nimblehq / infrastructure-templates

For IaaS and PaaS as code


Support creating new IAM users in IAM module

hoangmirs opened this issue · comments

Why

Currently, we are still creating IAM groups and users manually in the AWS console. We should support creating them with Terraform.

Typically, the following groups should be created:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowManageRoleAndPolicy",
            "Effect": "Allow",
            "Action": [
                "iam:UpdateRoleDescription",
                "iam:UpdateRole",
                "iam:UpdateAssumeRolePolicy",
                "iam:UntagUser",
                "iam:UntagServerCertificate",
                "iam:UntagSAMLProvider",
                "iam:UntagRole",
                "iam:UntagPolicy",
                "iam:UntagOpenIDConnectProvider",
                "iam:UntagMFADevice",
                "iam:UntagInstanceProfile",
                "iam:TagUser",
                "iam:TagServerCertificate",
                "iam:TagSAMLProvider",
                "iam:TagRole",
                "iam:TagPolicy",
                "iam:TagOpenIDConnectProvider",
                "iam:TagMFADevice",
                "iam:TagInstanceProfile",
                "iam:SimulatePrincipalPolicy",
                "iam:SimulateCustomPolicy",
                "iam:SetDefaultPolicyVersion",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:PutRolePolicy",
                "iam:PutRolePermissionsBoundary",
                "iam:PassRole",
                "iam:ListVirtualMFADevices",
                "iam:ListUsers",
                "iam:ListUserTags",
                "iam:ListUserPolicies",
                "iam:ListSigningCertificates",
                "iam:ListServiceSpecificCredentials",
                "iam:ListServerCertificates",
                "iam:ListServerCertificateTags",
                "iam:ListSSHPublicKeys",
                "iam:ListSAMLProviders",
                "iam:ListSAMLProviderTags",
                "iam:ListRoles",
                "iam:ListRoleTags",
                "iam:ListRolePolicies",
                "iam:ListPolicyVersions",
                "iam:ListPolicyTags",
                "iam:ListPoliciesGrantingServiceAccess",
                "iam:ListPolicies",
                "iam:ListOpenIDConnectProviders",
                "iam:ListOpenIDConnectProviderTags",
                "iam:ListMFADevices",
                "iam:ListMFADeviceTags",
                "iam:ListInstanceProfilesForRole",
                "iam:ListInstanceProfiles",
                "iam:ListInstanceProfileTags",
                "iam:ListGroupsForUser",
                "iam:ListGroups",
                "iam:ListGroupPolicies",
                "iam:ListEntitiesForPolicy",
                "iam:ListAttachedUserPolicies",
                "iam:ListAttachedRolePolicies",
                "iam:ListAttachedGroupPolicies",
                "iam:ListAccountAliases",
                "iam:ListAccessKeys",
                "iam:GetServiceLinkedRoleDeletionStatus",
                "iam:GetRolePolicy",
                "iam:GetRole",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:GetLoginProfile",
                "iam:GetAccountSummary",
                "iam:DetachRolePolicy",
                "iam:DeleteServiceLinkedRole",
                "iam:DeleteRolePolicy",
                "iam:DeleteRolePermissionsBoundary",
                "iam:DeleteRole",
                "iam:DeletePolicyVersion",
                "iam:DeletePolicy",
                "iam:CreateServiceLinkedRole",
                "iam:CreateRole",
                "iam:CreatePolicyVersion",
                "iam:CreatePolicy",
                "iam:AttachRolePolicy",
                "iam:AddRoleToInstanceProfile"
            ],
            "Resource": "arn:aws:iam::*"
        }
    ]
}

The users should be created and assigned to the appropriate groups.

Who Benefits?

Developers