ezalejski · February 27, 2020 15:22
diff --git a/assumed_roles.tf b/assumed_roles.tf
 ## re-using aws 'administrator_access' policy
 data "aws_iam_policy" "administrator_access" {
  arn = "arn:aws:iam::aws:policy/AdministratorAccess"
 }
 ## allowing master account to manage access via AssumeRole
 data "aws_iam_policy_document" "master_account_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::<MASTER_ACCOUNT_ID>:root"]
    }
  }
 }
 ## 'administrator_access' role definition
 resource "aws_iam_role" "administrator_access" {
  name               = "administrator-access"
  path               = "/"
  assume_role_policy = data.aws_iam_policy_document.master_account_assume_role_policy.json
  description        = "Master account managed administrator-access"
 }
 ## 'administrator_access' policy attachment
 resource "aws_iam_role_policy_attachment" "administrator_access" {
  role       = aws_iam_role.administrator_access.name
  policy_arn = data.aws_iam_policy.administrator_access.arn
 }
	## re-using aws 'administrator_access' policy
	data "aws_iam_policy" "administrator_access" {
	arn = "arn:aws:iam::aws:policy/AdministratorAccess"
	}
	## allowing master account to manage access via AssumeRole
	data "aws_iam_policy_document" "master_account_assume_role_policy" {
	statement {
	actions = ["sts:AssumeRole"]
	principals {
	type = "AWS"
	identifiers = ["arn:aws:iam::<MASTER_ACCOUNT_ID>:root"]
	}
	}
	}
	## 'administrator_access' role definition
	resource "aws_iam_role" "administrator_access" {
	name = "administrator-access"
	path = "/"
	assume_role_policy = data.aws_iam_policy_document.master_account_assume_role_policy.json
	description = "Master account managed administrator-access"
	}
	## 'administrator_access' policy attachment
	resource "aws_iam_role_policy_attachment" "administrator_access" {
	role = aws_iam_role.administrator_access.name
	policy_arn = data.aws_iam_policy.administrator_access.arn
	}