# Module      : Labels
# Description : Builds the consistent naming/tag set (module.labels.id and
#               module.labels.tags) that the IAM policy in this file reuses.
# Every input is forwarded unchanged from this module's own variables.
module "labels" {
  source  = "clouddrove/labels/aws"
  version = "1.3.0"

  name        = var.name
  environment = var.environment
  label_order = var.label_order
  attributes  = var.attributes
  repository  = var.repository
  managedby   = var.managedby
}
# Managed IAM policy wrapping the document rendered by
# data.aws_iam_policy_document.enable_mfa. That document contains a single
# Allow statement with no Deny and no condition block, so despite the name
# this policy permits MFA enrolment rather than requiring it.
resource "aws_iam_policy" "enable_mfa" {
  # Name and path come straight from the module inputs; var.name is also
  # what feeds module.labels, so the policy name and its Name tag agree.
  name = var.name
  path = var.path

  # NOTE(review): the trailing space in this description is reproduced
  # byte-for-byte on purpose; trimming it would surface as a plan diff on
  # every existing deployment.
  description = "Policy to enable MFA "

  policy = data.aws_iam_policy_document.enable_mfa.json

  # Label tags plus an explicit Name tag derived from the label id.
  tags = merge(
    module.labels.tags,
    { Name = module.labels.id }
  )
}
# Policy document attached by aws_iam_policy.enable_mfa.
#
# What this document actually grants: one Allow statement, no Deny statement
# and no condition block. Nothing here evaluates aws:MultiFactorAuthPresent,
# so attaching it does not *force* MFA on a principal; it only permits the
# principal to enrol an MFA device and to read IAM.
#
# Security notes for maintainers:
#   - iam:EnableMFADevice is the only non-read action in the list. With
#     resources = ["*"] it applies to every user in the account, not just
#     the caller; scoping that action to the caller's own user ARN would
#     narrow it (a behaviour change, so not made here).
#   - The remaining Get*/List*/Generate*/Simulate* actions on "*" expose
#     account-wide IAM metadata (credential report, authorization details,
#     access-key listings, login profiles) to every attached user and group.
#     Treat any principal carrying this policy as able to enumerate IAM.
#   - NOTE(review): self-enrolling a *virtual* MFA device also needs
#     iam:CreateVirtualMFADevice, which this list does not grant — confirm
#     whether that omission is intentional.
#
# The tfsec suppression below silences the wildcard-resource finding that
# the notes above describe; keep it only while the wildcard is deliberate.
#tfsec:ignore:aws-iam-no-policy-wildcards
data "aws_iam_policy_document" "enable_mfa" {
  statement {
    # sid kept as-is (looks like a console visual-editor export; unverified).
    sid    = "VisualEditor0"
    effect = "Allow"
    # Action order is preserved verbatim: reordering could change the
    # rendered JSON and therefore the stored policy.
    actions = [
      "iam:GetPolicyVersion",
      "iam:GetAccountPasswordPolicy",
      "iam:ListRoleTags",
      "iam:ListServerCertificates",
      "iam:GenerateServiceLastAccessedDetails",
      "iam:ListServiceSpecificCredentials",
      "iam:ListSigningCertificates",
      "iam:ListVirtualMFADevices",
      "iam:ListSSHPublicKeys",
      "iam:SimulateCustomPolicy",
      "iam:SimulatePrincipalPolicy",
      "iam:ListAttachedRolePolicies",
      "iam:ListOpenIDConnectProviderTags",
      "iam:ListSAMLProviderTags",
      "iam:ListRolePolicies",
      "iam:GetAccountAuthorizationDetails",
      "iam:GetCredentialReport",
      "iam:ListPolicies",
      "iam:GetServerCertificate",
      "iam:GetRole",
      "iam:ListSAMLProviders",
      "iam:GetPolicy",
      "iam:GetAccessKeyLastUsed",
      "iam:ListEntitiesForPolicy",
      "iam:GetUserPolicy",
      "iam:ListGroupsForUser",
      "iam:GetGroupPolicy",
      "iam:GetOpenIDConnectProvider",
      "iam:GetRolePolicy",
      "iam:GetAccountSummary",
      "iam:GenerateCredentialReport",
      "iam:GetServiceLastAccessedDetailsWithEntities",
      "iam:ListPoliciesGrantingServiceAccess",
      "iam:ListInstanceProfileTags",
      "iam:ListMFADevices",
      "iam:GetServiceLastAccessedDetails",
      "iam:GetGroup",
      "iam:GetContextKeysForPrincipalPolicy",
      "iam:GetOrganizationsAccessReport",
      "iam:GetServiceLinkedRoleDeletionStatus",
      "iam:ListInstanceProfilesForRole",
      "iam:GenerateOrganizationsAccessReport",
      "iam:EnableMFADevice", # the only mutating action; unscoped because of resources = ["*"]
      "iam:ListAttachedUserPolicies",
      "iam:ListAttachedGroupPolicies",
      "iam:ListPolicyTags",
      "iam:GetSAMLProvider",
      "iam:ListAccessKeys",
      "iam:GetInstanceProfile",
      "iam:ListGroupPolicies",
      "iam:GetSSHPublicKey",
      "iam:ListRoles",
      "iam:ListUserPolicies",
      "iam:ListInstanceProfiles",
      "iam:GetContextKeysForCustomPolicy",
      "iam:ListPolicyVersions",
      "iam:ListOpenIDConnectProviders",
      "iam:ListServerCertificateTags",
      "iam:ListAccountAliases",
      "iam:ListUsers",
      "iam:GetUser",
      "iam:ListGroups",
      "iam:ListMFADeviceTags",
      "iam:GetLoginProfile",
      "iam:ListUserTags"
    ]
    # Wildcard resource: every action above is account-wide (see notes).
    resources = ["*"]
  }
}
# Attaches aws_iam_policy.enable_mfa to every IAM group listed in var.groups.
# Despite the "force_mfa" resource name, that policy holds a single Allow
# statement with no Deny or condition, so this attachment grants MFA-related
# permissions; it does not enforce MFA.
# count/element indexing is kept: moving to for_each would change the
# resource addresses and re-create every attachment.
resource "aws_iam_group_policy_attachment" "assign_force_mfa_policy_to_groups" {
  count = length(var.groups)

  policy_arn = aws_iam_policy.enable_mfa.arn
  group      = element(var.groups, count.index)
}
# Attaches aws_iam_policy.enable_mfa directly to every IAM user listed in
# var.users. Same caveat as the group attachment: the policy permits MFA
# enrolment and IAM reads but contains nothing that requires MFA.
# count/element indexing is kept: moving to for_each would change the
# resource addresses and re-create every attachment.
resource "aws_iam_user_policy_attachment" "assign_force_mfa_policy_to_users" {
  count = length(var.users)

  policy_arn = aws_iam_policy.enable_mfa.arn
  user       = element(var.users, count.index)
}