# Optional S3 key prefix under which per-workspace state objects live.
# Normalised to either "" or "<prefix>/" so it can be concatenated directly
# in front of a workspace name when the restricted object ARN is built below.
locals {
  workspace_key_prefix = var.workspace_key_prefix != "" ? "${var.workspace_key_prefix}/" : ""
}
# Trust policy for the role that may read and write every workspace's state.
# Trusted principals come from var.all_workspaces_details; when that list is
# empty the policy falls back to this account's own ID. NOTE(review): a bare
# account ID as an "AWS" principal is the account root, which lets any IAM
# identity in the account that itself holds sts:AssumeRole permission on the
# role assume it — confirm that broad default is intended.
data "aws_iam_policy_document" "backend_assume_role_all" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type = "AWS"
      # presumably entries are principal ARNs or account IDs — verify against the variable definition
      identifiers = length(var.all_workspaces_details) > 0 ? var.all_workspaces_details : [data.aws_caller_identity.current.account_id]
    }
  }
}
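# Permissions for the unrestricted ("all workspaces") role: the whole backend
# bucket, every object in it, and the Terraform lock table.
data "aws_iam_policy_document" "iam_role_policy_all" {
  # Bucket-level reads: listing state keys and checking versioning status.
  statement {
    actions   = ["s3:GetBucketVersioning", "s3:ListBucket"]
    resources = ["arn:aws:s3:::${aws_s3_bucket.backend.id}"]
  }

  # Object-level access to every key in the bucket; this role is deliberately
  # not scoped to a workspace prefix.
  statement {
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::${aws_s3_bucket.backend.id}/*"]
  }

  # State locking. The account segment of the ARN is pinned to the caller's
  # account rather than "*" so the grant cannot match a same-named table in
  # another account; the region segment stays "*" because no region data
  # source is referenced here. Assumes the lock table lives in this account — TODO confirm.
  statement {
    actions   = ["dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]
    resources = ["arn:aws:dynamodb:*:${data.aws_caller_identity.current.account_id}:table/${var.resource_prefix}-terraform-lock"]
  }
}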
# One trust policy per workspace (keyed by workspace name). Trusted principals
# are that workspace's entry in var.workspace_details; an empty entry falls
# back to this account's own ID. NOTE(review): a bare account ID as an "AWS"
# principal is the account root, so an empty entry makes the per-workspace
# role assumable by any IAM identity in the account that has sts:AssumeRole
# permission on it — that undoes the per-workspace restriction; confirm intended.
data "aws_iam_policy_document" "backend_assume_role_restricted" {
  for_each = var.workspace_details
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type = "AWS"
      # presumably each.value is a list of principal ARNs or account IDs — verify against the variable definition
      identifiers = length(each.value) > 0 ? each.value : [data.aws_caller_identity.current.account_id]
    }
  }
}
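# One permissions policy per workspace (keyed by workspace name): bucket-level
# reads, object access limited to that workspace's key prefix, and the lock table.
data "aws_iam_policy_document" "iam_role_policy_restricted" {
  for_each = var.workspace_details

  # Bucket-level reads: listing state keys and checking versioning status.
  # ListBucket is granted for the whole bucket, so this role can enumerate
  # other workspaces' key names even though it cannot read their contents.
  statement {
    actions   = ["s3:GetBucketVersioning", "s3:ListBucket"]
    resources = ["arn:aws:s3:::${aws_s3_bucket.backend.id}"]
  }

  # Object access scoped to "<prefix>/<workspace>". NOTE(review): the trailing
  # "*" follows the workspace name with no separator, so a workspace named
  # "prod" also matches keys such as "prod2/..." or "production/...". If state
  # keys are laid out as "<prefix>/<workspace>/...", "${each.key}/*" would be
  # the tighter pattern — confirm the key layout before changing it.
  statement {
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::${aws_s3_bucket.backend.id}/${local.workspace_key_prefix}${each.key}*"]
  }

  # State locking. The account segment of the ARN is pinned to the caller's
  # account rather than "*" so the grant cannot match a same-named table in
  # another account; the region segment stays "*" because no region data
  # source is referenced here. Assumes the lock table lives in this account — TODO confirm.
  statement {
    actions   = ["dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]
    resources = ["arn:aws:dynamodb:*:${data.aws_caller_identity.current.account_id}:table/${var.resource_prefix}-terraform-lock"]
  }
}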