terraform.aws-baseline-infra/modules/security_identity_compliance/five-deployer-roles/main.tf

data "aws_default_tags" "this" {
  lifecycle {
    postcondition {
      condition     = length(self.tags) >= 1
      error_message = "Validation failed: Provider default_tags not set."
    }
  }
}

data "aws_iam_policy_document" "assume-role-policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = [var.role-trusted-entity-arn]
    }
  }
}

resource "aws_iam_role" "SecurityDeployer" {
  name                 = "SecurityDeployer"
  description          = "Admin access to IAM, KMS, SecretsManager, ec2 Key Pair"
  max_session_duration = var.max_session_duration
  assume_role_policy   = data.aws_iam_policy_document.assume-role-policy.json
}

resource "aws_iam_role_policy" "SecurityDeployerPolicy" {
  name = "SecurityDeployerPolicy"
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Action" : [
          "iam:*",
          "secretsmanager:*",
          "ec2:ImportKeyPair",
          "kms:*",
          "ec2:CreateKeyPair",
          "ec2:DescribeKeyPairs",
          "ec2:DeleteKeyPair",
          "acm:*",
          "config:*",
          "guardduty:*",
          "inspector2:*",
          "securityhub:*",
          "shield:*",
          "sso:*",
          "organizations:*"
        ],
        "Resource" : "*"
      }
    ]
    }
  )
  role = aws_iam_role.SecurityDeployer.id
}

resource "aws_iam_role" "NetworkDeployer" {
  name                 = "NetworkDeployer"
  description          = "Admin access to VPC, SecurityGroup, Route53"
  max_session_duration = var.max_session_duration
  assume_role_policy   = data.aws_iam_policy_document.assume-role-policy.json
}

