Merge pull request #12 from hackforla/cb/testuser

Creating users to test permissions and updating level 4 policy
hackforla · Feb 29, 2024 · 5ef82fa · 5ef82fa
2 parents e79f5cc + 8da07fb
commit 5ef82fa
Show file tree

Hide file tree

Showing 5 changed files with 63 additions and 27 deletions.
diff --git a/terraform/aws-custom-policies.tf b/terraform/aws-custom-policies.tf
@@ -1,9 +1,9 @@
 module "aws_custom_policies" {
   source = "./modules/aws-policies"
   policies = {
-    "IAMServicesAdmin" = {
+    "IAMServicesSupervisor" = {
       description = "Policy granting IAM services admins permissions to make changes to user accounts"
-      filename    = "level-4-iam-services-admin-policy.json"
+      filename    = "level-4-iam-services-supervisor-policy.json"
     }
   }
 }
diff --git a/terraform/aws-custom-policies/level-4-iam-services-admin-policy.json b/terraform/aws-custom-policies/level-4-iam-services-admin-policy.json
diff --git a/terraform/aws-custom-policies/level-4-iam-services-supervisor-policy.json b/terraform/aws-custom-policies/level-4-iam-services-supervisor-policy.json
@@ -0,0 +1,38 @@
+{
+    "Statement": [
+        {
+            "Action": [
+                "iam:CreateAccessKey"
+            ],
+            "Effect": "Allow",
+            "Resource": "arn:aws:iam::*:user/*"
+        },
+        {
+            "Action": [
+                "iam:UpdateLoginProfile"
+            ],
+            "Condition": {
+                "StringEquals": {
+                    "iam:ResourceTag/Access Level": [
+                        "1",
+                        "2"
+                    ]
+                }
+            },
+            "Effect": "Allow",
+            "Resource": "arn:aws:iam::*:user/*"
+        },
+        {
+            "Action": [
+                "cloudshell:CreateEnvironment",
+                "cloudshell:GetEnvironmentStatus",
+                "cloudshell:CreateSession",
+                "cloudshell:StartEnvironment",
+                "cloudshell:StopEnvironment"
+            ],
+            "Effect": "Allow",
+            "Resource": "*"
+        }
+    ],
+    "Version": "2012-10-17"
+}
diff --git a/terraform/aws-groups.tf b/terraform/aws-groups.tf
@@ -15,7 +15,7 @@ module "iam_services_admin_group" {
 
   group_name = "iam-services-admin-group"
   policy_arn = {
-    "IAMServicesAdmin" = module.aws_custom_policies.policy_arns["IAMServicesAdmin"]
+    "IAMServicesAdmin" = module.aws_custom_policies.policy_arns["IAMServicesSupervisor"]
   }
 }
 
diff --git a/terraform/aws-users.tf b/terraform/aws-users.tf
@@ -84,4 +84,26 @@ module "iam_user_awlFCCamp" {
     "Access Level" = "1"
   }
   user_groups = ["read-only-group"]
+}
+
+module "iam_user_testiamuser" {
+  source = "./modules/aws-users"
+
+  user_name = "testiamuser"
+  user_tags = {
+    "Project"      = "devops-security"
+    "Access Level" = "1"
+  }
+  user_groups = ["read-only-group"]
+}
+
+module "iam_user_chelseyb" {
+  source = "./modules/aws-users"
+
+  user_name = "chelseyb"
+  user_tags = {
+    "Project"      = "devops-security"
+    "Access Level" = "1"
+  }
+  user_groups = ["read-only-group", "iam-services-admin-group"]
 }