UPD: fine-grained billing access

2023-07-17 21:50:41 +08:00 · 2023-07-17 21:50:41 +08:00 · 185036deeb
commit 185036deeb
parent 561904d529
1 changed files with 133 additions and 125 deletions
--- a/modules/security_identity_compliance/roles_iam_resources/cloudhealth-role.tf
+++ b/modules/security_identity_compliance/roles_iam_resources/cloudhealth-role.tf
@ -1,7 +1,7 @@
-resource aws_iam_role cloudhealth-role {
-  count = var.create-cloudhealth-resources ? 1 : 0
-  name = "CloudHealth-Role"
-  tags = var.default-tags
+resource "aws_iam_role" "cloudhealth-role" {
+  count              = var.create-cloudhealth-resources ? 1 : 0
+  name               = "CloudHealth-Role"
+  tags               = var.default-tags
  assume_role_policy = <<EOF
 {
  "Version": "2012-10-17",
@ -28,132 +28,140 @@ EOF

 resource "aws_iam_policy" "CloudHealth-Policy" {
  count = var.create-cloudhealth-resources ? 1 : 0
-  name   = "CloudHealthPolicy"
-  policy = <<-EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
+  name  = "CloudHealthPolicy"
+  policy = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
        {
-            "Action": [
-                "autoscaling:Describe*",
-                "cloudformation:ListStacks",
-                "cloudformation:ListStackResources",
-                "cloudformation:DescribeStacks",
-                "cloudformation:DescribeStackEvents",
-                "cloudformation:DescribeStackResources",
-                "cloudformation:GetTemplate",
-                "cloudfront:Get*",
-                "cloudfront:List*",
-                "cloudtrail:DescribeTrails",
-                "cloudtrail:ListTags",
-                "cloudtrail:Get*",
-                "cloudwatch:Describe*",
-                "cloudwatch:Get*",
-                "cloudwatch:List*",
-                "config:Get*",
-                "config:Describe*",
-                "config:Deliver*",
-                "config:List*",
-                "cur:Describe*",
-                "dms:Describe*",
-                "dms:List*",
-                "dynamodb:DescribeTable",
-                "dynamodb:List*",
-                "ec2:Describe*",
-                "ec2:DescribeRegions",
-                "ec2:GetReservedInstancesExchangeQuote",
-                "ecs:List*",
-                "ecs:Describe*",
-                "elasticache:Describe*",
-                "elasticache:ListTagsForResource",
-                "elasticbeanstalk:Check*",
-                "elasticbeanstalk:Describe*",
-                "elasticbeanstalk:List*",
-                "elasticbeanstalk:RequestEnvironmentInfo",
-                "elasticbeanstalk:RetrieveEnvironmentInfo",
-                "elasticfilesystem:Describe*",
-                "elasticloadbalancing:Describe*",
-                "elasticmapreduce:Describe*",
-                "elasticmapreduce:List*",
-                "es:List*",
-                "es:Describe*",
-                "es:DescribeReservedElasticsearchInstances",
-                "firehose:ListDeliveryStreams",
-                "firehose:DescribeDeliveryStream",
-                "fsx:Describe*",
-                "iam:List*",
-                "iam:Get*",
-                "iam:GenerateCredentialReport",
-                "kinesis:Describe*",
-                "kinesis:List*",
-                "kms:DescribeKey",
-                "kms:GetKeyRotationStatus",
-                "kms:ListKeys",
-                "lambda:List*",
-                "logs:Describe*",
-                "logs:List*",
-                "organizations:ListAccounts",
-                "organizations:ListTagsForResource",
-                "redshift:Describe*",
-                "route53:Get*",
-                "route53:List*",
-                "rds:Describe*",
-                "rds:ListTagsForResource",
-                "s3:GetAccountPublicAccessBlock",
-                "s3:GetBucketAcl",
-                "s3:GetBucketLocation",
-                "s3:GetBucketLogging",
-                "s3:GetBucketPolicy",
-                "s3:GetBucketPolicyStatus",
-                "s3:GetBucketPublicAccessBlock",
-                "s3:GetBucketTagging",
-                "s3:GetBucketVersioning",
-                "s3:GetBucketWebsite",
-                "s3:List*",
-                "sagemaker:Describe*",
-                "sagemaker:List*",
-                "savingsplans:DescribeSavingsPlans",
-                "sdb:GetAttributes",
-                "sdb:List*",
-                "ses:Get*",
-                "ses:List*",
-                "sns:Get*",
-                "sns:List*",
-                "sqs:GetQueueAttributes",
-                "sqs:ListQueues",
-                "storagegateway:List*",
-                "storagegateway:Describe*",
-                "workspaces:Describe*",
-                "account:Get*",
-                "billing:Get*",
-                "billing:List*",
-                "ce:Describe*",
-                "ce:Get*",
-                "ce:List*",
-                "consolidatedbilling:GetAccountBillingRole",
-                "consolidatedbilling:ListLinkedAccounts",
