-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathiam.tf
114 lines (95 loc) · 2.26 KB
/
iam.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
#
# 루트계정 관련 설정
#
resource "aws_iam_account_alias" "alias" {
account_alias = "upnl"
}
#
# 유피넬 회원들 계정 정보
#
locals {
sysadmins = {
integraldx = {
name = "전민혁"
keybase_id = "integraldx"
}
simnalamburt = {
name = "김지현"
keybase_id = "simnalamburt"
}
tirr = {
name = "최원우"
keybase_id = "vbchunguk"
}
pbzweihander = {
name = "이강욱"
keybase_id = "pbzweihander"
}
}
}
resource "aws_iam_group" "sysadmins" {
name = "sysadmins"
path = "/sysadmins/"
}
resource "aws_iam_group_policy_attachment" "sysadmins" {
group = aws_iam_group.sysadmins.name
policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
resource "aws_iam_user" "sysadmins" {
for_each = local.sysadmins
name = each.key
path = "/sysadmins/"
tags = {
Name = each.value.name
}
}
resource "aws_iam_user_login_profile" "sysadmins" {
for_each = local.sysadmins
user = each.key
pgp_key = "keybase:${each.value.keybase_id}"
}
resource "aws_iam_user_group_membership" "sysadmins" {
for_each = local.sysadmins
user = each.key
groups = [aws_iam_group.sysadmins.name]
}
resource "aws_iam_access_key" "sysadmins" {
for_each = local.sysadmins
user = each.key
pgp_key = "keybase:${each.value.keybase_id}"
}
locals {
iam_secrets = {
for key in aws_iam_access_key.sysadmins :
key.user => {
aws_access_key_id = key.id,
encrypted_aws_secret_access_key = key.encrypted_secret
encrypted_initial_password = aws_iam_user_login_profile.sysadmins[key.user].encrypted_password
}
}
}
resource "aws_iam_account_password_policy" "sane_default" {
minimum_password_length = 16
allow_users_to_change_password = true
}
#
# IAM Policy for backup script
# TODO: Create an IAM User with this policy
#
data "aws_iam_policy_document" "s3_upnl_backups" {
# Policy required to worker nodes for perform homepage backups
statement {
actions = [
"s3:ListBucket"
]
resources = [aws_s3_bucket.backups.arn]
}
statement {
actions = [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
]
resources = ["${aws_s3_bucket.backups.arn}/*"]
}
}