
Commit 0ea93d9

committed
feat: service IAM role assumable via SSO
1 parent be459fd commit 0ea93d9

2 files changed

Lines changed: 14 additions & 70 deletions


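--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -73,6 +73,20 @@ resource "aws_iam_role" "lambda_function_role" {
 Principal = {
 Service = "lambda.amazonaws.com"
 }
+},
+{
+Action = "sts:AssumeRole"
+Effect = "Allow"
+Principal = {
+AWS = "arn:aws:iam::${var.aws_account_id}:root"
+}
+Condition = {
+ArnLike = {
+"aws:PrincipalArn" = [
+"arn:aws:iam::${var.aws_account_id}:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_Standard_Administrator_Access_*"
+]
+}
+}
 }
 ]
 })
@@ -138,59 +152,3 @@ resource "aws_cloudwatch_log_group" "loggroup" {
 name = "/aws/lambda/${aws_lambda_function.lambda_function.function_name}"
 retention_in_days = var.log_retention_days
 }
-
-# IAM User Group
-resource "aws_iam_group" "group" {
-name = "${var.env_name}-${var.lambda_name}-user-group"
-path = "/"
-}
-
-resource "aws_iam_group_policy_attachment" "group_vpc_permissions_attachment" {
-group = aws_iam_group.group.name
-policy_arn = aws_iam_policy.vpc_permissions.arn
-}
-
-resource "aws_iam_group_policy_attachment" "group_lambda_logging_attachment" {
-group = aws_iam_group.group.name
-policy_arn = aws_iam_policy.lambda_logging.arn
-}
-
-resource "aws_iam_group_policy_attachment" "group_lambda_s3_policy_attachment" {
-group = aws_iam_group.group.name
-policy_arn = aws_iam_policy.lambda_s3_policy.arn
-}
-
-resource "aws_iam_group_policy_attachment" "group_lambda_secret_manager_policy_attachment" {
-group = aws_iam_group.group.name
-policy_arn = aws_iam_policy.lambda_secret_manager_policy.arn
-}
-
-resource "aws_iam_group_policy_attachment" "group_lambda_eventbridge_policy_attachment" {
-group = aws_iam_group.group.name
-policy_arn = aws_iam_policy.lambda_eventbridge_policy.arn
-}
-
-# IAM User
-resource "aws_iam_user" "user" {
-name = "${var.env_name}-${var.lambda_name}"
-path = "/"
-}
-
-# Assign IAM User to group
-resource "aws_iam_user_group_membership" "user_group_attach" {
-user = aws_iam_user.user.name
-
-groups = [
-aws_iam_group.group.name
-]
-}
-
-# IAM Key Rotation Module
-module "iam_key_rotation" {
-source = "git::https://github.com/ONS-Innovation/keh-aws-iam-key-rotation.git?ref=v0.1.1"
-
-iam_username = aws_iam_user.user.name
-access_key_secret_arn = aws_secretsmanager_secret.access_key.arn
-secret_key_secret_arn = aws_secretsmanager_secret.secret_key.arn
-rotation_in_days = 45
-}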
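Review bot: The new trust statement hard-codes the Identity Center region (`eu-west-2`) and the permission-set name inside the `aws:PrincipalArn` pattern while the account id is already `var.aws_account_id`; if Identity Center is enabled in a different region for another account or environment, the condition silently matches nothing and `sts:AssumeRole` fails with an opaque access-denied. Consider `"arn:aws:iam::${var.aws_account_id}:role/aws-reserved/sso.amazonaws.com/${var.sso_region}/AWSReservedSSO_${var.sso_permission_set}_*"` with defaults of `eu-west-2` and `Standard_Administrator_Access`. The `:root` principal plus an `ArnLike` condition on `aws:PrincipalArn` is the documented way to trust a permission-set role (its suffix is a generated hash that changes when the permission set is re-provisioned), so a comment above the statement such as `# Root principal + aws:PrincipalArn condition: the SSO role ARN has a generated suffix, so it cannot be named directly as a principal` would stop the next reader from "tightening" it to a fixed role ARN. The wildcard covers only that suffix, but because the matched permission set appears to be administrator access the condition is a convenience rather than a security boundary — anyone it admits could already edit this trust policy — so a narrower developer permission set would make the restriction meaningful. The `aws_iam_role` block starts before this hunk.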

terraform/secrets.tf

Lines changed: 0 additions & 14 deletions
This file was deleted.