# iam:PassRole required to create flowlogs
resource "aws_iam_role_policy" "NetworkDeployerPolicy" {
  name = "NetworkDeployerPolicy"
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Action" : [
          "iam:PassRole",
          "ec2:AcceptVpcEndpointConnections",
          "ec2:AllocateAddress",
          "ec2:AssignIpv6Addresses",
          "ec2:AssignPrivateIpAddresses",
          "ec2:AssociateAddress",
          "ec2:AssociateDhcpOptions",
          "ec2:AssociateRouteTable",
          "ec2:AssociateSubnetCidrBlock",
          "ec2:AssociateVpcCidrBlock",
          "ec2:AttachInternetGateway",
          "ec2:AttachNetworkInterface",
          "ec2:AttachVpnGateway",
          "ec2:CreateCarrierGateway",
          "ec2:CreateCustomerGateway",
          "ec2:CreateDefaultSubnet",
          "ec2:CreateDefaultVpc",
          "ec2:CreateDhcpOptions",
          "ec2:CreateEgressOnlyInternetGateway",
          "ec2:CreateFlowLogs",
          "ec2:CreateInternetGateway",
          "ec2:CreateNatGateway",
          "ec2:CreateNetworkAcl",
          "ec2:CreateNetworkAclEntry",
          "ec2:CreateNetworkInterface",
          "ec2:CreateNetworkInterfacePermission",
          "ec2:CreatePlacementGroup",
          "ec2:CreateRoute",
          "ec2:CreateRouteTable",
          "ec2:CreateSecurityGroup",
          "ec2:CreateSubnet",
          "ec2:CreateTags",
          "ec2:CreateVpc",
          "ec2:CreateVpcEndpoint",
          "ec2:CreateVpcEndpointConnectionNotification",
          "ec2:CreateVpcEndpointServiceConfiguration",
          "ec2:CreateVpnConnection",
          "ec2:CreateVpnConnectionRoute",
          "ec2:CreateVpnGateway",
          "ec2:DeleteCarrierGateway",
          "ec2:DeleteEgressOnlyInternetGateway",
          "ec2:DeleteFlowLogs",
          "ec2:DeleteNatGateway",
          "ec2:DeleteNetworkInterface",
          "ec2:DeleteNetworkInterfacePermission",
          "ec2:DeletePlacementGroup",
          "ec2:DeleteSubnet",
          "ec2:DeleteTags",
          "ec2:DeleteVpc",
          "ec2:DeleteVpcEndpointConnectionNotifications",
          "ec2:DeleteVpcEndpointServiceConfigurations",
          "ec2:DeleteVpcEndpoints",
          "ec2:DeleteVpnConnection",
          "ec2:DeleteVpnConnectionRoute",
          "ec2:DeleteVpnGateway",
          "ec2:DescribeAccountAttributes",
          "ec2:DescribeAddresses",
          "ec2:DescribeAvailabilityZones",
          "ec2:DescribeCarrierGateways",
          "ec2:DescribeClassicLinkInstances",
          "ec2:DescribeCustomerGateways",
          "ec2:DescribeDhcpOptions",
          "ec2:DescribeEgressOnlyInternetGateways",
          "ec2:DescribeFlowLogs",
          "ec2:DescribeInstances",
          "ec2:DescribeInternetGateways",
          "ec2:DescribeKeyPairs",
          "ec2:DescribeMovingAddresses",
          "ec2:DescribeNatGateways",
          "ec2:DescribeNetworkAcls",
          "ec2:DescribeNetworkInterfaceAttribute",
          "ec2:DescribeNetworkInterfacePermissions",
          "ec2:DescribeNetworkInterfaces",
          "ec2:DescribePlacementGroups",
          "ec2:DescribePrefixLists",
          "ec2:DescribeRouteTables",
          "ec2:DescribeSecurityGroupReferences",
          "ec2:DescribeSecurityGroupRules",
          "ec2:DescribeSecurityGroups",
          "ec2:DescribeStaleSecurityGroups",
          "ec2:DescribeSubnets",
          "ec2:DescribeTags",
          "ec2:DescribeVpcAttribute",
          "ec2:DescribeVpcClassicLink",
          "ec2:DescribeVpcClassicLinkDnsSupport",
          "ec2:DescribeVpcEndpointConnectionNotifications",
          "ec2:DescribeVpcEndpointConnections",
          "ec2:DescribeVpcEndpointServiceConfigurations",
          "ec2:DescribeVpcEndpointServicePermissions",
          "ec2:DescribeVpcEndpointServices",
          "ec2:DescribeVpcEndpoints",
          "ec2:DescribeVpcPeeringConnections",
          "ec2:DescribeVpcs",
          "ec2:DescribeVpnConnections",
          "ec2:DescribeVpnGateways",
          "ec2:DescribePublicIpv4Pools",
          "ec2:DescribeIpv6Pools",
          "ec2:DetachInternetGateway",
          "ec2:DetachNetworkInterface",
          "ec2:DetachVpnGateway",
          "ec2:DisableVgwRoutePropagation",
