diff --git a/iam.tf b/iam.tf index a7bf72a..605797b 100644 --- a/iam.tf +++ b/iam.tf @@ -1,4 +1,26 @@ -# Policies + +data "aws_caller_identity" "current" {} + +# Policy template +data "aws_iam_policy_document" "role_trust" { + statement { + actions = ["sts:AssumeRole"] + + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] + } + +# TODO: add policies for admins to manage their own mfa and enable after testing +# condition { +# test = "Bool" +# variable = "aws:MultiFactorAuthPresent" +# values = ["true"] +# } + } +} + +# Base Policies resource "aws_iam_account_password_policy" "strict" { minimum_password_length = 16 require_lowercase_characters = true @@ -10,7 +32,7 @@ resource "aws_iam_account_password_policy" "strict" { max_password_age = 90 } -# Users +# Create users resource "aws_iam_user" "nastevens" { name = "nastevens" } 
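Review bot: The `role_trust` document trusts `arn:aws:iam::${account_id}:root` while the `aws:MultiFactorAuthPresent` condition is left commented out, so as far as the trust policy is concerned any principal in this account that is granted `sts:AssumeRole` on the role can assume it with long-lived access keys and no second factor. The hunk already contains the condition in the correct shape (a `condition` block with `test = "Bool"`, `variable = "aws:MultiFactorAuthPresent"`, `values = ["true"]`), so it only needs uncommenting once the TODO's testing is done, and that should happen before the role is granted any permissions. The `# Policy template` comment mislabels what this is; `# Trust policy: who may assume roles defined in this account` describes the document. The `aws_iam_account_password_policy` resource that starts at the end of this hunk continues outside it.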
@@ -19,21 +41,52 @@ resource "aws_iam_user" "ryankurte" { name = "ryankurte" } -# Groups and group membership + +# Create adminstrator group resource "aws_iam_group" "administrators" { name = "Administrators" } +# Policy document for assume_role_admin +data "aws_iam_policy_document" "assume_role_admin" { + statement { + actions = ["sts:AssumeRole"] + resources = ["${aws_iam_role.administrators.arn}"] + } +} + +# Actual policy for assume_role_admin +resource "aws_iam_policy" "assume_role_admin" { + name = "administrators-permit-assume-role" + description = "Allow administrators to assume admin role" + policy = "${data.aws_iam_policy_document.assume_role_admin.json}" +} + +# Create administrators role with assume-admin policy +resource "aws_iam_role" "administrators" { + name = "assume-admin" + assume_role_policy = "${data.aws_iam_policy_document.role_trust.json}" +} + +# Attach assume admin policy to administrators group +resource "aws_iam_group_policy_attachment" "assume_role_admin" { + group = "${aws_iam_group.administrators.name}" + policy_arn = "${aws_iam_policy.assume_role_admin.arn}" +} + +# Attach admin policy to administrators group resource "aws_iam_group_policy_attachment" "administrators_admin" { group = "${aws_iam_group.administrators.name}" policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess" } +# Attach pasword change policy to administrators group resource "aws_iam_group_policy_attachment" "administrators_change_pw" { group = "${aws_iam_group.administrators.name}" policy_arn = "arn:aws:iam::aws:policy/IAMUserChangePassword" } +# Add members to group resource "aws_iam_group_membership" "administrators_membership" { name = "AdministratorsMembership" users = [ @@ -42,3 +95,4 @@ resource "aws_iam_group_membership" "administrators_membership" { ] group = "${aws_iam_group.administrators.name}" } + diff --git a/terraform.tfstate b/terraform.tfstate index d25c535..fc96a67 100644 --- a/terraform.tfstate +++ b/terraform.tfstate 
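Review bot: The `administrators` group keeps `AdministratorAccess` attached directly (`administrators_admin`) while also gaining `sts:AssumeRole` on the new `assume-admin` role, and nothing in this hunk attaches a permissions policy to `aws_iam_role.administrators`, so the role currently grants nothing and the direct attachment sidesteps whatever gate the trust policy is meant to enforce. If the intent is to put admin rights behind role assumption, the `AdministratorAccess` attachment should move to the role via `aws_iam_role_policy_attachment` and `aws_iam_group_policy_attachment.administrators_admin` should be dropped, leaving the group with only the assume-role and change-password policies; if the direct attachment is intentional for now, a comment saying so would stop the next reader from assuming the role is load-bearing. Two comment typos: `# Create adminstrator group` → `# Create administrator group`, `# Attach pasword change policy` → `# Attach password change policy`. The `administrators_membership` resource continues outside the hunk.
```hcl
# Attach admin policy to the assumable role rather than directly to the group
resource "aws_iam_role_policy_attachment" "administrators_admin" {
  role       = "${aws_iam_role.administrators.name}"
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

# … unchanged: assume_role_admin group attachment, change_pw attachment, membership …
```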
@@ -1,7 +1,7 @@
 {
 "version": 3,
 "terraform_version": "0.11.10",
- "serial": 16,
+ "serial": 17,
 "lineage": "06aae676-abab-bb3e-6cf0-33dcc3b68c52",
 "modules": [
 {
@@ -111,6 +111,71 @@ "deposed": [], "provider": "provider.aws" }, + "aws_iam_group_policy_attachment.assume_role_admin": { + "type": "aws_iam_group_policy_attachment", + "depends_on": [ + "aws_iam_group.administrators", + "aws_iam_policy.assume_role_admin" + ], + "primary": { + "id": "Administrators-20181108221230921900000001", + "attributes": { + "group": "Administrators", + "id": "Administrators-20181108221230921900000001", + "policy_arn": "arn:aws:iam::537658973298:policy/administrators-permit-assume-role" + }, + "meta": {}, + "tainted": false + }, + "deposed": [], + "provider": "provider.aws" + }, + "aws_iam_policy.assume_role_admin": { + "type": "aws_iam_policy", + "depends_on": [ + "data.aws_iam_policy_document.assume_role_admin" + ], + "primary": { + "id": "arn:aws:iam::537658973298:policy/administrators-permit-assume-role", + "attributes": { + "arn": "arn:aws:iam::537658973298:policy/administrators-permit-assume-role", + "description": "Allow administrators to assume admin role", + "id": "arn:aws:iam::537658973298:policy/administrators-permit-assume-role", + "name": "administrators-permit-assume-role", + "path": "/", + "policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Resource\": \"arn:aws:iam::537658973298:role/assume-admin\"\n }\n ]\n}" + }, + "meta": {}, + "tainted": false + }, + "deposed": [], + "provider": "provider.aws" + }, + "aws_iam_role.administrators": { + "type": "aws_iam_role", + "depends_on": [ + "data.aws_iam_policy_document.role_trust" + ], + "primary": { + "id": "assume-admin", + "attributes": { + "arn": "arn:aws:iam::537658973298:role/assume-admin", + "assume_role_policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::537658973298:root\"},\"Action\":\"sts:AssumeRole\"}]}", + "create_date": "2018-11-08T22:11:57Z", + "description": "", + "force_detach_policies": "false", + 
"id": "assume-admin", + "max_session_duration": "3600", + "name": "assume-admin", + "path": "/", + "unique_id": "AROAI6KC2I4SPDRJ4CKX4" + }, + "meta": {}, + "tainted": false + }, + "deposed": [], + "provider": "provider.aws" + }, "aws_iam_user.nastevens": { "type": "aws_iam_user", "depends_on": [], @@ -371,6 +436,7 @@ "id": "Z1Q9EUUS8L74PK", "attributes": { "comment": "Managed by Terraform", + "delegation_set_id": "", "force_destroy": "false", "id": "Z1Q9EUUS8L74PK", "name": "areweembeddedyet.com.", @@ -380,6 +446,9 @@ "name_servers.2": "ns-393.awsdns-49.com", "name_servers.3": "ns-683.awsdns-21.net", "tags.%": "0", + "vpc.#": "0", + "vpc_id": "", + "vpc_region": "", "zone_id": "Z1Q9EUUS8L74PK" }, "meta": {}, @@ -395,6 +464,7 @@ "id": "Z2GJVQBHJNLGYL", "attributes": { "comment": "Managed by Terraform", + "delegation_set_id": "", "force_destroy": "false", "id": "Z2GJVQBHJNLGYL", "name": "rust-embedded.com.", @@ -404,6 +474,9 @@ "name_servers.2": "ns-218.awsdns-27.com", "name_servers.3": "ns-879.awsdns-45.net", "tags.%": "0", + "vpc.#": "0", + "vpc_id": "", + "vpc_region": "", "zone_id": "Z2GJVQBHJNLGYL" }, "meta": {}, @@ -419,6 +492,7 @@ "id": "Z1K6QDM5H6MZNC", "attributes": { "comment": "Managed by Terraform", + "delegation_set_id": "", "force_destroy": "false", "id": "Z1K6QDM5H6MZNC", "name": "rust-embedded.org.", @@ -428,6 +502,9 @@ "name_servers.2": "ns-298.awsdns-37.com", "name_servers.3": "ns-758.awsdns-30.net", "tags.%": "0", + "vpc.#": "0", + "vpc_id": "", + "vpc_region": "", "zone_id": "Z1K6QDM5H6MZNC" }, "meta": {}, @@ -452,6 +529,7 @@ "force_destroy": "false", "hosted_zone_id": "Z3AQBSTGFYJSTF", "id": "areweembeddedyet.com", + "lifecycle_rule.#": "0", "logging.#": "0", "region": "us-east-1", "replication_configuration.#": "0", @@ -491,6 +569,7 @@ "force_destroy": "false", "hosted_zone_id": "Z3AQBSTGFYJSTF", "id": "rust-embedded.com", + "lifecycle_rule.#": "0", "logging.#": "0", "region": "us-east-1", "replication_configuration.#": "0", 
@@ -530,6 +609,7 @@
 "force_destroy": "false",
 "hosted_zone_id": "Z3AQBSTGFYJSTF",
 "id": "www.areweembeddedyet.com",
+ "lifecycle_rule.#": "0",
 "logging.#": "0",
 "region": "us-east-1",
 "replication_configuration.#": "0",
@@ -569,6 +649,7 @@
 "force_destroy": "false",
 "hosted_zone_id": "Z3AQBSTGFYJSTF",
 "id": "www.rust-embedded.com",
+ "lifecycle_rule.#": "0",
 "logging.#": "0",
 "region": "us-east-1",
 "replication_configuration.#": "0",
@@ -591,6 +672,83 @@ }, "deposed": [], "provider": "provider.aws" + }, + "data.aws_caller_identity.current": { + "type": "aws_caller_identity", + "depends_on": [], + "primary": { + "id": "2018-11-08 22:11:26.173533 +0000 UTC", + "attributes": { + "account_id": "537658973298", + "arn": "arn:aws:iam::537658973298:user/ryankurte", + "id": "2018-11-08 22:11:26.173533 +0000 UTC", + "user_id": "AIDAIVOCQQ5CRIKAOD2VA" + }, + "meta": {}, + "tainted": false + }, + "deposed": [], + "provider": "provider.aws" + }, + "data.aws_iam_policy_document.assume_role_admin": { + "type": "aws_iam_policy_document", + "depends_on": [ + "aws_iam_role.administrators" + ], + "primary": { + "id": "1814159211", + "attributes": { + "id": "1814159211", + "json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Resource\": \"arn:aws:iam::537658973298:role/assume-admin\"\n }\n ]\n}", + "statement.#": "1", + "statement.0.actions.#": "1", + "statement.0.actions.2528466339": "sts:AssumeRole", + "statement.0.condition.#": "0", + "statement.0.effect": "Allow", + "statement.0.not_actions.#": "0", + "statement.0.not_principals.#": "0", + "statement.0.not_resources.#": "0", + "statement.0.principals.#": "0", + "statement.0.resources.#": "1", + "statement.0.resources.2220086942": "arn:aws:iam::537658973298:role/assume-admin", + "statement.0.sid": "" + }, + "meta": {}, + "tainted": false + }, + "deposed": [], + "provider": "provider.aws" + }, + "data.aws_iam_policy_document.role_trust": { + "type": "aws_iam_policy_document", + "depends_on": [ + "data.aws_caller_identity.current" + ], + "primary": { + "id": "2185275079", + "attributes": { + "id": "2185275079", + "json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::537658973298:root\"\n }\n }\n ]\n}", + "statement.#": "1", + 
"statement.0.actions.#": "1", + "statement.0.actions.2528466339": "sts:AssumeRole", + "statement.0.condition.#": "0", + "statement.0.effect": "Allow", + "statement.0.not_actions.#": "0", + "statement.0.not_principals.#": "0", + "statement.0.not_resources.#": "0", + "statement.0.principals.#": "1", + "statement.0.principals.3686967839.identifiers.#": "1", + "statement.0.principals.3686967839.identifiers.4224304580": "arn:aws:iam::537658973298:root", + "statement.0.principals.3686967839.type": "AWS", + "statement.0.resources.#": "0", + "statement.0.sid": "" + }, + "meta": {}, + "tainted": false + }, + "deposed": [], + "provider": "provider.aws" } }, "depends_on": []