
terraform-aws-iam-group-restricted-read-only creates a group with the roles and policies needed to grant read-only access after MFA, with a few restrictions (members can't get most bucket objects, download Lambda function code, etc.).

Primary language: HCL. License: Apache-2.0.


terraform-aws-iam-group-restricted-read-only

GitHub: StratusGrid/terraform-aws-iam-group-restricted-read-only

iam-group-restricted-read-only creates a group and its associated policies and roles so that users can be granted a restricted read-only policy (full read-only access minus getting bucket objects, downloading Lambda code, etc.) in addition to user self-service rights. The default policy requires MFA for console access but not for role assumption (the role can still be switched into from the console), and it requires role assumption for CLI access, which is the most practical way to enforce MFA on the CLI.

This is meant to be used as a one and done solution for people with a single AWS account who want to have/enforce MFA access on their admins.
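The MFA arrangement described above follows a standard IAM pattern: the group's own policy denies everything except self-service actions unless the session carries MFA, while the role's trust policy is what enforces MFA for the CLI path. The following is an added illustration of that pattern and is not the module's own code; the resource names, the `example-restricted-read-only` names and the exact self-service action list are assumptions.

```hcl
# Illustrative pattern, not this module's code. Names are assumptions.

data "aws_caller_identity" "current" {}

resource "aws_iam_group" "example" {
  name = "example-restricted-read-only" # constructed name
}

# Without an MFA-authenticated session, members may only do self-service
# work (enrol MFA, change password) and call AssumeRole. BoolIfExists is
# used because aws:MultiFactorAuthPresent is absent entirely for requests
# made with long-term access keys, and those must still be denied.
data "aws_iam_policy_document" "deny_without_mfa" {
  statement {
    sid    = "DenyAllExceptSelfServiceWithoutMFA"
    effect = "Deny"
    not_actions = [
      "iam:ChangePassword",
      "iam:CreateVirtualMFADevice",
      "iam:EnableMFADevice",
      "iam:GetUser",
      "iam:ListMFADevices",
      "iam:ListVirtualMFADevices",
      "iam:ResyncMFADevice",
      "sts:AssumeRole", # MFA for this path is enforced by the role's trust policy
    ]
    resources = ["*"]
    condition {
      test     = "BoolIfExists"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["false"]
    }
  }
}

resource "aws_iam_group_policy" "deny_without_mfa" {
  name   = "deny-without-mfa"
  group  = aws_iam_group.example.name
  policy = data.aws_iam_policy_document.deny_without_mfa.json
}

# Trust policy: principals in this account only, and only when the
# AssumeRole call itself was authenticated with MFA.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

resource "aws_iam_role" "example" {
  name               = "example-restricted-read-only"
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# Members are allowed to assume the role; the trust policy decides whether
# the attempt succeeds.
data "aws_iam_policy_document" "assume_role" {
  statement {
    actions   = ["sts:AssumeRole"]
    resources = [aws_iam_role.example.arn]
  }
}

resource "aws_iam_group_policy" "assume_role" {
  name   = "assume-restricted-read-only-role"
  group  = aws_iam_group.example.name
  policy = data.aws_iam_policy_document.assume_role.json
}
```

With this shape a CLI user configures a profile with `role_arn` and `mfa_serial`; the AWS CLI then prompts for the token code on each new role session, and a user who skips MFA is left with nothing but the self-service actions. Note that `sts:AssumeRole` has to be excluded from the deny: an AssumeRole call made with long-term keys has no `aws:MultiFactorAuthPresent` key in its own request context, so leaving it under the deny would block the CLI path that the module relies on.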

Examples

module "iam_group_restricted_read_only" {
  source  = "github.com/StratusGrid/terraform-aws-iam-group-restricted-read-only"

  # name_prefix is assumed to be an input variable of the calling root module
  group_name = "${var.name_prefix}-restricted-read-only"

  # Bucket ARN plus an object wildcard: both are needed, because ListBucket
  # is evaluated against the bucket ARN and GetObject against object ARNs
  s3_bucket_paths_to_allow = [
    module.cloudtrail.s3_bucket_arn,
    "${module.cloudtrail.s3_bucket_arn}/*"
  ]

  input_tags = merge(local.common_tags, {})
}

Using different policies

To use this as a template for a different set of permissions, delete iam-read-only-policy.tf, then change the inputs and the policy document and description in iam-policy.tf.
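As an added illustration of what a restricted read-only policy document looks like when built on top of the AWS managed ReadOnlyAccess policy: the example below is not the module's iam-policy.tf, and the variable, resource and policy names are assumptions. It shows the two carve-outs the README describes, object reads outside the allowed paths and Lambda code download, expressed as explicit denies so they win over the managed allow.

```hcl
# Illustrative, not the module's own iam-policy.tf. Names are assumptions.

variable "s3_bucket_paths_to_allow" {
  type        = list(string)
  description = "Bucket and object ARNs that may still be read (e.g. CloudTrail logs)."
}

resource "aws_iam_group" "example" {
  name = "example-restricted-read-only" # constructed name
}

# Broad read access comes from the managed policy...
resource "aws_iam_group_policy_attachment" "read_only_access" {
  group      = aws_iam_group.example.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# ...and the data-access exceptions are explicit denies layered on top.
data "aws_iam_policy_document" "restrictions" {
  # Object reads are denied everywhere except the allowed ARNs. Listing
  # buckets and object keys is still permitted by ReadOnlyAccess.
  statement {
    sid           = "DenyObjectReadsOutsideAllowedPaths"
    effect        = "Deny"
    actions       = ["s3:GetObject", "s3:GetObjectVersion"]
    not_resources = var.s3_bucket_paths_to_allow
  }

  # GetFunction returns a presigned URL for the deployment package, which is
  # how function code is downloaded. Be aware the Lambda console calls it as
  # well, so this also limits what the console shows for a function.
  statement {
    sid       = "DenyLambdaCodeDownload"
    effect    = "Deny"
    actions   = ["lambda:GetFunction", "lambda:GetLayerVersion"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "restrictions" {
  name        = "example-restricted-read-only-exclusions"
  description = "Denies object and Lambda code downloads on top of ReadOnlyAccess"
  policy      = data.aws_iam_policy_document.restrictions.json
}

resource "aws_iam_group_policy_attachment" "restrictions" {
  group      = aws_iam_group.example.name
  policy_arn = aws_iam_policy.restrictions.arn
}
```

Because the carve-outs are denies rather than a narrower allow list, they keep working if ReadOnlyAccess later gains new actions, and the same document can be adapted to a different permission set by editing only the statements.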


Requirements

| Name      | Version  |
|-----------|----------|
| terraform | >= 1.2.0 |
| aws       | >= 4.9.0 |

Resources

| Name                                              | Type     |
|---------------------------------------------------|----------|
| aws_iam_group.group                               | resource |
| aws_iam_group_policy.role_assumption              | resource |
| aws_iam_group_policy.user_self_service            | resource |
| aws_iam_group_policy_attachment.read_only_access  | resource |
| aws_iam_group_policy_attachment.this              | resource |
| aws_iam_policy.this                               | resource |
| aws_iam_role.this                                 | resource |
| aws_iam_role_policy_attachment.read_only_access   | resource |
| aws_iam_role_policy_attachment.this               | resource |

Inputs

| Name                     | Description                                                                                                                 | Type         | Default                                                    | Required |
|--------------------------|-----------------------------------------------------------------------------------------------------------------------------|--------------|------------------------------------------------------------|----------|
| group_name               | Unique string name of the IAM group to be created. Also prepended to supporting resource names.                             | string       | n/a                                                        | yes      |
| group_path               | The path (prefix) for the group in IAM.                                                                                     | string       | "/"                                                        | no       |
| input_tags               | Map of tags to apply to resources.                                                                                          | map(string)  | { "Developer": "StratusGrid", "Provisioner": "Terraform" } | no       |
| s3_bucket_paths_to_allow | List of bucket-matching ARNs which the read-only role should be able to get objects from. Commonly used for CloudTrail and logging buckets. | list(string) | n/a                                                        | yes      |

Outputs

| Name                    | Description                        |
|-------------------------|------------------------------------|
| iam_group_id            | ID of the IAM group created        |
| iam_role_arn            | ARN of the IAM role created        |
| iam_role_assumption_url | URL to assume the role in the Console |

Note, manual changes to the README will be overwritten when the documentation is updated. To update the documentation, run terraform-docs -c .config/.terraform-docs.yml