Create base_roles module (#14)

* Adds new module to create some base roles Admin and readonly roles * Add the readonly role to the /ops/ path as well * Fix readonly policy name * Document base_roles module * Small refactor to simplify variables
skyscrapers · Jan 17, 2019 · 95fcb44 · 95fcb44
1 parent 3a2738c
commit 95fcb44
Show file tree

Hide file tree

Showing 5 changed files with 95 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -244,3 +244,34 @@ module "terraform_ci_user" {
   pgp_key = "keybase:some_person_that_exists"
 }
 ```
+
+## base_roles
+
+Creates some base IAM roles:
+
+* `admin` with `AdministratorAccess` policy attached
+* `ro` with `ReadOnlyAccess` policy attached
+
+### Variables
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| admin_role_principal_ids | List of AWS principal ids (or ARNs) that'll be allowed to assume the admin role in the ops account | list | - | yes |
+| readonly_role_principal_ids | List of AWS principal ids (or ARNs) that'll be allowed to assume the readonly role in the ops account | list | - | yes |
+
+### Outputs
+
+| Name | Description |
+|------|-------------|
+| admin_role_arn | Admin role ARN |
+| ro_role_arn | Readonly role ARN |
+
+### Example
+
+```tf
+module "base_roles" {
+  source                      = "github.com/skyscrapers/terraform-iam//base_roles"
+  readonly_role_principal_ids = ["109034686754"]
+  admin_role_principals_arns  = ["arn:aws:iam::109034686754:role/something"]
+}
+```
diff --git a/base_roles/admin_role.tf b/base_roles/admin_role.tf
@@ -0,0 +1,23 @@
+data "aws_iam_policy_document" "admin_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    effect  = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["${var.admin_role_principal_ids}"]
+    }
+  }
+}
+
+resource "aws_iam_role" "admin" {
+  name               = "admin"
+  path               = "/ops/"
+  description        = "This role has full Aministrator access and is to be assumed to mange this account"
+  assume_role_policy = "${data.aws_iam_policy_document.admin_assume_role_policy.json}"
+}
+
+resource "aws_iam_role_policy_attachment" "admin" {
+  role       = "${aws_iam_role.admin.name}"
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
diff --git a/base_roles/outputs.tf b/base_roles/outputs.tf
@@ -0,0 +1,9 @@
+output "admin_role_arn" {
+  value       = "${aws_iam_role.admin.arn}"
+  description = "Admin role ARN"
+}
+
+output "ro_role_arn" {
+  value       = "${aws_iam_role.ro.arn}"
+  description = "Readonly role ARN"
+}
diff --git a/base_roles/ro_role.tf b/base_roles/ro_role.tf
@@ -0,0 +1,23 @@
+data "aws_iam_policy_document" "ro_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    effect  = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["${var.readonly_role_principal_ids}"]
+    }
+  }
+}
+
+resource "aws_iam_role" "ro" {
+  name               = "readonly"
+  path               = "/ops/"
+  description        = "This role has read only access to this account"
+  assume_role_policy = "${data.aws_iam_policy_document.ro_assume_role_policy.json}"
+}
+
+resource "aws_iam_role_policy_attachment" "ro" {
+  role       = "${aws_iam_role.ro.name}"
+  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+}
diff --git a/base_roles/variables.tf b/base_roles/variables.tf
@@ -0,0 +1,9 @@
+variable "admin_role_principal_ids" {
+  description = "List of AWS principal ids (or ARNs) that'll be allowed to assume the admin role in the ops account"
+  type        = "list"
+}
+
+variable "readonly_role_principal_ids" {
+  description = "List of AWS principal ids (or ARNs) that'll be allowed to assume the readonly role in the ops account"
+  type        = "list"
+}