
Add readonly role for org sec plan
Adding a read-only role to allow the management account pipeline to plan
for org sec resources.
davidkelliott committed Oct 9, 2023
1 parent 8dced09 commit 99d28f4
Showing 2 changed files with 41 additions and 17 deletions.
34 changes: 17 additions & 17 deletions management-account/terraform/providers-organisation-security.tf
Expand Up @@ -8,7 +8,7 @@ provider "aws" {
alias = "organisation-security-us-east-1"

assume_role {
role_arn = "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
role_arn = can(regex("GitHubActions", data.aws_caller_identity.current.arn)) ? "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/ReadOnly" : "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
}
}

Expand All @@ -18,7 +18,7 @@ provider "aws" {
alias = "organisation-security-us-east-2"

assume_role {
role_arn = "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
role_arn = can(regex("GitHubActions", data.aws_caller_identity.current.arn)) ? "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/ReadOnly" : "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
}
}

Expand All @@ -28,7 +28,7 @@ provider "aws" {
alias = "organisation-security-us-west-1"

assume_role {
role_arn = "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
role_arn = can(regex("GitHubActions", data.aws_caller_identity.current.arn)) ? "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/ReadOnly" : "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
}
}

Expand All @@ -38,7 +38,7 @@ provider "aws" {
alias = "organisation-security-us-west-2"

assume_role {
role_arn = "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
role_arn = can(regex("GitHubActions", data.aws_caller_identity.current.arn)) ? "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/ReadOnly" : "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
}
}

Expand All @@ -48,7 +48,7 @@ provider "aws" {
alias = "organisation-security-ap-south-1"

assume_role {
role_arn = "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
role_arn = can(regex("GitHubActions", data.aws_caller_identity.current.arn)) ? "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/ReadOnly" : "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
}
}

Expand All @@ -58,7 +58,7 @@ provider "aws" {
alias = "organisation-security-ap-northeast-3"

assume_role {
role_arn = "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
role_arn = can(regex("GitHubActions", data.aws_caller_identity.current.arn)) ? "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/ReadOnly" : "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
}
}

Expand All @@ -68,7 +68,7 @@ provider "aws" {
alias = "organisation-security-ap-northeast-2"

assume_role {
role_arn = "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
role_arn = can(regex("GitHubActions", data.aws_caller_identity.current.arn)) ? "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/ReadOnly" : "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
}
}

Expand All @@ -78,7 +78,7 @@ provider "aws" {
alias = "organisation-security-ap-southeast-1"

assume_role {
role_arn = "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
role_arn = can(regex("GitHubActions", data.aws_caller_identity.current.arn)) ? "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/ReadOnly" : "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
}
}

Expand All @@ -88,7 +88,7 @@ provider "aws" {
alias = "organisation-security-ap-southeast-2"

assume_role {
role_arn = "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
role_arn = can(regex("GitHubActions", data.aws_caller_identity.current.arn)) ? "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/ReadOnly" : "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
}
}

Expand All @@ -98,7 +98,7 @@ provider "aws" {
alias = "organisation-security-ap-northeast-1"

assume_role {
role_arn = "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
role_arn = can(regex("GitHubActions", data.aws_caller_identity.current.arn)) ? "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/ReadOnly" : "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
}
}

Expand All @@ -108,7 +108,7 @@ provider "aws" {
alias = "organisation-security-ca-central-1"

assume_role {
role_arn = "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
role_arn = can(regex("GitHubActions", data.aws_caller_identity.current.arn)) ? "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/ReadOnly" : "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
}
}

Expand All @@ -118,7 +118,7 @@ provider "aws" {
alias = "organisation-security-eu-central-1"

assume_role {
role_arn = "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
role_arn = can(regex("GitHubActions", data.aws_caller_identity.current.arn)) ? "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/ReadOnly" : "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
}
}

Expand All @@ -128,7 +128,7 @@ provider "aws" {
alias = "organisation-security-eu-west-1"

assume_role {
role_arn = "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
role_arn = can(regex("GitHubActions", data.aws_caller_identity.current.arn)) ? "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/ReadOnly" : "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
}
}

Expand All @@ -138,7 +138,7 @@ provider "aws" {
alias = "organisation-security-eu-west-2"

assume_role {
role_arn = "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
role_arn = can(regex("GitHubActions", data.aws_caller_identity.current.arn)) ? "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/ReadOnly" : "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
}
}

Expand All @@ -148,7 +148,7 @@ provider "aws" {
alias = "organisation-security-eu-west-3"

assume_role {
role_arn = "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
role_arn = can(regex("GitHubActions", data.aws_caller_identity.current.arn)) ? "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/ReadOnly" : "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
}
}

Expand All @@ -158,7 +158,7 @@ provider "aws" {
alias = "organisation-security-eu-north-1"

assume_role {
role_arn = "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
role_arn = can(regex("GitHubActions", data.aws_caller_identity.current.arn)) ? "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/ReadOnly" : "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
}
}

Expand All @@ -168,6 +168,6 @@ provider "aws" {
alias = "organisation-security-sa-east-1"

assume_role {
role_arn = "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
role_arn = can(regex("GitHubActions", data.aws_caller_identity.current.arn)) ? "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/ReadOnly" : "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/OrganizationAccountAccessRole"
}
}
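Review bot: The role-selection expression on the new role_arn line is repeated verbatim in all seventeen provider blocks of this file, so a change to the ReadOnly role name or to the caller-matching pattern must be made seventeen times, and a single missed copy would silently leave that region's provider on OrganizationAccountAccessRole. Computing it once in a `locals` block and writing `role_arn = local.organisation_security_role_arn` in each assume_role keeps the decision in one place. Note also that this choice is made by the caller, not enforced by IAM: a caller whose ARN does not contain "GitHubActions" still assumes the full-access role, and the pipeline identity could still assume that role if its own policy and the target trust policy permit it, so the least-privilege property rests on those policies rather than on this expression. Each enclosing provider block begins before its hunk.
```terraform
locals {
  # Pipeline callers get the read-only role; every other caller keeps the access role.
  organisation_security_role_name = can(regex("GitHubActions", data.aws_caller_identity.current.arn)) ? "ReadOnly" : "OrganizationAccountAccessRole"
  organisation_security_role_arn  = "arn:aws:iam::${aws_organizations_account.organisation_security.id}:role/${local.organisation_security_role_name}"
}

# … unchanged: provider "aws" header and alias …
  assume_role {
    role_arn = local.organisation_security_role_arn
  }
# … unchanged: the remaining sixteen provider blocks reference the same local …
```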
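--- /dev/null
+++ b/organisation-security/terraform/iam-roles.tf
@@ -0,0 +1,24 @@
+############
+# ReadOnly #
+############
+resource "aws_iam_role" "read_only" {
+name = "ReadOnly"
+assume_role_policy = data.aws_iam_policy_document.read_only_role.json
+}
+
+data "aws_iam_policy_document" "read_only_role" {
+statement {
+effect = "Allow"
+actions = ["sts:AssumeRole"]
+principals {
+type = "AWS"
+identifiers = ["arn:aws:iam::${data.aws_caller_identity.root.id}:root"]
+}
+}
+}
+
+# Role policy attachments
+resource "aws_iam_role_policy_attachment" "read_only_role" {
+role = aws_iam_role.read_only.name
+policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+}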
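Review bot: The trust policy in `read_only_role` lets any principal in the management account (`:root`) that holds sts:AssumeRole assume the new role, which is broader than the pipeline the commit description names; if the pipeline's role ARN is known, narrowing `identifiers` to it, e.g. `identifiers = ["arn:aws:iam::${data.aws_caller_identity.root.id}:role/<PIPELINE_ROLE_NAME>"]`, scopes the trust to that caller. The AWS-managed ReadOnlyAccess policy also includes object-level reads such as `s3:GetObject`, so in a security account holding logs it can expose log contents, and a scoped policy or ViewOnlyAccess may be the better fit if those buckets are sensitive. `data.aws_caller_identity.root` is referenced but not defined in this file, presumably elsewhere in the module. A `description` on the role, e.g. `description = "Read-only role assumed by the management account pipeline for terraform plan"`, would record the intent where operators see it.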
