# Guard: the AWS provider must be configured with default_tags so every role
# and policy created by this file carries the account's mandatory tags.
data "aws_default_tags" "this" {
  lifecycle {
    postcondition {
      # An empty map means the provider block has no default_tags configured;
      # fail the plan early instead of creating untagged IAM resources.
      condition     = length(self.tags) > 0
      error_message = "Validation failed: Provider default_tags not set."
    }
  }
}
# Trust policy shared by every deployer role in this file: only the single
# principal named in var.role-trusted-entity-arn may call sts:AssumeRole.
# NOTE(review): no Condition (ExternalId, MFA, aws:PrincipalOrgID) is applied;
# whether one is warranted depends on what that trusted ARN is — confirm.
data "aws_iam_policy_document" "assume-role-policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = [var.role-trusted-entity-arn]
    }
  }
}
# Deployer role for the security baseline. Its inline policy
# (SecurityDeployerPolicy) grants iam:* and kms:* on "*", which makes this role
# administrator-equivalent: anyone who can assume it can grant themselves
# anything. Trust (assume_role_policy) is the shared single-principal document.
resource "aws_iam_role" "SecurityDeployer" {
  name        = "SecurityDeployer"
  description = "Admin access to IAM, KMS, SecretsManager, ec2 Key Pair"

  assume_role_policy   = data.aws_iam_policy_document.assume-role-policy.json
  max_session_duration = var.max_session_duration
}
# Inline policy for SecurityDeployer: IAM, KMS, Secrets Manager, EC2 key pairs
# and the account-level security services (ACM, Config, GuardDuty, Inspector,
# Security Hub, Shield, IAM Identity Center, Organizations), all on "*".
# iam:* alone is equivalent to full account admin, so the separation between
# the deployer roles only holds while this role is tightly guarded.
resource "aws_iam_role_policy" "SecurityDeployerPolicy" {
  name = "SecurityDeployerPolicy"
  role = aws_iam_role.SecurityDeployer.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "iam:*",
          "secretsmanager:*",
          "ec2:ImportKeyPair",
          "kms:*",
          "ec2:CreateKeyPair",
          "ec2:DescribeKeyPairs",
          "ec2:DeleteKeyPair",
          "acm:*",
          "config:*",
          "guardduty:*",
          "inspector2:*",
          "securityhub:*",
          "shield:*",
          "sso:*",
          "organizations:*"
        ]
        Resource = "*"
      }
    ]
  })
}
# Deployer role for networking (VPC, security groups, Route 53 and related
# services, see NetworkDeployerPolicy). Trust is the shared single-principal
# document.
resource "aws_iam_role" "NetworkDeployer" {
  name        = "NetworkDeployer"
  description = "Admin access to VPC, SecurityGroup, Route53"

  assume_role_policy   = data.aws_iam_policy_document.assume-role-policy.json
  max_session_duration = var.max_session_duration
}
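# Inline policy for NetworkDeployer: VPC, subnets, gateways, security groups,
# Local/Transit Gateway, Route 53 and Direct Connect, all on "*".
#
# iam:PassRole is required to create VPC flow logs, which hand a delivery role
# to the flow-logs service. It lives in its own statement, conditioned on
# iam:PassedToService, so the role can only pass roles to
# vpc-flow-logs.amazonaws.com. An unconditioned iam:PassRole on "*" would let
# this role attach any role in the account — SecurityDeployer included — to any
# service it can create resources for, which undoes the split between roles.
#
# NOTE(review): ec2:DeleteVolume, ec2:GetConsoleScreenshot and
# ec2:DescribeInstances are not networking actions — confirm they are needed.
# NOTE(review): CommonDeployerPolicy excludes these same ec2 actions via
# NotAction; keep the two lists in step when editing either.
resource "aws_iam_role_policy" "NetworkDeployerPolicy" {
  name = "NetworkDeployerPolicy"
  role = aws_iam_role.NetworkDeployer.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "PassRoleToFlowLogsOnly"
        Effect   = "Allow"
        Action   = ["iam:PassRole"]
        Resource = "*"
        Condition = {
          StringEquals = {
            "iam:PassedToService" = "vpc-flow-logs.amazonaws.com"
          }
        }
      },
      {
        Sid    = "NetworkAdmin"
        Effect = "Allow"
        Action = [
          "ec2:AcceptVpcEndpointConnections",
          "ec2:AllocateAddress",
          "ec2:AssignIpv6Addresses",
          "ec2:AssignPrivateIpAddresses",
          "ec2:AssociateAddress",
          "ec2:AssociateDhcpOptions",
          "ec2:AssociateRouteTable",
          "ec2:AssociateSubnetCidrBlock",
          "ec2:AssociateVpcCidrBlock",
          "ec2:AttachInternetGateway",
          "ec2:AttachNetworkInterface",
          "ec2:AttachVpnGateway",
          "ec2:CreateCarrierGateway",
          "ec2:CreateCustomerGateway",
          "ec2:CreateDefaultSubnet",
          "ec2:CreateDefaultVpc",
          "ec2:CreateDhcpOptions",
          "ec2:CreateEgressOnlyInternetGateway",
          "ec2:CreateFlowLogs",
          "ec2:CreateInternetGateway",
          "ec2:CreateNatGateway",
          "ec2:CreateNetworkAcl",
          "ec2:CreateNetworkAclEntry",
          "ec2:CreateNetworkInterface",
          "ec2:CreateNetworkInterfacePermission",
          "ec2:CreatePlacementGroup",
          "ec2:CreateRoute",
          "ec2:CreateRouteTable",
          "ec2:CreateSecurityGroup",
          "ec2:CreateSubnet",
          "ec2:CreateTags",
          "ec2:CreateVpc",
          "ec2:CreateVpcEndpoint",
          "ec2:CreateVpcEndpointConnectionNotification",
          "ec2:CreateVpcEndpointServiceConfiguration",
          "ec2:CreateVpnConnection",
          "ec2:CreateVpnConnectionRoute",
          "ec2:CreateVpnGateway",
          "ec2:DeleteCarrierGateway",
          "ec2:DeleteEgressOnlyInternetGateway",
          "ec2:DeleteFlowLogs",
          "ec2:DeleteNatGateway",
          "ec2:DeleteNetworkInterface",
          "ec2:DeleteNetworkInterfacePermission",
          "ec2:DeletePlacementGroup",
          "ec2:DeleteSubnet",
          "ec2:DeleteTags",
          "ec2:DeleteVpc",
          "ec2:DeleteVpcEndpointConnectionNotifications",
          "ec2:DeleteVpcEndpointServiceConfigurations",
          "ec2:DeleteVpcEndpoints",
          "ec2:DeleteVpnConnection",
          "ec2:DeleteVpnConnectionRoute",
          "ec2:DeleteVpnGateway",
          "ec2:DescribeAccountAttributes",
          "ec2:DescribeAddresses",
          "ec2:DescribeAvailabilityZones",
          "ec2:DescribeCarrierGateways",
          "ec2:DescribeClassicLinkInstances",
          "ec2:DescribeCustomerGateways",
          "ec2:DescribeDhcpOptions",
          "ec2:DescribeEgressOnlyInternetGateways",
          "ec2:DescribeFlowLogs",
          "ec2:DescribeInstances", # NOTE(review): not a networking action
          "ec2:DescribeInternetGateways",
          "ec2:DescribeKeyPairs",
          "ec2:DescribeMovingAddresses",
          "ec2:DescribeNatGateways",
          "ec2:DescribeNetworkAcls",
          "ec2:DescribeNetworkInterfaceAttribute",
          "ec2:DescribeNetworkInterfacePermissions",
          "ec2:DescribeNetworkInterfaces",
          "ec2:DescribePlacementGroups",
          "ec2:DescribePrefixLists",
          "ec2:DescribeRouteTables",
          "ec2:DescribeSecurityGroupReferences",
          "ec2:DescribeSecurityGroupRules",
          "ec2:DescribeSecurityGroups",
          "ec2:DescribeStaleSecurityGroups",
          "ec2:DescribeSubnets",
          "ec2:DescribeTags",
          "ec2:DescribeVpcAttribute",
          "ec2:DescribeVpcClassicLink",
          "ec2:DescribeVpcClassicLinkDnsSupport",
          "ec2:DescribeVpcEndpointConnectionNotifications",
          "ec2:DescribeVpcEndpointConnections",
          "ec2:DescribeVpcEndpointServiceConfigurations",
          "ec2:DescribeVpcEndpointServicePermissions",
          "ec2:DescribeVpcEndpointServices",
          "ec2:DescribeVpcEndpoints",
          "ec2:DescribeVpcPeeringConnections",
          "ec2:DescribeVpcs",
          "ec2:DescribeVpnConnections",
          "ec2:DescribeVpnGateways",
          "ec2:DescribePublicIpv4Pools",
          "ec2:DescribeIpv6Pools",
          "ec2:DetachInternetGateway",
          "ec2:DetachNetworkInterface",
          "ec2:DetachVpnGateway",
          "ec2:DisableVgwRoutePropagation",
          "ec2:DisableVpcClassicLinkDnsSupport",
          "ec2:DisassociateAddress",
          "ec2:DisassociateRouteTable",
          "ec2:DisassociateSubnetCidrBlock",
          "ec2:DisassociateVpcCidrBlock",
          "ec2:EnableVgwRoutePropagation",
          "ec2:EnableVpcClassicLinkDnsSupport",
          "ec2:ModifyNetworkInterfaceAttribute",
          "ec2:ModifySecurityGroupRules",
          "ec2:ModifySubnetAttribute",
          "ec2:ModifyVpcAttribute",
          "ec2:ModifyVpcEndpoint",
          "ec2:ModifyVpcEndpointConnectionNotification",
          "ec2:ModifyVpcEndpointServiceConfiguration",
          "ec2:ModifyVpcEndpointServicePermissions",
          "ec2:ModifyVpcPeeringConnectionOptions",
          "ec2:ModifyVpcTenancy",
          "ec2:MoveAddressToVpc",
          "ec2:RejectVpcEndpointConnections",
          "ec2:ReleaseAddress",
          "ec2:ReplaceNetworkAclAssociation",
          "ec2:ReplaceNetworkAclEntry",
          "ec2:ReplaceRoute",
          "ec2:ReplaceRouteTableAssociation",
          "ec2:ResetNetworkInterfaceAttribute",
          "ec2:RestoreAddressToClassic",
          "ec2:UnassignIpv6Addresses",
          "ec2:UnassignPrivateIpAddresses",
          "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
          "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
          "ec2:AcceptVpcPeeringConnection",
          "ec2:AttachClassicLinkVpc",
          "ec2:AuthorizeSecurityGroupEgress",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:CreateVpcPeeringConnection",
          "ec2:DeleteCustomerGateway",
          "ec2:DeleteDhcpOptions",
          "ec2:DeleteInternetGateway",
          "ec2:DeleteNetworkAcl",
          "ec2:DeleteNetworkAclEntry",
          "ec2:DeleteRoute",
          "ec2:DeleteRouteTable",
          "ec2:DeleteSecurityGroup",
          "ec2:DeleteVolume", # NOTE(review): not a networking action
          "ec2:DeleteVpcPeeringConnection",
          "ec2:DetachClassicLinkVpc",
          "ec2:DisableVpcClassicLink",
          "ec2:EnableVpcClassicLink",
          "ec2:GetConsoleScreenshot", # NOTE(review): not a networking action
          "ec2:RejectVpcPeeringConnection",
          "ec2:RevokeSecurityGroupEgress",
          "ec2:RevokeSecurityGroupIngress",
          "ec2:CreateLocalGatewayRoute",
          "ec2:CreateLocalGatewayRouteTableVpcAssociation",
          "ec2:DeleteLocalGatewayRoute",
          "ec2:DeleteLocalGatewayRouteTableVpcAssociation",
          "ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations",
          "ec2:DescribeLocalGatewayRouteTableVpcAssociations",
          "ec2:DescribeLocalGatewayRouteTables",
          "ec2:DescribeLocalGatewayVirtualInterfaceGroups",
          "ec2:DescribeLocalGatewayVirtualInterfaces",
          "ec2:DescribeLocalGateways",
          "ec2:SearchLocalGatewayRoutes",
          "ec2:AcceptTransitGatewayVpcAttachment",
          "ec2:AssociateTransitGatewayRouteTable",
          "ec2:CreateTransitGateway",
          "ec2:CreateTransitGatewayRoute",
          "ec2:CreateTransitGatewayRouteTable",
          "ec2:CreateTransitGatewayVpcAttachment",
          "ec2:DeleteTransitGateway",
          "ec2:DeleteTransitGatewayRoute",
          "ec2:DeleteTransitGatewayRouteTable",
          "ec2:DeleteTransitGatewayVpcAttachment",
          "ec2:DescribeTransitGatewayAttachments",
          "ec2:DescribeTransitGatewayRouteTables",
          "ec2:DescribeTransitGatewayVpcAttachments",
          "ec2:DescribeTransitGateways",
          "ec2:DisableTransitGatewayRouteTablePropagation",
          "ec2:DisassociateTransitGatewayRouteTable",
          "ec2:EnableTransitGatewayRouteTablePropagation",
          "ec2:ExportTransitGatewayRoutes",
          "ec2:GetTransitGatewayAttachmentPropagations",
          "ec2:GetTransitGatewayRouteTableAssociations",
          "ec2:GetTransitGatewayRouteTablePropagations",
          "ec2:ModifyTransitGateway",
          "ec2:ModifyTransitGatewayVpcAttachment",
          "ec2:RejectTransitGatewayVpcAttachment",
          "ec2:ReplaceTransitGatewayRoute",
          "ec2:SearchTransitGatewayRoutes",
          "route53domains:*",
          "route53resolver:*",
          "route53:*",
          "directconnect:*"
        ]
        Resource = "*"
      }
    ]
  })
}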
# Deployer role for managed databases (RDS, Redshift, ElastiCache, see
# DatabaseDeployerPolicy). Trust is the shared single-principal document.
resource "aws_iam_role" "DatabaseDeployer" {
  name        = "DatabaseDeployer"
  description = "Admin access to databases"

  assume_role_policy   = data.aws_iam_policy_document.assume-role-policy.json
  max_session_duration = var.max_session_duration
}
# Inline policy for DatabaseDeployer: full control of RDS, Redshift and
# ElastiCache on "*", plus read-only KMS visibility (Get*/List*/Describe*) so
# encrypted stores can reference keys; key creation and key policy changes
# stay with SecurityDeployer, which holds kms:*.
resource "aws_iam_role_policy" "DatabaseDeployerPolicy" {
  name = "DatabaseDeployerPolicy"
  role = aws_iam_role.DatabaseDeployer.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "rds:*",
          "redshift:*",
          "elasticache:*",
          "kms:Get*",
          "kms:List*",
          "kms:Describe*"
        ]
        Resource = "*"
      }
    ]
  })
}
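# Deployer role for storage services. The description now matches what
# StorageDeployerPolicy actually grants (s3:*, ecr:*, elasticfilesystem:*,
# fsx:*); the previous text named RDS and ElastiCache, which belong to
# DatabaseDeployer and are not granted here. Trust is the shared
# single-principal document.
resource "aws_iam_role" "StorageDeployer" {
  name        = "StorageDeployer"
  description = "Admin access to S3, ECR, EFS, FSx"

  assume_role_policy   = data.aws_iam_policy_document.assume-role-policy.json
  max_session_duration = var.max_session_duration
}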
# Inline policy for StorageDeployer: full control of S3, ECR, EFS and FSx on
# "*", plus read-only KMS visibility (Get*/List*/Describe*) so encrypted
# buckets, repositories and file systems can reference keys; key management
# stays with SecurityDeployer, which holds kms:*.
resource "aws_iam_role_policy" "StorageDeployerPolicy" {
  name = "StorageDeployerPolicy"
  role = aws_iam_role.StorageDeployer.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "s3:*",
          "ecr:*",
          "elasticfilesystem:*",
          "fsx:*",
          "kms:Get*",
          "kms:List*",
          "kms:Describe*"
        ]
        Resource = "*"
      }
    ]
  })
}
# Catch-all deployer role: everything not owned by the Security, Network,
# Database or Storage deployer roles (see CommonDeployerPolicy). Trust is the
# shared single-principal document.
resource "aws_iam_role" "CommonDeployer" {
  name        = "CommonDeployer"
  description = "Admin access to all services except those allowed in other deployer roles"

  assume_role_policy   = data.aws_iam_policy_document.assume-role-policy.json
  max_session_duration = var.max_session_duration
}
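# Inline policy for CommonDeployer: everything the other deployer roles do NOT
# own, expressed as ONE Allow/NotAction statement whose exclusion list is the
# union of the other roles' action lists.
#
# Why a single statement: IAM evaluates Allow statements as a union. Several
# Allow statements that each carry a different NotAction list therefore allow
# everything except the *intersection* of those lists. The previous four
# statements (Negate{Security,Network,Database,Storage}DeployerPermissions)
# had pairwise-disjoint lists, so their intersection was empty and the role
# was effectively "*" on "*" — iam:* included — defeating the separation the
# other roles exist for. "All except the union" can only be written as one
# NotAction list.
#
# NOTE(review): the merged list faithfully excludes what the original lists
# excluded, which includes generic EC2 actions such as ec2:CreateTags,
# ec2:DeleteTags, ec2:DescribeTags, ec2:DescribeInstances,
# ec2:DescribeAvailabilityZones and ec2:DescribeKeyPairs that non-network EC2
# work may also need — confirm whether those should stay NetworkDeployer-only
# or be dropped from this exclusion list.
# NOTE(review): KMS is excluded by enumerating write actions rather than by
# "kms:*", so kms:Get*/List*/Describe* and any action not enumerated (e.g.
# kms:TagResource, or actions added to the KMS API later) remain allowed
# here; revisit the list periodically.
resource "aws_iam_role_policy" "CommonDeployerPolicy" {
  name = "CommonDeployerPolicy"
  role = aws_iam_role.CommonDeployer.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AllExceptOtherDeployerPermissions"
        Effect = "Allow"
        # distinct() removes the one overlap between the sub-lists
        # (ec2:DescribeKeyPairs is in both the security and network lists).
        NotAction = distinct(concat(
          # --- owned by SecurityDeployer ---
          [
            "iam:*",
            "secretsmanager:*",
            "ec2:ImportKeyPair",
            "kms:EnableKey",
            "kms:ImportKeyMaterial",
            "kms:Decrypt",
            "kms:GenerateRandom",
            "kms:PutKeyPolicy",
            "kms:GenerateDataKeyWithoutPlaintext",
            "kms:Verify",
            "kms:CancelKeyDeletion",
            "kms:ReplicateKey",
            "kms:GenerateDataKeyPair",
            "kms:SynchronizeMultiRegionKey",
            "kms:DeleteCustomKeyStore",
            "kms:GenerateMac",
            "kms:UpdatePrimaryRegion",
            "kms:UpdateCustomKeyStore",
            "kms:Encrypt",
            "kms:ScheduleKeyDeletion",
            "kms:ReEncryptTo",
            "kms:CreateKey",
            "kms:ConnectCustomKeyStore",
            "kms:Sign",
            "kms:CreateGrant",
            "kms:EnableKeyRotation",
            "kms:UpdateKeyDescription",
            "kms:DeleteImportedKeyMaterial",
            "kms:GenerateDataKeyPairWithoutPlaintext",
            "kms:DisableKey",
            "kms:ReEncryptFrom",
            "kms:DisableKeyRotation",
            "kms:RetireGrant",
            "kms:VerifyMac",
            "kms:UpdateAlias",
            "kms:CreateCustomKeyStore",
            "kms:RevokeGrant",
            "kms:GenerateDataKey",
            "kms:CreateAlias",
            "kms:DisconnectCustomKeyStore",
            "kms:DeleteAlias",
            "ec2:CreateKeyPair",
            "ec2:DescribeKeyPairs",
            "ec2:DeleteKeyPair",
            "acm:*",
            "config:*",
            "guardduty:*",
            "inspector2:*",
            "securityhub:*",
            "shield:*",
            "sso:*",
            "organizations:*"
          ],
          # --- owned by NetworkDeployer ---
          [
            "ec2:AcceptVpcEndpointConnections",
            "ec2:AllocateAddress",
            "ec2:AssignIpv6Addresses",
            "ec2:AssignPrivateIpAddresses",
            "ec2:AssociateAddress",
            "ec2:AssociateDhcpOptions",
            "ec2:AssociateRouteTable",
            "ec2:AssociateSubnetCidrBlock",
            "ec2:AssociateVpcCidrBlock",
            "ec2:AttachInternetGateway",
            "ec2:AttachNetworkInterface",
            "ec2:AttachVpnGateway",
            "ec2:CreateCarrierGateway",
            "ec2:CreateCustomerGateway",
            "ec2:CreateDefaultSubnet",
            "ec2:CreateDefaultVpc",
            "ec2:CreateDhcpOptions",
            "ec2:CreateEgressOnlyInternetGateway",
            "ec2:CreateFlowLogs",
            "ec2:CreateInternetGateway",
            "ec2:CreateNatGateway",
            "ec2:CreateNetworkAcl",
            "ec2:CreateNetworkAclEntry",
            "ec2:CreateNetworkInterface",
            "ec2:CreateNetworkInterfacePermission",
            "ec2:CreatePlacementGroup",
            "ec2:CreateRoute",
            "ec2:CreateRouteTable",
            "ec2:CreateSecurityGroup",
            "ec2:CreateSubnet",
            "ec2:CreateTags",
            "ec2:CreateVpc",
            "ec2:CreateVpcEndpoint",
            "ec2:CreateVpcEndpointConnectionNotification",
            "ec2:CreateVpcEndpointServiceConfiguration",
            "ec2:CreateVpnConnection",
            "ec2:CreateVpnConnectionRoute",
            "ec2:CreateVpnGateway",
            "ec2:DeleteCarrierGateway",
            "ec2:DeleteEgressOnlyInternetGateway",
            "ec2:DeleteFlowLogs",
            "ec2:DeleteNatGateway",
            "ec2:DeleteNetworkInterface",
            "ec2:DeleteNetworkInterfacePermission",
            "ec2:DeletePlacementGroup",
            "ec2:DeleteSubnet",
            "ec2:DeleteTags",
            "ec2:DeleteVpc",
            "ec2:DeleteVpcEndpointConnectionNotifications",
            "ec2:DeleteVpcEndpointServiceConfigurations",
            "ec2:DeleteVpcEndpoints",
            "ec2:DeleteVpnConnection",
            "ec2:DeleteVpnConnectionRoute",
            "ec2:DeleteVpnGateway",
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeAddresses",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeCarrierGateways",
            "ec2:DescribeClassicLinkInstances",
            "ec2:DescribeCustomerGateways",
            "ec2:DescribeDhcpOptions",
            "ec2:DescribeEgressOnlyInternetGateways",
            "ec2:DescribeFlowLogs",
            "ec2:DescribeInstances",
            "ec2:DescribeInternetGateways",
            "ec2:DescribeKeyPairs",
            "ec2:DescribeMovingAddresses",
            "ec2:DescribeNatGateways",
            "ec2:DescribeNetworkAcls",
            "ec2:DescribeNetworkInterfaceAttribute",
            "ec2:DescribeNetworkInterfacePermissions",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DescribePlacementGroups",
            "ec2:DescribePrefixLists",
            "ec2:DescribeRouteTables",
            "ec2:DescribeSecurityGroupReferences",
            "ec2:DescribeSecurityGroupRules",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeStaleSecurityGroups",
            "ec2:DescribeSubnets",
            "ec2:DescribeTags",
            "ec2:DescribeVpcAttribute",
            "ec2:DescribeVpcClassicLink",
            "ec2:DescribeVpcClassicLinkDnsSupport",
            "ec2:DescribeVpcEndpointConnectionNotifications",
            "ec2:DescribeVpcEndpointConnections",
            "ec2:DescribeVpcEndpointServiceConfigurations",
            "ec2:DescribeVpcEndpointServicePermissions",
            "ec2:DescribeVpcEndpointServices",
            "ec2:DescribeVpcEndpoints",
            "ec2:DescribeVpcPeeringConnections",
            "ec2:DescribeVpcs",
            "ec2:DescribeVpnConnections",
            "ec2:DescribeVpnGateways",
            "ec2:DescribePublicIpv4Pools",
            "ec2:DescribeIpv6Pools",
            "ec2:DetachInternetGateway",
            "ec2:DetachNetworkInterface",
            "ec2:DetachVpnGateway",
            "ec2:DisableVgwRoutePropagation",
            "ec2:DisableVpcClassicLinkDnsSupport",
            "ec2:DisassociateAddress",
            "ec2:DisassociateRouteTable",
            "ec2:DisassociateSubnetCidrBlock",
            "ec2:DisassociateVpcCidrBlock",
            "ec2:EnableVgwRoutePropagation",
            "ec2:EnableVpcClassicLinkDnsSupport",
            "ec2:ModifyNetworkInterfaceAttribute",
            "ec2:ModifySecurityGroupRules",
            "ec2:ModifySubnetAttribute",
            "ec2:ModifyVpcAttribute",
            "ec2:ModifyVpcEndpoint",
            "ec2:ModifyVpcEndpointConnectionNotification",
            "ec2:ModifyVpcEndpointServiceConfiguration",
            "ec2:ModifyVpcEndpointServicePermissions",
            "ec2:ModifyVpcPeeringConnectionOptions",
            "ec2:ModifyVpcTenancy",
            "ec2:MoveAddressToVpc",
            "ec2:RejectVpcEndpointConnections",
            "ec2:ReleaseAddress",
            "ec2:ReplaceNetworkAclAssociation",
            "ec2:ReplaceNetworkAclEntry",
            "ec2:ReplaceRoute",
            "ec2:ReplaceRouteTableAssociation",
            "ec2:ResetNetworkInterfaceAttribute",
            "ec2:RestoreAddressToClassic",
            "ec2:UnassignIpv6Addresses",
            "ec2:UnassignPrivateIpAddresses",
            "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
            "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
            "ec2:AcceptVpcPeeringConnection",
            "ec2:AttachClassicLinkVpc",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:CreateVpcPeeringConnection",
            "ec2:DeleteCustomerGateway",
            "ec2:DeleteDhcpOptions",
            "ec2:DeleteInternetGateway",
            "ec2:DeleteNetworkAcl",
            "ec2:DeleteNetworkAclEntry",
            "ec2:DeleteRoute",
            "ec2:DeleteRouteTable",
            "ec2:DeleteSecurityGroup",
            "ec2:DeleteVolume",
            "ec2:DeleteVpcPeeringConnection",
            "ec2:DetachClassicLinkVpc",
            "ec2:DisableVpcClassicLink",
            "ec2:EnableVpcClassicLink",
            "ec2:GetConsoleScreenshot",
            "ec2:RejectVpcPeeringConnection",
            "ec2:RevokeSecurityGroupEgress",
            "ec2:RevokeSecurityGroupIngress",
            "ec2:CreateLocalGatewayRoute",
            "ec2:CreateLocalGatewayRouteTableVpcAssociation",
            "ec2:DeleteLocalGatewayRoute",
            "ec2:DeleteLocalGatewayRouteTableVpcAssociation",
            "ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations",
            "ec2:DescribeLocalGatewayRouteTableVpcAssociations",
            "ec2:DescribeLocalGatewayRouteTables",
            "ec2:DescribeLocalGatewayVirtualInterfaceGroups",
            "ec2:DescribeLocalGatewayVirtualInterfaces",
            "ec2:DescribeLocalGateways",
            "ec2:SearchLocalGatewayRoutes",
            "ec2:AcceptTransitGatewayVpcAttachment",
            "ec2:AssociateTransitGatewayRouteTable",
            "ec2:CreateTransitGateway",
            "ec2:CreateTransitGatewayRoute",
            "ec2:CreateTransitGatewayRouteTable",
            "ec2:CreateTransitGatewayVpcAttachment",
            "ec2:DeleteTransitGateway",
            "ec2:DeleteTransitGatewayRoute",
            "ec2:DeleteTransitGatewayRouteTable",
            "ec2:DeleteTransitGatewayVpcAttachment",
            "ec2:DescribeTransitGatewayAttachments",
            "ec2:DescribeTransitGatewayRouteTables",
            "ec2:DescribeTransitGatewayVpcAttachments",
            "ec2:DescribeTransitGateways",
            "ec2:DisableTransitGatewayRouteTablePropagation",
            "ec2:DisassociateTransitGatewayRouteTable",
            "ec2:EnableTransitGatewayRouteTablePropagation",
            "ec2:ExportTransitGatewayRoutes",
            "ec2:GetTransitGatewayAttachmentPropagations",
            "ec2:GetTransitGatewayRouteTableAssociations",
            "ec2:GetTransitGatewayRouteTablePropagations",
            "ec2:ModifyTransitGateway",
            "ec2:ModifyTransitGatewayVpcAttachment",
            "ec2:RejectTransitGatewayVpcAttachment",
            "ec2:ReplaceTransitGatewayRoute",
            "ec2:SearchTransitGatewayRoutes",
            "route53domains:*",
            "route53resolver:*",
            "route53:*",
            "directconnect:*"
          ],
          # --- owned by DatabaseDeployer ---
          [
            "rds:*",
            "redshift:*",
            "elasticache:*"
          ],
          # --- owned by StorageDeployer ---
          [
            "s3:*",
            "ecr:*",
            "elasticfilesystem:*",
            "fsx:*"
          ]
        ))
        Resource = "*"
      }
    ]
  })
}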