[DEV-1400] Create developers readonly group and iam user (#649)

pagopa · Feb 21, 2024 · 3baac15 · 3baac15
1 parent 1e4b96e
commit 3baac15
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 0 deletions.
diff --git a/.infrastructure/41_iam_users.tf b/.infrastructure/41_iam_users.tf
@@ -0,0 +1,19 @@
+resource "aws_iam_user" "mauro_dandrea" {
+  # This force the deletion of the user and its login profile
+  # because we manually give access to the console
+  force_destroy = true
+
+  name = "[email protected]"
+
+  tags = {
+    Company = "DGS"
+  }
+}
+
+# Allow IAM User to change the password
+# Attach IAM User policy because with IAM Group policy we have the following error
+# Error: deleting IAM User  DeleteConflict: Cannot delete entity, must delete login profile first.
+resource "aws_iam_user_policy_attachment" "change_password" {
+  user       = aws_iam_user.mauro_dandrea.name
+  policy_arn = "arn:aws:iam::aws:policy/IAMUserChangePassword"
+}
diff --git a/.infrastructure/42_iam_groups.tf b/.infrastructure/42_iam_groups.tf
@@ -0,0 +1,20 @@
+resource "aws_iam_group" "developers_read_only" {
+  name = "developers_read_only"
+}
+
+# IAM Group Membership - DGS
+resource "aws_iam_group_membership" "dgs" {
+  name = "DGS"
+
+  users = [
+    aws_iam_user.mauro_dandrea.name
+  ]
+
+  group = aws_iam_group.developers_read_only.name
+}
+
+resource "aws_iam_group_policy_attachment" "read_only" {
+  group = aws_iam_group.developers_read_only.name
+  # The AWS ReadOnly Access Policy
+  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+}