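variable "AccoundID" {
  # NOTE(review): the name (typo included) is kept because callers, *.tfvars
  # files and the role's trust policy reference var.AccoundID; renaming it
  # would break them.
  #
  # Typed as a string rather than a number: AWS account IDs are 12-digit
  # identifiers that may start with a zero, and a number value would drop
  # that leading zero when interpolated into the principal ARN, producing a
  # trust policy that points at the wrong (or no) account. Existing callers
  # that pass a bare numeric literal still work — Terraform converts a
  # number to a string implicitly.
  type        = string
  description = "12-digit AWS account ID (as a string, so a leading zero is preserved) of the account where the BreakglassUser is deployed"

  validation {
    condition     = can(regex("^[0-9]{12}$", var.AccoundID))
    error_message = "AccoundID must be exactly 12 digits; pass it as a string so a leading zero is not lost."
  }
}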
# Emergency-access role. Its trust policy is deliberately narrow: the only
# principal allowed to call sts:AssumeRole is the single IAM user
# "BreakglassUser" in the account identified by var.AccoundID.
#
# NOTE(review): the user name here is "BreakglassUser" (lower-case g) while the
# variable description says "BreakGlassUser" — confirm which spelling the user
# resource actually uses; a mismatched ARN means nobody can assume the role.
# NOTE(review): a Condition requiring aws:MultiFactorAuthPresent = "true" is a
# common hardening for break-glass roles; it is not added here because it
# changes who can assume the role, which is an organisational decision.
resource "aws_iam_role" "BreakGlassRole" {
  name = "BreakGlassRole"

  # jsonencode emits object keys in sorted order, so the key order written
  # below does not affect the rendered policy document.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = ""
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          AWS = format("arn:aws:iam::%s:user/BreakglassUser", var.AccoundID)
        }
      },
    ]
  })
}
/* Attaches the AWS managed IAMFullAccess policy to BreakGlassRole so that the
   break-glass user, once it has assumed the role, has enough permissions to
   repair IAM (users, roles, policies) in the account during an emergency.
   IAMFullAccess is NOT a least-privilege policy: a principal holding it can
   grant itself any other permission in the account. Scope it down to the
   organization's security requirements, and make sure every assumption of
   this role is logged (CloudTrail) and alerted on.
*/
# Binds the AWS-managed IAMFullAccess policy to the break-glass role.
# The resource address is left unchanged so existing state keeps matching it.
resource "aws_iam_role_policy_attachment" "BreakGlassRole-test-role-policy-attach" {
  policy_arn = "arn:aws:iam::aws:policy/IAMFullAccess"
  # For aws_iam_role the id attribute is the role name, same as .name.
  role       = aws_iam_role.BreakGlassRole.id
}