UPD: fine-grained billing access

2023-07-17 21:50:41 +08:00 · 2023-07-17 21:50:41 +08:00 · 185036deeb
commit 185036deeb
parent 561904d529
1 changed files with 133 additions and 125 deletions
--- a/modules/security_identity_compliance/roles_iam_resources/cloudhealth-role.tf
+++ b/modules/security_identity_compliance/roles_iam_resources/cloudhealth-role.tf
@ -1,4 +1,4 @@
-resource aws_iam_role cloudhealth-role {
+resource "aws_iam_role" "cloudhealth-role" {
  count              = var.create-cloudhealth-resources ? 1 : 0
  name               = "CloudHealth-Role"
  tags               = var.default-tags
@ -29,11 +29,12 @@ EOF
 resource "aws_iam_policy" "CloudHealth-Policy" {
  count = var.create-cloudhealth-resources ? 1 : 0
  name  = "CloudHealthPolicy"
-  policy = <<-EOF
+  policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
+          "Sid" : "CloudhealthAccess",
          "Action" : [
            "autoscaling:Describe*",
            "cloudformation:ListStacks",
@ -123,7 +124,14 @@ resource "aws_iam_policy" "CloudHealth-Policy" {
            "sqs:ListQueues",
            "storagegateway:List*",
            "storagegateway:Describe*",
-                "workspaces:Describe*",
+            "workspaces:Describe*"
+          ],
+          "Resource" : "*",
+          "Effect" : "Allow"
+        },
+        {
+          "Sid" : "FineGrainedBillingAccess",
+          "Action" : [
            "account:Get*",
            "billing:Get*",
            "billing:List*",
@ -149,7 +157,7 @@ resource "aws_iam_policy" "CloudHealth-Policy" {
        }
      ]
    }
-EOF
+  )
 }

 resource "aws_iam_role_policy_attachment" "cloudhealth-role-policy-attach" {