Converted CloudFormation to Terraform for Secureframe: a cross-account, read-only scanner role that Secureframe assumes from its own AWS account, gated by an external ID.
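# External ID that Secureframe must present when it assumes the scanner role.
# It is the confused-deputy guard on the role's trust policy: a caller in the
# trusted account that does not supply exactly this value is refused.
# Marked sensitive so it is redacted from plan/apply output (it still lands in
# state; protect the state backend accordingly). Requires Terraform >= 0.14.
variable "external_id" {
  description = "External ID provided by the Secureframe application."
  type        = string
  sensitive   = true

  # Reject an empty/whitespace value: an empty ExternalId condition would
  # silently weaken the trust policy rather than fail loudly at apply time.
  validation {
    condition     = length(trimspace(var.external_id)) > 0
    error_message = "external_id must be a non-empty string; copy it from the Secureframe onboarding page."
  }
}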
# Supplementary permissions that the AWS-managed SecurityAudit policy (attached
# to the role below) does not cover. By name every action here is a
# Describe/Get/List call, so Resource = "*" grants read access only.
resource "aws_iam_policy" "secureframe" {
name = "secureframe-org"
description = "A Limited policy to allow secureframe to do its job"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Effect = "Allow"
Resource = "*"
Action = [
# The two wildcards below also match any Describe*/ListVpcEndpoint*
# action AWS adds to these services later; keep that in mind when
# auditing the effective permissions of this role.
"ecr:Describe*",
"ecs:GetTaskProtection",
"elasticfilesystem:DescribeBackupPolicy",
"elastictranscoder:ListPipelines",
"es:ListVpcEndpoint*",
"ses:GetEmailIdentity",
"ses:ListEmailIdentities",
"wafv2:GetLoggingConfiguration",
"wafv2:GetWebACLForResource"
]
}
]
})
}
# Cross-account role that Secureframe assumes from its own AWS account to scan
# this (member) account. Everything attached is read-only: the custom policy
# above plus the AWS-managed SecurityAudit policy.
resource "aws_iam_role" "secureframe_read_only" {
name = "secureframeOrgScanner"
description = "Read Only Access for secureframe to fetch resources from member accounts"
# NOTE(review): managed_policy_arns is exclusive — a policy attached out-of-band
# is detached on the next apply. Newer AWS provider releases deprecate this
# argument in favour of aws_iam_role_policy_attachment; confirm against the
# provider version pinned for this module.
managed_policy_arns = [
aws_iam_policy.secureframe.arn,
"arn:aws:iam::aws:policy/SecurityAudit"
]
# 28800 s = 8 h per assumed session, well above the 1 h default. Keep it only
# if Secureframe's scans genuinely need long-lived sessions — confirm.
max_session_duration = 28800
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Effect = "Allow"
Principal = {
# ":root" trusts every principal in account 728997465891 that its own IAM
# policies allow to call sts:AssumeRole, not a single user or role.
# Presumably this is Secureframe's service account, carried over from the
# CloudFormation template; verify it against Secureframe's documentation
# before applying.
AWS = "arn:aws:iam::728997465891:root"
}
Action = [
"sts:AssumeRole",
# Lets the caller attach session tags. The ExternalId condition below
# applies to this action too, since both share this statement.
"sts:TagSession"
]
# Confused-deputy guard: the trusted account must present the agreed
# external ID on every AssumeRole call.
Condition = {
StringEquals = { "sts:ExternalId" = var.external_id }
}
}
]
})
}
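# ARN of the scanner role; hand this to Secureframe to finish onboarding.
# NOTE(review): the output name says "admin" but the role carries only
# read-only policies (see aws_iam_role.secureframe_read_only). The original
# name is kept so existing consumers of this output keep working; the
# accurately named alias below is the one new callers should use.
output "admin_role_arn" {
  description = "ARN of the read-only Secureframe scanner role (legacy name; prefer secureframe_role_arn)."
  value       = aws_iam_role.secureframe_read_only.arn
}

output "secureframe_role_arn" {
  description = "ARN of the read-only Secureframe scanner role to register with Secureframe."
  value       = aws_iam_role.secureframe_read_only.arn
}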