UPD: moved selfservice policy to module

This commit is contained in:
KF 2022-10-19 19:11:13 +08:00
parent 3ff617b388
commit bcf760b5b0
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86
2 changed files with 29 additions and 22 deletions


@ -8,36 +8,16 @@ module iam-user {
default-tags = local.default-tags default-tags = local.default-tags
iam-user-name = var.iam-user-name iam-user-name = var.iam-user-name
iam-user-policy = data.aws_iam_policy_document.user-policy.json iam-user-policy = ""
iam-user-policy-name = "SelfServicePermissions" iam-user-policy-name = "SelfServicePermissions"
create-access-key = false create-access-key = false
create-password = false create-password = false
managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"] managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
create-group = true create-group = true
add-to-groups = []
iam-group-name = var.iam-group-name iam-group-name = var.iam-group-name
} }
data aws_iam_policy_document user-policy {
statement {
sid = "ManageOwnCredentials"
actions = [
"iam:ChangePassword",
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKey",
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ListMFA*",
"iam:ListVirtualMFA*",
"iam:ResyncMFADevice"
]
effect = "Allow"
resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
}
}
output iam-user-arn { output iam-user-arn {
value = module.iam-user.iam-user-arn value = module.iam-user.iam-user-arn
} }
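Review bot: The module call at line 17 still passes `iam-user-policy-name = "SelfServicePermissions"` while the module's new inline policy (second file, line 53) hard-codes `name = "SelfServicePermissions"` for the same user, so two `aws_iam_user_policy` resources target one user/policy-name pair and each apply would overwrite the other's document (PutUserPolicy is an upsert). Rename one of them or drop the variable-driven policy from this call, since the self-service rules now live in the module. Line 16 also sets `iam-user-policy = ""`, which flows straight into `policy = var.iam-user-policy` on line 50 of the second file; unless that resource is gated on the variable being non-empty, which is not visible in this hunk, an empty policy document will be rejected at apply time. Note that the moved document in the second file keeps `arn:aws:iam::account-id:user/...` with a literal `account-id` and the action `iam:ListAccessKey` (the real action is `iam:ListAccessKeys`), so the self-service grant will not match the user it is meant for; inside the module `resources = [aws_iam_user.iam-user.arn]` would fix the ARN without a placeholder.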


@ -16,6 +16,33 @@ resource "aws_iam_user_policy" "iam-user-policy" {
policy = var.iam-user-policy policy = var.iam-user-policy
} }
resource "aws_iam_user_policy" iam-user-selfservice-policy {
name = "SelfServicePermissions"
user = aws_iam_user.iam-user.name
policy = data.aws_iam_policy_document.user-policy.json
}
data aws_iam_policy_document user-policy {
statement {
sid = "ManageOwnCredentials"
actions = [
"iam:ChangePassword",
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKey",
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ListMFA*",
"iam:ListVirtualMFA*",
"iam:ResyncMFADevice"
]
effect = "Allow"
resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
}
}
resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" { resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" {
count = var.create-group ? 0: length(var.managed-policy-arns) count = var.create-group ? 0: length(var.managed-policy-arns)
user = aws_iam_user.iam-user.name user = aws_iam_user.iam-user.name