          "ec2:DisableVpcClassicLinkDnsSupport",
          "ec2:DisassociateAddress",
          "ec2:DisassociateRouteTable",
          "ec2:DisassociateSubnetCidrBlock",
          "ec2:DisassociateVpcCidrBlock",
          "ec2:EnableVgwRoutePropagation",
          "ec2:EnableVpcClassicLinkDnsSupport",
          "ec2:ModifyNetworkInterfaceAttribute",
          "ec2:ModifySecurityGroupRules",
          "ec2:ModifySubnetAttribute",
          "ec2:ModifyVpcAttribute",
          "ec2:ModifyVpcEndpoint",
          "ec2:ModifyVpcEndpointConnectionNotification",
          "ec2:ModifyVpcEndpointServiceConfiguration",
          "ec2:ModifyVpcEndpointServicePermissions",
          "ec2:ModifyVpcPeeringConnectionOptions",
          "ec2:ModifyVpcTenancy",
          "ec2:MoveAddressToVpc",
          "ec2:RejectVpcEndpointConnections",
          "ec2:ReleaseAddress",
          "ec2:ReplaceNetworkAclAssociation",
          "ec2:ReplaceNetworkAclEntry",
          "ec2:ReplaceRoute",
          "ec2:ReplaceRouteTableAssociation",
          "ec2:ResetNetworkInterfaceAttribute",
          "ec2:RestoreAddressToClassic",
          "ec2:UnassignIpv6Addresses",
          "ec2:UnassignPrivateIpAddresses",
          "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
          "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
          "ec2:AcceptVpcPeeringConnection",
          "ec2:AttachClassicLinkVpc",
          "ec2:AuthorizeSecurityGroupEgress",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:CreateVpcPeeringConnection",
          "ec2:DeleteCustomerGateway",
          "ec2:DeleteDhcpOptions",
          "ec2:DeleteInternetGateway",
          "ec2:DeleteNetworkAcl",
          "ec2:DeleteNetworkAclEntry",
          "ec2:DeleteRoute",
          "ec2:DeleteRouteTable",
          "ec2:DeleteSecurityGroup",
          "ec2:DeleteVolume",
          "ec2:DeleteVpcPeeringConnection",
          "ec2:DetachClassicLinkVpc",
          "ec2:DisableVpcClassicLink",
          "ec2:EnableVpcClassicLink",
          "ec2:GetConsoleScreenshot",
          "ec2:RejectVpcPeeringConnection",
          "ec2:RevokeSecurityGroupEgress",
          "ec2:RevokeSecurityGroupIngress",
          "ec2:CreateLocalGatewayRoute",
          "ec2:CreateLocalGatewayRouteTableVpcAssociation",
          "ec2:DeleteLocalGatewayRoute",
          "ec2:DeleteLocalGatewayRouteTableVpcAssociation",
          "ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations",
          "ec2:DescribeLocalGatewayRouteTableVpcAssociations",
          "ec2:DescribeLocalGatewayRouteTables",
          "ec2:DescribeLocalGatewayVirtualInterfaceGroups",
          "ec2:DescribeLocalGatewayVirtualInterfaces",
          "ec2:DescribeLocalGateways",
          "ec2:SearchLocalGatewayRoutes",
          "ec2:AcceptTransitGatewayVpcAttachment",
          "ec2:AssociateTransitGatewayRouteTable",
          "ec2:CreateTransitGateway",
          "ec2:CreateTransitGatewayRoute",
          "ec2:CreateTransitGatewayRouteTable",
          "ec2:CreateTransitGatewayVpcAttachment",
          "ec2:DeleteTransitGateway",
          "ec2:DeleteTransitGatewayRoute",
          "ec2:DeleteTransitGatewayRouteTable",
          "ec2:DeleteTransitGatewayVpcAttachment",
          "ec2:DescribeTransitGatewayAttachments",
          "ec2:DescribeTransitGatewayRouteTables",
          "ec2:DescribeTransitGatewayVpcAttachments",
          "ec2:DescribeTransitGateways",
          "ec2:DisableTransitGatewayRouteTablePropagation",
          "ec2:DisassociateTransitGatewayRouteTable",
          "ec2:EnableTransitGatewayRouteTablePropagation",
          "ec2:ExportTransitGatewayRoutes",
          "ec2:GetTransitGatewayAttachmentPropagations",
          "ec2:GetTransitGatewayRouteTableAssociations",
          "ec2:GetTransitGatewayRouteTablePropagations",
          "ec2:ModifyTransitGateway",
          "ec2:ModifyTransitGatewayVpcAttachment",
          "ec2:RejectTransitGatewayVpcAttachment",
          "ec2:ReplaceTransitGatewayRoute",
          "ec2:SearchTransitGatewayRoutes",
          "route53domains:*",
          "route53resolver:*",
          "route53:*",
          "directconnect:*"
        ],
        "Resource" : "*"
      }
    ]
    }
  )
  role = aws_iam_role.NetworkDeployer.id
}