-                "cur:Get*",
-                "cur:ValidateReportDestination",
-                "freetier:Get*",
-                "invoicing:Get*",
-                "invoicing:List*",
-                "payments:Get*",
-                "payments:List*",
-                "purchase-orders:Get*",
-                "purchase-orders:List*",
-                "tax:Get*",
-                "tax:List*"
-            ],
-            "Resource": "*",
-            "Effect": "Allow"
+          "Sid" : "CloudhealthAccess",
+          "Action" : [
+            "autoscaling:Describe*",
+            "cloudformation:ListStacks",
+            "cloudformation:ListStackResources",
+            "cloudformation:DescribeStacks",
+            "cloudformation:DescribeStackEvents",
+            "cloudformation:DescribeStackResources",
+            "cloudformation:GetTemplate",
+            "cloudfront:Get*",
+            "cloudfront:List*",
+            "cloudtrail:DescribeTrails",
+            "cloudtrail:ListTags",
+            "cloudtrail:Get*",
+            "cloudwatch:Describe*",
+            "cloudwatch:Get*",
+            "cloudwatch:List*",
+            "config:Get*",
+            "config:Describe*",
+            "config:Deliver*",
+            "config:List*",
+            "cur:Describe*",
+            "dms:Describe*",
+            "dms:List*",
+            "dynamodb:DescribeTable",
+            "dynamodb:List*",
+            "ec2:Describe*",
+            "ec2:DescribeRegions",
+            "ec2:GetReservedInstancesExchangeQuote",
+            "ecs:List*",
+            "ecs:Describe*",
+            "elasticache:Describe*",
+            "elasticache:ListTagsForResource",
+            "elasticbeanstalk:Check*",
+            "elasticbeanstalk:Describe*",
+            "elasticbeanstalk:List*",
+            "elasticbeanstalk:RequestEnvironmentInfo",
+            "elasticbeanstalk:RetrieveEnvironmentInfo",
+            "elasticfilesystem:Describe*",
+            "elasticloadbalancing:Describe*",
+            "elasticmapreduce:Describe*",
+            "elasticmapreduce:List*",
+            "es:List*",
+            "es:Describe*",
+            "es:DescribeReservedElasticsearchInstances",
+            "firehose:ListDeliveryStreams",
+            "firehose:DescribeDeliveryStream",
+            "fsx:Describe*",
+            "iam:List*",
+            "iam:Get*",
+            "iam:GenerateCredentialReport",
+            "kinesis:Describe*",
+            "kinesis:List*",
+            "kms:DescribeKey",
+            "kms:GetKeyRotationStatus",
+            "kms:ListKeys",
+            "lambda:List*",
+            "logs:Describe*",
+            "logs:List*",
+            "organizations:ListAccounts",
+            "organizations:ListTagsForResource",
+            "redshift:Describe*",
+            "route53:Get*",
+            "route53:List*",
+            "rds:Describe*",
+            "rds:ListTagsForResource",
+            "s3:GetAccountPublicAccessBlock",
+            "s3:GetBucketAcl",
+            "s3:GetBucketLocation",
+            "s3:GetBucketLogging",
+            "s3:GetBucketPolicy",
+            "s3:GetBucketPolicyStatus",
+            "s3:GetBucketPublicAccessBlock",
+            "s3:GetBucketTagging",
+            "s3:GetBucketVersioning",
+            "s3:GetBucketWebsite",
+            "s3:List*",
+            "sagemaker:Describe*",
+            "sagemaker:List*",
+            "savingsplans:DescribeSavingsPlans",
+            "sdb:GetAttributes",
+            "sdb:List*",
+            "ses:Get*",
+            "ses:List*",
+            "sns:Get*",
+            "sns:List*",
+            "sqs:GetQueueAttributes",
+            "sqs:ListQueues",
+            "storagegateway:List*",
+            "storagegateway:Describe*",
+            "workspaces:Describe*"
+          ],
+          "Resource" : "*",
+          "Effect" : "Allow"
+        },
+        {
+          "Sid" : "FineGrainedBillingAccess",
+          "Action" : [
+            "account:Get*",
+            "billing:Get*",
+            "billing:List*",
+            "ce:Describe*",
+            "ce:Get*",
+            "ce:List*",
+            "consolidatedbilling:GetAccountBillingRole",
+            "consolidatedbilling:ListLinkedAccounts",
+            "cur:Get*",
+            "cur:ValidateReportDestination",
+            "freetier:Get*",
+            "invoicing:Get*",
+            "invoicing:List*",
+            "payments:Get*",
+            "payments:List*",
+            "purchase-orders:Get*",
+            "purchase-orders:List*",
+            "tax:Get*",
+            "tax:List*"
+          ],
+          "Resource" : "*",
+          "Effect" : "Allow"
        }
-    ]
-}
-EOF
+      ]
+    }
+  )
 }

 resource "aws_iam_role_policy_attachment" "cloudhealth-role-policy-attach" {
-  count = var.create-cloudhealth-resources ? 1 : 0
+  count      = var.create-cloudhealth-resources ? 1 : 0
  role       = aws_iam_role.cloudhealth-role[1].name
  policy_arn = aws_iam_policy.CloudHealth-Policy[1].arn
 }