# set up iam users, groups, roles, policies for cross account sts assume role access
# devs have near-full rights in the dev (stage) account and read-only access to prod,
# reachable only by assuming a prod role whose trust policy requires an MFA-backed session
# works great with a bit of https://github.com/remind101/assume-role for cli switching
# the per-environment flag variables below pick which account each resource is created in
# Per-environment switch used as a resource `count`: 1 when applying
# against prod, 0 against stage, so prod-side resources only exist in prod.
variable "prod_enable_flag" {
  default = {
    prod  = 1
    stage = 0
  }
}
# Mirror of prod_enable_flag: 1 when applying against stage, 0 against prod,
# so the people/group/policy resources only exist in the stage account.
variable "stage_enable_flag" {
  default = {
    prod  = 0
    stage = 1
  }
}
# ran into problems with support for lists as variables that should be fixed
# in tf 0.7 so lists of usernames currently duplicated in a few places
# Comma-separated usernames per environment. Empty in prod on purpose:
# people exist only in stage and reach prod through the assumed role.
# NOTE(review): nothing in this listing reads this variable — the group
# membership at the bottom hard-codes the same names (the list-variable
# workaround described above).
variable "devs" {
  default = {
    prod  = ""
    stage = "foo,bar,baz"
  }
}
# Prod account setup
# establish trust and require mfa to access prod
# Prod: the role stage-account people assume to get into prod.
# Trust is granted at account level (":root"), so any principal in the
# stage account whose own IAM policy allows sts:AssumeRole on this role can
# assume it — a trust policy cannot name an IAM group, so "only the devs
# group" is enforced on the stage side, not here. The MFA condition is the
# one per-session check: a caller whose session carries no
# aws:MultiFactorAuthPresent=true finds no matching Allow and is refused.
resource "aws_iam_role" "dev" {
  count = "${lookup(var.prod_enable_flag, var.env)}"
  path  = "/people/"
  name  = "dev"

  assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${lookup(var.account_id, "stage")}:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "true"
}
}
}
]
}
EOF
}
# prod read only
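# Prod: attach the AWS-managed ReadOnlyAccess policy to the cross-account role.
# NOTE(review): ReadOnlyAccess is broader than "view configuration" — it
# includes data reads such as s3:Get* and dynamodb:GetItem, so an MFA-backed
# dev session can read prod data. If that is not intended, use a narrower
# managed policy (ViewOnlyAccess) or a custom one.
# aws_iam_role_policy_attachment is non-exclusive: unlike
# aws_iam_policy_attachment it does not detach the policy from every other
# role, user and group that already had it when this resource is applied.
resource "aws_iam_role_policy_attachment" "dev_role_read_only_policy" {
  count      = "${lookup(var.prod_enable_flag, var.env)}"
  role       = "${aws_iam_role.dev.name}"
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}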
# Stage account setup
# group to hold our devs
# Stage: the IAM group that carries every dev-facing policy; users are
# placed in it by the aws_iam_group_membership resource at the end.
resource "aws_iam_group" "devs" {
  count = "${lookup(var.stage_enable_flag, var.env)}"
  path  = "/people/"
  name  = "devs"
}
# allow mfa management
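# Stage: self-service MFA enrolment. Every statement is scoped to the
# caller's own user / virtual-device ARN via the $${aws:username} policy
# variable (the doubled $$ stops Terraform interpolating it).
# Deactivating a device is split out and additionally requires an
# MFA-backed session: prod access hinges on the MFA condition in the prod
# role's trust policy, so a leaked password alone must not be enough to
# strip the real device and enrol an attacker-controlled one.
# NOTE(review): for members who also hold dev_sandbox_admin its
# "Action": "*" already covers all of these calls, so the restrictions here
# only bite for principals that carry this policy without that one.
resource "aws_iam_policy" "enable_mfa" {
  count = "${lookup(var.stage_enable_flag, var.env)}"
  name  = "enable_mfa"
  path  = "/people/"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUsersToCreateDeleteTheirOwnVirtualMFADevices",
      "Effect": "Allow",
      "Action": [
        "iam:*VirtualMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::${lookup(var.account_id, "stage")}:mfa/$${aws:username}"
      ]
    },
    {
      "Sid": "AllowUsersToEnableSyncTheirOwnMFADevices",
      "Effect": "Allow",
      "Action": [
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::${lookup(var.account_id, "stage")}:user/people/$${aws:username}"
      ]
    },
    {
      "Sid": "AllowUsersToDeactivateTheirOwnMFADevicesOnlyWithMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::${lookup(var.account_id, "stage")}:user/people/$${aws:username}"
      ],
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    },
    {
      "Sid": "AllowUsersToListVirtualMFADevices",
      "Effect": "Allow",
      "Action": [
        "iam:ListVirtualMFADevices"
      ],
      "Resource": [
        "arn:aws:iam::${lookup(var.account_id, "stage")}:mfa/*"
      ]
    },
    {
      "Sid": "AllowUsersToListUsersInConsole",
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers"
      ],
      "Resource": [
        "arn:aws:iam::${lookup(var.account_id, "stage")}:user/*"
      ]
    }
  ]
}
EOF
}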
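# Stage: give the devs group the MFA self-service policy.
# aws_iam_group_policy_attachment is non-exclusive; the original
# aws_iam_policy_attachment would detach the policy from any other entity
# holding it each time this resource is applied.
resource "aws_iam_group_policy_attachment" "dev_group_enable_mfa_policy" {
  count      = "${lookup(var.stage_enable_flag, var.env)}"
  group      = "${aws_iam_group.devs.name}"
  policy_arn = "${aws_iam_policy.enable_mfa.arn}"
}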
# allow access to prod
# Stage: permit sts:AssumeRole on the prod "dev" role (path /people/, matching
# the role declared in the prod section). The prod trust policy additionally
# requires MFA, so this grant alone does not reach prod.
# NOTE(review): for devs-group members this is redundant with
# dev_sandbox_admin's "Action": "*"; it still documents intent and is the
# grant a narrower admin policy would later depend on.
resource "aws_iam_policy" "access_prod" {
  count = "${lookup(var.stage_enable_flag, var.env)}"
  path  = "/people/"
  name  = "access_prod"

  policy = <<EOF
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::${lookup(var.account_id, "prod")}:role/people/dev"
}
}
EOF
}
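# Stage: give the devs group the sts:AssumeRole grant for the prod role.
# aws_iam_group_policy_attachment is non-exclusive; the original
# aws_iam_policy_attachment would detach the policy from any other entity
# holding it each time this resource is applied.
resource "aws_iam_group_policy_attachment" "dev_group_access_prod_policy" {
  count      = "${lookup(var.stage_enable_flag, var.env)}"
  group      = "${aws_iam_group.devs.name}"
  policy_arn = "${aws_iam_policy.access_prod.arn}"
}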
# give almost full access to dev account
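# Stage: near-admin for devs — one blanket Allow plus explicit Denies.
#
# NOTE(review): the Deny list is a guardrail against accidental tampering,
# not a security boundary. "Action": "*" still lets a dev create a fresh IAM
# user or role with its own sts:AssumeRole grant, so what actually bounds
# prod access is the prod side: the MFA condition in the role trust policy
# and the ReadOnlyAccess attachment.
#
# The Allow statements for iam:Get*/iam:List*/iam:GenerateCredentialReport
# and iam:ChangePassword in the original were no-ops (fully subsumed by the
# "*" Allow and untouched by the Denies) and have been dropped.
resource "aws_iam_policy" "dev_sandbox_admin" {
  count = "${lookup(var.stage_enable_flag, var.env)}"
  name  = "dev_sandbox_admin"
  path  = "/people/"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SandboxAdmin",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Sid": "ProtectProdAccessWiring",
      "Effect": "Deny",
      "Action": "iam:*",
      "Resource": [
        "arn:aws:iam::${lookup(var.account_id, "stage")}:group/people/devs",
        "arn:aws:iam::${lookup(var.account_id, "stage")}:policy/people/access_prod",
        "arn:aws:iam::${lookup(var.account_id, "stage")}:policy/people/enable_mfa",
        "arn:aws:iam::${lookup(var.account_id, "stage")}:policy/people/dev_sandbox_admin"
      ]
    },
    {
      "Sid": "DenyMFATeardownWithoutMFA",
      "Effect": "Deny",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
EOF
}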
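# Stage: give the devs group the sandbox-admin policy.
# aws_iam_group_policy_attachment is non-exclusive; the original
# aws_iam_policy_attachment would detach the policy from any other entity
# holding it each time this resource is applied.
resource "aws_iam_group_policy_attachment" "dev_group_admin_policy" {
  count      = "${lookup(var.stage_enable_flag, var.env)}"
  group      = "${aws_iam_group.devs.name}"
  policy_arn = "${aws_iam_policy.dev_sandbox_admin.arn}"
}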
# establish password policy
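# Account password policy. It carries no `count`, so it is applied to
# whichever account the configuration is run against — both stage and prod.
# NOTE(review): tightened from the original (10 characters, no reuse check)
# to a 14-character minimum with a reuse-prevention window, in line with
# the CIS AWS Foundations baseline. Passwords are only the first factor
# here; prod access still rides on the MFA condition in the role trust.
resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 14
  require_lowercase_characters   = true
  require_uppercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  allow_users_to_change_password = true
  password_reuse_prevention      = 24
}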
# create users
# Stage: IAM users live in stage only; prod is reached by assuming the role.
# Only "foo" is declared in this listing — the membership below also names
# "bar" and "baz", which must be created elsewhere (the list-variable
# workaround mentioned above).
resource "aws_iam_user" "foo" {
  count = "${lookup(var.stage_enable_flag, var.env)}"
  path  = "/people/"
  name  = "foo"
}
# add users to group
# Stage: place the hard-coded user list into the devs group.
# NOTE(review): only aws_iam_user.foo is declared in this listing, so there
# is no dependency edge from "bar"/"baz" to this resource — if they are
# created in the same run Terraform may attempt this membership before them.
resource "aws_iam_group_membership" "dev" {
  count = "${lookup(var.stage_enable_flag, var.env)}"
  name  = "dev"
  group = "${aws_iam_group.devs.name}"

  users = [
    "foo",
    "bar",
    "baz"
  ]
}