resource "aws_iam_role" "DatabaseDeployer" {
  name                 = "DatabaseDeployer"
  description          = "Admin access to databases"
  max_session_duration = var.max_session_duration
  assume_role_policy   = data.aws_iam_policy_document.assume-role-policy.json
}

resource "aws_iam_role_policy" "DatabaseDeployerPolicy" {
  name = "DatabaseDeployerPolicy"
  policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Action" : [
            "rds:*",
            "redshift:*",
            "elasticache:*",
            "kms:Get*",
            "kms:List*",
            "kms:Describe*"
          ],
          "Resource" : "*"
        }
      ]
    }
  )
  role = aws_iam_role.DatabaseDeployer.id
}

resource "aws_iam_role" "StorageDeployer" {
  name                 = "StorageDeployer"
  description          = "Admin access to S3, RDS, ElastiCache, ECR"
  max_session_duration = var.max_session_duration
  assume_role_policy   = data.aws_iam_policy_document.assume-role-policy.json
}

resource "aws_iam_role_policy" "StorageDeployerPolicy" {
  name = "StorageDeployerPolicy"
  policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Action" : [
            "s3:*",
            "ecr:*",
            "elasticfilesystem:*",
            "fsx:*",
            "kms:Get*",
            "kms:List*",
            "kms:Describe*"
          ],
          "Resource" : "*"
        }
      ]
    }
  )
  role = aws_iam_role.StorageDeployer.id
}

resource "aws_iam_role" "CommonDeployer" {
  name                 = "CommonDeployer"
  description          = "Admin access to all services except those allowed in other deployer roles"
  max_session_duration = var.max_session_duration
  assume_role_policy   = data.aws_iam_policy_document.assume-role-policy.json
}

