# Fixed pause inserted after the Azure AD side of the federation (application,
# service principal, signing certificate, claims-mapping policy) exists and
# before the federation metadata document is fetched by data.http below.
resource "time_sleep" "wait_60_seconds" {
  create_duration = "60s"

  depends_on = [
    data.azuread_application.azuread_aws_sso_application,
    azuread_service_principal.azuread_service_principal,
    azuread_application_identifier_uri.azuread_aws_sso_application_uri,
    azuread_service_principal_token_signing_certificate.azuread_signing_certificate,
    azuread_claims_mapping_policy.azuread_sso_policy,
    azuread_service_principal_claims_mapping_policy_assignment.azuread_claims_mapping_policy_assignment,
  ]
}
# Downloads the tenant's SAML federation metadata for the AWS SSO application.
# The tenant id and application id come from the service principal created
# elsewhere in this configuration; the request is only issued once the sleep
# above has completed.
# NOTE(review): response_body is consumed as-is downstream; a non-2xx reply
# (e.g. an HTML error page) would be stored unchecked — consider asserting on
# status_code where the Terraform version in use allows it.
data "http" "azure_metadata_xml" {
  url = "https://login.microsoftonline.com/${azuread_service_principal.azuread_service_principal.application_tenant_id}/federationmetadata/2007-06/federationmetadata.xml?appid=${azuread_service_principal.azuread_service_principal.application_id}"

  depends_on = [time_sleep.wait_60_seconds]
}
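# Persists the base64-encoded federation metadata in Vault under a path keyed
# by environment and account, so aws_iam_saml_provider below can read it back.
#
# data_json is built with jsonencode() instead of a hand-written heredoc, so the
# stored payload is guaranteed to be well-formed JSON regardless of the response
# content (a heredoc with string interpolation is only valid JSON by accident).
# Changes to data_json are ignored after the first apply, so later metadata
# refreshes (e.g. a rotated signing certificate) will NOT be written here
# automatically; the secret must be updated or the resource tainted by hand.
resource "vault_generic_secret" "metadata_sso_xml" {
  depends_on = [data.http.azure_metadata_xml]

  path = "secret/aws/sso/${var.env}/${var.account}"

  data_json = jsonencode({
    metadata_xml = base64encode(data.http.azure_metadata_xml.response_body)
  })

  lifecycle {
    ignore_changes = [data_json]
  }
}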
# Registers Azure AD as a SAML identity provider in the AWS account, using the
# metadata document stored in Vault (decoded from base64 on the way in).
# saml_metadata_document is excluded from drift detection, so a refreshed
# document in Vault is not pushed to AWS on subsequent applies; when the Azure
# signing certificate rotates, this provider has to be updated deliberately.
resource "aws_iam_saml_provider" "aws_saml_provider" {
  name = "aws_azure_sso_saml_provider"

  saml_metadata_document = base64decode(
    vault_generic_secret.metadata_sso_xml.data["metadata_xml"]
  )

  lifecycle {
    ignore_changes = [saml_metadata_document]
  }

  depends_on = [vault_generic_secret.metadata_sso_xml]
}
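# Read-only role.
#
# Assumable only via sts:AssumeRoleWithSAML through the SAML provider above,
# and only when the SAML audience is the AWS sign-in endpoint (the SAML:aud
# condition stops an assertion issued for some other relying party from being
# replayed here). Sessions may last up to 12 hours.
#
# max_session_duration is an integer attribute; it is written as a number
# rather than a quoted string so the type is explicit and no coercion is relied on.
resource "aws_iam_role" "aws_read_only_group_policy" {
  name                 = "aws_read_only_role"
  max_session_duration = 43200

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Federated = aws_iam_saml_provider.aws_saml_provider.arn
        }
        Action = "sts:AssumeRoleWithSAML"
        Condition = {
          StringEquals = {
            "SAML:aud" = "https://signin.aws.amazon.com/saml"
          }
        }
      }
    ]
  })

  depends_on = [aws_iam_saml_provider.aws_saml_provider]
}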
# Grants the AWS-managed ReadOnlyAccess policy to the read-only SAML role.
resource "aws_iam_role_policy_attachment" "aws_iam_policy_read_only_rights" {
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
  role       = aws_iam_role.aws_read_only_group_policy.name
}
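# Administrator role.
#
# Same trust policy as the read-only role: assumable only via
# sts:AssumeRoleWithSAML through the SAML provider above, and only when the
# SAML audience is the AWS sign-in endpoint.
#
# max_session_duration is an integer attribute and is written as a number
# rather than a quoted string. It is set to the 12-hour maximum here, the same
# as the read-only role; given that this role carries AdministratorAccess,
# a shorter session lifetime would limit the window in which a leaked session
# credential remains usable — worth reviewing against the team's policy.
resource "aws_iam_role" "aws_admin_group_policy" {
  name                 = "aws_admin_role"
  max_session_duration = 43200

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Federated = aws_iam_saml_provider.aws_saml_provider.arn
        }
        Action = "sts:AssumeRoleWithSAML"
        Condition = {
          StringEquals = {
            "SAML:aud" = "https://signin.aws.amazon.com/saml"
          }
        }
      }
    ]
  })

  depends_on = [aws_iam_saml_provider.aws_saml_provider]
}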
# Grants the AWS-managed AdministratorAccess policy to the admin SAML role.
resource "aws_iam_role_policy_attachment" "aws_iam_policy_admin_rights" {
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
  role       = aws_iam_role.aws_admin_group_policy.name
}