UPD: changed to for_each

KF 2022-10-19 20:01:04 +08:00
parent 9002bbed80
commit c866a877b6
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86
2 changed files with 45 additions and 18 deletions


@ -10,11 +10,38 @@ resource "aws_iam_access_key" "iam-user-access-key" {
pgp_key = var.pgp-key pgp_key = var.pgp-key
} }
resource "aws_iam_user_policy" "iam-user-policy" { #resource "aws_iam_user_policy" "iam-user-policy" {
count = var.create-group ? 0 : 1 # count = var.create-group ? 0 : 1
name = var.iam-user-policy-name # name = var.iam-user-policy-name
# user = aws_iam_user.iam-user.name
# policy = var.iam-user-policy
#}
resource "aws_iam_user_policy" iam-user-selfservice-policy {
name = "SelfServicePermissions"
user = aws_iam_user.iam-user.name user = aws_iam_user.iam-user.name
policy = var.iam-user-policy policy = data.aws_iam_policy_document.user-policy.json
}
data aws_iam_policy_document user-policy {
statement {
sid = "ManageOwnCredentials"
actions = [
"iam:ChangePassword",
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKey",
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ListMFA*",
"iam:ListVirtualMFA*",
"iam:ResyncMFADevice"
]
effect = "Allow"
resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
}
} }
resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" { resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" {
@ -41,25 +68,25 @@ resource aws_iam_group iam-group {
} }
resource aws_iam_group_membership new-group-membership { resource aws_iam_group_membership new-group-membership {
count = length(aws_iam_group.iam-group) for_each = aws_iam_group.iam-group
name = aws_iam_group.iam-group[0].name name = "MembershipToNewGroups"
group = aws_iam_group.iam-group[0].name group = each.value
users = [aws_iam_user.iam-user.name] users = [aws_iam_user.iam-user.name]
} }
resource aws_iam_group_membership existing-group-membership { resource aws_iam_group_membership existing-group-membership {
count = length(var.add-to-groups) for_each = var.add-to-groups
name = var.add-to-groups[count.index] name = "MembershipToExistingGroups"
group = var.add-to-groups[count.index] group = each.value
users = [aws_iam_user.iam-user.name] users = [aws_iam_user.iam-user.name]
} }
resource "aws_iam_group_policy" "iam-group-policy" { #resource "aws_iam_group_policy" "iam-group-policy" {
count = var.create-group ? 1 : 0 # count = var.create-group ? 1 : 0
name = "SelfServiceAccess" # name = "SelfServiceAccess"
group = aws_iam_group.iam-group[0].name # group = aws_iam_group.iam-group[0].name
policy = var.iam-user-policy # policy = var.iam-user-policy
} #}
resource "aws_iam_group_policy_attachment" "iam-group-managed-policies" { resource "aws_iam_group_policy_attachment" "iam-group-managed-policies" {
count = var.create-group ? length(var.managed-policy-arns) : 0 count = var.create-group ? length(var.managed-policy-arns) : 0
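Review bot: The resource ARN in the new `user-policy` document, `arn:aws:iam::account-id:user/${var.iam-user-name}`, embeds the literal text `account-id` instead of the account number, so the self-service statement never matches the user it is attached to; use `resources = [aws_iam_user.iam-user.arn]` (or build the ARN from `data.aws_caller_identity.current.account_id`) so the policy stays correct across accounts. In the same statement `"iam:ListAccessKey"` is not an IAM action — the action is `iam:ListAccessKeys` — and IAM accepts an unknown action name without error, so the user would silently be unable to list their own keys. The MFA actions (`iam:CreateVirtualMFADevice`, `iam:EnableMFADevice`, `iam:ResyncMFADevice`, the `ListVirtualMFA*` wildcard) act on the `mfa/` ARN rather than the `user/` ARN, so they most likely need their own statement with an `arn:aws:iam::<account>:mfa/${var.iam-user-name}` resource — confirm against the provider docs before relying on the MFA part of this policy. Separately, the `for_each = aws_iam_group.iam-group` in the second hunk (and again in the second file) points at a resource that is still indexed with `[0]` later in the same file, i.e. a `count` list, which `for_each` rejects, and `group = each.value` would then be the whole object rather than its name; `for_each = var.add-to-groups` has the same problem unless that variable is declared as a set of strings (`toset(var.add-to-groups)` otherwise).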


@ -84,9 +84,9 @@ resource aws_iam_group iam-group {
} }
resource aws_iam_group_membership new-group-membership { resource aws_iam_group_membership new-group-membership {
count = length(aws_iam_group.iam-group) for_each = aws_iam_group.iam-group
name = "MembershipToNewGroups" name = "MembershipToNewGroups"
group = aws_iam_group.iam-group[0].name group = each.value
users = [aws_iam_user.iam-user.name] users = [aws_iam_user.iam-user.name]
} }