# Standard cloudposse naming/tagging context for every resource this module creates.
# NOTE(security): `ref=tags/0.24.1` is a mutable git tag, not an integrity pin — whoever
# can move that tag upstream changes what `terraform init` fetches. Pin to the tag's commit
# SHA (`?ref=<sha>`) when an immutable supply-chain pin is required.
module "label" {
  source = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.24.1"

  namespace  = var.namespace
  stage      = var.stage
  name       = var.name
  attributes = var.attributes
  delimiter  = var.delimiter
  tags       = var.tags
}
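# Normalize the module's feature flags and fan the role map out into two parallel lists.
locals {
  # `enabled` / `require_mfa` accept either a real bool or the strings "true"/"false"
  # (the pre-0.12 string-bool convention). tobool() rejects anything else at plan time.
  # The previous `== "true"` comparison silently read a typo such as "True"/"yes" — or a
  # real bool, which in Terraform >= 0.12 never equals a string — as false, i.e. the MFA
  # requirement could be dropped with no error. null stays false for backward compatibility.
  enabled     = var.enabled == null ? false : tobool(var.enabled)
  require_mfa = var.require_mfa == null ? false : tobool(var.require_mfa)

  # keys() and values() both return the map in key order, so index i of one pairs with
  # index i of the other; null_resource.role indexes both with the same count.index.
  role_arns    = values(var.role_arns)
  role_aliases = keys(var.role_arns)
}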
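# One entry per assumable role: parses the account id and role name out of each ARN so
# they can be referenced without re-splitting (presumably via outputs — not visible in
# this file). Purely local state; nothing is created in AWS.
resource "null_resource" "role" {
  count = length(local.role_arns)

  triggers = {
    # arn:partition:iam::ACCOUNT:role/PATH/NAME — colon-separated field 4 is the account id.
    account_id = split(":", local.role_arns[count.index])[4]
    # Field 5 is "role/[path/]name"; the role name is the LAST "/" segment. The old
    # `[1]` returned the first path element instead of the name for roles created with
    # a path, e.g. role/admins/Deployer -> "admins".
    role_name = reverse(split("/", split(":", local.role_arns[count.index])[5]))[0]
    alias     = local.role_aliases[count.index]
  }

  lifecycle {
    create_before_destroy = true
  }
}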
# https://www.terraform.io/docs/providers/aws/r/iam_group.html
# The IAM group that receives the assume-role policy; created only when the module is
# enabled. Named after the label id so it is unique per namespace/stage/name.
resource "aws_iam_group" "default" {
count = local.enabled ? 1 : 0
name = module.label.id
}
# https://www.terraform.io/docs/providers/aws/r/iam_user_group_membership.html
# Add each listed IAM user to the group. count is the number of users when the module is
# enabled and 0 otherwise (an empty user list already yields 0, so no extra guard is needed).
# This resource is additive: it does not remove the user's other group memberships.
resource "aws_iam_user_group_membership" "default" {
  count = local.enabled ? length(var.user_names) : 0

  user = var.user_names[count.index]
  # Full splat + join collapses the 0-or-1 element group list to one name (the group's
  # `id` is its name).
  groups = [join("", aws_iam_group.default[*].id)]
}
# https://www.terraform.io/docs/providers/aws/d/iam_policy_document.html
# Assume-role policy for the MFA-required mode: the listed roles may be assumed only when
# the calling session was authenticated with MFA.
data "aws_iam_policy_document" "with_mfa" {
  count = local.enabled && local.require_mfa ? 1 : 0

  statement {
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = local.role_arns

    # `Bool` on aws:MultiFactorAuthPresent is the right test for an Allow statement: the
    # key is absent for requests signed with long-term access keys, and an absent key makes
    # a Bool condition evaluate false, so such callers simply do not match (fail closed).
    # It only proves MFA was used for the session, not how recently; add an
    # aws:MultiFactorAuthAge condition if a maximum session age is required.
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}
# Attach the MFA-required document to the group as an inline policy. Exists only in
# require_mfa mode; the without_mfa variant uses the same name in the other mode, so the
# two never coexist on the group.
resource "aws_iam_group_policy" "with_mfa" {
  count = local.enabled && local.require_mfa ? 1 : 0

  name   = module.label.id
  group  = join("", aws_iam_group.default[*].id)
  policy = data.aws_iam_policy_document.with_mfa[0].json
}
# Assume-role policy for the no-MFA mode: the with_mfa document minus its condition.
# NOTE(security): every principal in the group can then assume all listed roles with
# plain credentials; keep require_mfa on unless the callers are machines that cannot use MFA.
data "aws_iam_policy_document" "without_mfa" {
  count = local.enabled && !local.require_mfa ? 1 : 0

  statement {
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = local.role_arns
  }
}
# Attach the unconditional assume-role document to the group as an inline policy.
# Exists only when require_mfa is off; mirrors aws_iam_group_policy.with_mfa otherwise.
resource "aws_iam_group_policy" "without_mfa" {
  count = local.enabled && !local.require_mfa ? 1 : 0

  name   = module.label.id
  group  = join("", aws_iam_group.default[*].id)
  policy = data.aws_iam_policy_document.without_mfa[0].json
}