
add perf aws policies
manveru committed Mar 23, 2023
1 parent 866379f commit 56bd4f2
Showing 1 changed file with 51 additions and 0 deletions.
51 changes: 51 additions & 0 deletions nix/cloud/hydrationProfiles.nix
Expand Up @@ -56,6 +56,56 @@ in {
policies = ["perf"];
};

resource.aws_iam_group.perf = {
name = "perf";
path = "/perf/";
};

resource.aws_iam_group_policy.perf = {
name = "perf";
group = "perf";
policy = ''
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ChangePassword"
],
"Resource": [
"arn:aws:iam::*:user/$${aws:username}"
]
},
{
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::iog-cardano-perf",
"arn:aws:s3:::iog-cardano-perf/*"
]
}
]
}
'';
};

resource.vault_aws_secret_backend_role.perf = {
backend = "aws";
name = "perf";
credential_type = "iam_user";
iam_groups = ["perf"];
};

# ... operator role policies
locals.policies = {
vault = let
Expand All @@ -71,6 +121,7 @@ in {
"auth/token/lookup" = [u];
"auth/token/lookup-self" = [r];
"auth/token/renew-self" = [u];
"aws/creds/perf".capabilities = [r u];
"sys/capabilities-self" = [u];
"kv/data/postgrest/*" = [r l];
"kv/metadata/postgrest/*" = [r l];
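Review bot: The third statement of the `perf` group policy grants `"s3:*"` on `arn:aws:s3:::iog-cardano-perf`, which includes bucket-level control actions (`s3:DeleteBucket`, `s3:PutBucketPolicy`, `s3:PutBucketAcl`, `s3:PutBucketPublicAccessBlock`), so any Vault-minted `perf` IAM user could delete the bucket or expose it publicly; if the role only needs to read and write objects, narrow it to `"Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],` with the two resource ARNs unchanged. The first statement's `iam:ChangePassword` only applies to console login profiles, while `credential_type = "iam_user"` creates programmatic users with access keys, so that grant looks inert — confirm and drop it if so. In the second hunk, `"aws/creds/perf".capabilities = [r u];` is written as an attrset while every sibling entry (`"auth/token/renew-self" = [u];`) assigns a bare list; unless the `let` outside the hunk normalizes both forms, this should probably read `"aws/creds/perf" = [r u];`. That entry also lands in a broader policy than the `perf` one set at the top of the first hunk, which would let every holder of that policy mint perf AWS credentials — presumably intended, but worth a comment such as `# perf AWS creds are readable by holders of this policy, not only "perf"`. The enclosing `in { … }` set starts before the first hunk and the `locals.policies.vault` definition continues past the second.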
