feat(module): initial import

2025-04-10 13:01:01 +02:00 · 2025-04-10 13:01:01 +02:00 · 336e7703d6
commit 336e7703d6
8 changed files with 400 additions and 0 deletions
--- a/main.tf
+++ b/main.tf
@ -0,0 +1,47 @@
+data "aws_organizations_organization" "main" {}
+
+resource "aws_iam_role" "main" {
+  assume_role_policy = jsonencode({
+    Statement = {
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        AWS = format(
+          "arn:aws:iam::%s:root",
+          data.aws_organizations_organization.main.master_account_id,
+        )
+      }
+    }
+    Version = "2012-10-17"
+  })
+  name = var.name
+}
+
+resource "aws_iam_role_policy" "main" {
+  name = var.name
+  policy = jsonencode({
+    Statement = concat(
+      [
+        { # Read only access to the role's IAM objects
+          Action = [
+            "iam:Get*",
+            "iam:List*",
+          ]
+          Effect = "Allow"
+          Resource = [
+            aws_iam_role.main.arn,
+            "arn:aws:iam::*:policy/${var.name}",
+          ]
+        },
+        { # Describe the organization
+          Action   = "organizations:DescribeOrganization"
+          Effect   = "Allow"
+          Resource = "*"
+        }
+      ],
+      jsondecode(var.policy_statements),
+    )
+    Version = "2012-10-17"
+  })
+  role = aws_iam_role.main.id
+}