generated from GSA/grace-template
-
Notifications
You must be signed in to change notification settings - Fork 9
/
iam.tf
112 lines (105 loc) · 2.63 KB
/
iam.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
resource "aws_iam_role" "iam_role" {
name = local.app_name
description = "Role for GRACE Inventory Lambda function"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
#tfsec:ignore:aws-iam-no-policy-wildcards
resource "aws_iam_policy" "iam_policy" {
name = local.app_name
description = "Policy to allow creating GRACE service inventory report"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudformation:DescribeStacks",
"cloudwatch:DescribeAlarms",
"config:DescribeConfigRules",
"ec2:DescribeAddresses",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeKeyPairs",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeVolumes",
"ec2:DescribeVpcs",
"elasticloadbalancing:DescribeLoadBalancers",
"glacier:ListVaults",
"iam:GetUser",
"iam:ListAccountAliases",
"iam:ListGroups",
"iam:ListPolicies",
"iam:ListRoles",
"iam:ListUsers",
"kms:ListKeys",
"kms:DescribeKey",
"kms:ListAliases",
"organizations:ListAccounts",
"organizations:ListAccountsForParent",
"rds:DescribeDBInstances",
"rds:DescribeDBSnapshots",
"s3:ListBucket",
"s3:ListAllMyBuckets",
"s3:HeadBucket",
"secretsmanager:ListSecrets",
"sns:GetTopicAttributes",
"sns:ListSubscriptions",
"sns:ListTopics",
"ssm:DescribeParameters",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Resource": [
"${aws_iam_role.iam_role.arn}",
"arn:aws:iam::${var.master_account_id}:role/${var.master_role_name}",
"arn:aws:iam::*:role/${var.tenant_role_name}"
]
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "${aws_s3_bucket.bucket.arn}/*"
},
{
"Effect": "Allow",
"Action": [
"kms:Encrypt"
],
"Resource": "${aws_kms_key.kms_key.arn}"
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "iam_role_policy_attachment" {
role = aws_iam_role.iam_role.name
policy_arn = aws_iam_policy.iam_policy.arn
}