# Customer-managed policy for running Terraform (contents live in the
# module, not here). Its ARN is attached to laptop_user and helios_user below.
module "terraform_policy" {
  source = "./modules/terraform_policy"
}
# Policy consumed by ami_builder_role below; the permission set itself is
# defined in ./modules/ami_builder_policy and is not visible in this file.
module "ami_builder_policy" {
  source = "./modules/ami_builder_policy"
}
# Read-only EC2 describe policy (presumably ec2:Describe* — confirm in the
# module). Attached to jenkins_role below.
module "ec2_describe_policy" {
  source = "./modules/ec2_describe_policy"
}
# Full-privilege role: the only attached policy is the AWS-managed
# AdministratorAccess policy. It is listed in role_arns of chaos_user,
# laptop_user and helios_user below, so those three principals can reach
# admin through this role. The trust policy comes from ./modules/role
# (no trusted_services override here); whether it requires MFA on
# sts:AssumeRole is not visible in this file — worth confirming.
module "admin_role" {
  name   = "admin"
  source = "./modules/role"

  policy_arns = [
    "arn:aws:iam::aws:policy/AdministratorAccess",
  ]
}
# IAM user "chaos". No directly attached policies; its only grant is
# role_arns -> admin_role (presumably rendered as an sts:AssumeRole
# permission by ./modules/user — verify there). In effect this user is an
# administrator, so its long-lived credentials deserve the same handling
# as root-equivalent keys.
module "chaos_user" {
  user   = "chaos"
  source = "./modules/user"

  role_arns = [
    module.admin_role.arn,
  ]
}
# IAM user "laptop" — the broadest principal in this file. It can assume
# admin_role (full admin), ami_builder_role, jenkins_role and the two
# amisync lambda roles, and additionally carries direct read/bind/terraform
# policies. Because admin_role alone already implies everything else, the
# remaining grants mainly document intent rather than add reach.
# Modules referenced but not defined here (amisync_*, cloudtrail,
# tfstate_bucket, drawbridge_*, cloud_zone) live in other .tf files.
module "laptop_user" {
  user   = "laptop"
  source = "./modules/user"

  # Directly attached policies.
  policy_arns = [
    module.cloudtrail.bucket_read_policy_arn,
    module.terraform_policy.arn,
    module.tfstate_bucket.read_policy_arn,
    module.drawbridge_dev.policy_arn,
    module.drawbridge_stable.policy_arn,
    module.cloud_zone.bind_policy_arn,
  ]

  # Roles this user may assume (exact mechanism is in ./modules/user).
  role_arns = [
    module.admin_role.arn,
    module.ami_builder_role.arn,
    module.amisync_stable.lambda_role_arn,
    module.amisync_local.lambda_role_arn,
    module.jenkins_role.arn,
  ]
}
# IAM user "laptop-annex": narrowly scoped to writing into the two annex
# buckets (archive, photos). No role_arns, so no path to admin_role from
# here — a good example of the least-privilege shape the other users lack.
module "laptop_annex_user" {
  user   = "laptop-annex"
  source = "./modules/user"

  policy_arns = [
    module.annex_archive_bucket.write_policy_arn,
    module.annex_photos_bucket.write_policy_arn,
  ]
}
# IAM user "helios". Same direct policy set as laptop_user and the same
# admin_role assumption, minus the builder/jenkins/amisync roles. As with
# laptop_user, admin_role makes the direct policies redundant in reach;
# if this user only needs the read/terraform/bind policies, dropping
# admin_role from role_arns would be the least-privilege change to
# consider (not made here — intent is not visible in this file).
module "helios_user" {
  user   = "helios"
  source = "./modules/user"

  policy_arns = [
    module.cloudtrail.bucket_read_policy_arn,
    module.terraform_policy.arn,
    module.tfstate_bucket.read_policy_arn,
    module.drawbridge_dev.policy_arn,
    module.drawbridge_stable.policy_arn,
    module.cloud_zone.bind_policy_arn,
  ]

  role_arns = [
    module.admin_role.arn,
  ]
}
# IAM user "termux-phone": a mobile device, so deliberately limited to the
# drawbridge (dev + stable) policies and the cloud_zone bind policy.
# No role_arns — cannot reach admin_role.
module "termux_phone_user" {
  user   = "termux-phone"
  source = "./modules/user"

  policy_arns = [
    module.drawbridge_dev.policy_arn,
    module.drawbridge_stable.policy_arn,
    module.cloud_zone.bind_policy_arn,
  ]
}
# Role for AMI build hosts. create_instance_profile = true means the
# module also emits an instance profile (presumably so EC2 instances can
# wear this role — confirm in ./modules/role). Grants: the custom AMI
# builder policy plus write access to both artifact buckets and push
# access to both registries. Also assumable by laptop_user via role_arns.
module "ami_builder_role" {
  name                    = "ami-builder"
  source                  = "./modules/role"
  create_instance_profile = true

  policy_arns = [
    module.ami_builder_policy.arn,
    module.artifacts_bucket_stable.write_policy_arn,
    module.artifacts_bucket_local.write_policy_arn,
    module.registry_stable.push_policy_arn,
    module.registry_local.push_policy_arn,
  ]
}
# CI role for Jenkins hosts (instance profile emitted, as for
# ami_builder_role). Superset of ami_builder_role's bucket/registry write
# grants, plus EC2 describe, nix cache bucket write, the ability to run
# tasks on task_cluster_stable, and tmp bucket write. A CI runner with
# write access to artifact and registry outputs is a supply-chain-relevant
# principal; the policy contents are in the referenced modules, not here.
# Also assumable by laptop_user via role_arns.
module "jenkins_role" {
  name                    = "jenkins"
  source                  = "./modules/role"
  create_instance_profile = true

  policy_arns = [
    module.artifacts_bucket_stable.write_policy_arn,
    module.artifacts_bucket_local.write_policy_arn,
    module.registry_stable.push_policy_arn,
    module.registry_local.push_policy_arn,
    module.ec2_describe_policy.arn,
    module.nix_cache_bucket_stable.write_policy_arn,
    module.task_cluster_stable.run_policy_arn,
    module.tmp_bucket.write_policy_arn,
  ]
}
# Task role for Nix builds running as ECS tasks: trusted_services restricts
# the trust policy to ecs-tasks.amazonaws.com (presumably the sole
# Principal in AssumeRole — confirm in ./modules/role). No instance
# profile is requested. Write access only: both artifact buckets, the
# stable nix cache bucket and the tmp bucket. Not listed in any user's
# role_arns above.
module "nix_build_role" {
  name             = "nix-build"
  source           = "./modules/role"
  trusted_services = ["ecs-tasks.amazonaws.com"]

  policy_arns = [
    module.artifacts_bucket_stable.write_policy_arn,
    module.artifacts_bucket_local.write_policy_arn,
    module.nix_cache_bucket_stable.write_policy_arn,
    module.tmp_bucket.write_policy_arn,
  ]
}