diff --git a/modules/security_identity_compliance/aws_config/provider.tf b/modules/security_identity_compliance/aws_config/provider.tf
new file mode 100644
index 0000000..2387c08
--- /dev/null
+++ b/modules/security_identity_compliance/aws_config/provider.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = "~> 1.2.5"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 3.75.2"
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/security_identity_compliance/terraform-user/main.tf b/modules/security_identity_compliance/terraform-user/main.tf
new file mode 100644
index 0000000..c5ddd0b
--- /dev/null
+++ b/modules/security_identity_compliance/terraform-user/main.tf
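Review bot: `required_version = "~> 1.2.5"` confines this module to Terraform 1.2.x, while the sibling `terraform-user/provider.tf` added in the same commit requires `>= 1.3.0`, so no single Terraform binary can run a root module that instantiates both. The provider constraints split the same way (`~> 3.75.2` here versus `>= 4.40` there), and `>= 4.40` with no upper bound lets a fresh `init` without a lock file select any future major release, which defeats the purpose of pinning in a module that mints IAM credentials. Pick one baseline for the repository and bound it on both sides, e.g. `required_version = "~> 1.3"` and `version = "~> 4.40"`, then generate and commit the dependency lock file so the provider actually used is the one that was reviewed.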
@@ -0,0 +1,96 @@
+module "terraform-user" {
+ source = "../iam-user"
+
+ create-access-key = true
+ create-password = false
+ default-tags = var.default-tags
+ iam-user-name = "${var.user-name}-${formatdate("YYYYMMDD_hhmm", timestamp())}"
+ managed-policy-arns = lookup(local.CannedPoliciesByServiceCategory, var.service-category)
+ pgp-key = var.gpg-key
+}
+
+locals {
+ CannedPoliciesByServiceCategory = {
+ NetworkingContentDelivery = [
+ "arn:aws:iam::aws:policy/NetworkAdministrator",
+ "arn:aws:iam::aws:policy/AmazonRoute53FullAccess",
+ "arn:aws:iam::aws:policy/GlobalAcceleratorFullAccess"
+ ]
+ SecurityIdentityCompliance = [
+ "arn:aws:iam::aws:policy/IAMFullAccess",
+ "arn:aws:iam::aws:policy/SecurityAudit",
+ "arn:aws:iam::aws:policy/AWSSecurityHubFullAccess",
+ "arn:aws:iam::aws:policy/AmazonGuardDutyFullAccess",
+ "arn:aws:iam::aws:policy/AmazonInspectorFullAccess",
+ "arn:aws:iam::aws:policy/AWSSSODirectoryAdministrator",
+ "arn:aws:iam::aws:policy/AWSOrganizationsFullAccess",
+ "arn:aws:iam::aws:policy/WellArchitectedConsoleFullAccess",
+ "arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser",
+ "arn:aws:iam::aws:policy/AWSDirectoryServiceFullAccess"
+ ]
+ ManagementGovernance = [
+ "arn:aws:iam::aws:policy/CloudWatchFullAccess",
+ "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess",
+ "arn:aws:iam::aws:policy/CloudWatchEventsFullAccess",
+ "arn:aws:iam::aws:policy/AmazonEventBridgeFullAccess",
+ "arn:aws:iam::aws:policy/AmazonSSMFullAccess",
+ "arn:aws:iam::aws:policy/AWSResourceAccessManagerFullAccess",
+ "arn:aws:iam::aws:policy/AWSOrganizationsFullAccess",
+ "arn:aws:iam::aws:policy/AmazonSQSFullAccess",
+ "arn:aws:iam::aws:policy/AmazonSNSFullAccess",
+ "arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"
+ ]
+ Compute = [
+ "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
+ "arn:aws:iam::aws:policy/AmazonWorkSpacesAdmin",
+ "arn:aws:iam::aws:policy/AWSMarketplaceFullAccess",
+ "arn:aws:iam::aws:policy/AutoScalingFullAccess",
+ "arn:aws:iam::aws:policy/AWSImageBuilderFullAccess",
+ "arn:aws:iam::aws:policy/AWSBackupFullAccess"
+ ]
+ Containers = [
+ "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess",
+ "arn:aws:iam::aws:policy/AmazonECS_FullAccess",
+ "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
+ ]
+ Storage = [
+ "arn:aws:iam::aws:policy/AmazonS3FullAccess",
+ "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
+ "arn:aws:iam::aws:policy/AmazonElasticFileSystemFullAccess",
+ "arn:aws:iam::aws:policy/AmazonFSxFullAccess",
+ "arn:aws:iam::aws:policy/AmazonGlacierFullAccess",
+ "arn:aws:iam::aws:policy/AWSBackupFullAccess"
+ ]
+ Database = [
+ "arn:aws:iam::aws:policy/DatabaseAdministrator",
+ "arn:aws:iam::aws:policy/AWSBackupFullAccess"
+ ]
+ DeveloperTools = [
+ "arn:aws:iam::aws:policy/AWSCodeCommitFullAccess",
+ "arn:aws:iam::aws:policy/AWSCodeBuildAdminAccess",
+ "arn:aws:iam::aws:policy/AWSCodePipeline_FullAccess"
+ ]
+ Analytics = [
+ "arn:aws:iam::aws:policy/AmazonOpenSearchServiceFullAccess",
+ "arn:aws:iam::aws:policy/AmazonMSKFullAccess",
+ "arn:aws:iam::aws:policy/AmazonEMRFullAccessPolicy_v2",
+ "arn:aws:iam::aws:policy/AmazonRedshiftFullAccess"
+ ]
+ MachineLearning = [
+ "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess",
+ "arn:aws:iam::aws:policy/AmazonMachineLearningFullAccess",
+ "arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess",
+ "arn:aws:iam::aws:policy/AWSStepFunctionsFullAccess"
+ ]
+ Serverless = [
+ "arn:aws:iam::aws:policy/AWSLambda_FullAccess",
+ "arn:aws:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk",
+ "arn:aws:iam::aws:policy/AmazonAPIGatewayAdministrator",
+ "arn:aws:iam::aws:policy/AWSDirectoryServiceFullAccess",
+ "arn:aws:iam::aws:policy/AmazonSESFullAccess",
+ "arn:aws:iam::aws:policy/AmazonWorkSpacesAdmin"
+ ]
+ }
+
+
+}
\ No newline at end of file
diff --git a/modules/security_identity_compliance/terraform-user/outputs.tf b/modules/security_identity_compliance/terraform-user/outputs.tf
new file mode 100644
index 0000000..e83d263
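Review bot: The `SecurityIdentityCompliance` list attaches `IAMFullAccess` (and `AWSOrganizationsFullAccess`) to a user that is created with a long-lived access key (`create-access-key = true`), which turns that key into de facto account-administrator credentials: whoever holds it can create further users, attach `AdministratorAccess`, or change Organizations policies, so the careful scoping of every other category is moot if this one key leaks. Replace `IAMFullAccess` with a policy scoped to the resources this user actually manages, or at least constrain the user with a permissions boundary (whether the `../iam-user` module accepts one is not visible here), and document the blast radius inline, e.g. `# WARNING: IAMFullAccess permits privilege escalation to full account admin; gate behind a permissions boundary`. Separately, `iam-user-name` embeds `timestamp()`, which Terraform evaluates afresh on every plan, so each `apply` will propose replacing the user and rotating its key and old key material is destroyed without a controlled handover; if the suffix is meant to be assigned once, take it from a stable input instead, otherwise simply `iam-user-name = var.user-name`. The `Storage` and `Containers` lists also include `AmazonEC2FullAccess`, which is far broader than storage or container administration needs; confirm that is intentional.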
--- /dev/null
+++ b/modules/security_identity_compliance/terraform-user/outputs.tf
@@ -0,0 +1,6 @@
+output keys {
+ value = {
+ access-key = module.terraform-user.iam-user-access-key-pgp
+ secret-key = module.terraform-user.iam-user-secret-key-pgp
+ }
+}
diff --git a/modules/security_identity_compliance/terraform-user/provider.tf b/modules/security_identity_compliance/terraform-user/provider.tf
new file mode 100644
index 0000000..6bdf7d8
--- /dev/null
+++ b/modules/security_identity_compliance/terraform-user/provider.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.3.0"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.40"
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/security_identity_compliance/terraform-user/variables.tf b/modules/security_identity_compliance/terraform-user/variables.tf
new file mode 100644
index 0000000..65844df
--- /dev/null
+++ b/modules/security_identity_compliance/terraform-user/variables.tf
@@ -0,0 +1,7 @@
+variable default-tags {}
+variable user-name {
+ type = string
+ default = "terraform-role"
+}
+variable service-category {}
+variable gpg-key {}
\ No newline at end of file
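Review bot: The `keys` output exposes the new user's credential material but is not marked `sensitive = true`, so Terraform prints it in plan and apply output and any CI wrapper that echoes outputs will capture it in logs; the module's own `required_version = ">= 1.3.0"` guarantees the attribute is available. Add `sensitive = true` next to `value`, and add a `description` stating what the consumer is receiving, since the `-pgp` suffix on both attributes only suggests they are ciphertext for the supplied GPG key and an AWS access key ID is normally not encrypted, so whether `access-key` is plaintext or ciphertext should be stated rather than inferred from the name. The upstream `iam-user` module that defines these attributes is outside this diff, so confirm the encryption behaviour there before documenting it.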
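Review bot: `service-category` is declared untyped with no `validation`, so a misspelled category only surfaces as a `lookup` error pointing at `local.CannedPoliciesByServiceCategory` in main.tf rather than at the input that caused it; declare it `type = string` with a `validation` block that restricts it to the category names main.tf defines and a `description` listing them (the block is longer than three lines, so it is described here rather than quoted). `default-tags` and `gpg-key` should likewise carry explicit types (`map(string)` and `string`) and descriptions, since every caller of this module is handing it material that ends up on an IAM user. The `user-name` default `"terraform-role"` is misleading because the module creates an IAM user with a static access key, not a role; `default = "terraform-user"` matches what is actually created.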