#=====================================
# Viget admin role
#=====================================
# Admin IAM role for SAML 2.0 federation. Its trust policy is
# data.aws_iam_policy_document.admin_saml_assume_role_policy below, and the
# role receives AdministratorAccess via the attachment further down, so the
# SAML provider it trusts is effectively the account's administrative boundary.
# max_session_duration is not set, so the AWS default (1 hour) applies.
resource "aws_iam_role" "admin_federation_role" {
  name               = "viget_admin_federation_role"
  assume_role_policy = data.aws_iam_policy_document.admin_saml_assume_role_policy.json
  tags               = var.tags
}
# Trust policy: allows identities asserted by the admin SAML provider to assume
# the role. There is no per-user condition here, so which users the IdP maps to
# this role (and whether they complete MFA) is decided entirely in the IdP --
# that mapping is the access control to review for the admin role.
data "aws_iam_policy_document" "admin_saml_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRoleWithSAML"]
    effect  = "Allow"
    # Only assertions from this provider are accepted. aws_iam_saml_provider.admin
    # is defined elsewhere in the module; its IdP metadata is the trust anchor.
    principals {
      type        = "Federated"
      identifiers = [aws_iam_saml_provider.admin.arn]
    }
    # Require that the assertion's audience is the AWS sign-in endpoint, so an
    # assertion the IdP issued for some other service provider is not accepted here.
    condition {
      test     = "StringEquals"
      variable = "SAML:aud"
      values   = ["https://signin.aws.amazon.com/saml"]
    }
  }
}
# Attach the AWS-managed AdministratorAccess policy (Allow "*" on "*") to the
# admin federation role. Anyone the IdP maps to this role has full account access.
resource "aws_iam_role_policy_attachment" "admin_federation_role__aws_admin" {
  role       = aws_iam_role.admin_federation_role.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
#=====================================
# Viget developer role
#=====================================
# Developer IAM role for SAML 2.0 federation. Its trust policy is
# data.aws_iam_policy_document.developer_saml_assume_role_policy below and it
# receives PowerUserAccess via the attachment further down.
# max_session_duration is not set, so the AWS default (1 hour) applies.
resource "aws_iam_role" "developer_federation_role" {
  name               = "viget_developer_federation_role"
  assume_role_policy = data.aws_iam_policy_document.developer_saml_assume_role_policy.json
  tags               = var.tags
}
# Trust policy: allows identities asserted by the developer SAML provider to
# assume the role. As with the admin role, there is no per-user condition; the
# IdP's role mapping decides who can assume it.
data "aws_iam_policy_document" "developer_saml_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRoleWithSAML"]
    effect  = "Allow"
    # Only assertions from this provider are accepted. aws_iam_saml_provider.developer
    # is defined elsewhere in the module.
    principals {
      type        = "Federated"
      identifiers = [aws_iam_saml_provider.developer.arn]
    }
    # Require that the assertion's audience is the AWS sign-in endpoint.
    condition {
      test     = "StringEquals"
      variable = "SAML:aud"
      values   = ["https://signin.aws.amazon.com/saml"]
    }
  }
}
# Attach the AWS-managed PowerUserAccess policy to the developer federation role.
# PowerUserAccess grants broad service access while excluding IAM, Organizations
# and account management (with a few read-only IAM exceptions).
# NOTE(review): the managed policy does not restrict sts:*, so the role's
# effective ceiling also depends on the trust policies of other roles in the
# account -- confirm none of them trust the account principal broadly.
resource "aws_iam_role_policy_attachment" "developer_federation_role__aws_poweruser" {
  role       = aws_iam_role.developer_federation_role.name
  policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
}
#=====================================
# Viget pm role
#=====================================
# Project-manager IAM role for SAML 2.0 federation. Its trust policy is
# data.aws_iam_policy_document.pm_saml_assume_role_policy below; it receives
# ViewOnlyAccess and Billing via the two attachments further down.
# max_session_duration is not set, so the AWS default (1 hour) applies.
resource "aws_iam_role" "pm_federation_role" {
  name               = "viget_pm_federation_role"
  assume_role_policy = data.aws_iam_policy_document.pm_saml_assume_role_policy.json
  tags               = var.tags
}
# Trust policy: allows identities asserted by the pm SAML provider to assume the
# role. No per-user condition; the IdP's role mapping decides who can assume it.
data "aws_iam_policy_document" "pm_saml_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRoleWithSAML"]
    effect  = "Allow"
    # Only assertions from this provider are accepted. aws_iam_saml_provider.pm
    # is defined elsewhere in the module.
    principals {
      type        = "Federated"
      identifiers = [aws_iam_saml_provider.pm.arn]
    }
    # Require that the assertion's audience is the AWS sign-in endpoint.
    condition {
      test     = "StringEquals"
      variable = "SAML:aud"
      values   = ["https://signin.aws.amazon.com/saml"]
    }
  }
}
# Attach the AWS-managed job-function ViewOnlyAccess policy (list/describe/get
# style read-only actions across services) to the pm federation role.
resource "aws_iam_role_policy_attachment" "pm_federation_role__aws_viewer" {
  role       = aws_iam_role.pm_federation_role.name
  policy_arn = "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
}
# Attach the AWS-managed job-function Billing policy to the pm federation role
# so pm users can work with billing and cost management in addition to the
# read-only access granted above.
resource "aws_iam_role_policy_attachment" "pm_federation_role__aws_billing" {
  role       = aws_iam_role.pm_federation_role.name
  policy_arn = "arn:aws:iam::aws:policy/job-function/Billing"
}