iam.tf
# see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user
# Dedicated IAM user for the bucket: one user per bucket, named after it, so
# the credential's blast radius is limited to the policy attached below.
resource "aws_iam_user" "main" {
  # NOTE(review): the variable is called iam_group_path but is applied to the
  # user's path here — confirm this is intentional.
  path = var.iam_group_path
  name = aws_s3_bucket.main.bucket
}
# see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key
# Long-lived access key for the user above. The secret is encrypted to the
# Keybase public key of var.keybase_user, so plaintext never lands in state;
# the ciphertext (encrypted_secret) still does, so state remains sensitive.
# No status is set, so the key is created in the provider's default state.
resource "aws_iam_access_key" "main" {
  pgp_key = format("keybase:%s", var.keybase_user)
  user    = aws_iam_user.main.name
}
# see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
# also see https://learn.hashicorp.com/tutorials/terraform/aws-iam-policy#refactor-your-policy
# Identity policy for the bucket user: two Allow statements gated on the
# caller's source IP, plus an explicit Deny for plaintext (non-TLS) requests.
# It is attached to the user only (see aws_iam_user_policy.main), so it
# constrains this principal and does not protect the bucket from others.
data "aws_iam_policy_document" "user" {
# Bucket-level read: location lookup and listing of the whole bucket.
# There is no s3:prefix condition, so every key in the bucket is listable.
statement {
sid = "AllowListOperationsOnBucket"
effect = "Allow"
actions = [
"s3:GetBucketLocation",
"s3:ListBucket",
]
resources = [
aws_s3_bucket.main.arn,
]
# see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceip
# aws:SourceIp is only set for requests arriving from a public IP; requests
# that come through a VPC endpoint carry aws:VpcSourceIp instead and will not
# match here. NOTE(review): local.ip_address_constraint is defined outside
# this file — a broad range would make this condition a no-op; confirm.
condition {
test = "IpAddress"
variable = "aws:SourceIp"
values = [
local.ip_address_constraint
]
}
}
# Object-level CRUD under the bucket. PutObjectAcl lets this user change
# per-object ACLs; NOTE(review): whether that can widen access depends on the
# bucket's Object Ownership / ACL settings, which are not visible here.
statement {
sid = "AllowCrudOperationsOnBucketObjects"
effect = "Allow"
actions = [
"s3:GetObjectAcl",
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObject",
"s3:PutObjectAcl",
]
resources = [
"${aws_s3_bucket.main.arn}/*"
]
# see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceip
# Same source-IP gate as the listing statement above.
condition {
test = "IpAddress"
variable = "aws:SourceIp"
values = [
local.ip_address_constraint
]
}
}
# see https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/
# Explicit Deny of every S3 action on the bucket and its objects when the
# request is not made over TLS; an explicit Deny overrides the Allows above.
statement {
sid = "DenyInsecureOperationsOnBucketAndBucketObjects"
effect = "Deny"
actions = [
"s3:*",
]
resources = [
aws_s3_bucket.main.arn,
"${aws_s3_bucket.main.arn}/*"
]
# see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceip
# aws:SecureTransport is "false" for plaintext HTTP. `values` is a list of
# strings, so the bare `false` below is rendered as "false" in the JSON.
condition {
test = "Bool"
variable = "aws:SecureTransport"
values = [
false
]
}
}
}
# see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy
# Inline policy binding the bucket-scoped policy document to the bucket user.
# Inline (rather than managed) keeps the policy's lifecycle tied to the user,
# so deleting the user removes the grant with it.
resource "aws_iam_user_policy" "main" {
  user        = aws_iam_user.main.name
  name_prefix = format("%s-", aws_s3_bucket.main.id)
  policy      = data.aws_iam_policy_document.user.json
}