

first pass at an IAM role and trust policy to allow MP accounts to carry out read-only actions against SSO in the root account
dms1981 committed Feb 5, 2024
1 parent 2183b15 commit b1195cb
Showing 1 changed file with 32 additions and 0 deletions.
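--- a/management-account/terraform/iam-roles.tf
+++ b/management-account/terraform/iam-roles.tf
@@ -101,6 +101,38 @@ resource "aws_iam_role_policy_attachment" "modernisation_platform_sso_administra
 policy_arn = aws_iam_policy.sso_administrator_policy.arn
 }
 
+#########################################
+# ModernisationPlatformSSOReadOnly #
+#########################################
+resource "aws_iam_role" "modernisation_platform_sso_readonly" {
+name = "ModernisationPlatformSSOReadOnly"
+assume_role_policy = data.aws_iam_policy_document.modernisation_platform_sso_readonly.json
+}
+
+data "aws_iam_policy_document" "modernisation_platform_sso_readonly" {
+statement {
+effect = "Allow"
+actions = ["sts:AssumeRole"]
+
+principals {
+type = "AWS"
+identifiers = ["*"]
+}
+
+condition {
+test = "ForAnyValue:StringLike"
+values = ["${data.aws_organizations_organization.root.id}/*/${aws_organizations_organizational_unit.platforms_and_architecture_modernisation_platform.id}/*"]
+variable = "aws:PrincipalOrgPaths"
+}
+}
+}
+
+# Role policy attachments
+resource "aws_iam_role_policy_attachment" "modernisation_platform_sso_readonly" {
+role = aws_iam_role.modernisation_platform_sso_readonly.name
+policy_arn = "arn:aws:iam::aws:policy/AWSSSOReadOnly"
+}
+
 ##########################################
 # ModernisationPlatformGithubActionsRole #
 ##########################################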
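Review bot: The trust policy in `data.aws_iam_policy_document.modernisation_platform_sso_readonly` lets any IAM principal in any account under the Modernisation Platform OU assume the role — the `AWS` principal is `*` and the only guard is the `aws:PrincipalOrgPaths` condition, so every role and user in those accounts, including any that are themselves assumable by CI systems or third parties, gains read access to Identity Center in the management account. If the intended callers are known, add a second condition on `aws:PrincipalArn` (e.g. `test = "ArnLike"`, `variable = "aws:PrincipalArn"`, `values = ["arn:aws:iam::*:role/<expected-role-name>"]`) so that OU membership alone is not sufficient. The `ForAnyValue:StringLike` match on the multi-valued `aws:PrincipalOrgPaths` key does correctly reject principals outside the organization, for whom the key is absent, so that part of the statement is sound. Note that `AWSSSOReadOnly` also grants Identity Store read actions, which expose user and group attributes from the management account — presumably intended, but worth confirming against the stated need. Adding a `description` to the `aws_iam_role` resource would also record the role's purpose somewhere other than the comment banner.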

