# Developer role created in the staging account. The role and its trust
# policy are built by ./modules/developer-role, which is not visible in this
# file.
#
# The trusted entity is the *root* of the users account: that delegates to the
# users account's own IAM policies the decision of which of its principals may
# call sts:AssumeRole on this role. Any MFA or session condition on the trust
# would have to be set inside the module — confirm there.
module "developer_role_staging" {
  source = "./modules/developer-role"

  trusted_entity = "arn:aws:iam::${aws_organizations_account.users.id}:root"

  providers = {
    aws = aws.staging
  }
}
# Developer role created in the production account; same shape and same
# account-root trust as developer_role_staging, only the target provider
# differs. Whether production should carry a stricter trust (e.g. an MFA
# condition) than staging is decided inside ./modules/developer-role, which
# is not visible here.
module "developer_role_production" {
  source = "./modules/developer-role"

  trusted_entity = "arn:aws:iam::${aws_organizations_account.users.id}:root"

  providers = {
    aws = aws.production
  }
}
# IAM group in the users account for people who may assume the staging
# developer role. The role ARN is handed to ./modules/developer-group via
# assume_role_arns; the policy it produces is not visible here, so confirm it
# is scoped to exactly these ARNs and not to a wildcard.
module "developer_group_staging" {
  source = "./modules/developer-group"

  group_name = "DevelopersStaging"

  assume_role_arns = [
    module.developer_role_staging.role_arn,
  ]

  providers = {
    aws = aws.users
  }
}
# IAM group in the users account for people who may assume the production
# developer role. Kept as a separate group from DevelopersStaging so that
# membership — and therefore production access — can be granted
# independently.
module "developer_group_production" {
  source = "./modules/developer-group"

  group_name = "DevelopersProduction"

  assume_role_arns = [
    module.developer_role_production.role_arn,
  ]

  providers = {
    aws = aws.users
  }
}
# Group in the users account that collects the permissions a user needs to
# look after their own credentials (password, MFA, service-specific
# credentials). The individual permissions are attached by the
# aws_iam_group_policy_attachment resources below.
resource "aws_iam_group" "self_managing" {
  provider = aws.users

  name = "SelfManaging"
}
# AWS managed policy granting read access to IAM in the users account. Note
# this is account-wide read (all users, groups, roles and policies), not just
# the caller's own identity, so it is broader than the group's name suggests;
# presumably needed so users can see their own MFA devices and keys — confirm
# whether a self-scoped read policy would be sufficient.
resource "aws_iam_group_policy_attachment" "iam_read_only_access" {
  provider = aws.users

  group      = aws_iam_group.self_managing.name
  policy_arn = "arn:aws:iam::aws:policy/IAMReadOnlyAccess"
}
# AWS managed policy letting a user create, rotate and delete their own
# service-specific credentials.
resource "aws_iam_group_policy_attachment" "iam_self_manage_service_specific_credentials" {
  provider = aws.users

  group      = aws_iam_group.self_managing.name
  policy_arn = "arn:aws:iam::aws:policy/IAMSelfManageServiceSpecificCredentials"
}
# AWS managed policy letting a user change their own console password.
resource "aws_iam_group_policy_attachment" "iam_user_change_password" {
  provider = aws.users

  group      = aws_iam_group.self_managing.name
  policy_arn = "arn:aws:iam::aws:policy/IAMUserChangePassword"
}
# Customer managed policy for virtual MFA self-service, read verbatim from
# data/self_manage_vmfa.json. The JSON is not visible in this file; presumably
# it allows managing the caller's own virtual MFA device — confirm its
# Resource elements are scoped to the calling user rather than "*", since
# this is attached to every member of SelfManaging.
resource "aws_iam_policy" "self_manage_vmfa" {
  provider = aws.users

  name   = "SelfManageVMFA"
  policy = file("${path.module}/data/self_manage_vmfa.json")
}
# Attaches the SelfManageVMFA policy defined above to the SelfManaging group.
resource "aws_iam_group_policy_attachment" "self_manage_vmfa" {
  provider = aws.users

  group      = aws_iam_group.self_managing.name
  policy_arn = aws_iam_policy.self_manage_vmfa.arn
}