
IAM

# Bastion
#
# Instance role for the bastion host. The trust policy below only lets the EC2
# service assume it, so the role is reachable solely through the
# "wsi-bastion-profile" instance profile declared further down.
resource "aws_iam_role" "bastion_role" {
  name = "wsi-bastion-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      }
    ]
  })
}

# SECURITY (review): this attaches the AWS-managed AdministratorAccess policy
# (Allow "*" on "*") to an EC2 instance role. Anything that can reach the
# instance metadata service on that host (an interactive session, or SSRF from
# a process running on it) obtains credentials with full-account privileges.
# A bastion/jump host usually needs no IAM permissions at all, or only a
# narrow set; what this one actually calls is not visible here — TODO confirm
# and replace AdministratorAccess with a least-privilege policy. Also confirm
# that the EC2 instance using this profile enforces IMDSv2
# (metadata_options { http_tokens = "required" }) wherever it is declared.
resource "aws_iam_role_policy_attachment" "bastion_role_attachment" {
  role       = aws_iam_role.bastion_role.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

# Instance profile that binds the bastion role to an EC2 instance.
resource "aws_iam_instance_profile" "wsi-bastion-profile" {
  name = "wsi-bastion-profile"
  role = aws_iam_role.bastion_role.name
}

# wsi App
#
# Instance role for the application hosts; trust is again limited to the EC2
# service principal.
resource "aws_iam_role" "wsi_app_role" {
  name = "wsi-app-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      }
    ]
  })
}

# SECURITY (review): the three attachments below grant the application hosts
# full S3, full CodeDeploy and full ECR access across the whole account. Each
# of these AWS-managed "FullAccess" policies uses Resource "*", so a compromised
# app instance could read or delete every bucket, push or delete container
# images in every repository, and create/trigger deployments. The buckets,
# repositories and CodeDeploy application this workload really needs are not
# visible in this file — TODO replace the managed policies with customer-managed
# ones scoped to those ARNs (compare the scoped CodePipeline policy later in
# this file). In particular, an application host normally only needs to pull
# images (ecr:GetAuthorizationToken / BatchGetImage / GetDownloadUrlForLayer),
# not push them — presumably the push path belongs to CodeBuild; verify.
resource "aws_iam_role_policy_attachment" "wsi_app_role_s3_attachment" {
  role       = aws_iam_role.wsi_app_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}

resource "aws_iam_role_policy_attachment" "wsi_app_role_codedeploy_attachment" {
  role       = aws_iam_role.wsi_app_role.name
  policy_arn = "arn:aws:iam::aws:policy/AWSCodeDeployFullAccess"
}

resource "aws_iam_role_policy_attachment" "wsi_app_role_ecr_attachment" {
  role       = aws_iam_role.wsi_app_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess"
}

# Instance profile that binds the app role to the application EC2 instances.
resource "aws_iam_instance_profile" "wsi-app-profile" {
  name = "wsi-app-profile"
  role = aws_iam_role.wsi_app_role.name
}

# CodeBuild
#
# Service role assumed by CodeBuild projects. NOTE(review): the trust policy
# has no aws:SourceAccount / aws:SourceArn condition, so any CodeBuild project
# in any account that learns this role's ARN could in principle assume it
# (confused-deputy). Consider adding a Condition block restricting the
# principal to this account's projects — the account/project identifiers
# are not available in this file, so that change is left as a TODO.
resource "aws_iam_role" "codebuild_role" {
  name = "wsi-codebuild-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "codebuild.amazonaws.com"
        }
      }
    ]
  })
}

# SECURITY (review): wildcard actions on Resource "*". As written, a build
# (and therefore anything in the source repository's buildspec, or any
# dependency the build executes) can read, overwrite or delete every S3
# object in the account, push to or delete any ECR repository, delete or
# create CodeStar connections, and tamper with any CloudWatch log group.
# This is the classic CI supply-chain pivot. Scope each statement to the
# resources the pipeline uses — e.g. the artifact bucket
# (aws_s3_bucket.codepipeline_s3_bucket.arn and its objects), the target ECR
# repository, the build project's own log group, and
# codestar-connections:UseConnection on the connection referenced by the
# CodePipeline policy — and drop the "*" actions (ecr:* includes
# DeleteRepository; s3:* includes DeleteBucket). The exact bucket/repository
# set is not visible here — TODO confirm before tightening.
resource "aws_iam_policy" "codebuild_role_policy" {
  name = "codebuild-role-policy"
  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Effect = "Allow",
        Action = [
          "logs:*",
          "s3:*",
          "ecr:*",
          "codestar-connections:*"
        ],
        Resource = "*"
      }
    ]
  })
}
# Binds the (currently wildcard) CodeBuild policy to the CodeBuild service role.
resource "aws_iam_role_policy_attachment" "codebuild_role_attachment" {
  role       = aws_iam_role.codebuild_role.name
  policy_arn = aws_iam_policy.codebuild_role_policy.arn
}

