UPD: adding securityaudit role
This commit is contained in:
parent
c1d1149d7d
commit
4865fdcba7
@ -7,11 +7,13 @@ variable "application" {}
|
|||||||
|
|
||||||
locals {
|
locals {
|
||||||
default-tags = {
|
default-tags = {
|
||||||
ServiceProvider = "Rackspace"
|
ServiceProvider = "RackspaceTechnology"
|
||||||
Environment = var.environment
|
Environment = var.environment
|
||||||
Project = var.project
|
Project = var.project
|
||||||
Application = var.application
|
Application = var.application
|
||||||
TerraformMode = "managed"
|
TerraformMode = "managed"
|
||||||
|
TerraformDir = trimprefix(path.cwd, "/my/work/xpk-git/")
|
||||||
|
CreatedBy = split(":",data.aws_caller_identity.this.user_id)[1]
|
||||||
BuildDate = formatdate("YYYYMMDD", timestamp())
|
BuildDate = formatdate("YYYYMMDD", timestamp())
|
||||||
}
|
}
|
||||||
ct-bucket-name = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}-ctbucket-${data.aws_caller_identity.this.account_id}"
|
ct-bucket-name = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}-ctbucket-${data.aws_caller_identity.this.account_id}"
|
||||||
|
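Review bot: `TerraformDir = trimprefix(path.cwd, "/my/work/xpk-git/")` bakes one developer's local checkout path into a tag applied to every resource: on any other machine or CI runner the prefix does not match, so the full absolute working directory is written into the `TerraformDir` tag, which makes the tag value differ per operator (perpetual plan diffs) and exposes local filesystem paths on cloud resources. The repo-relative directory should come from a variable supplied by whatever wraps terraform, e.g. `TerraformDir = var.terraform-dir`, or at minimum the stripped prefix should not be a personal home-directory path. `CreatedBy = split(":",data.aws_caller_identity.this.user_id)[1]` assumes a `unique-id:session-name` user_id, which is what assumed-role credentials return; for plain IAM user credentials user_id contains no colon and `[1]` is an index-out-of-range error at plan time, so guard it, e.g. `CreatedBy = try(split(":", data.aws_caller_identity.this.user_id)[1], data.aws_caller_identity.this.user_id)`. The same hunk is rendered a second time further down the page and the same two points apply there.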
@ -7,11 +7,13 @@ variable "application" {}
|
|||||||
|
|
||||||
locals {
|
locals {
|
||||||
default-tags = {
|
default-tags = {
|
||||||
ServiceProvider = "Rackspace"
|
ServiceProvider = "RackspaceTechnology"
|
||||||
Environment = var.environment
|
Environment = var.environment
|
||||||
Project = var.project
|
Project = var.project
|
||||||
Application = var.application
|
Application = var.application
|
||||||
TerraformMode = "managed"
|
TerraformMode = "managed"
|
||||||
|
TerraformDir = trimprefix(path.cwd, "/my/work/xpk-git/")
|
||||||
|
CreatedBy = split(":",data.aws_caller_identity.this.user_id)[1]
|
||||||
BuildDate = formatdate("YYYYMMDD", timestamp())
|
BuildDate = formatdate("YYYYMMDD", timestamp())
|
||||||
}
|
}
|
||||||
ct-bucket-name = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}-ctbucket-${data.aws_caller_identity.this.account_id}"
|
ct-bucket-name = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}-ctbucket-${data.aws_caller_identity.this.account_id}"
|
||||||
|
@ -26,6 +26,7 @@ data aws_iam_policy_document assume-role-policy {
|
|||||||
|
|
||||||
resource aws_iam_role administrator-role {
|
resource aws_iam_role administrator-role {
|
||||||
name = "${var.environment}-awsadmin"
|
name = "${var.environment}-awsadmin"
|
||||||
|
description = "Provides full access to AWS services and resources."
|
||||||
tags = var.default-tags
|
tags = var.default-tags
|
||||||
assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
|
assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
|
||||||
path = "/${var.customer-name}/"
|
path = "/${var.customer-name}/"
|
||||||
@ -39,6 +40,7 @@ resource "aws_iam_role_policy_attachment" "administrator-role-policy-attach" {
|
|||||||
|
|
||||||
resource aws_iam_role billing-role {
|
resource aws_iam_role billing-role {
|
||||||
name = "${var.environment}-billing"
|
name = "${var.environment}-billing"
|
||||||
|
description = "Grants permissions for billing and cost management."
|
||||||
tags = var.default-tags
|
tags = var.default-tags
|
||||||
assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
|
assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
|
||||||
path = "/${var.customer-name}/"
|
path = "/${var.customer-name}/"
|
||||||
@ -52,6 +54,7 @@ resource "aws_iam_role_policy_attachment" "billing-role-policy-attach" {
|
|||||||
|
|
||||||
resource aws_iam_role dba-role {
|
resource aws_iam_role dba-role {
|
||||||
name = "${var.environment}-dba"
|
name = "${var.environment}-dba"
|
||||||
|
description = "AWS database admin role"
|
||||||
tags = var.default-tags
|
tags = var.default-tags
|
||||||
assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
|
assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
|
||||||
path = "/${var.customer-name}/"
|
path = "/${var.customer-name}/"
|
||||||
@ -65,6 +68,7 @@ resource "aws_iam_role_policy_attachment" "dba-role-policy-attach" {
|
|||||||
|
|
||||||
resource aws_iam_role network-admin-role {
|
resource aws_iam_role network-admin-role {
|
||||||
name = "${var.environment}-networkadmin"
|
name = "${var.environment}-networkadmin"
|
||||||
|
description = "AWS network admin role"
|
||||||
tags = var.default-tags
|
tags = var.default-tags
|
||||||
assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
|
assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
|
||||||
path = "/${var.customer-name}/"
|
path = "/${var.customer-name}/"
|
||||||
@ -78,6 +82,7 @@ resource "aws_iam_role_policy_attachment" "network-admin-role-policy-attach" {
|
|||||||
|
|
||||||
resource aws_iam_role developer-role {
|
resource aws_iam_role developer-role {
|
||||||
name = "${var.environment}-developer"
|
name = "${var.environment}-developer"
|
||||||
|
description = "Provides full access to AWS resources excluding IAM."
|
||||||
tags = var.default-tags
|
tags = var.default-tags
|
||||||
assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
|
assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
|
||||||
path = "/${var.customer-name}/"
|
path = "/${var.customer-name}/"
|
||||||
@ -89,8 +94,23 @@ resource "aws_iam_role_policy_attachment" "developer-role-policy-attach1" {
|
|||||||
policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
|
policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource aws_iam_role securityaudit-role {
|
||||||
|
name = "${var.environment}-securityaudit"
|
||||||
|
description = "Role to read security configuration metadata."
|
||||||
|
tags = var.default-tags
|
||||||
|
assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
|
||||||
|
path = "/${var.customer-name}/"
|
||||||
|
max_session_duration = 7200
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "aws_iam_role_policy_attachment" "securityaudit-role-policy-attach1" {
|
||||||
|
role = aws_iam_role.securityaudit-role.name
|
||||||
|
policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
|
||||||
|
}
|
||||||
|
|
||||||
resource aws_iam_role support-role {
|
resource aws_iam_role support-role {
|
||||||
name = "${var.environment}-support"
|
name = "${var.environment}-support"
|
||||||
|
description = "Role to troubleshoot and resolve issues in AWS."
|
||||||
tags = var.default-tags
|
tags = var.default-tags
|
||||||
assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
|
assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
|
||||||
path = "/${var.customer-name}/"
|
path = "/${var.customer-name}/"
|
||||||
|
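Review bot: The new securityaudit-role reuses `data.aws_iam_policy_document.assume-role-policy.json` as its trust policy, the same document that administrator-role, billing-role, dba-role, network-admin-role and developer-role use, so every principal trusted to assume the read-only audit role is also trusted to assume the administrator role; if auditors are a separate population, the role should get its own assume-role document (the policy document itself is outside these hunks, so it may already be constrained by conditions — worth confirming). `max_session_duration = 7200` is set only on the new role in the visible lines; whether the other roles set it is outside the hunks, so either align it with them or add a comment such as `# 2h sessions: audit tooling runs longer than the default 1h` explaining why audit sessions are longer. The attachment name `securityaudit-role-policy-attach1` implies further attachments are planned; if SecurityAudit is the only intended policy, dropping the `1` suffix avoids that implication.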