# Identity of the account/principal applying this configuration. It is not
# referenced anywhere in this file; presumably used elsewhere in the module —
# confirm before removing.
data "aws_caller_identity" "this" {}
# Trust policy for the Rackspace access role. Principals in Rackspace's AWS
# account may assume the role only when BOTH conditions below hold: the shared
# external ID (confused-deputy mitigation) and a source IP on the allowlist.
data "aws_iam_policy_document" "assume-role-policy" {
  statement {
    sid     = "RackspaceRoleTrustPolicy"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    # A bare account ID as an "AWS" principal means the account root, i.e. any
    # IAM principal in that account that is itself permitted to call
    # sts:AssumeRole. The two conditions below are the only further scoping.
    principals {
      type        = "AWS"
      identifiers = ["507897595701"]
    }

    # The external ID must match exactly; its value is supplied by the caller
    # through var.rackspace-role-external-id.
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.rackspace-role-external-id]
    }

    # Source IP allowlist (IPv4 only). The IpAddress operator evaluates to
    # false when aws:SourceIp is absent from the request context (for example
    # a request arriving through a VPC endpoint), so such requests are denied.
    // IP addresses from 210218-ord-0000704
    condition {
      test     = "IpAddress"
      variable = "aws:SourceIp"
      values = [
        "103.251.196.229/32",
        "104.130.34.10/31",
        "108.166.30.184/29",
        "119.9.33.76/31",
        "119.9.34.76/32",
        "119.9.63.37/31",
        "120.136.32.96/28",
        "161.47.149.40/31",
        "173.203.4.160/29",
        "180.150.145.101/32",
        "184.106.36.113/32",
        "198.247.174.254/32",
        "198.54.240.38/31",
        "202.168.209.40/32",
        "202.168.209.55/31",
        "206.188.29.84/30",
        "212.100.225.41/32",
        "212.64.133.101/31",
        "212.64.133.96/29",
        "216.252.194.205/32",
        "217.72.240.100/32",
        "217.72.241.224/27",
        "217.72.241.40/30",
        "4.15.234.50/30",
        "50.56.228.101/31",
        "50.56.228.64/26",
        "50.56.229.0/24",
        "50.56.230.0/26",
        "50.56.230.140/32",
        "50.56.230.87/31",
        "52.10.115.132/32",
        "52.40.141.99/32",
        "63.131.143.173/32",
        "64.106.130.93/32",
        "64.106.131.0/27",
        "64.106.131.248/29",
        "64.27.120.64/28",
        "66.151.187.234/31",
        "66.70.118.224/27",
        "66.70.123.0/26",
        "66.70.65.182/32",
        "69.20.46.238/31",
        "72.3.128.198/32",
        "72.3.161.16/28",
        "72.32.180.176/29",
        "72.36.238.244/32",
        "72.4.120.192/28",
        "78.136.22.232/32",
        "78.136.22.238/31",
        "83.138.138.214/32",
        "85.133.14.26/31",
        "85.133.30.136/30",
        "89.234.23.52/32",
        "92.52.76.135/32",
        "92.52.76.140/32",
        "94.236.3.80/29",
        "94.236.7.176/28",
      ]
    }
  }
}
# The role Rackspace assumes. Who may assume it is governed by the trust
# policy document above; what it can do comes from the managed policies
# attached further down.
resource "aws_iam_role" "rackspace-role" {
  name               = "Rackspace"
  description        = "Read access for Rackspace role"
  assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json

  # Sessions may last up to 2 hours (the provider/AWS default ceiling is
  # 1 hour). Credentials obtained via role chaining are still capped at 1 hour.
  max_session_duration = 7200

  tags = var.default-tags
}
# Attach managed policies
# AWS-managed policies granted to the Rackspace role. Note that ReadOnlyAccess
# covers data reads as well as configuration reads (e.g. s3:Get* includes
# s3:GetObject); ViewOnlyAccess is the metadata-only alternative if data
# access is not intended. SupportUser additionally allows opening and managing
# AWS Support cases.
locals {
  managed_policies = [
    "arn:aws:iam::aws:policy/SecurityAudit",
    "arn:aws:iam::aws:policy/job-function/SupportUser",
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
  ]
}
# One attachment per entry in local.managed_policies. Because `count` keys
# the instances by list position, removing an entry from the middle of the
# list shifts the indexes and re-creates every attachment after it (a brief
# permission gap on apply). Append new policies at the end, or migrate to
# for_each with explicit state moves if the list is expected to churn.
resource "aws_iam_role_policy_attachment" "attach-managed-policies" {
  count = length(local.managed_policies)

  role       = aws_iam_role.rackspace-role.name
  policy_arn = local.managed_policies[count.index]
}