resource "aws_iam_role_policy" "CommonDeployerPolicy" {
  name = "CommonDeployerPolicy"
  policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Sid" : "NegateSecurityDeployerPermissions",
          "Effect" : "Allow",
          "NotAction" : [
            "iam:*",
            "secretsmanager:*",
            "ec2:ImportKeyPair",
            "kms:EnableKey",
            "kms:ImportKeyMaterial",
            "kms:Decrypt",
            "kms:GenerateRandom",
            "kms:PutKeyPolicy",
            "kms:GenerateDataKeyWithoutPlaintext",
            "kms:Verify",
            "kms:CancelKeyDeletion",
            "kms:ReplicateKey",
            "kms:GenerateDataKeyPair",
            "kms:SynchronizeMultiRegionKey",
            "kms:DeleteCustomKeyStore",
            "kms:GenerateMac",
            "kms:UpdatePrimaryRegion",
            "kms:UpdateCustomKeyStore",
            "kms:Encrypt",
            "kms:ScheduleKeyDeletion",
            "kms:ReEncryptTo",
            "kms:CreateKey",
            "kms:ConnectCustomKeyStore",
            "kms:Sign",
            "kms:CreateGrant",
            "kms:EnableKeyRotation",
            "kms:UpdateKeyDescription",
            "kms:DeleteImportedKeyMaterial",
            "kms:GenerateDataKeyPairWithoutPlaintext",
            "kms:DisableKey",
            "kms:ReEncryptFrom",
            "kms:DisableKeyRotation",
            "kms:RetireGrant",
            "kms:VerifyMac",
            "kms:UpdateAlias",
            "kms:CreateCustomKeyStore",
            "kms:RevokeGrant",
            "kms:GenerateDataKey",
            "kms:CreateAlias",
            "kms:DisconnectCustomKeyStore",
            "kms:DeleteAlias",
            "ec2:CreateKeyPair",
            "ec2:DescribeKeyPairs",
            "ec2:DeleteKeyPair",
            "acm:*",
            "config:*",
            "guardduty:*",
            "inspector2:*",
            "securityhub:*",
            "shield:*",
            "sso:*",
            "organizations:*"
          ],
          "Resource" : "*"
        },
        {
          "Sid" : "NegateNetworkDeployerPermissions",
          "Effect" : "Allow",
          "NotAction" : [
            "ec2:AcceptVpcEndpointConnections",
            "ec2:AllocateAddress",
            "ec2:AssignIpv6Addresses",
            "ec2:AssignPrivateIpAddresses",
            "ec2:AssociateAddress",
            "ec2:AssociateDhcpOptions",
            "ec2:AssociateRouteTable",
            "ec2:AssociateSubnetCidrBlock",
            "ec2:AssociateVpcCidrBlock",
            "ec2:AttachInternetGateway",
            "ec2:AttachNetworkInterface",
            "ec2:AttachVpnGateway",
            "ec2:CreateCarrierGateway",
            "ec2:CreateCustomerGateway",
            "ec2:CreateDefaultSubnet",
            "ec2:CreateDefaultVpc",
            "ec2:CreateDhcpOptions",
            "ec2:CreateEgressOnlyInternetGateway",
            "ec2:CreateFlowLogs",
            "ec2:CreateInternetGateway",
            "ec2:CreateNatGateway",
            "ec2:CreateNetworkAcl",
            "ec2:CreateNetworkAclEntry",
            "ec2:CreateNetworkInterface",
            "ec2:CreateNetworkInterfacePermission",
            "ec2:CreatePlacementGroup",
            "ec2:CreateRoute",
            "ec2:CreateRouteTable",
            "ec2:CreateSecurityGroup",
            "ec2:CreateSubnet",
            "ec2:CreateTags",
            "ec2:CreateVpc",
            "ec2:CreateVpcEndpoint",
            "ec2:CreateVpcEndpointConnectionNotification",
            "ec2:CreateVpcEndpointServiceConfiguration",
            "ec2:CreateVpnConnection",
            "ec2:CreateVpnConnectionRoute",
            "ec2:CreateVpnGateway",
            "ec2:DeleteCarrierGateway",
            "ec2:DeleteEgressOnlyInternetGateway",
            "ec2:DeleteFlowLogs",
            "ec2:DeleteNatGateway",
            "ec2:DeleteNetworkInterface",
            "ec2:DeleteNetworkInterfacePermission",
            "ec2:DeletePlacementGroup",
            "ec2:DeleteSubnet",
            "ec2:DeleteTags",
            "ec2:DeleteVpc",
            "ec2:DeleteVpcEndpointConnectionNotifications",
            "ec2:DeleteVpcEndpointServiceConfigurations",
            "ec2:DeleteVpcEndpoints",
            "ec2:DeleteVpnConnection",
            "ec2:DeleteVpnConnectionRoute",
            "ec2:DeleteVpnGateway",
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeAddresses",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeCarrierGateways",
            "ec2:DescribeClassicLinkInstances",
            "ec2:DescribeCustomerGateways",
            "ec2:DescribeDhcpOptions",
            "ec2:DescribeEgressOnlyInternetGateways",
            "ec2:DescribeFlowLogs",
            "ec2:DescribeInstances",
            "ec2:DescribeInternetGateways",
            "ec2:DescribeKeyPairs",
            "ec2:DescribeMovingAddresses",
            "ec2:DescribeNatGateways",
            "ec2:DescribeNetworkAcls",
            "ec2:DescribeNetworkInterfaceAttribute",
            "ec2:DescribeNetworkInterfacePermissions",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DescribePlacementGroups",
            "ec2:DescribePrefixLists",
            "ec2:DescribeRouteTables",
            "ec2:DescribeSecurityGroupReferences",
            "ec2:DescribeSecurityGroupRules",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeStaleSecurityGroups",
            "ec2:DescribeSubnets",
            "ec2:DescribeTags",
            "ec2:DescribeVpcAttribute",
            "ec2:DescribeVpcClassicLink",
            "ec2:DescribeVpcClassicLinkDnsSupport",
            "ec2:DescribeVpcEndpointConnectionNotifications",
