# --------------------------------------------------------------------------------------------------
# Password Policy
# --------------------------------------------------------------------------------------------------
resource "aws_iam_account_password_policy" "default" {
  # Account-wide password policy for IAM users. Every setting is sourced from a
  # module variable (declared outside this file) so callers can tune it.

  # Length, rotation and history.
  minimum_password_length   = "${var.minimum_password_length}"
  max_password_age          = "${var.max_password_age}"
  password_reuse_prevention = "${var.password_reuse_prevention}"

  # Required character classes.
  require_uppercase_characters = "${var.require_uppercase_characters}"
  require_lowercase_characters = "${var.require_lowercase_characters}"
  require_numbers              = "${var.require_numbers}"
  require_symbols              = "${var.require_symbols}"

  # Whether users may rotate their own password through the console/API.
  allow_users_to_change_password = "${var.allow_users_to_change_password}"

  # NOTE(review): hard_expiry is not set here and therefore takes the provider
  # default — confirm that is the intended behaviour once max_password_age elapses.
}
# --------------------------------------------------------------------------------------------------
# Manager & Master Role Separation
# --------------------------------------------------------------------------------------------------
resource "aws_iam_role" "master" {
  # "Master" half of the role separation: the role that may create and delete
  # IAM entities (its permissions are defined in master_policy, same file).
  name = "${var.master_iam_role_name}"

  # Trust policy. The principal is the account root, which delegates the
  # decision to the IAM policies of whatever identity in that account calls
  # sts:AssumeRole. No MFA condition is placed on the trust itself; the
  # aws:MultiFactorAuthPresent check lives on the Allow statement of
  # master_policy, so the role is unusable (but still assumable) without MFA.
  assume_role_policy = <<END_OF_POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "arn:aws:iam::${var.aws_account_id}:root"
      }
    }
  ]
}
END_OF_POLICY
}
resource "aws_iam_role_policy" "master_policy" {
  # Inline permissions for the master role.
  #
  # Statement 1 (Allow, MFA-gated): create/delete IAM groups, policies, policy
  # versions, roles and users, put inline role policies, plus read-only
  # Get*/List* actions. The aws:MultiFactorAuthPresent condition means a
  # session without MFA context gets nothing from this statement.
  #
  # Statement 2 (Deny, unconditional): the actions that attach, detach or edit
  # permissions on existing entities. This list is the same set the manager
  # role is allowed (manager_policy, same file, minus the shared Get*/List*
  # actions), so the two roles cannot overlap even if extra policies are
  # attached later.
  #
  # NOTE(review): iam:AttachRolePolicy and iam:AttachUserPolicy appear in
  # neither role's Allow list, so both roles fall to the implicit deny for
  # those actions — confirm that is intended.
  name   = "${var.master_iam_role_policy_name}"
  role   = "${aws_iam_role.master.id}"
  policy = <<END_OF_POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateGroup", "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:CreateRole", "iam:CreateUser",
        "iam:DeleteGroup", "iam:DeletePolicy", "iam:DeletePolicyVersion", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DeleteUser",
        "iam:PutRolePolicy",
        "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:GetUser", "iam:GetUserPolicy",
        "iam:ListEntitiesForPolicy", "iam:ListGroupPolicies", "iam:ListGroups", "iam:ListGroupsForUser",
        "iam:ListPolicies", "iam:ListPoliciesGrantingServiceAccess", "iam:ListPolicyVersions",
        "iam:ListRolePolicies", "iam:ListAttachedGroupPolicies", "iam:ListAttachedRolePolicies",
        "iam:ListAttachedUserPolicies", "iam:ListRoles", "iam:ListUsers"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "iam:AddUserToGroup",
        "iam:AttachGroupPolicy",
        "iam:DeleteGroupPolicy", "iam:DeleteUserPolicy",
        "iam:DetachGroupPolicy", "iam:DetachRolePolicy", "iam:DetachUserPolicy",
        "iam:PutGroupPolicy", "iam:PutUserPolicy",
        "iam:RemoveUserFromGroup",
        "iam:UpdateGroup", "iam:UpdateAssumeRolePolicy", "iam:UpdateUser"
      ],
      "Resource": "*"
    }
  ]
}
END_OF_POLICY
}
resource "aws_iam_role" "manager" {
  # "Manager" half of the role separation: the role that may change the
  # permissions and membership of existing IAM entities but not create or
  # delete them (permissions are defined in manager_policy, same file).
  name = "${var.manager_iam_role_name}"

