
Basic developer

Gogs 6 vuotta sitten
vanhempi
sitoutus
fa31d746a8

+ 1 - 1
policies/FIAM-COMMON-IAM-EC2.json

@@ -10,7 +10,7 @@
                 "iam:AddRoleToInstanceProfile",
                 "iam:RemoveRoleFromInstanceProfile"
             ],
-            "Resource": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:instance-profile/${aws:PrincipalTag/IAM:NamePrefix}*"
+            "Resource": "arn:aws:iam::${account}:instance-profile/$${aws:PrincipalTag/IAM:NamePrefix}*"
         }
     ]
 }
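Review bot: `iam:AddRoleToInstanceProfile` on the new resource line is scoped only by the instance-profile name, not by the role being added — the action has no condition key naming that role, as far as I know — so a `FIAM-DEV*` profile can be populated with any existing role in the account, including one that carries no permissions boundary. What stops an instance from actually using such a role is the scope of `iam:PassRole`, which is not in this hunk; it should be limited to `role/$${aws:PrincipalTag/IAM:NamePrefix}*` (ideally with the same `iam:PermissionsBoundary` condition the role-creation statement uses) — worth confirming in the rest of the file. One property worth recording in the policy description: if the calling principal lacks the `IAM:NamePrefix` tag, the policy variable does not resolve and the resource cannot match, so the statement fails closed rather than open. The statement enclosing these lines begins above the hunk.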

+ 4 - 4
policies/FIAM-COMMON-IAMBasics.json

@@ -9,10 +9,10 @@
                 "iam:CreateRole",
                 "iam:AttachRolePolicy"
             ],
-            "Resource": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${aws:PrincipalTag/IAM:NamePrefix}*",
+            "Resource": "arn:aws:iam::${account}:role/$${aws:PrincipalTag/IAM:NamePrefix}*",
             "Condition": {
                 "StringEquals": {
-                    "iam:PermissionsBoundary": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/${aws:PrincipalTag/IAM:PermissionsBoundary}"
+                    "iam:PermissionsBoundary": "arn:aws:iam::${account}:policy/$${aws:PrincipalTag/IAM:PermissionsBoundary}"
                 }
             }
         },
@@ -20,7 +20,7 @@
             "Sid": "DeleteAppropriatelyNamedRole",
             "Effect": "Allow",
             "Action": "iam:DeleteRole",
-            "Resource": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${aws:PrincipalTag/IAM:NamePrefix}*"
+            "Resource": "arn:aws:iam::${account}:role/$${aws:PrincipalTag/IAM:NamePrefix}*"
         },
         {
             "Sid": "ModifyAppropriatelyNamedPolicies",
@@ -31,7 +31,7 @@
                 "iam:CreatePolicyVersion",
                 "iam:DeletePolicyVersion"
             ],
-            "Resource": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/${aws:PrincipalTag/IAM:NamePrefix}**"
+            "Resource": "arn:aws:iam::${account}:policy/$${aws:PrincipalTag/IAM:NamePrefix}**"
         },
         {
             "Sid": "AdditionalUsefulAccessTODO",
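Review bot: The boundary condition in the first hunk, `arn:aws:iam::${account}:policy/$${aws:PrincipalTag/IAM:PermissionsBoundary}`, has no path component, so `StringEquals` only matches a boundary policy created at path `/`; the policies in terraform/Policies-COMMON.tf are created with `path = "/FIAM/"`, and if `FIAM-BOUNDARY-Developer` is created the same way its ARN becomes `policy/FIAM/FIAM-BOUNDARY-Developer` and `iam:CreateRole` is always denied — the boundary's definition is not in this commit, so please confirm which path it uses. The whole model also rests on the developer never being able to edit the boundary policy: `ModifyAppropriatelyNamedPolicies` grants `iam:CreatePolicyVersion` on `policy/FIAM-DEV**`, which does not reach `FIAM-BOUNDARY-Developer` today, but that invariant should be written down (the policy `description` or the README, since JSON has no comments): "the boundary and COMMON policies must never share a developer NamePrefix". The trailing `**` in the last hunk is equivalent to `*` and should be simplified. Explicit denies for `iam:DeleteRolePermissionsBoundary` and `iam:PutRolePermissionsBoundary` are not visible in these hunks; if they are not elsewhere in the file, a developer could strip the boundary from a role after creating it.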

+ 2 - 2
policies/FIAM-TESTING-assume_any_fiam_role.json

@@ -2,10 +2,10 @@
     "Version": "2012-10-17",
     "Statement": [
         {
-            "Sid": "VisualEditor0",
+            "Sid": "AssumeIntoAnyFIAM",
             "Effect": "Allow",
             "Action": "sts:AssumeRole",
-            "Resource": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/FIAM-*"
+            "Resource": "arn:aws:iam::${account}:role/FIAM-*"
         }
     ]
 }
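Review bot: `role/FIAM-*` on the new resource line also matches roles that delegated developers create under the `IAM:NamePrefix` value `FIAM-DEV` (terraform/Role-FIAM-Developer.tf), not only the provisioned FIAM roles, so this test user can assume any developer-created role whose trust policy admits it. For a testing policy that is acceptable, but the Sid and `description` should say so, e.g. `"Sid": "AssumeAnyFIAMRoleTestingOnly"`, and the policy must not be attached outside a test account. Replacing the auto-generated `VisualEditor0` Sid is a welcome cleanup.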

+ 17 - 0
policies/FIAM-TRUST-TrustPolicy-MFARequired.json

@@ -0,0 +1,17 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::${account}:root"
+      },
+      "Action": "sts:AssumeRole",
+      "Condition": {
+        "Bool": {
+          "aws:MultiFactorAuthPresent": "true"
+        }
+      }
+    }
+  ]
+}
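Review bot: The `Bool` / `aws:MultiFactorAuthPresent` check is the right form (`BoolIfExists` would admit a caller for whom the key is absent), but it does not bound how long ago MFA was performed; adding `"NumericLessThan": { "aws:MultiFactorAuthAge": "3600" }` beside it limits the window in which stolen session credentials can still assume the role. Note that this file is not the one referenced by the `trust_policy` template in terraform/Role-FIAM-Developer.tf — that reference is commented out in favour of the non-MFA variant — so as committed the MFA requirement is not in effect for `FIAM-Developer`.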

+ 12 - 0
policies/FIAM-TRUST-TrustPolicy.json

@@ -0,0 +1,12 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::${account}:root"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
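Review bot: With `arn:aws:iam::${account}:root` as the principal and no condition, this trust policy delegates the decision entirely to identity policies: any user or role in the account that is granted `sts:AssumeRole` on the FIAM role ARN can assume it, with or without MFA. This is the variant actually wired into `FIAM-Developer` (terraform/Role-FIAM-Developer.tf), so the MFA-required file alongside it is documentation only until the template reference is switched. If the intent is that only specific identities can reach FIAM roles, add an `aws:PrincipalArn` or `aws:PrincipalTag` condition here rather than relying on every identity-policy grant being scoped correctly.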

+ 59 - 0
terraform/Policies-COMMON.tf

@@ -0,0 +1,59 @@
+resource "aws_iam_policy" "FIAM-COMMON-RestrictRegions" {
+  name = "FIAM-COMMON-RestrictRegions"
+  path = "/FIAM/"
+  description = "Basic for delegated IAM"
+  policy = "${data.template_file.FIAM-COMMON-RestrictRegions.rendered}"
+}
+
+data "template_file" "FIAM-COMMON-RestrictRegions" {
+  template = "${file("../policies/FIAM-COMMON-RestrictRegions.json")}"
+
+  vars = {
+    account = "${data.aws_caller_identity.current.account_id}"
+  }
+}
+
+resource "aws_iam_policy" "FIAM-COMMON-RestrictServices" {
+  name = "FIAM-COMMON-RestrictServices"
+  path = "/FIAM/"
+  description = "Basic for delegated IAM"
+  policy = "${data.template_file.FIAM-COMMON-RestrictServices.rendered}"
+}
+
+data "template_file" "FIAM-COMMON-RestrictServices" {
+  template = "${file("../policies/FIAM-COMMON-RestrictServices.json")}"
+
+  vars = {
+    account = "${data.aws_caller_identity.current.account_id}"
+  }
+}
+
+resource "aws_iam_policy" "FIAM-COMMON-IAMBasics" {
+  name = "FIAM-COMMON-IAMBasics"
+  path = "/FIAM/"
+  description = "Basic for delegated IAM"
+  policy = "${data.template_file.FIAM-COMMON-IAMBasics.rendered}"
+}
+
+data "template_file" "FIAM-COMMON-IAMBasics" {
+  template = "${file("../policies/FIAM-COMMON-IAMBasics.json")}"
+
+  vars = {
+    account = "${data.aws_caller_identity.current.account_id}"
+  }
+}
+
+resource "aws_iam_policy" "FIAM-COMMON-IAM-EC2" {
+  name = "FIAM-COMMON-IAM-EC2"
+  path = "/FIAM/"
+  description = "EC2 permissiosns for delegated IAM access"
+  policy = "${data.template_file.FIAM-COMMON-IAM-EC2.rendered}"
+}
+
+data "template_file" "FIAM-COMMON-IAM-EC2" {
+  template = "${file("../policies/FIAM-COMMON-IAM-EC2.json")}"
+
+  vars = {
+    account = "${data.aws_caller_identity.current.account_id}"
+  }
+}
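Review bot: The `description` on `FIAM-COMMON-RestrictRegions` and `FIAM-COMMON-RestrictServices` is the copy-pasted `"Basic for delegated IAM"`, which tells a console reader nothing about what the two policies restrict; something like `description = "Deny use of services outside the allowed set for delegated IAM roles"` (and the region equivalent) is worth the line, and `"EC2 permissiosns..."` has a typo. The escaping convention the JSON files now depend on is not stated anywhere; a header comment such as `# Policy JSON is rendered through template_file so ${account} can be injected; literal IAM policy variables must be written $${aws:...}` would save the next author from a silently broken policy. The four resource/template pairs differ only by name; the `"${...}"` interpolation style suggests Terraform 0.11, where resource `for_each` is not available, so the repetition is acceptable for now. `data.aws_caller_identity.current` is assumed to be declared elsewhere in the module.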

+ 37 - 0
terraform/Role-FIAM-Developer.tf

@@ -0,0 +1,37 @@
+resource "aws_iam_role" "FIAM-Developer" {
+  name = "FIAM-Developer"
+  assume_role_policy = "${data.template_file.trust_policy.rendered}"
+  tags = {
+    "IAM:PermissionsBoundary" = "FIAM-BOUNDARY-Developer"
+    "IAM:NamePrefix" = "FIAM-DEV"
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "FIAM-Developer-FIAM-COMMON-RestrictRegions" {
+  role       = "${aws_iam_role.FIAM-Developer.name}"
+  policy_arn = "${aws_iam_policy.FIAM-COMMON-RestrictRegions.arn}"
+}
+
+resource "aws_iam_role_policy_attachment" "FIAM-Developer-FIAM-COMMON-RestrictServices" {
+  role       = "${aws_iam_role.FIAM-Developer.name}"
+  policy_arn = "${aws_iam_policy.FIAM-COMMON-RestrictServices.arn}"
+}
+
+resource "aws_iam_role_policy_attachment" "FIAM-Developer-FIAM-COMMON-IAMBasics" {
+  role       = "${aws_iam_role.FIAM-Developer.name}"
+  policy_arn = "${aws_iam_policy.FIAM-COMMON-IAMBasics.arn}"
+}
+
+resource "aws_iam_role_policy_attachment" "FIAM-Developer-FIAM-COMMON-IAM-EC2" {
+  role       = "${aws_iam_role.FIAM-Developer.name}"
+  policy_arn = "${aws_iam_policy.FIAM-COMMON-IAM-EC2.arn}"
+}
+
+data "template_file" "trust_policy" {
+  template = "${file("../policies/FIAM-TRUST-TrustPolicy.json")}"
+  #template = "${file("../policies/FIAM-TRUST-TrustPolicy-MFARequired.json")}"
+
+  vars = {
+    account = "${data.aws_caller_identity.current.account_id}"
+  }
+}
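Review bot: The `IAM:NamePrefix` value `FIAM-DEV` has no trailing delimiter, so the resource globs in the COMMON policies (`role/FIAM-DEV*`, `instance-profile/FIAM-DEV*`, `policy/FIAM-DEV**`) also cover any future `FIAM-DEVOPS-*` names and — since IAM does not distinguish case in role names, depending on how the ARN glob is evaluated — possibly `FIAM-Developer` itself, which would let the delegated role delete or re-trust its own role; `"IAM:NamePrefix" = "FIAM-DEV-"` removes that ambiguity. The `trust_policy` template selects the non-MFA trust policy with the MFA variant left as a commented-out line; a `variable "require_mfa"` driving a conditional template path would make the choice explicit and reviewable instead of a comment toggle. The role itself carries no `permissions_boundary`; that is defensible because its attached policies are the limit, but a one-line comment saying so would stop a reviewer from flagging it.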

+ 43 - 0
terraform/testuser.tf

@@ -0,0 +1,43 @@
+resource "aws_iam_user" "testuser" {
+  name = "testuser"
+  path = "/FIAMS/"
+
+  tags = {
+    project = "FIAMS"
+  }
+
+  force_destroy = true
+}
+
+data "template_file" "FIAM-TESTING-assume_any_fiam_role" {
+  template = "${file("../policies/FIAM-TESTING-assume_any_fiam_role.json")}"
+
+  vars = {
+    account = "${data.aws_caller_identity.current.account_id}"
+  }
+}
+
+resource "aws_iam_policy" "FIAM-TESTING-assume_any_fiam_role" {
+  name        = "FIAM-TESTING-assume_any_fiam_role"
+  description = "Assume any FIAM role"
+  policy      = "${data.template_file.FIAM-TESTING-assume_any_fiam_role.rendered}"
+}
+
+resource "aws_iam_user_policy_attachment" "FIAM-TESTING-assume_any_fiam_role" {
+  user       = "${aws_iam_user.testuser.name}"
+  policy_arn = "${aws_iam_policy.FIAM-TESTING-assume_any_fiam_role.arn}"
+}
+
+resource "aws_iam_user_login_profile" "testuser" {
+  user    = "${aws_iam_user.testuser.name}"
+  pgp_key = "keybase:fdamstra"
+}
+
+output "testuser_password" {
+  # to decrypt, run: terraform output testuser_password | base64 --decode | keybase --standalone pgp decrypt
+  value = "${aws_iam_user_login_profile.testuser.encrypted_password}"
+}
+
+output "testuser_password_instructions" {
+  value = "Execute:  terraform output testuser_password | base64 --decode | keybase pgp decrypt"
+}
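Review bot: `testuser` receives a console password and `FIAM-TESTING-assume_any_fiam_role`, while the trust policy in use has no MFA condition and no MFA device is registered here, so a leaked console password alone yields every `FIAM-*` role; if this user is meant for anything beyond a throwaway test, pair it with an MFA device and switch the trust policy to the MFA-required variant. `path = "/FIAMS/"` and `project = "FIAMS"` do not match the `/FIAM/` path used for the COMMON policies, and the policy created here has no `path` at all — pick one convention so ARN-based grants and audits line up. The two decryption commands differ (`keybase --standalone pgp decrypt` in the comment vs `keybase pgp decrypt` in the output); keep one. The PGP-encrypted password still lands in the Terraform state and in any CI log that prints outputs, so state access should stay restricted.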