From 8401a4771ad5c7de2c4e1e83ecc92725d1ec3c01 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Harper?=
Date: Thu, 7 Dec 2023 16:26:03 -0500
Subject: [PATCH] chore: add a Terraform plan to create an admin role in AWS to be assumed
---
 tools/aws-create-role.tf | 67 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 tools/aws-create-role.tf
diff --git a/tools/aws-create-role.tf b/tools/aws-create-role.tf
new file mode 100644
index 000000000..58aabd839
--- /dev/null
+++ b/tools/aws-create-role.tf
@@ -0,0 +1,67 @@
+#
+# Terraform plan to create the administrator role that will be assumed
+#
+# Please read the comment within the file (not just this one) carefully to prevent any security issues within your organization!
+#
+# Replace the AWS account ID `111111111111` with yours.
+#
+# Ensure that the default values fit your needs (i.e., AWS region, role permission...)
+#
+# To run this plan:
+# terraform init
+# terraform apply
+#
+
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "4.67.0"
+ }
+ }
+}
+
+provider "aws" {
+ region = "us-east-1"
+}
+
+resource "aws_iam_role" "assumed_admin" {
+
+ # The role name
+ name = "AssumedAdmin"
+
+ # The default session time is 1 hour, this set it to 12 hours for convenience. It's less annoying, but less secure, feel free to remove or change!
+ max_session_duration = 43200
+
+ #
+ # Below is a permissive role not intended for long-term use.
+ #
+ # It grants all IAM users of the AWS account the ability to assume the role `AssumedAdmin` (or whatever name you gave it), which we created and give the `AdministratorAccess` policy.
+ #
+ # The value `:root` grants assume to the whole account but you can replace it with your individual IAM ARN, or your role if appropriate.
+ #
+ # As a reminder, the value `111111111111` below should be replaced with your AWS account ID.
+ #
+ # Anyone with IAM can assume the role while it's in place like this. You can scope it down to your specific user, or across accounts, or whatever you need.
+ #
+ assume_role_policy = <