terraform-aws-iam-group-restricted-admin is used to create a group with roles and policies needed to have admin access after MFA with a few restrictions (can't delete logs or audit trails for instance)

terraform-aws-iam-group-restricted-admin

GitHub: StratusGrid/terraform-aws-iam-group-restricted-admin

This module creates an IAM group and the associated policies and role needed to grant users a restricted admin policy (full admin minus deletion of logs, CloudTrail trails, etc.) together with user self-service rights. The default policy requires MFA for console access but not for role assumption (the role can still be switched into from the console), and requires role assumption for CLI access, which is the best way to do MFA from the CLI.

This is meant to be a one-and-done solution for people with a single AWS account who want to enforce MFA on their admin access.

Example usage of the module:

module "iam_group_restricted_admin" {
  source  = "GenesisFunction/iam-group-restricted-admin/aws"
  version = "1.0.2"
  # source  = "github.com/GenesisFunction/terraform-aws-iam-group-restricted-admin"

  # A bare `name_prefix` is not a valid reference in HCL; it must be a
  # variable or local declared in the calling configuration (assumed here).
  group_name = "${var.name_prefix}-restricted-admin"

  # Bucket ARN plus object-level ARN so both bucket- and object-level
  # actions on the CloudTrail bucket are denied to the restricted admin.
  s3_bucket_paths_to_protect = [
    module.cloudtrail.s3_bucket_arn,
    "${module.cloudtrail.s3_bucket_arn}/*"
  ]

  input_tags = merge(local.common_tags, {})
}

Using different policies

To use this as a template for a different set of permissions, change the inputs, the README, and the policy document and its description in iam-policy.tf.

NOTE: The MFA restrictions come from the Deny statement in the user self-service policy. If that statement is removed, you should create two copies of the restricted-admin (or your replacement) policy: one without the Bool MFA conditions, to be used in the role, and another with the conditions, for the direct group attachment.


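The two-policy pattern the note describes, as an added example (not the module's own iam-policy.tf and not StratusGrid's code): one aws_iam_policy_document with a for_each over two variants, where only the group variant carries the Bool MFA condition. The variant keys, the Deny action lists and the use of var.s3_bucket_paths_to_protect (the module input from the table below, assumed declared alongside) are assumptions; for_each on data sources and dynamic blocks need Terraform 0.12 or later.

```hcl
# Added example, not the module's iam-policy.tf: action lists and variant keys are assumptions.
locals {
  # Same statements in both variants; only the MFA condition differs.
  variants = {
    role  = { require_mfa = false } # attached to the assumable role
    group = { require_mfa = true }  # attached directly to the group
  }
}

data "aws_iam_policy_document" "restricted_admin" {
  for_each = local.variants
  statement {
    sid       = "FullAdmin"
    effect    = "Allow"
    actions   = ["*"]
    resources = ["*"]
    # Group variant only. "Bool" does not match requests made with long-term access
    # keys (key absent), so CLI users get nothing here and must assume the role.
    dynamic "condition" {
      for_each = each.value.require_mfa ? [1] : []
      content {
        test     = "Bool"
        variable = "aws:MultiFactorAuthPresent"
        values   = ["true"]
      }
    }
  }

  # Explicit Deny wins over the Allow above: protected log buckets stay intact.
  statement {
    sid       = "ProtectLogBuckets"
    effect    = "Deny"
    actions   = ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket", "s3:PutObject", "s3:PutBucketPolicy"]
    resources = var.s3_bucket_paths_to_protect # module input; assumed declared
  }

  statement {
    sid       = "ProtectAuditTrails"
    effect    = "Deny"
    actions   = ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging", "cloudtrail:UpdateTrail", "logs:DeleteLogGroup"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "restricted_admin" {
  for_each = local.variants
  name     = "restricted-admin-${each.key}"
  policy   = data.aws_iam_policy_document.restricted_admin[each.key].json
}
```

Attach aws_iam_policy.restricted_admin["role"] to the role and aws_iam_policy.restricted_admin["group"] to the group; the group variant then denies console use without MFA while the role variant leaves MFA enforcement to the role's trust policy.
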
Resources

Name Type
aws_iam_group.group resource
aws_iam_group_policy.role_assumption resource
aws_iam_group_policy.user_self_service resource
aws_iam_group_policy_attachment.this resource
aws_iam_policy.this resource
aws_iam_role.this resource
aws_iam_role_policy_attachment.this resource

Inputs

Name | Description | Type | Default | Required
group_name | Unique name of the IAM group to be created; also used as the prefix for supporting resource names | string | n/a | yes
group_path | The path (prefix) for the group in IAM | string | "/" | no
input_tags | Map of tags to apply to resources | map(string) | {"Developer": "GenesisFunction", "Provisioner": "Terraform"} | no
s3_bucket_paths_to_protect | List of bucket-matching ARNs that the restricted admin must not be able to delete from or put objects into. Commonly used for CloudTrail and logging buckets | list(string) | n/a | yes

Outputs

Name Description
iam_group_id ID of IAM Group created
iam_role_arn ARN of IAM role created
iam_role_assumption_url URL to assume role in Console

Note: Manual changes to the README will be overwritten when the documentation is updated. To update the documentation, run terraform-docs -c .config/.terraform-docs.yml .