NEW: pushing in some old stuff

2024-02-09 10:20:29 +08:00 · 2024-02-09 10:20:29 +08:00 · eb01ee1c4f
commit eb01ee1c4f
parent 8096205acf
5 changed files with 127 additions and 0 deletions
--- a/modules/security_identity_compliance/aws_config/provider.tf
+++ b/modules/security_identity_compliance/aws_config/provider.tf
@ -0,0 +1,9 @@
+terraform {
+  required_version = "~> 1.2.5"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.75.2"
+    }
+  }
+}
--- a/modules/security_identity_compliance/terraform-user/main.tf
+++ b/modules/security_identity_compliance/terraform-user/main.tf
@ -0,0 +1,96 @@
+module "terraform-user" {
+  source = "../iam-user"
+
+  create-access-key   = true
+  create-password     = false
+  default-tags        = var.default-tags
+  iam-user-name       = "${var.user-name}-${formatdate("YYYYMMDD_hhmm", timestamp())}"
+  managed-policy-arns = lookup(local.CannedPoliciesByServiceCategory, var.service-category)
+  pgp-key             = var.gpg-key
+}
+
+locals {
+  CannedPoliciesByServiceCategory = {
+    NetworkingContentDelivery = [
+      "arn:aws:iam::aws:policy/NetworkAdministrator",
+      "arn:aws:iam::aws:policy/AmazonRoute53FullAccess",
+      "arn:aws:iam::aws:policy/GlobalAcceleratorFullAccess"
+    ]
+    SecurityIdentityCompliance = [
+      "arn:aws:iam::aws:policy/IAMFullAccess",
+      "arn:aws:iam::aws:policy/SecurityAudit",
+      "arn:aws:iam::aws:policy/AWSSecurityHubFullAccess",
+      "arn:aws:iam::aws:policy/AmazonGuardDutyFullAccess",
+      "arn:aws:iam::aws:policy/AmazonInspectorFullAccess",
+      "arn:aws:iam::aws:policy/AWSSSODirectoryAdministrator",
+      "arn:aws:iam::aws:policy/AWSOrganizationsFullAccess",
+      "arn:aws:iam::aws:policy/WellArchitectedConsoleFullAccess",
+      "arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser",
+      "arn:aws:iam::aws:policy/AWSDirectoryServiceFullAccess"
+    ]
+    ManagementGovernance = [
+      "arn:aws:iam::aws:policy/CloudWatchFullAccess",
+      "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess",
+      "arn:aws:iam::aws:policy/CloudWatchEventsFullAccess",
+      "arn:aws:iam::aws:policy/AmazonEventBridgeFullAccess",
+      "arn:aws:iam::aws:policy/AmazonSSMFullAccess",
+      "arn:aws:iam::aws:policy/AWSResourceAccessManagerFullAccess",
+      "arn:aws:iam::aws:policy/AWSOrganizationsFullAccess",
+      "arn:aws:iam::aws:policy/AmazonSQSFullAccess",
+      "arn:aws:iam::aws:policy/AmazonSNSFullAccess",
+      "arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"
+    ]
+    Compute = [
+      "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
+      "arn:aws:iam::aws:policy/AmazonWorkSpacesAdmin",
+      "arn:aws:iam::aws:policy/AWSMarketplaceFullAccess",
+      "arn:aws:iam::aws:policy/AutoScalingFullAccess",
+      "arn:aws:iam::aws:policy/AWSImageBuilderFullAccess",
+      "arn:aws:iam::aws:policy/AWSBackupFullAccess"
+    ]
+    Containers = [
+      "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess",
+      "arn:aws:iam::aws:policy/AmazonECS_FullAccess",
+      "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
+    ]
+    Storage = [
+      "arn:aws:iam::aws:policy/AmazonS3FullAccess",
+      "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
+      "arn:aws:iam::aws:policy/AmazonElasticFileSystemFullAccess",
+      "arn:aws:iam::aws:policy/AmazonFSxFullAccess",
+      "arn:aws:iam::aws:policy/AmazonGlacierFullAccess",
+      "arn:aws:iam::aws:policy/AWSBackupFullAccess"
+    ]
+    Database = [
+      "arn:aws:iam::aws:policy/DatabaseAdministrator",
+      "arn:aws:iam::aws:policy/AWSBackupFullAccess"
+    ]
+    DeveloperTools = [
+      "arn:aws:iam::aws:policy/AWSCodeCommitFullAccess",
+      "arn:aws:iam::aws:policy/AWSCodeBuildAdminAccess",
+      "arn:aws:iam::aws:policy/AWSCodePipeline_FullAccess"
+    ]
+    Analytics = [
+      "arn:aws:iam::aws:policy/AmazonOpenSearchServiceFullAccess",
+      "arn:aws:iam::aws:policy/AmazonMSKFullAccess",
+      "arn:aws:iam::aws:policy/AmazonEMRFullAccessPolicy_v2",
+      "arn:aws:iam::aws:policy/AmazonRedshiftFullAccess"
+    ]
+    MachineLearning = [
+      "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess",
+      "arn:aws:iam::aws:policy/AmazonMachineLearningFullAccess",
+      "arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess",
+      "arn:aws:iam::aws:policy/AWSStepFunctionsFullAccess"
+    ]
+    Serverless = [
+      "arn:aws:iam::aws:policy/AWSLambda_FullAccess",
+      "arn:aws:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk",
+      "arn:aws:iam::aws:policy/AmazonAPIGatewayAdministrator",
+      "arn:aws:iam::aws:policy/AWSDirectoryServiceFullAccess",
+      "arn:aws:iam::aws:policy/AmazonSESFullAccess",
+      "arn:aws:iam::aws:policy/AmazonWorkSpacesAdmin"
+    ]
+  }
+
+
+}
--- a/modules/security_identity_compliance/terraform-user/outputs.tf
+++ b/modules/security_identity_compliance/terraform-user/outputs.tf
@ -0,0 +1,6 @@
+output keys {
+  value = {
+    access-key = module.terraform-user.iam-user-access-key-pgp
+    secret-key = module.terraform-user.iam-user-secret-key-pgp
+  }
+}
--- a/modules/security_identity_compliance/terraform-user/provider.tf
+++ b/modules/security_identity_compliance/terraform-user/provider.tf
@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.3.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.40"
+    }
+  }
+}
--- a/modules/security_identity_compliance/terraform-user/variables.tf
+++ b/modules/security_identity_compliance/terraform-user/variables.tf
@ -0,0 +1,7 @@
+variable default-tags {}
+variable user-name {
+  type = string
+  default = "terraform-role"
+}
+variable service-category {}
+variable gpg-key {}