Closed hoangmirs closed 1 year ago
Why

Currently, we are still creating IAM groups & accounts manually from the AWS console. We should support creating them with Terraform.

Typically, the following groups should be created

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowManageRoleAndPolicy",
      "Effect": "Allow",
      "Action": [
        "iam:UpdateRoleDescription", "iam:UpdateRole", "iam:UpdateAssumeRolePolicy",
        "iam:UntagUser", "iam:UntagServerCertificate", "iam:UntagSAMLProvider", "iam:UntagRole",
        "iam:UntagPolicy", "iam:UntagOpenIDConnectProvider", "iam:UntagMFADevice", "iam:UntagInstanceProfile",
        "iam:TagUser", "iam:TagServerCertificate", "iam:TagSAMLProvider", "iam:TagRole",
        "iam:TagPolicy", "iam:TagOpenIDConnectProvider", "iam:TagMFADevice", "iam:TagInstanceProfile",
        "iam:SimulatePrincipalPolicy", "iam:SimulateCustomPolicy", "iam:SetDefaultPolicyVersion",
        "iam:RemoveRoleFromInstanceProfile", "iam:PutRolePolicy", "iam:PutRolePermissionsBoundary", "iam:PassRole",
        "iam:ListVirtualMFADevices", "iam:ListUsers", "iam:ListUserTags", "iam:ListUserPolicies",
        "iam:ListSigningCertificates", "iam:ListServiceSpecificCredentials", "iam:ListServerCertificates",
        "iam:ListServerCertificateTags", "iam:ListSSHPublicKeys", "iam:ListSAMLProviders", "iam:ListSAMLProviderTags",
        "iam:ListRoles", "iam:ListRoleTags", "iam:ListRolePolicies", "iam:ListPolicyVersions", "iam:ListPolicyTags",
        "iam:ListPoliciesGrantingServiceAccess", "iam:ListPolicies", "iam:ListOpenIDConnectProviders",
        "iam:ListOpenIDConnectProviderTags", "iam:ListMFADevices", "iam:ListMFADeviceTags",
        "iam:ListInstanceProfilesForRole", "iam:ListInstanceProfiles", "iam:ListInstanceProfileTags",
        "iam:ListGroupsForUser", "iam:ListGroups", "iam:ListGroupPolicies", "iam:ListEntitiesForPolicy",
        "iam:ListAttachedUserPolicies", "iam:ListAttachedRolePolicies", "iam:ListAttachedGroupPolicies",
        "iam:ListAccountAliases", "iam:ListAccessKeys", "iam:GetServiceLinkedRoleDeletionStatus",
        "iam:GetRolePolicy", "iam:GetRole", "iam:GetPolicyVersion", "iam:GetPolicy", "iam:GetLoginProfile",
        "iam:GetAccountSummary", "iam:DetachRolePolicy", "iam:DeleteServiceLinkedRole", "iam:DeleteRolePolicy",
        "iam:DeleteRolePermissionsBoundary", "iam:DeleteRole", "iam:DeletePolicyVersion", "iam:DeletePolicy",
        "iam:CreateServiceLinkedRole", "iam:CreateRole", "iam:CreatePolicyVersion", "iam:CreatePolicy",
        "iam:AttachRolePolicy", "iam:AddRoleToInstanceProfile"
      ],
      "Resource": "arn:aws:iam::*"
    }
  ]
}
```

The users should be created and assigned to the appropriate groups.

Who Benefits?

Developers
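The groups, users and policy attachment the issue asks for, written as Terraform, as an added example that is not part of the issue or the project's code. It assumes the policy JSON above is saved as policies/developers.json next to this file; the group name, policy name and user names are placeholders.

```hcl
# Added example, not the project's code. Assumes the issue's policy JSON is
# saved as policies/developers.json next to this file; names are placeholders.
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 5.0" }
  }
}

variable "developer_users" {
  description = "IAM user names to create and put in the Developers group"
  type        = list(string)
  default     = ["alice.example", "bob.example"] # placeholder names
}

# Managed policy carrying the AllowManageRoleAndPolicy statement from the issue.
# Review its Resource before applying: "arn:aws:iam::*" matches every IAM
# resource, so iam:PassRole at that scope deserves a tighter Resource or a Condition.
resource "aws_iam_policy" "developers" {
  name   = "developers-manage-roles-and-policies"
  policy = file("${path.module}/policies/developers.json")
}

resource "aws_iam_group" "developers" {
  name = "Developers"
}

resource "aws_iam_group_policy_attachment" "developers" {
  group      = aws_iam_group.developers.name
  policy_arn = aws_iam_policy.developers.arn
}

# One user per name; for_each is keyed by name so adding or removing a user
# never recreates the others.
resource "aws_iam_user" "developer" {
  for_each = toset(var.developer_users)
  name     = each.key
}

# Membership is managed from the user side so each user's group list is explicit.
resource "aws_iam_user_group_membership" "developer" {
  for_each = aws_iam_user.developer
  user     = each.value.name
  groups   = [aws_iam_group.developers.name]
}
```

Run `terraform plan` first and confirm only the group, policy, users and memberships appear as additions before applying.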