-
Notifications
You must be signed in to change notification settings - Fork 8
/
main.tf
75 lines (63 loc) · 1.93 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
module "lz_info" {
source = "github.com/BCDevOps/terraform-aws-sea-organization-info"
providers = {
aws = aws.master-account
}
}
data "aws_caller_identity" "master_account_caller" {
provider = aws.master-account
}
locals {
core_accounts = { for account in module.lz_info.core_accounts : account.name => account }
iam_security_account = local.core_accounts["iam-security"]
perimeter_account = local.core_accounts["Perimeter"]
saml_destination_url = "https://login.${var.domain_name}/${aws_api_gateway_deployment.samlpost.stage_name}"
//Put all common tags here
common_tags = {
Project = "SAML Login Provider"
Environment = "Development"
}
# This is needed by the lambda code so it knows what role to assume to read org metadata, but can be replaced by ${aws_iam_role.saml_read_role.name} once we have the role creation in TF working
saml_read_role_name = "BCGOV_SAML_Organizations_Read_Role"
master_account_id = data.aws_caller_identity.master_account_caller.account_id
}
resource "aws_iam_role" "saml_read_role" {
provider = aws.master-account
name = local.saml_read_role_name
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${local.iam_security_account.id}:role/${var.lambda_name}-${var.resource_name_suffix}"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
resource "aws_iam_role_policy" "saml_read_role_policy" {
provider = aws.master-account
name = "saml_user_account_readpolicy"
role = aws_iam_role.saml_read_role.id
policy = <<-EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"organizations:ListTagsForResource",
"organizations:DescribeAccount"
],
"Resource": [
"*"
]
}
]
}
EOF
}