- https://github.com/GovTechSG/terraform-iam-users-gcc
- https://github.com/GovTechSG/terraform-iam-group-gcc
- https://github.com/GovTechSG/terraform-iam-group-role-gcc
These are the modules related to the sharing. If you're just looking for the modules required to refactor your team's users, you can start from here.
Something that was alluded in the sharing is that policies should always be applied to group instead of users itself. Users itself shouldn't have any policy applied, so all the pre-made policies are on the group level; this includes the permission to assume your base role, as well as forcing MFA, and allowing your users to rotate their own access keys.
The order of creation should be.
- Users
- Groups (for you to add users)
- Roles (sky's the limit)
- /account-1
- /iam
- /users
- /groups
- /roles
- /iam
- /account-2
- /iam
- /roles
- /iam
- /account-3
- /iam
- /roles
- /iam
- https://github.com/GovTechSG/terraform-iam-service-user-gcc
- https://github.com/GovTechSG/terraform-iam-service-role-gcc
This is a more loose module where most of the "hand-holding" is disabled and you have to write your own trust-policy (conditions and all). This is useful for cases where you're writing service role for AWS services (e.g. lambda, cloudwatch). This is honestly where the more advanced use cases lie after the team users have been settled.
If you have any questions, feel free to reach out to me on
Telegram: ACE devops group
Slack: @Kai Hong