From a0de86d92e21ed6a3a7b94ed3be35fb29f865ced Mon Sep 17 00:00:00 2001
From: xpk
Date: Tue, 23 Feb 2021 16:10:28 +0800
Subject: [PATCH] NEW: rackspace role

---
 .../rackspace-role/main.tf | 108 ++++++++++++++++++
 .../rackspace-role/variables.tf | 2 +
 2 files changed, 110 insertions(+)
 create mode 100644 modules/security_identity_compliance/rackspace-role/main.tf
 create mode 100644 modules/security_identity_compliance/rackspace-role/variables.tf

diff --git a/modules/security_identity_compliance/rackspace-role/main.tf b/modules/security_identity_compliance/rackspace-role/main.tf
new file mode 100644
index 0000000..dee40fc
--- /dev/null
+++ b/modules/security_identity_compliance/rackspace-role/main.tf
@@ -0,0 +1,108 @@
+data aws_caller_identity this {}
+
+data aws_iam_policy_document assume-role-policy {
+ statement {
+ sid = "RackspaceRoleTrustPolicy"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ identifiers = ["507897595701"]
+ type = "AWS"
+ }
+
+ condition {
+ test = "StringEquals"
+ values = [var.rackspace-role-external-id]
+ variable = "sts:ExternalId"
+ }
+
+ // IP addresses from 210218-ord-0000704
+ condition {
+ test = "IpAddress"
+ values = [
+ "103.251.196.229/32",
+ "104.130.34.10/31",
+ "108.166.30.184/29",
+ "119.9.33.76/31",
+ "119.9.34.76/32",
+ "119.9.63.37/31",
+ "120.136.32.96/28",
+ "161.47.149.40/31",
+ "173.203.4.160/29",
+ "180.150.145.101/32",
+ "184.106.36.113/32",
+ "198.247.174.254/32",
+ "198.54.240.38/31",
+ "202.168.209.40/32",
+ "202.168.209.55/31",
+ "206.188.29.84/30",
+ "212.100.225.41/32",
+ "212.64.133.101/31",
+ "212.64.133.96/29",
+ "216.252.194.205/32",
+ "217.72.240.100/32",
+ "217.72.241.224/27",
+ "217.72.241.40/30",
+ "4.15.234.50/30",
+ "50.56.228.101/31",
+ "50.56.228.64/26",
+ "50.56.229.0/24",
+ "50.56.230.0/26",
+ "50.56.230.140/32",
+ "50.56.230.87/31",
+ "52.10.115.132/32",
+ "52.40.141.99/32",
+ "63.131.143.173/32",
+ "64.106.130.93/32",
+ "64.106.131.0/27",
+ "64.106.131.248/29",
+ "64.27.120.64/28",
+ "66.151.187.234/31",
+ "66.70.118.224/27",
+ "66.70.123.0/26",
+ "66.70.65.182/32",
+ "69.20.46.238/31",
+ "72.3.128.198/32",
+ "72.3.161.16/28",
+ "72.32.180.176/29",
+ "72.36.238.244/32",
+ "72.4.120.192/28",
+ "78.136.22.232/32",
+ "78.136.22.238/31",
+ "83.138.138.214/32",
+ "85.133.14.26/31",
+ "85.133.30.136/30",
+ "89.234.23.52/32",
+ "92.52.76.135/32",
+ "92.52.76.140/32",
+ "94.236.3.80/29",
+ "94.236.7.176/28"
+ ]
+ variable = "aws:SourceIp"
+ }
+
+ }
+}
+
+resource aws_iam_role rackspace-role {
+ name = "Rackspace"
+ description = "Read access for Rackspace role"
+ tags = var.default-tags
+ assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
+ max_session_duration = 7200
+}
+
+# Attach managed policies
+locals {
+ managed_policies = [
+ "arn:aws:iam::aws:policy/SecurityAudit",
+ "arn:aws:iam::aws:policy/job-function/SupportUser",
+ "arn:aws:iam::aws:policy/ReadOnlyAccess"
+ ]
+}
+
+resource "aws_iam_role_policy_attachment" "attach-managed-policies" {
+ count = length(local.managed_policies)
+ role = aws_iam_role.rackspace-role.name
+ policy_arn = local.managed_policies[count.index]
+}
\ No newline at end of file
diff --git a/modules/security_identity_compliance/rackspace-role/variables.tf b/modules/security_identity_compliance/rackspace-role/variables.tf
new file mode 100644
index 0000000..6174de0
--- /dev/null
+++ b/modules/security_identity_compliance/rackspace-role/variables.tf
@@ -0,0 +1,2 @@
+variable default-tags {}
+variable rackspace-role-external-id {}
\ No newline at end of file
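Review bot: The `ReadOnlyAccess` entry in `local.managed_policies` at the end of the main.tf hunk grants considerably more than the role's `description = "Read access for Rackspace role"` implies: as AWS currently publishes it, that policy includes data-plane reads such as `s3:Get*`, `dynamodb:Scan`/`Query`, `ssm:Get*` and `lambda:Get*`, so the third-party principal assuming this role can pull object contents, table rows, parameter values and function code rather than just resource configuration. If metadata visibility is the goal, replace it with `"arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"`; if data reads are genuinely required, keep it but attach an explicit Deny on `s3:GetObject`, `dynamodb:GetItem`/`Scan`/`Query` and `ssm:GetParameter*`, and record which was chosen in the `description`. `data aws_caller_identity this {}` on the first line of the hunk is never referenced and can be deleted. The CIDR list under `aws:SourceIp` is pinned to ticket 210218-ord-0000704 with no provenance beyond that comment; lifting it into a `list(string)` variable with this list as the default lets it be rotated without editing the trust policy, and because `IpAddress` fails closed when the caller's address is not in the list, a stale list surfaces as AssumeRole denials rather than as an exposure.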
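Review bot: `variable rackspace-role-external-id {}` in variables.tf carries no `type`, `description` or validation even though main.tf interpolates it straight into the `sts:ExternalId` condition of the trust policy; an empty or one-character value is accepted by Terraform but can never be matched, because the STS AssumeRole API requires an ExternalId of at least two characters, so the role silently becomes unassumable. Declare both variables with types and give the external ID a `validation` block enforcing that minimum; if the module targets Terraform 0.14 or later, `sensitive = true` also keeps the value out of plan output, though it still lands in state and in the rendered trust policy, which anyone with `iam:GetRole` can read. `default-tags` is passed to the role's `tags` argument, so `map(string)` is the natural type for it.
```hcl
variable default-tags {
  type = map(string)
}

variable rackspace-role-external-id {
  type        = string
  description = "External ID Rackspace must present when calling sts:AssumeRole on this role"
  sensitive   = true

  validation {
    condition     = length(trimspace(var.rackspace-role-external-id)) >= 2
    error_message = "The rackspace-role-external-id value must be at least 2 non-blank characters."
  }
}
```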