# Looks up the AWS Organization that the current credentials belong to.
# Only master_account_id is consumed below (the assume-role trust of
# aws_iam_role.main), so the caller's credentials must be allowed to
# read the organization for this data source to resolve.
data "aws_organizations_organization" "main" {}
# IAM role that the organization's management (master) account may assume.
#
# NOTE(review): the trust principal is the management account's root ARN,
# so any identity in that account that is permitted to call sts:AssumeRole
# can assume this role; the statement carries no Condition (MFA, ExternalId,
# source-account restriction). Narrowing it would change the contract for
# every module user, so it is documented here rather than changed.
resource "aws_iam_role" "main" {
  name = var.name

  # Trust policy. jsonencode sorts object keys, so attribute order here
  # does not affect the rendered document.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    # A single statement object is valid IAM (an array is also accepted).
    Statement = {
      Effect = "Allow"
      Action = "sts:AssumeRole"
      Principal = {
        AWS = "arn:aws:iam::${data.aws_organizations_organization.main.master_account_id}:root"
      }
    }
  })
}
# Inline policy for aws_iam_role.main: a fixed baseline (read access to the
# role's own IAM objects plus organizations:DescribeOrganization) followed
# by whatever statements the caller passes in var.policy_statements.
resource "aws_iam_role_policy" "main" {
  name = var.name
  role = aws_iam_role.main.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = concat(
      [
        # Read-only access to the role itself and to any IAM policy named
        # var.name in *any* account (the account field of the ARN is a
        # wildcard). NOTE(review): a number of iam:List* actions (e.g.
        # iam:ListRoles) are not resource-scoped in IAM, so they are not
        # granted by these ARNs — confirm which listings the role needs.
        {
          Effect = "Allow"
          Action = [
            "iam:Get*",
            "iam:List*",
          ]
          Resource = [
            aws_iam_role.main.arn,
            "arn:aws:iam::*:policy/${var.name}",
          ]
        },
        # Describe the organization; this action is not resource-scoped,
        # hence "*".
        {
          Effect   = "Allow"
          Action   = "organizations:DescribeOrganization"
          Resource = "*"
        },
      ],
      # Caller-supplied statements are decoded and spliced in verbatim; no
      # validation is applied here. concat requires the decoded value to be
      # a JSON array, so a single statement object must be wrapped in [].
      jsondecode(var.policy_statements),
    )
  })
}