NEW: iam roles

xpk 2021-01-27 09:42:51 +08:00
parent acc6f57651
commit 51458c3d58
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86
11 changed files with 182 additions and 2 deletions

1
.gitignore vendored

@ -1,4 +1,5 @@
*.tfstate.backup
*.tfstate
*.tfstate.lock
.terraform/
.DS_Store


@ -8,4 +8,5 @@ module cloudtrail-cwl {
project = var.project
aws-region-short = var.aws-region-short
default-tags = local.default-tags
cloudtrail-retain-days = 90
}
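Review bot: The new `cloudtrail-retain-days = 90` argument passes exactly the value the module already defaults to (its variable declaration elsewhere in this commit has `default = 90`), so the line either is redundant or is meant to be the per-environment knob; if the latter, wire it to a root variable instead of a literal, `cloudtrail-retain-days = var.cloudtrail-retain-days`, so tfvars can differ by environment. The value governs both the CloudTrail bucket expiration and the log-group retention, and 90 days is on the short side for audit-trail retention under most baselines; a short comment stating why 90 was chosen would help the next reviewer. The module block starts outside the hunk.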


@ -0,0 +1,11 @@
data aws_caller_identity this {}
module cloudtrail-cwl {
source = "../../../modules/security_identity_compliance/job-function-roles"
application = var.application
environment = var.environment
customer-name = var.customer-name
project = var.project
aws-region-short = var.aws-region-short
default-tags = local.default-tags
}
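Review bot: The module block is labelled `cloudtrail-cwl` while its `source` is `.../job-function-roles`, so the label no longer describes what it instantiates and every resource address will read `module.cloudtrail-cwl.aws_iam_role.administrator-role`; rename it, e.g. `module job-function-roles {`. The call also passes `project`, `application` and `aws-region-short`, which nothing in the roles file added by this commit appears to reference — worth confirming and trimming so the module's interface only carries what it uses.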


@ -0,0 +1,12 @@
provider "aws" {
region = var.aws-region
}
terraform {
required_version = "> 0.12, < 0.13"
required_providers {
aws = ">= 3.25.0"
}
}
data "aws_availability_zones" "current" {}
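Review bot: `aws = ">= 3.25.0"` has no upper bound, so an unconstrained `terraform init` can pull a future major release of the provider with breaking resource changes, while `required_version` is carefully bounded; `aws = "~> 3.25"` keeps the tested major line. `data "aws_availability_zones" "current"` is not referenced by anything else in this commit as far as I can see and looks like a leftover from a template; drop it or add a comment saying what will consume it.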


@ -0,0 +1,6 @@
aws-region = "ap-northeast-1"
aws-region-short = "apne1"
customer-name = "kf"
environment = "lab"
project = "lime"
application = "infra"


@ -0,0 +1,20 @@
variable "aws-region" {}
variable "aws-region-short" {}
variable "customer-name" {}
variable "environment" {}
variable "project" {}
variable "application" {}
locals {
default-tags = {
ServiceProvider = "Rackspace"
Environment = var.environment
Project = var.project
Application = var.application
TerraformMode = "managed"
BuildDate = formatdate("YYYYMMDD", timestamp())
}
ct-bucket-name = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}-ctbucket-${data.aws_caller_identity.this.account_id}"
resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
}
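Review bot: `BuildDate = formatdate("YYYYMMDD", timestamp())` inside `default-tags` is re-evaluated on every plan, so every resource that carries these tags (all the IAM roles in this commit use `tags = var.default-tags`) will show a tag diff whenever the calendar date changes, producing perpetual drift and noisy applies. Either replace it with a static value supplied through tfvars or remove the key; if the build date is genuinely wanted, a comment should state that the resulting drift is accepted. `ct-bucket-name` is also declared here although this root module only instantiates the roles module — presumably copied from the CloudTrail stack and unused; confirm and remove.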


@ -60,7 +60,7 @@ resource "aws_s3_bucket" "ct-bucket" {
storage_class = "INTELLIGENT_TIERING"
}
expiration {
days = 90
days = var.cloudtrail-retain-days
}
}
}


@ -1,6 +1,6 @@
resource "aws_cloudwatch_log_group" "ct-cwl" {
name = "${local.resource-prefix}-cwl-001"
retention_in_days = 90
retention_in_days = var.cloudtrail-retain-days
kms_key_id = aws_kms_key.ctbucket-key.arn
tags = var.default-tags
}
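Review bot: `retention_in_days = var.cloudtrail-retain-days` now accepts any number, but CloudWatch Logs only allows a fixed set of retention values (1, 3, 5, 7, 14, 30, 60, 90 and a few longer ones), so an unlisted value such as 100 will plan cleanly and fail at apply; the variable declared in the next section has `type = number` and no constraint. Since Terraform is pinned below 0.13 here, a `validation` block is not available without the experiment, so at minimum give the variable a `description = "Retention in days; must be one of the CloudWatch Logs supported values, also used for the CloudTrail bucket expiration"`. The same variable feeds the S3 `expiration` in the previous section, which accepts any positive integer, so the two consumers have different valid domains.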


@ -4,6 +4,11 @@ variable "project" {}
variable "application" {}
variable "aws-region-short" {}
variable "default-tags" {}
variable "cloudtrail-retain-days" {
type = number
default = 90
}
locals {
ct-bucket-name = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}-ctbucket-${data.aws_caller_identity.this.account_id}"
resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"


@ -0,0 +1,108 @@
/*
Create IAM roles based on job functions
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html
- Administrator
- Billing
- Database admin
- Network admin
- Developers
- Readonly and support
*/
data aws_caller_identity this {}
data aws_iam_policy_document assume-role-policy {
statement {
sid = "AllowMyAccount"
effect = "Allow"
actions = ["sts:AssumeRole"]
principals {
identifiers = [data.aws_caller_identity.this.account_id]
type = "AWS"
}
}
}
resource aws_iam_role administrator-role {
name = "${var.environment}-awsadmin"
tags = var.default-tags
assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
path = "/${var.customer-name}/"
max_session_duration = 7200
}
resource "aws_iam_role_policy_attachment" "administrator-role-policy-attach" {
role = aws_iam_role.administrator-role.name
policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
resource aws_iam_role billing-role {
name = "${var.environment}-billing"
tags = var.default-tags
assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
path = "/${var.customer-name}/"
max_session_duration = 3600
}
resource "aws_iam_role_policy_attachment" "billing-role-policy-attach" {
role = aws_iam_role.billing-role.name
policy_arn = "arn:aws:iam::aws:policy/job-function/Billing"
}
resource aws_iam_role dba-role {
name = "${var.environment}-dba"
tags = var.default-tags
assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
path = "/${var.customer-name}/"
max_session_duration = 7200
}
resource "aws_iam_role_policy_attachment" "dba-role-policy-attach" {
role = aws_iam_role.dba-role.name
policy_arn = "arn:aws:iam::aws:policy/job-function/DatabaseAdministrator"
}
resource aws_iam_role network-admin-role {
name = "${var.environment}-networkadmin"
tags = var.default-tags
assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
path = "/${var.customer-name}/"
max_session_duration = 7200
}
resource "aws_iam_role_policy_attachment" "network-admin-role-policy-attach" {
role = aws_iam_role.network-admin-role.name
policy_arn = "arn:aws:iam::aws:policy/job-function/NetworkAdministrator"
}
resource aws_iam_role developer-role {
name = "${var.environment}-developer"
tags = var.default-tags
assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
path = "/${var.customer-name}/"
max_session_duration = 7200
}
resource "aws_iam_role_policy_attachment" "developer-role-policy-attach1" {
role = aws_iam_role.developer-role.name
policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
}
resource aws_iam_role support-role {
name = "${var.environment}-support"
tags = var.default-tags
assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
path = "/${var.customer-name}/"
max_session_duration = 7200
}
resource "aws_iam_role_policy_attachment" "support-role-policy-attach1" {
role = aws_iam_role.support-role.name
policy_arn = "arn:aws:iam::aws:policy/job-function/SupportUser"
}
resource "aws_iam_role_policy_attachment" "support-role-policy-attach2" {
role = aws_iam_role.support-role.name
policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
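Review bot: The `assume-role-policy` document names the account ID as an `AWS` principal, which resolves to the account root and lets any identity in the account that is granted `sts:AssumeRole` take every role defined here, including `administrator-role` with `AdministratorAccess`, with no further condition. For human job-function roles the usual hardening is an `aws:MultiFactorAuthPresent` condition on the statement (shown below), and `administrator-role` would benefit from its own, tighter trust document rather than sharing the one used by `billing-role`. `administrator-role` also gets `max_session_duration = 7200` while `billing-role` gets 3600; a comment stating the rationale for the longer admin session would help. As a point of style, the role resources use unquoted labels (`resource aws_iam_role administrator-role`) while the attachments and the rest of this commit quote theirs; one form throughout keeps the file consistent.

```hcl
data aws_iam_policy_document assume-role-policy {
  statement {
    # … unchanged: sid, effect, actions, principals …
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}
```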


@ -0,0 +1,16 @@
variable "customer-name" {}
variable "environment" {}
variable "project" {}
variable "application" {}
variable "aws-region-short" {}
variable "default-tags" {}
variable "cloudtrail-retain-days" {
type = number
default = 90
}
locals {
ct-bucket-name = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}-ctbucket-${data.aws_caller_identity.this.account_id}"
resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
}
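Review bot: `cloudtrail-retain-days` and the `ct-bucket-name` local in this variables file duplicate the CloudTrail module's declarations and nothing in the job-function-roles file added by this commit references them, so they look like copy-paste carried over from that module; the same appears to hold for `project`, `application` and `aws-region-short`, since the roles only read `environment`, `customer-name` and `default-tags`. Trimming the module to the inputs it consumes, and giving each surviving variable a `description`, would make the module's contract clear and keep the calling module block honest about what it needs.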