  # Trust policy: identical to the master role. The account-root principal
  # defers to the calling identity's own IAM permissions for sts:AssumeRole.
  # MFA is not enforced on the trust; manager_policy's Allow statement
  # requires aws:MultiFactorAuthPresent instead.
  assume_role_policy = <<END_OF_POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "arn:aws:iam::${var.aws_account_id}:root"
      }
    }
  ]
}
END_OF_POLICY
}
resource "aws_iam_role_policy" "manager_policy" {
  # Inline permissions for the manager role.
  #
  # Statement 1 (Allow, MFA-gated): group membership, attaching/detaching
  # managed policies on groups, put/delete of inline group and user policies,
  # detaching managed policies from roles and users, updates to groups, users
  # and role trust policies, plus the same read-only Get*/List* actions the
  # master role has. Without aws:MultiFactorAuthPresent the statement grants
  # nothing.
  #
  # Statement 2 (Deny, unconditional): the create/delete actions and
  # iam:PutRolePolicy — exactly the write actions the master role is allowed —
  # so the two roles stay disjoint regardless of other attached policies.
  #
  # NOTE(review): the Allow list contains iam:DetachRolePolicy and
  # iam:DetachUserPolicy but not the matching Attach actions, and neither role
  # lists those — confirm that managed policies are meant to be attachable to
  # roles/users only outside these two roles.
  name   = "${var.manager_iam_role_policy_name}"
  role   = "${aws_iam_role.manager.id}"
  policy = <<END_OF_POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:AddUserToGroup",
        "iam:AttachGroupPolicy",
        "iam:DeleteGroupPolicy", "iam:DeleteUserPolicy",
        "iam:DetachGroupPolicy", "iam:DetachRolePolicy", "iam:DetachUserPolicy",
        "iam:PutGroupPolicy", "iam:PutUserPolicy",
        "iam:RemoveUserFromGroup",
        "iam:UpdateGroup", "iam:UpdateAssumeRolePolicy", "iam:UpdateUser",
        "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:GetUser", "iam:GetUserPolicy",
        "iam:ListEntitiesForPolicy", "iam:ListGroupPolicies", "iam:ListGroups", "iam:ListGroupsForUser",
        "iam:ListPolicies", "iam:ListPoliciesGrantingServiceAccess", "iam:ListPolicyVersions",
        "iam:ListRolePolicies", "iam:ListAttachedGroupPolicies", "iam:ListAttachedRolePolicies",
        "iam:ListAttachedUserPolicies", "iam:ListRoles", "iam:ListUsers"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "iam:CreateGroup", "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:CreateRole", "iam:CreateUser",
        "iam:DeleteGroup", "iam:DeletePolicy", "iam:DeletePolicyVersion", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DeleteUser",
        "iam:PutRolePolicy"
      ],
      "Resource": "*"
    }
  ]
}
END_OF_POLICY
}
# --------------------------------------------------------------------------------------------------
# Support Role
# --------------------------------------------------------------------------------------------------
resource "aws_iam_role" "support" {
  # Dedicated role for opening and managing AWS Support cases. Its permissions
  # come from the AWSSupportAccess managed policy attached in support_policy.
  name = "${var.support_iam_role_name}"

  # Trust policy. Unlike the master/manager roles, the trusted principal is
  # whatever ARN the caller supplies in support_iam_role_principal_arn (a user,
  # role or account root). No MFA or other condition is applied here, and the
  # attached managed policy carries none either, so the principal alone is the
  # control on who can use this role.
  assume_role_policy = <<END_OF_POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "${var.support_iam_role_principal_arn}"
      }
    }
  ]
}
END_OF_POLICY
}
resource "aws_iam_role_policy_attachment" "support_policy" {
  # Attach the AWS-managed AWSSupportAccess policy to the support role.
  # aws_iam_role exports the role name as its id, which is what the `role`
  # argument of this resource expects.
  role       = "${aws_iam_role.support.id}"
  policy_arn = "arn:aws:iam::aws:policy/AWSSupportAccess"
}