###############################################################################
# IAM Groups
#
# - `admin`: An administrator that can create, delete, and develop the services.
# - `developer`: A developer that can deploy/update an existing service.
# - `ci`: The CI service that can deploy/update an existing service.
#
# General reference
# - https://iam.cloudonaut.io/
# - https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
# - http://awspolicygen.s3.amazonaws.com/policygen.html
###############################################################################
# admin
resource "aws_iam_group" "admin" {
  # Exactly one group when groups are enabled; none when
  # local.opt_disable_groups is true.
  count = !local.opt_disable_groups ? 1 : 0
  name  = local.tf_group_admin_name
}
resource "aws_iam_group_policy_attachment" "admin_admin" {
  # Mirrors the count of aws_iam_group.admin so the attachment is created
  # and destroyed together with the group.
  count      = !local.opt_disable_groups ? 1 : 0
  group      = aws_iam_group.admin[count.index].name
  policy_arn = aws_iam_policy.admin.arn
}
resource "aws_iam_group_policy_attachment" "admin_cd_lambdas" {
  # Unlike ci_cd_lambdas and developer_cd_lambdas, this attachment is not
  # gated on local.opt_many_lambdas: the admin group always carries the
  # cd_lambdas policy whenever groups are enabled.
  count      = !local.opt_disable_groups ? 1 : 0
  group      = aws_iam_group.admin[count.index].name
  policy_arn = aws_iam_policy.cd_lambdas.arn
}
resource "aws_iam_group_policy_attachment" "admin_developer" {
  # The admin group is a superset: it also receives the developer policy,
  # so admin = admin + cd_lambdas + developer policies.
  count      = !local.opt_disable_groups ? 1 : 0
  group      = aws_iam_group.admin[count.index].name
  policy_arn = aws_iam_policy.developer.arn
}
# ci
resource "aws_iam_group" "ci" {
  # Created only when groups are enabled (local.opt_disable_groups false).
  count = !local.opt_disable_groups ? 1 : 0
  name  = local.tf_group_ci_name
}
resource "aws_iam_group_policy_attachment" "ci_developer" {
  # The CI group is granted the same developer policy as the developer
  # group; cd_lambdas is added separately below, behind opt_many_lambdas.
  count      = !local.opt_disable_groups ? 1 : 0
  group      = aws_iam_group.ci[count.index].name
  policy_arn = aws_iam_policy.developer.arn
}
resource "aws_iam_group_policy_attachment" "ci_cd_lambdas" {
  # Attached only when groups are enabled AND local.opt_many_lambdas is set;
  # otherwise the CI group has just the developer policy.
  count      = !local.opt_disable_groups && local.opt_many_lambdas ? 1 : 0
  group      = aws_iam_group.ci[count.index].name
  policy_arn = aws_iam_policy.cd_lambdas.arn
}
# developer
resource "aws_iam_group" "developer" {
  # Created only when groups are enabled (local.opt_disable_groups false).
  count = !local.opt_disable_groups ? 1 : 0
  name  = local.tf_group_developer_name
}
resource "aws_iam_group_policy_attachment" "developer_developer" {
  # Baseline policy for the developer group; follows the group's count.
  count      = !local.opt_disable_groups ? 1 : 0
  group      = aws_iam_group.developer[count.index].name
  policy_arn = aws_iam_policy.developer.arn
}
resource "aws_iam_group_policy_attachment" "developer_cd_lambdas" {
  # Same gating as ci_cd_lambdas: present only when groups are enabled AND
  # local.opt_many_lambdas is set.
  count      = !local.opt_disable_groups && local.opt_many_lambdas ? 1 : 0
  group      = aws_iam_group.developer[count.index].name
  policy_arn = aws_iam_policy.cd_lambdas.arn
}