✏️ WIP
bendoerr committed Dec 11, 2023
1 parent 3dea88e commit 885698f
Showing 3 changed files with 14 additions and 14 deletions.
24 changes: 12 additions & 12 deletions aws-iam-backend.tf
Expand Up @@ -36,8 +36,8 @@ data "aws_iam_policy_document" "backend_dynamodb_rw" {
count = var.backend_role.dynamodb_policy.create ? 1 : 0

statement {
sid = replace("${module.label_backend_dynamodb_rw[0].id}-0", "-", "")
effect = "Allow"
sid = replace("${module.label_backend_dynamodb_rw[0].id}-0", "-", "")
effect = "Allow"
actions = [
"dynamodb:DeleteItem",
"dynamodb:GetItem",
Expand All @@ -49,8 +49,8 @@ data "aws_iam_policy_document" "backend_dynamodb_rw" {
dynamic "statement" {
for_each = var.backend_role.dynamodb_policy.kms_key != null ? ["this"] : []
content {
sid = replace("${module.label_backend_dynamodb_rw[0].id}-1", "-", "")
effect = "Allow"
sid = replace("${module.label_backend_dynamodb_rw[0].id}-1", "-", "")
effect = "Allow"
actions = [
"kms:Encrypt",
"kms:Decrypt",
Expand Down Expand Up @@ -79,29 +79,30 @@ data "aws_iam_policy_document" "backend_s3_rw" {
count = var.backend_role.s3_policy.create ? 1 : 0

statement {
sid = replace("${module.label_backend_s3_rw[0].id}-0", "-", "")
effect = "Allow"
sid = replace("${module.label_backend_s3_rw[0].id}-0", "-", "")
effect = "Allow"
actions = [
"s3:ListBucket",
]
resources = [var.backend_role.s3_policy.bucket_arn]
}

statement {
sid = replace("${module.label_backend_s3_rw[0].id}-1", "-", "")
effect = "Allow"
sid = replace("${module.label_backend_s3_rw[0].id}-1", "-", "")
effect = "Allow"
actions = [
"s3:GetObject",
"s3:PutObject",
]
# tfsec:ignore:aws-iam-no-policy-wildcards
resources = ["${var.backend_role.s3_policy.bucket_arn}:*"]
}

dynamic "statement" {
for_each = var.backend_role.s3_policy.kms_key != null ? ["this"] : []
content {
sid = replace("${module.label_backend_s3_rw[0].id}-2", "-", "")
effect = "Allow"
sid = replace("${module.label_backend_s3_rw[0].id}-2", "-", "")
effect = "Allow"
actions = [
"kms:Encrypt",
"kms:Decrypt",
Expand All @@ -125,7 +126,7 @@ data "aws_iam_policy_document" "assume_role" {
sid = replace("${module.label_backend[0].id}-0", "-", "")
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
type = "AWS"
identifiers = [
var.backend_user.create ? aws_iam_user.backend[0].arn : data.aws_iam_user.backend[0].arn
]
Expand Down Expand Up @@ -163,4 +164,3 @@ resource "aws_iam_role_policy_attachment" "backend_s3" {
role = aws_iam_role.backend[0].id
policy_arn = var.backend_role.s3_policy.create ? aws_iam_policy.backend_s3_rw[0].arn : var.backend_role.s3_policy.policy_arn
}
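Review bot: The new `# tfsec:ignore:aws-iam-no-policy-wildcards` line in the third hunk suppresses the scanner on the `s3:GetObject`/`s3:PutObject` statement without recording why, and the resource it covers looks wrong rather than merely broad: S3 object ARNs are formed as `<bucket-arn>/<key>`, so `"${var.backend_role.s3_policy.bucket_arn}:*"` does not appear to match any object in the bucket and the statement would grant nothing usable. If the intent is object access within that bucket, I would change the resource to `resources = ["${var.backend_role.s3_policy.bucket_arn}/*"]` and keep the ignore with a one-line reason, e.g. `# tfsec:ignore:aws-iam-no-policy-wildcards object-level access scoped to the backend state bucket only`. A bare suppression in a WIP commit is easy to forget, so the rationale belongs next to it. The enclosing `data "aws_iam_policy_document" "backend_s3_rw"` block starts at the hunk header and its kms statement continues past the end of the hunk.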

2 changes: 1 addition & 1 deletion outputs.tf
Expand Up @@ -32,4 +32,4 @@ output "backend_dynamodb_rw_policy_arn" {

output "backend_s3_rw_policy_arn" {
value = var.backend_role.s3_policy.create ? aws_iam_policy.backend_s3_rw[0].arn : var.backend_role.s3_policy.policy_arn
}
}
2 changes: 1 addition & 1 deletion variables.tf
Expand Up @@ -20,7 +20,7 @@ variable "backend_user" {
type = object({
create = bool
name = optional(string) # req, if create is false or invalid
force_destroy = optional(bool) # opt
force_destroy = optional(bool) # opt
pgp_key = optional(string) # req if create is true or invalid
})

