-
Notifications
You must be signed in to change notification settings - Fork 0
/
read_only_policy_role.tf
76 lines (64 loc) · 2.14 KB
/
read_only_policy_role.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
# ------------------------------------------------------------------------------
# Create the IAM policy and role that allow read-only access to the WAS DynamoDB
# tables in the User Services account.
# ------------------------------------------------------------------------------
data "aws_iam_policy_document" "read_only_doc" {
statement {
actions = [
"dynamodb:BatchGetItem",
"dynamodb:ConditionCheckItem",
"dynamodb:DescribeLimits",
"dynamodb:DescribeTable",
"dynamodb:GetItem",
"dynamodb:Query",
"dynamodb:Scan",
]
resources = [
aws_dynamodb_table.reports.arn,
aws_dynamodb_table.stakeholders.arn,
]
}
# Allow the user to list all DynamoDB tables so that they can find and select
# the WAS DynamoDB tables when using the AWS web console.
statement {
actions = [
"dynamodb:ListTables",
]
resources = [
"arn:aws:dynamodb:${var.aws_region}:${local.userservices_account_id}:table/*",
]
}
# Allow the user to view metrics for the WAS DynamoDB tables. I have not yet
# found a way to limit this access to only the WAS tables.
statement {
actions = [
"logs:DescribeMetricFilters",
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
]
resources = [
"*",
]
}
}
# Create the IAM policy
resource "aws_iam_policy" "read_only" {
provider = aws.userservicesprovisionaccount
description = var.read_only_policy_role_description
name = var.read_only_policy_role_name
policy = data.aws_iam_policy_document.read_only_doc.json
}
# Create the IAM role
resource "aws_iam_role" "read_only" {
provider = aws.userservicesprovisionaccount
assume_role_policy = data.aws_iam_policy_document.users_account_assume_role_doc.json
description = var.read_only_policy_role_description
name = var.read_only_policy_role_name
}
# Attach the IAM policy to the IAM role
resource "aws_iam_role_policy_attachment" "read_only" {
provider = aws.userservicesprovisionaccount
policy_arn = aws_iam_policy.read_only.arn
role = aws_iam_role.read_only.name
}