            "ec2:DescribeVpcEndpointConnections",
            "ec2:DescribeVpcEndpointServiceConfigurations",
            "ec2:DescribeVpcEndpointServicePermissions",
            "ec2:DescribeVpcEndpointServices",
            "ec2:DescribeVpcEndpoints",
            "ec2:DescribeVpcPeeringConnections",
            "ec2:DescribeVpcs",
            "ec2:DescribeVpnConnections",
            "ec2:DescribeVpnGateways",
            "ec2:DescribePublicIpv4Pools",
            "ec2:DescribeIpv6Pools",
            "ec2:DetachInternetGateway",
            "ec2:DetachNetworkInterface",
            "ec2:DetachVpnGateway",
            "ec2:DisableVgwRoutePropagation",
            "ec2:DisableVpcClassicLinkDnsSupport",
            "ec2:DisassociateAddress",
            "ec2:DisassociateRouteTable",
            "ec2:DisassociateSubnetCidrBlock",
            "ec2:DisassociateVpcCidrBlock",
            "ec2:EnableVgwRoutePropagation",
            "ec2:EnableVpcClassicLinkDnsSupport",
            "ec2:ModifyNetworkInterfaceAttribute",
            "ec2:ModifySecurityGroupRules",
            "ec2:ModifySubnetAttribute",
            "ec2:ModifyVpcAttribute",
            "ec2:ModifyVpcEndpoint",
            "ec2:ModifyVpcEndpointConnectionNotification",
            "ec2:ModifyVpcEndpointServiceConfiguration",
            "ec2:ModifyVpcEndpointServicePermissions",
            "ec2:ModifyVpcPeeringConnectionOptions",
            "ec2:ModifyVpcTenancy",
            "ec2:MoveAddressToVpc",
            "ec2:RejectVpcEndpointConnections",
            "ec2:ReleaseAddress",
            "ec2:ReplaceNetworkAclAssociation",
            "ec2:ReplaceNetworkAclEntry",
            "ec2:ReplaceRoute",
            "ec2:ReplaceRouteTableAssociation",
            "ec2:ResetNetworkInterfaceAttribute",
            "ec2:RestoreAddressToClassic",
            "ec2:UnassignIpv6Addresses",
            "ec2:UnassignPrivateIpAddresses",
            "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
            "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
            "ec2:AcceptVpcPeeringConnection",
            "ec2:AttachClassicLinkVpc",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:CreateVpcPeeringConnection",
            "ec2:DeleteCustomerGateway",
            "ec2:DeleteDhcpOptions",
            "ec2:DeleteInternetGateway",
            "ec2:DeleteNetworkAcl",
            "ec2:DeleteNetworkAclEntry",
            "ec2:DeleteRoute",
            "ec2:DeleteRouteTable",
            "ec2:DeleteSecurityGroup",
            "ec2:DeleteVolume",
            "ec2:DeleteVpcPeeringConnection",
            "ec2:DetachClassicLinkVpc",
            "ec2:DisableVpcClassicLink",
            "ec2:EnableVpcClassicLink",
            "ec2:GetConsoleScreenshot",
            "ec2:RejectVpcPeeringConnection",
            "ec2:RevokeSecurityGroupEgress",
            "ec2:RevokeSecurityGroupIngress",
            "ec2:CreateLocalGatewayRoute",
            "ec2:CreateLocalGatewayRouteTableVpcAssociation",
            "ec2:DeleteLocalGatewayRoute",
            "ec2:DeleteLocalGatewayRouteTableVpcAssociation",
            "ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations",
            "ec2:DescribeLocalGatewayRouteTableVpcAssociations",
            "ec2:DescribeLocalGatewayRouteTables",
            "ec2:DescribeLocalGatewayVirtualInterfaceGroups",
            "ec2:DescribeLocalGatewayVirtualInterfaces",
            "ec2:DescribeLocalGateways",
            "ec2:SearchLocalGatewayRoutes",
            "ec2:AcceptTransitGatewayVpcAttachment",
            "ec2:AssociateTransitGatewayRouteTable",
            "ec2:CreateTransitGateway",
            "ec2:CreateTransitGatewayRoute",
            "ec2:CreateTransitGatewayRouteTable",
            "ec2:CreateTransitGatewayVpcAttachment",
            "ec2:DeleteTransitGateway",
            "ec2:DeleteTransitGatewayRoute",
            "ec2:DeleteTransitGatewayRouteTable",
            "ec2:DeleteTransitGatewayVpcAttachment",
            "ec2:DescribeTransitGatewayAttachments",
            "ec2:DescribeTransitGatewayRouteTables",
            "ec2:DescribeTransitGatewayVpcAttachments",
            "ec2:DescribeTransitGateways",
            "ec2:DisableTransitGatewayRouteTablePropagation",
            "ec2:DisassociateTransitGatewayRouteTable",
            "ec2:EnableTransitGatewayRouteTablePropagation",
            "ec2:ExportTransitGatewayRoutes",
            "ec2:GetTransitGatewayAttachmentPropagations",
            "ec2:GetTransitGatewayRouteTableAssociations",
            "ec2:GetTransitGatewayRouteTablePropagations",
            "ec2:ModifyTransitGateway",
            "ec2:ModifyTransitGatewayVpcAttachment",
            "ec2:RejectTransitGatewayVpcAttachment",
            "ec2:ReplaceTransitGatewayRoute",
            "ec2:SearchTransitGatewayRoutes",
            "route53domains:*",
            "route53resolver:*",
            "route53:*",
            "directconnect:*"
          ],
          "Resource" : "*"
        },
        {
          "Sid" : "NegateDatabaseDeployerPermissions",
          "Effect" : "Allow",
          "NotAction" : [
            "rds:*",
            "redshift:*",
            "elasticache:*"
          ],
          "Resource" : "*"
        },
        {
          "Sid" : "NegateStorageDeployerPermissions",
          "Effect" : "Allow",
          "NotAction" : [
            "s3:*",
            "ecr:*",
            "elasticfilesystem:*",
            "fsx:*"
          ],
          "Resource" : "*"
        }
      ]
    }
  )
  role = aws_iam_role.CommonDeployer.id
}