UPD: decoupled IAM group from the IAM user module; created new iam-group module

This commit is contained in:
KF 2022-10-19 22:09:15 +08:00
parent c866a877b6
commit f11b4fbc44
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86
6 changed files with 69 additions and 51 deletions


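--- /dev/null
+++ b/PLACEHOLDER-PATH (not shown on page): iam-user module README
@@ -0,0 +1,24 @@
+# iam-user module
+Module for creating IAM user. Credentials, if any, will be stored in secretsmanager
+## Example
+```terraform
+module iam-user {
+source = "../../modules/security_identity_compliance/iam-user"
+default-tags = local.default-tags
+iam-user-name = var.iam-user-name
+iam-user-policy = ""
+iam-user-policy-name = "SelfServicePermissions"
+create-access-key = false
+create-password = false
+managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
+create-group = true
+add-to-groups = []
+iam-group-name = var.iam-group-name
+}
+output iam-user-arn {
+value = module.iam-user.iam-user-arn
+}
+```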


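--- /dev/null
+++ b/PLACEHOLDER-PATH (not shown on page): iam-group module main.tf
@@ -0,0 +1,17 @@
+resource "aws_iam_group" "iam-group" {
+name = var.iam-group-name
+}
+resource "aws_iam_group_policy" "iam-group-policy-new-group" {
+count = var.iam-group-policy != "" ? 1 : 0
+name = var.iam-group-policy-name
+group = aws_iam_group.iam-group.name
+policy = var.iam-group-policy
+}
+resource "aws_iam_group_policy_attachment" "iam-group-managed-policies" {
+count = length(var.managed-policy-arns) > 0 ? 1 : 0
+group = aws_iam_group.iam-group.name
+policy_arn = var.managed-policy-arns[count.index]
+}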
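Review bot: The `count` on `aws_iam_group_policy_attachment.iam-group-managed-policies` evaluates to at most 1, so only `var.managed-policy-arns[0]` is ever attached and every further ARN in the list is silently dropped, while the `policy_arn = var.managed-policy-arns[count.index]` lookup is written for one instance per ARN; the matching count is `count = length(var.managed-policy-arns)`, which is also the form the iam-user module's `aws_iam_user_policy_attachment` uses. Silently attaching fewer permissions than declared is the kind of drift that is only noticed when an operator compares the group in the console against the module inputs, so it is worth a plan-time test with two ARNs. A short header comment on the inline-policy resource, `# Inline group policy is optional: an empty iam-group-policy string creates no aws_iam_group_policy`, would make the two-resource permission model explicit for module consumers.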


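--- /dev/null
+++ b/PLACEHOLDER-PATH (not shown on page): iam-group module outputs.tf
@@ -0,0 +1,7 @@
+output iam-group-name {
+value = aws_iam_group.iam-group.name
+}
+output iam-group-arn {
+value = aws_iam_group.iam-group.arn
+}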


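--- /dev/null
+++ b/PLACEHOLDER-PATH (not shown on page): iam-group module variables.tf
@@ -0,0 +1,5 @@
+variable default-tags {}
+variable managed-policy-arns {}
+variable iam-group-name {}
+variable iam-group-policy {}
+variable iam-group-policy-name {}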
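Review bot: None of the five variables declares a `type` or `default`, so `var.managed-policy-arns` and `var.iam-group-policy` — both consumed by `count` expressions in the new module's main.tf — are mandatory inputs even for a group that should carry no policy at all, and a wrong-shaped value is only caught at plan time. Declaring `variable managed-policy-arns { type = list(string) default = [] }` and `variable iam-group-policy { type = string default = "" }` makes those conditionals usable without input and lets Terraform reject a non-list or non-string early. `default-tags` is declared but not read anywhere in the group module's main.tf shown in this commit; if it is kept for interface parity with the iam-user module, a comment saying so (`# accepted for parity with iam-user; aws_iam_group has no tags argument`) would stop the next reader from looking for the missing reference.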


@ -9,21 +9,20 @@ resource "aws_iam_access_key" "iam-user-access-key" {
user = aws_iam_user.iam-user.name user = aws_iam_user.iam-user.name
} }
# need to work on attaching additional user policy resource "aws_iam_user_policy" "iam-user-policy" {
#resource "aws_iam_user_policy" "iam-user-policy" { count = var.iam-user-policy != "" ? 1 : 0
# count = var.create-group ? 0 : 1 name = var.iam-user-policy-name
# name = var.iam-user-policy-name user = aws_iam_user.iam-user.name
# user = aws_iam_user.iam-user.name policy = var.iam-user-policy
# policy = var.iam-user-policy }
#}
resource "aws_iam_user_policy" iam-user-selfservice-policy { resource "aws_iam_user_policy" "iam-user-selfservice-policy" {
name = "SelfServicePermissions" name = "SelfServicePermissions"
user = aws_iam_user.iam-user.name user = aws_iam_user.iam-user.name
policy = data.aws_iam_policy_document.user-policy.json policy = data.aws_iam_policy_document.user-policy.json
} }
data aws_iam_policy_document user-policy { data "aws_iam_policy_document" "user-policy" {
statement { statement {
sid = "ManageOwnCredentials" sid = "ManageOwnCredentials"
@ -39,13 +38,13 @@ data aws_iam_policy_document user-policy {
"iam:ResyncMFADevice" "iam:ResyncMFADevice"
] ]
effect = "Allow" effect = "Allow"
resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"] resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
} }
} }
resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" { resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" {
count = var.create-group ? 0: length(var.managed-policy-arns) count = length(var.add-to-groups) > 0 ? 0 : length(var.managed-policy-arns)
user = aws_iam_user.iam-user.name user = aws_iam_user.iam-user.name
policy_arn = var.managed-policy-arns[count.index] policy_arn = var.managed-policy-arns[count.index]
} }
@ -78,36 +77,10 @@ resource "aws_secretsmanager_secret_version" "iam-user-secret" {
}) })
} }
resource aws_iam_group iam-group { resource "aws_iam_group_membership" "group-membership" {
count = var.create-group ? 1 : 0 for_each = toset(var.add-to-groups)
name = var.iam-group-name name = "MembershipToExistingGroups"
} group = each.value
users = [aws_iam_user.iam-user.name]
resource aws_iam_group_membership new-group-membership {
for_each = aws_iam_group.iam-group
name = "MembershipToNewGroups"
group = each.value
users = [aws_iam_user.iam-user.name]
}
resource aws_iam_group_membership existing-group-membership {
for_each = var.add-to-groups
name = "MembershipToExistingGroups"
group = each.value
users = [aws_iam_user.iam-user.name]
}
# need to work on attaching additional group policy
#resource "aws_iam_group_policy" "iam-group-policy" {
# count = var.create-group ? 1 : 0
# name = "SelfServiceAccess"
# group = aws_iam_group.iam-group[0].name
# policy = var.iam-user-policy
#}
resource "aws_iam_group_policy_attachment" "iam-group-managed-policies" {
count = var.create-group ? length(var.managed-policy-arns) : 0
group = aws_iam_group.iam-group[0].name
policy_arn = var.managed-policy-arns[count.index]
} }
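Review bot: With the new `count` on `aws_iam_user_policy_attachment.iam-user-managed-policies`, a non-empty `add-to-groups` suppresses every direct managed-policy attachment, but the group-side `aws_iam_group_policy_attachment` that previously consumed those ARNs is removed from this module and the new `aws_iam_group_membership.group-membership` only adds the user to the named groups, so a caller supplying both inputs now gets `managed-policy-arns` attached nowhere unless the groups were built with the same list through the new iam-group module. A comment on that count line, `# managed policies attach directly only when the user joins no groups; group permissions are owned by the iam-group module`, would record the intended split. The README example added in this commit still passes `create-group = true` and `iam-group-name`, both of which this commit deletes from the iam-user variables, so the example will be rejected as unsupported arguments as written. Separately, the unchanged `resources` line in `data.aws_iam_policy_document.user-policy` uses the literal `account-id` in the user ARN, so the self-service statement never matches the real principal; `data.aws_caller_identity.current.account_id` (from a `data "aws_caller_identity" "current" {}` block) supplies the account. The `user-policy` document and the resources around it begin and end outside the visible hunks.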


@ -8,14 +8,6 @@ variable create-password {
} }
variable default-tags {} variable default-tags {}
variable managed-policy-arns {} variable managed-policy-arns {}
variable create-group {
type = bool
}
variable iam-group-name {
type = string
default = ""
}
variable add-to-groups { variable add-to-groups {
type = list type = list
default = [] default = []