
Add policy to allow OIDC role assumption for modernisation accounts
sukeshreddyg committed Nov 20, 2024
1 parent d22adba commit 8949144
Showing 1 changed file with 14 additions and 0 deletions.
14 changes: 14 additions & 0 deletions terraform/environments/sprinkler/iam.tf
Expand Up @@ -10,6 +10,20 @@ module "github-oidc" {
}

data "aws_iam_policy_document" "oidc_deny_specific_actions" {
statement {
sid = "AllowOIDCToAssumeRoles"
effect = "Allow"
resources = [
format("arn:aws:iam::%s:role/modernisation-account-limited-read-member-access", local.environment_management.modernisation_platform_account_id),
format("arn:aws:iam::%s:role/modernisation-account-terraform-state-member-access", local.environment_management.modernisation_platform_account_id)
]
condition {
test = "StringEquals"
variable = "aws:PrincipalAccount"
values = [local.environment_management.account_ids[terraform.workspace]]
}
actions = ["sts:AssumeRole"]
}
statement {
effect = "Deny"
actions = [
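Review bot: The `aws:PrincipalAccount` condition on the new AllowOIDCToAssumeRoles statement does not narrow the grant: in an identity-based policy that key is the account of the principal the policy is attached to, so if `oidc_deny_specific_actions` is attached to the OIDC role in this same account (as its name suggests) the condition is always true. Whether an assumption actually succeeds is decided by the trust policies of the two modernisation-account roles listed in `resources`, which this commit does not show; a comment on the statement such as `# Condition is informational only; which callers may assume these roles is governed by the target roles' trust policies.` would stop the next reader from treating the condition as the guardrail. The document is still named `oidc_deny_specific_actions` while its first statement is now an Allow, so either rename it or add a comment stating that it carries both the allow and the deny statements. The `data "aws_iam_policy_document"` block begins inside the hunk and its body continues past the end of it.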
