-
Notifications
You must be signed in to change notification settings - Fork 12
/
Copy pathmain.tf
119 lines (106 loc) · 2.77 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# DEPLOY USERS THAT REQUIRE MFA TO BE ACTIVATED
# This example creates a set of three users with two attached default
# IAM Policies. It will also create and attach custom IAM Policies
# that allow the users to self-manage their credentials if MFA is active.
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
provider "aws" {
region = "eu-west-1"
}
# ------------------------------------------------------------------------------
# Create the IAM Users with attached IAM Policies
# ------------------------------------------------------------------------------
module "iam-users" {
source = "mineiros-io/iam-user/aws"
version = "~> 0.4.0"
names = [
"user.one",
"user.two",
"user.three",
]
policy_arns = [
"arn:aws:iam::aws:policy/ReadOnlyAccess",
"arn:aws:iam::aws:policy/job-function/Billing",
]
policy_statements = [
{
sid = "AllowViewAccountInfo"
effect = "Allow"
actions = [
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:ListVirtualMFADevices"
]
resources = ["*"]
},
{
sid = "AllowManageOwnPasswords"
effect = "Allow"
actions = [
"iam:ChangePassword",
"iam:GetUser"
]
resources = [
"arn:aws:iam::*:user/&{aws:username}"
]
},
{
sid = "AllowManageOwnAccessKeys"
effect = "Allow"
actions = [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"
],
resources = [
"arn:aws:iam::*:user/&{aws:username}"
]
},
{
sid = "AllowManageOwnVirtualMFADevice"
effect = "Allow"
actions = [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice"
]
resources = [
"arn:aws:iam::*:user/&{aws:username}"
]
},
{
sid = "AllowManageOwnUserMFA"
effect = "Allow"
actions = [
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
]
resources = [
"arn:aws:iam::*:user/&{aws:username}"
]
},
{
sid = "DenyAllExceptListedIfNoMFA"
effect = "Deny"
not_actions = [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"sts:GetSessionToken",
]
resources = ["*"],
conditions = [
{
test = "ConditionIfBoolExists"
variable = "aws:MultiFactorAuthPresent"
values = ["false"]
}
]
}
]
}