@hyiromori hyiromori/manage_iam.tf
Last active Dec 7, 2019

# ---------- AWS Settings ----------
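terraform {
  required_version = ">=0.12.0"

  # Remote state for this IAM configuration. The state file records every
  # user, group, role and policy ARN declared in this file, so the state
  # objects are stored with server-side encryption enabled. State locking
  # is not configured here; it can be added with
  # `dynamodb_table = "<LOCK_TABLE_NAME>"` once such a table exists.
  backend "s3" {
    bucket  = "bucket-name"
    region  = "ap-northeast-1"
    key     = "manage_iam/terraform.tfstate"
    encrypt = true
  }
}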
provider "aws" {
  # Pinned to the 2.41.x series so that provider upgrades are an explicit
  # change to this file rather than a side effect of `terraform init`.
  region  = "ap-northeast-1"
  version = "~>2.41.0"
}
# ---------- IAM Policy ----------
# AWS-managed AdministratorAccess policy, looked up by ARN so its attributes
# can be referenced. It is attached to the "admin" role further down.
data "aws_iam_policy" "administrator_access" {
  arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
# AWS-managed ReadOnlyAccess policy, looked up by ARN. It is attached to the
# "read_only" role further down.
data "aws_iam_policy" "read_only_access" {
  arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
# Customer-managed policy that lets a user rotate their own access keys.
# The document is read verbatim from policy-access_key_rotate.json, whose
# Resource ARN carries a hard-coded account ID; rendering it through
# templatefile() with data.aws_caller_identity would keep it portable.
resource "aws_iam_policy" "access_key_rotate" {
  path   = "/"
  name   = "access_key_rotate"
  policy = file("./policy-access_key_rotate.json")
}
# Customer-managed policy granting sts:GetFederationToken on "*" (see
# policy-sts_federation.json). Federation tokens inherit the caller's own
# permissions, so anything added to the "users" group below is also
# obtainable as temporary credentials through this action.
resource "aws_iam_policy" "sts_federation" {
  path   = "/"
  name   = "sts_federation"
  policy = file("./policy-sts_federation.json")
}
# ---------- IAM Group ----------
# Single group that every IAM user in this file is placed into; the two
# customer-managed policies above are attached to it rather than to users.
resource "aws_iam_group" "users" {
  name = "users"
}
# Attach the self-service key rotation policy to the "users" group.
resource "aws_iam_group_policy_attachment" "access_key_rotate" {
  policy_arn = aws_iam_policy.access_key_rotate.arn
  group      = aws_iam_group.users.name
}
# Attach the GetFederationToken policy to the "users" group.
resource "aws_iam_group_policy_attachment" "sts_federation" {
  policy_arn = aws_iam_policy.sts_federation.arn
  group      = aws_iam_group.users.name
}
# ---------- IAM User ----------
# IAM user "user1". No login profile, access key or MFA device is managed
# in this file; nothing on this page enforces MFA for this user.
resource "aws_iam_user" "user1" {
  name = "user1"
}
# IAM user "user2". As with user1, credentials and MFA are not managed here.
resource "aws_iam_user" "user2" {
  name = "user2"
}
# ---------- Join Group ----------
# Put user1 into the "users" group (and therefore under its attached policies).
resource "aws_iam_user_group_membership" "user1" {
  groups = [aws_iam_group.users.name]
  user   = aws_iam_user.user1.name
}
# Put user2 into the "users" group (and therefore under its attached policies).
resource "aws_iam_user_group_membership" "user2" {
  groups = [aws_iam_group.users.name]
  user   = aws_iam_user.user2.name
}
# ---------- IAM Role ----------
# Trust policy shared by both roles below: user1 and user2 may call
# sts:AssumeRole on them. Nothing here requires MFA, so a user's long-lived
# credentials alone are enough to obtain AdministratorAccess through the
# "admin" role. To require an MFA-authenticated session, add inside the
# statement:
#   condition {
#     test     = "Bool"
#     variable = "aws:MultiFactorAuthPresent"
#     values   = ["true"]
#   }
# Because the same document is reused, the read_only role trusts exactly the
# same principals as the admin role; a separate document would allow the
# two sets to be narrowed independently.
data "aws_iam_policy_document" "assume_role" {
  version = "2012-10-17"

  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"

    principals {
      identifiers = [
        aws_iam_user.user1.arn,
        aws_iam_user.user2.arn,
      ]
      type = "AWS"
    }
  }
}
# Privileged role; it receives AdministratorAccess via the attachment below.
# max_session_duration is left at the provider default.
resource "aws_iam_role" "admin" {
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
  name               = "admin"
}
# Grant the AWS-managed AdministratorAccess policy to the admin role.
resource "aws_iam_role_policy_attachment" "administrator_access" {
  role       = aws_iam_role.admin.name
  policy_arn = data.aws_iam_policy.administrator_access.arn
}
# Least-privilege role for day-to-day inspection; receives ReadOnlyAccess via
# the attachment below. It shares the admin role's trust policy.
resource "aws_iam_role" "read_only" {
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
  name               = "read_only"
}
# Grant the AWS-managed ReadOnlyAccess policy to the read_only role.
resource "aws_iam_role_policy_attachment" "read_only_access" {
  role       = aws_iam_role.read_only.name
  policy_arn = data.aws_iam_policy.read_only_access.arn
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:GetUser"
],
"Resource": [
"arn:aws:iam::644989259572:user/${aws:username}"
]
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:GetFederationToken",
"Resource": "*"
}
]
}