Switch to admin role for terraform and access

ckdake · Aug 3, 2023 · ddf74e6 · ddf74e6
1 parent f36f6b4
commit ddf74e6
Show file tree

Hide file tree

Showing 4 changed files with 104 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 ## Terraform for AWS plaground
 
-This requires env vars with root credentials for the root account.
+This requires env vars with user credentials that can assume to adminstrator.
 
 ```
 export AWS_ACCESS_KEY_ID=

diff --git a/modules/s3-bucket/main.tf b/modules/s3-bucket/main.tf
@@ -10,5 +10,15 @@ terraform {
 }
 
 provider "aws" {
-  region  = "us-east-1"
+  region = "us-east-1"
+
+  assume_role {
+    role_arn = "arn:aws:iam::053562908965:role/administrator"
+  }
+
+  default_tags {
+    tags = {
+      ManagedBy = "terraform"
+    }
+  }
 }
diff --git a/tenants/management/iam.tf b/tenants/management/iam.tf
@@ -0,0 +1,75 @@
+# Role to be used for any administrative tasks
+data "aws_iam_policy_document" "administrator_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "AWS"
+      identifiers = [aws_iam_user.ckdake.arn]
+    }
+  }
+}
+
+resource "aws_iam_role" "administrator" {
+  name               = "administrator"
+  assume_role_policy = data.aws_iam_policy_document.administrator_assume_role_policy.json
+}
+
+resource "aws_iam_role_policy_attachment" "administrator_gets_administrator" {
+  role       = aws_iam_role.administrator.id
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+
+# Group of users allowed to assume the administrator role
+resource "aws_iam_group" "administrators" {
+  name = "administrators"
+}
+
+resource "aws_iam_group_membership" "administrators" {
+  name  = "administrators"
+  group = aws_iam_group.administrators.name
+
+  users = [
+    aws_iam_user.ckdake.name,
+  ]
+}
+
+resource "aws_iam_policy" "admin_assumption" {
+  name        = "admin-assumption"
+  description = "allow assuming the admin role"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect   = "Allow",
+        Action   = "sts:AssumeRole",
+        Resource = "${aws_iam_role.administrator.arn}"
+    }]
+  })
+}
+
+resource "aws_iam_group_policy_attachment" "admin_assumption" {
+  group      = aws_iam_group.administrators.name
+  policy_arn = aws_iam_policy.admin_assumption.arn
+}
+
+# Single user that can only assume to the administrator role
+resource "aws_iam_user" "ckdake" {
+  name          = "ckdake"
+  force_destroy = true
+  depends_on    = [aws_iam_group.administrators]
+}
+
+resource "aws_iam_user_login_profile" "ckdake" {
+  user                    = aws_iam_user.ckdake.name
+  password_length         = 32
+  password_reset_required = true
+
+  lifecycle {
+    ignore_changes = [
+      password_length,
+      password_reset_required,
+      pgp_key,
+    ]
+  }
+}
diff --git a/tenants/management/main.tf b/tenants/management/main.tf
@@ -9,14 +9,25 @@ terraform {
   required_version = ">= 1.2.0"
 
   backend "s3" {
-    bucket = "ithought-terraform"
-    key = "management.tfstate"
-    region = "us-east-1"
+    bucket         = "ithought-terraform"
+    key            = "management.tfstate"
+    region         = "us-east-1"
     dynamodb_table = "terraform-lock"
-    encrypt = true
+    role_arn       = "arn:aws:iam::053562908965:role/administrator"
+    encrypt        = true
   }
 }
 
 provider "aws" {
-  region  = "us-east-1"
-}
+  region = "us-east-1"
+
+  assume_role {
+    role_arn = "arn:aws:iam::053562908965:role/administrator"
+  }
+
+  default_tags {
+    tags = {
+      ManagedBy = "terraform"
+    }
+  }
+}