+  policy_arn = "${aws_iam_policy.FIAM-COMMON-RestrictServices.arn}"
+}
+
+resource "aws_iam_role_policy_attachment" "FIAM-Developer-FIAM-COMMON-IAMBasics" {
+  role       = "${aws_iam_role.FIAM-Developer.name}"
+  policy_arn = "${aws_iam_policy.FIAM-COMMON-IAMBasics.arn}"
+}
+
+resource "aws_iam_role_policy_attachment" "FIAM-Developer-FIAM-COMMON-IAM-EC2" {
+  role       = "${aws_iam_role.FIAM-Developer.name}"
+  policy_arn = "${aws_iam_policy.FIAM-COMMON-IAM-EC2.arn}"
+}
+
+data "template_file" "trust_policy" {
+  template = "${file("../policies/FIAM-TRUST-TrustPolicy.json")}"
+  #template = "${file("../policies/FIAM-TRUST-TrustPolicy-MFARequired.json")}"
+
+  vars = {
+    account = "${data.aws_caller_identity.current.account_id}"
+  }
+}

terraform/testuser.tf

@@ -0,0 +1,43 @@
+resource "aws_iam_user" "testuser" {
+  name = "testuser"
+  path = "/FIAMS/"
+
+  tags = {
+    project = "FIAMS"
+  }
+
+  force_destroy = true
+}
+
+data "template_file" "FIAM-TESTING-assume_any_fiam_role" {
+  template = "${file("../policies/FIAM-TESTING-assume_any_fiam_role.json")}"
+
+  vars = {
+    account = "${data.aws_caller_identity.current.account_id}"
+  }
+}
+
+resource "aws_iam_policy" "FIAM-TESTING-assume_any_fiam_role" {
+  name        = "FIAM-TESTING-assume_any_fiam_role"
+  description = "Assume any FIAM role"
+  policy      = "${data.template_file.FIAM-TESTING-assume_any_fiam_role.rendered}"
+}
+
+resource "aws_iam_user_policy_attachment" "FIAM-TESTING-assume_any_fiam_role" {
+  user       = "${aws_iam_user.testuser.name}"
+  policy_arn = "${aws_iam_policy.FIAM-TESTING-assume_any_fiam_role.arn}"
+}
+
+resource "aws_iam_user_login_profile" "testuser" {
+  user    = "${aws_iam_user.testuser.name}"
+  pgp_key = "keybase:fdamstra"
+}
+
+output "testuser_password" {
+  # to decrypt, run: terraform output testuser_password | base64 --decode | keybase --standalone pgp decrypt
+  value = "${aws_iam_user_login_profile.testuser.encrypted_password}"
+}
+
+output "testuser_password_instructions" {
+  value = "Execute:  terraform output testuser_password | base64 --decode | keybase pgp decrypt"
+}