iam-groups.tf
# .####....###....##.....##.....######...########...#######..##.....##.########...######.
# ..##....##.##...###...###....##....##..##.....##.##.....##.##.....##.##.....##.##....##
# ..##...##...##..####.####....##........##.....##.##.....##.##.....##.##.....##.##......
# ..##..##.....##.##.###.##....##...####.########..##.....##.##.....##.########...######.
# ..##..#########.##.....##....##....##..##...##...##.....##.##.....##.##..............##
# ..##..##.....##.##.....##....##....##..##....##..##.....##.##.....##.##........##....##
# .####.##.....##.##.....##.....######...##.....##..#######...#######..##.........######.
resource "aws_iam_group" "administrators" {
  # Group that receives the AWS-managed AdministratorAccess policy via the
  # aws_iam_group_policy_attachment.administrator resource later in this file.
  # Membership (aws_iam_group_membership / aws_iam_user_group_membership) is
  # not declared in this file.
  path = "/"
  name = "abcde_administrators"
}
resource "aws_iam_group" "console_users" {
  # Group for console users. In this file it is granted AmazonEC2ReadOnlyAccess
  # and AmazonS3FullAccess (see the console_users_* attachments below) — i.e.
  # read-only for EC2 but read/write for S3. Membership is not declared here.
  path = "/"
  name = "abcde_console-users"
}
resource "aws_iam_group" "developers" {
  # Group for developers. This file attaches AmazonS3FullAccess and
  # AmazonEC2FullAccess to it (see the developers_* attachments below).
  # Membership is not declared in this file.
  path = "/"
  name = "abcde_developers"
}
# .########.##.....##.####..######..########.####.##....##..######.....
# .##........##...##...##..##....##....##.....##..###...##.##....##....
# .##.........##.##....##..##..........##.....##..####..##.##..........
# .######......###.....##...######.....##.....##..##.##.##.##...####...
# .##.........##.##....##........##....##.....##..##..####.##....##....
# .##........##...##...##..##....##....##.....##..##...###.##....##....
# .########.##.....##.####..######.....##....####.##....##..######.....
# .########...#######..##.......####..######..####.########..######.
# .##.....##.##.....##.##........##..##....##..##..##.......##....##
# .##.....##.##.....##.##........##..##........##..##.......##......
# .########..##.....##.##........##..##........##..######....######.
# .##........##.....##.##........##..##........##..##.............##
# .##........##.....##.##........##..##....##..##..##.......##....##
# .##.........#######..########.####..######..####.########..######.
data "aws_iam_policy" "AdministratorAccess" {
# AWS-managed policy. At the time of writing its document is a single
# Allow of Action "*" on Resource "*", i.e. unrestricted access to the
# whole account. AWS controls its content; it is looked up here, not defined.
arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
data "aws_iam_policy" "AmazonS3FullAccess" {
# AWS-managed policy granting s3:* on every bucket and object in the account
# (read, write and delete). Not a read-only policy; the read-only managed
# equivalent is AmazonS3ReadOnlyAccess. AWS controls its content.
arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}
data "aws_iam_policy" "AmazonEC2ReadOnlyAccess" {
# AWS-managed policy limited to read-only (Describe/List/Get) actions across
# EC2 and the related ELB, CloudWatch and Auto Scaling APIs. AWS controls its
# content, so re-check the document if the exact action list matters.
arn = "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
}
data "aws_iam_policy" "AmazonEC2FullAccess" {
# AWS-managed policy granting ec2:* (plus full ELB, CloudWatch and Auto
# Scaling access) on all resources. It is not scoped to any region, tag or
# instance, so holders can launch, terminate and reconfigure any instance
# or security group in the account. AWS controls its content.
arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
}
# ..######...########...#######..##.....##.########.
# .##....##..##.....##.##.....##.##.....##.##.....##
# .##........##.....##.##.....##.##.....##.##.....##
# .##...####.########..##.....##.##.....##.########.
# .##....##..##...##...##.....##.##.....##.##.......
# .##....##..##....##..##.....##.##.....##.##.......
# ..######...##.....##..#######...#######..##.......
# .########...#######..##.......####..######..##....##
# .##.....##.##.....##.##........##..##....##..##..##.
# .##.....##.##.....##.##........##..##.........####..
# .########..##.....##.##........##..##..........##...
# .##........##.....##.##........##..##..........##...
# .##........##.....##.##........##..##....##....##...
# .##.........#######..########.####..######.....##...
# ....###....########.########....###.....######..##.....##.##.....##.########.##....##.########..######.
# ...##.##......##.......##......##.##...##....##.##.....##.###...###.##.......###...##....##....##....##
# ..##...##.....##.......##.....##...##..##.......##.....##.####.####.##.......####..##....##....##......
# .##.....##....##.......##....##.....##.##.......#########.##.###.##.######...##.##.##....##.....######.
# .#########....##.......##....#########.##.......##.....##.##.....##.##.......##..####....##..........##
# .##.....##....##.......##....##.....##.##....##.##.....##.##.....##.##.......##...###....##....##....##
# .##.....##....##.......##....##.....##..######..##.....##.##.....##.########.##....##....##.....######.
# ADMINISTRATORS
resource "aws_iam_group_policy_attachment" "administrator" {
  # Grants unrestricted account access to every member of the administrators
  # group. NOTE(review): nothing in this file conditions this on MFA or bounds
  # it with a permissions boundary — confirm that is handled elsewhere
  # (e.g. in the group's membership or an account-level policy).
  policy_arn = data.aws_iam_policy.AdministratorAccess.arn
  group      = aws_iam_group.administrators.name
}
# CONSOLE USERS: EC2 read-only, plus full (read/write/delete) S3 access.
resource "aws_iam_group_policy_attachment" "console_users_AmazonEC2ReadOnlyAccess" {
  # Read-only EC2 visibility for console users; this is the "read-only"
  # half of the group's permissions.
  policy_arn = data.aws_iam_policy.AmazonEC2ReadOnlyAccess.arn
  group      = aws_iam_group.console_users.name
}
resource "aws_iam_group_policy_attachment" "console_users_AmazonS3FullAccess" {
  # This is NOT read-only: AmazonS3FullAccess grants s3:* on every bucket in
  # the account, so console users can write to and delete any object.
  # NOTE(review): if read-only S3 was the intent, the managed
  # AmazonS3ReadOnlyAccess policy is the narrower choice — confirm intent
  # before changing, as existing users may rely on write access.
  policy_arn = data.aws_iam_policy.AmazonS3FullAccess.arn
  group      = aws_iam_group.console_users.name
}
# DEVELOPERS
resource "aws_iam_group_policy_attachment" "developers_AmazonS3FullAccess" {
  # Full S3 access (s3:* on all buckets) for developers. Unscoped, so it also
  # covers any bucket holding state, logs or backups in this account; a
  # customer-managed policy limited to the developers' buckets would be tighter.
  policy_arn = data.aws_iam_policy.AmazonS3FullAccess.arn
  group      = aws_iam_group.developers.name
}
resource "aws_iam_group_policy_attachment" "developers_AmazonEC2FullAccess" {
  # Full EC2 access (ec2:* on all resources) for developers: members can
  # launch, terminate and reconfigure any instance or security group in the
  # account, not only their own. Consider a customer-managed policy scoped by
  # tag or region if developers only need a subset of this.
  policy_arn = data.aws_iam_policy.AmazonEC2FullAccess.arn
  group      = aws_iam_group.developers.name
}