# CodeDeploy
#
# Service role assumed by CodeDeploy. NOTE(review): this trust policy uses
# Version "2008-10-17" while every other role in this file uses "2012-10-17".
# It still evaluates, but the 2008 version lacks policy-variable support and
# the inconsistency is a maintenance trap; align it with the others. As with
# the other service roles, no aws:SourceAccount / aws:SourceArn condition is
# present on the trust policy — consider adding one (confused-deputy).
resource "aws_iam_role" "codedeploy_role" {
  name = "wsi-codedeploy-role"
  assume_role_policy = jsonencode({
    Version = "2008-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "codedeploy.amazonaws.com"
        }
      }
    ]
  })
}

# AWS-managed service-role policy for EC2/on-premises CodeDeploy deployments.
# It grants the EC2/ASG/SNS/CloudWatch permissions CodeDeploy itself uses;
# note that it includes iam:PassRole-style capabilities for Auto Scaling, so
# keep this role's trust policy tight.
resource "aws_iam_role_policy_attachment" "codedeploy_role_attachment" {
  role       = aws_iam_role.codedeploy_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole"
}

# CodePipeline
#
# Service role assumed by CodePipeline. Same remark as above: no
# source-account/ARN condition on the trust policy — TODO consider adding one.
resource "aws_iam_role" "codepipeline_role" {
  name = "wsi-codepipeline-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "codepipeline.amazonaws.com"
        }
      }
    ]
  })
}

# Least-privilege policy for the pipeline role. Unlike the CodeBuild policy in
# this file, the source-connection and artifact-bucket statements are scoped to
# concrete ARNs, which is the pattern the other policies should follow.
#
# Review notes on the remaining statements:
#  * The S3 statement covers objects only ("<bucket>/*"). If the pipeline needs
#    bucket-level calls (e.g. s3:GetBucketVersioning, s3:ListBucket) they must
#    be granted on the bucket ARN itself — verify against the pipeline's
#    artifact store configuration; not determinable from this file.
#  * codebuild:* and codedeploy:* statements use Resource "*". They could be
#    narrowed to the specific project / application / deployment-group ARNs
#    once those resources are known — TODO.
#  * The KMS statement allows Decrypt/Encrypt/GenerateDataKey on every key in
#    the account. If the artifact bucket uses a customer-managed key, scope
#    this to that key's ARN; if it uses SSE-S3, the statement may be
#    unnecessary — confirm.
#  * "${...}" around a single reference is legacy interpolation-only syntax;
#    a bare reference (aws_codestarconnections_connection.wlstmd.arn) is the
#    modern equivalent. Functionally identical, so left unchanged here.
resource "aws_iam_policy" "codepipeline_role_policy" {
  name = "codepipeline-policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "codestar-connections:UseConnection"
        ]
        Resource = "${aws_codestarconnections_connection.wlstmd.arn}"
      },
      {
        Effect = "Allow"
        Action = [
          "s3:PutObject",
          "s3:GetObject",
          "s3:GetObjectVersion",
          "s3:DeleteObject",
        ]
        Resource = "${aws_s3_bucket.codepipeline_s3_bucket.arn}/*"
      },
      {
        Effect = "Allow"
        Action = [
          "codebuild:BatchGetBuilds",
          "codebuild:StartBuild"
        ]
        Resource = "*"
      },
      {
        Effect = "Allow"
        Action = [
          "codedeploy:CreateDeployment",
          "codedeploy:GetDeployment",
          "codedeploy:GetApplication",
          "codedeploy:GetApplicationRevision",
          "codedeploy:RegisterApplicationRevision",
          "codedeploy:GetDeploymentConfig",
          "codedeploy:GetDeploymentGroup"
        ]
        Resource = "*"
      },
      {
        Effect = "Allow"
        Action = [
          "kms:Decrypt",
          "kms:Encrypt",
          "kms:GenerateDataKey",
          "kms:DescribeKey"
        ]
        Resource = "*"
      }
    ]
  })
}

# Binds the pipeline policy to the CodePipeline service role.
resource "aws_iam_role_policy_attachment" "codepipeline_role_attachment" {
  role       = aws_iam_role.codepipeline_role.name
  policy_arn = aws_iam_policy.codepipeline_role_policy.arn
}