NEW: rackspace role

2021-02-23 16:10:28 +08:00 · 2021-02-23 16:10:28 +08:00 · a0de86d92e
commit a0de86d92e
parent a804af15db
2 changed files with 110 additions and 0 deletions
--- a/modules/security_identity_compliance/rackspace-role/main.tf
+++ b/modules/security_identity_compliance/rackspace-role/main.tf
@ -0,0 +1,108 @@
+data aws_caller_identity this {}
+
+data aws_iam_policy_document assume-role-policy {
+  statement {
+    sid = "RackspaceRoleTrustPolicy"
+    effect = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      identifiers = ["507897595701"]
+      type = "AWS"
+    }
+
+    condition {
+      test = "StringEquals"
+      values = [var.rackspace-role-external-id]
+      variable = "sts:ExternalId"
+    }
+
+    // IP addresses from 210218-ord-0000704
+    condition {
+      test = "IpAddress"
+      values = [
+        "103.251.196.229/32",
+        "104.130.34.10/31",
+        "108.166.30.184/29",
+        "119.9.33.76/31",
+        "119.9.34.76/32",
+        "119.9.63.37/31",
+        "120.136.32.96/28",
+        "161.47.149.40/31",
+        "173.203.4.160/29",
+        "180.150.145.101/32",
+        "184.106.36.113/32",
+        "198.247.174.254/32",
+        "198.54.240.38/31",
+        "202.168.209.40/32",
+        "202.168.209.55/31",
+        "206.188.29.84/30",
+        "212.100.225.41/32",
+        "212.64.133.101/31",
+        "212.64.133.96/29",
+        "216.252.194.205/32",
+        "217.72.240.100/32",
+        "217.72.241.224/27",
+        "217.72.241.40/30",
+        "4.15.234.50/30",
+        "50.56.228.101/31",
+        "50.56.228.64/26",
+        "50.56.229.0/24",
+        "50.56.230.0/26",
+        "50.56.230.140/32",
+        "50.56.230.87/31",
+        "52.10.115.132/32",
+        "52.40.141.99/32",
+        "63.131.143.173/32",
+        "64.106.130.93/32",
+        "64.106.131.0/27",
+        "64.106.131.248/29",
+        "64.27.120.64/28",
+        "66.151.187.234/31",
+        "66.70.118.224/27",
+        "66.70.123.0/26",
+        "66.70.65.182/32",
+        "69.20.46.238/31",
+        "72.3.128.198/32",
+        "72.3.161.16/28",
+        "72.32.180.176/29",
+        "72.36.238.244/32",
+        "72.4.120.192/28",
+        "78.136.22.232/32",
+        "78.136.22.238/31",
+        "83.138.138.214/32",
+        "85.133.14.26/31",
+        "85.133.30.136/30",
+        "89.234.23.52/32",
+        "92.52.76.135/32",
+        "92.52.76.140/32",
+        "94.236.3.80/29",
+        "94.236.7.176/28"
+      ]
+      variable = "aws:SourceIp"
+    }
+
+  }
+}
+
+resource aws_iam_role rackspace-role {
+  name = "Rackspace"
+  description = "Read access for Rackspace role"
+  tags = var.default-tags
+  assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
+  max_session_duration = 7200
+}
+
+# Attach managed policies
+locals {
+  managed_policies = [
+    "arn:aws:iam::aws:policy/SecurityAudit",
+    "arn:aws:iam::aws:policy/job-function/SupportUser",
+    "arn:aws:iam::aws:policy/ReadOnlyAccess"
+  ]
+}
+
+resource "aws_iam_role_policy_attachment" "attach-managed-policies" {
+  count      = length(local.managed_policies)
+  role       = aws_iam_role.rackspace-role.name
+  policy_arn = local.managed_policies[count.index]
+}
--- a/modules/security_identity_compliance/rackspace-role/variables.tf
+++ b/modules/security_identity_compliance/rackspace-role/variables.tf
@ -0,0 +1,2 @@
+variable default-tags {}
+variable rackspace-role-external-id {}