UPD: fine-grained billing access

This commit is contained in:
xpk 2023-07-17 21:50:41 +08:00
parent 561904d529
commit 185036deeb
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86


@ -1,7 +1,7 @@
resource aws_iam_role cloudhealth-role { resource "aws_iam_role" "cloudhealth-role" {
count = var.create-cloudhealth-resources ? 1 : 0 count = var.create-cloudhealth-resources ? 1 : 0
name = "CloudHealth-Role" name = "CloudHealth-Role"
tags = var.default-tags tags = var.default-tags
assume_role_policy = <<EOF assume_role_policy = <<EOF
{ {
"Version": "2012-10-17", "Version": "2012-10-17",
@ -28,132 +28,140 @@ EOF
resource "aws_iam_policy" "CloudHealth-Policy" { resource "aws_iam_policy" "CloudHealth-Policy" {
count = var.create-cloudhealth-resources ? 1 : 0 count = var.create-cloudhealth-resources ? 1 : 0
name = "CloudHealthPolicy" name = "CloudHealthPolicy"
policy = <<-EOF policy = jsonencode(
{ {
"Version": "2012-10-17", "Version" : "2012-10-17",
"Statement": [ "Statement" : [
{ {
"Action": [ "Sid" : "CloudhealthAccess",
"autoscaling:Describe*", "Action" : [
"cloudformation:ListStacks", "autoscaling:Describe*",
"cloudformation:ListStackResources", "cloudformation:ListStacks",
"cloudformation:DescribeStacks", "cloudformation:ListStackResources",
"cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks",
"cloudformation:DescribeStackResources", "cloudformation:DescribeStackEvents",
"cloudformation:GetTemplate", "cloudformation:DescribeStackResources",
"cloudfront:Get*", "cloudformation:GetTemplate",
"cloudfront:List*", "cloudfront:Get*",
"cloudtrail:DescribeTrails", "cloudfront:List*",
"cloudtrail:ListTags", "cloudtrail:DescribeTrails",
"cloudtrail:Get*", "cloudtrail:ListTags",
"cloudwatch:Describe*", "cloudtrail:Get*",
"cloudwatch:Get*", "cloudwatch:Describe*",
"cloudwatch:List*", "cloudwatch:Get*",
"config:Get*", "cloudwatch:List*",
"config:Describe*", "config:Get*",
"config:Deliver*", "config:Describe*",
"config:List*", "config:Deliver*",
"cur:Describe*", "config:List*",
"dms:Describe*", "cur:Describe*",
"dms:List*", "dms:Describe*",
"dynamodb:DescribeTable", "dms:List*",
"dynamodb:List*", "dynamodb:DescribeTable",
"ec2:Describe*", "dynamodb:List*",
"ec2:DescribeRegions", "ec2:Describe*",
"ec2:GetReservedInstancesExchangeQuote", "ec2:DescribeRegions",
"ecs:List*", "ec2:GetReservedInstancesExchangeQuote",
"ecs:Describe*", "ecs:List*",
"elasticache:Describe*", "ecs:Describe*",
"elasticache:ListTagsForResource", "elasticache:Describe*",
"elasticbeanstalk:Check*", "elasticache:ListTagsForResource",
"elasticbeanstalk:Describe*", "elasticbeanstalk:Check*",
"elasticbeanstalk:List*", "elasticbeanstalk:Describe*",
"elasticbeanstalk:RequestEnvironmentInfo", "elasticbeanstalk:List*",
"elasticbeanstalk:RetrieveEnvironmentInfo", "elasticbeanstalk:RequestEnvironmentInfo",
"elasticfilesystem:Describe*", "elasticbeanstalk:RetrieveEnvironmentInfo",
"elasticloadbalancing:Describe*", "elasticfilesystem:Describe*",
"elasticmapreduce:Describe*", "elasticloadbalancing:Describe*",
"elasticmapreduce:List*", "elasticmapreduce:Describe*",
"es:List*", "elasticmapreduce:List*",
"es:Describe*", "es:List*",
"es:DescribeReservedElasticsearchInstances", "es:Describe*",
"firehose:ListDeliveryStreams", "es:DescribeReservedElasticsearchInstances",
"firehose:DescribeDeliveryStream", "firehose:ListDeliveryStreams",
"fsx:Describe*", "firehose:DescribeDeliveryStream",
"iam:List*", "fsx:Describe*",
"iam:Get*", "iam:List*",
"iam:GenerateCredentialReport", "iam:Get*",
"kinesis:Describe*", "iam:GenerateCredentialReport",
"kinesis:List*", "kinesis:Describe*",
"kms:DescribeKey", "kinesis:List*",
"kms:GetKeyRotationStatus", "kms:DescribeKey",
"kms:ListKeys", "kms:GetKeyRotationStatus",
"lambda:List*", "kms:ListKeys",
"logs:Describe*", "lambda:List*",
"logs:List*", "logs:Describe*",
"organizations:ListAccounts", "logs:List*",
"organizations:ListTagsForResource", "organizations:ListAccounts",
"redshift:Describe*", "organizations:ListTagsForResource",
"route53:Get*", "redshift:Describe*",
"route53:List*", "route53:Get*",
"rds:Describe*", "route53:List*",
"rds:ListTagsForResource", "rds:Describe*",
"s3:GetAccountPublicAccessBlock", "rds:ListTagsForResource",
"s3:GetBucketAcl", "s3:GetAccountPublicAccessBlock",
"s3:GetBucketLocation", "s3:GetBucketAcl",
"s3:GetBucketLogging", "s3:GetBucketLocation",
"s3:GetBucketPolicy", "s3:GetBucketLogging",
"s3:GetBucketPolicyStatus", "s3:GetBucketPolicy",
"s3:GetBucketPublicAccessBlock", "s3:GetBucketPolicyStatus",
"s3:GetBucketTagging", "s3:GetBucketPublicAccessBlock",
"s3:GetBucketVersioning", "s3:GetBucketTagging",
"s3:GetBucketWebsite", "s3:GetBucketVersioning",
"s3:List*", "s3:GetBucketWebsite",
"sagemaker:Describe*", "s3:List*",
"sagemaker:List*", "sagemaker:Describe*",
"savingsplans:DescribeSavingsPlans", "sagemaker:List*",
"sdb:GetAttributes", "savingsplans:DescribeSavingsPlans",
"sdb:List*", "sdb:GetAttributes",
"ses:Get*", "sdb:List*",
"ses:List*", "ses:Get*",
"sns:Get*", "ses:List*",
"sns:List*", "sns:Get*",
"sqs:GetQueueAttributes", "sns:List*",
"sqs:ListQueues", "sqs:GetQueueAttributes",
"storagegateway:List*", "sqs:ListQueues",
"storagegateway:Describe*", "storagegateway:List*",
"workspaces:Describe*", "storagegateway:Describe*",
"account:Get*", "workspaces:Describe*"
"billing:Get*", ],
"billing:List*", "Resource" : "*",
"ce:Describe*", "Effect" : "Allow"
"ce:Get*", },
"ce:List*", {
"consolidatedbilling:GetAccountBillingRole", "Sid" : "FineGrainedBillingAccess",
"consolidatedbilling:ListLinkedAccounts", "Action" : [
"cur:Get*", "account:Get*",
"cur:ValidateReportDestination", "billing:Get*",
"freetier:Get*", "billing:List*",
"invoicing:Get*", "ce:Describe*",
"invoicing:List*", "ce:Get*",
"payments:Get*", "ce:List*",
"payments:List*", "consolidatedbilling:GetAccountBillingRole",
"purchase-orders:Get*", "consolidatedbilling:ListLinkedAccounts",
"purchase-orders:List*", "cur:Get*",
"tax:Get*", "cur:ValidateReportDestination",
"tax:List*" "freetier:Get*",
], "invoicing:Get*",
"Resource": "*", "invoicing:List*",
"Effect": "Allow" "payments:Get*",
"payments:List*",
"purchase-orders:Get*",
"purchase-orders:List*",
"tax:Get*",
"tax:List*"
],
"Resource" : "*",
"Effect" : "Allow"
} }
] ]
} }
EOF )
} }
resource "aws_iam_role_policy_attachment" "cloudhealth-role-policy-attach" { resource "aws_iam_role_policy_attachment" "cloudhealth-role-policy-attach" {
count = var.create-cloudhealth-resources ? 1 : 0 count = var.create-cloudhealth-resources ? 1 : 0
role = aws_iam_role.cloudhealth-role[1].name role = aws_iam_role.cloudhealth-role[1].name
policy_arn = aws_iam_policy.CloudHealth-Policy[1].arn policy_arn = aws_iam_policy.CloudHealth-Policy[1].arn
} }
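Review bot: The attachment at the end of the hunk indexes both counted resources with `[1]`, but `count = var.create-cloudhealth-resources ? 1 : 0` yields at most one instance and count indices are zero-based, so `aws_iam_role.cloudhealth-role[1].name` and `aws_iam_policy.CloudHealth-Policy[1].arn` will fail to resolve whenever the resources are created; they should read `role = aws_iam_role.cloudhealth-role[0].name` and `policy_arn = aws_iam_policy.CloudHealth-Policy[0].arn`. Splitting the billing actions into their own `FineGrainedBillingAccess` Sid is a welcome change, and `"Resource" : "*"` is unavoidable there since those actions are account-level, but the `CloudhealthAccess` statement still carries a few write-capable actions (`config:Deliver*`, `elasticbeanstalk:RequestEnvironmentInfo`, `iam:GenerateCredentialReport`) that deserve a comment explaining why a third-party read-only integration role needs them, e.g. `# config:Deliver*/RequestEnvironmentInfo are required by the vendor policy; review before widening`. The `assume_role_policy` body at the top of the file continues outside the first hunk, so I could not confirm it carries an `sts:ExternalId` condition for the vendor principal; please verify, as this role is intended for cross-account assumption.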