Merge pull request #12 from hackforla/cb/testuser

freaky4wrld · web-flow · commit 5ef82fa75cc0 · 2024-02-29T14:20:06.000+05:30
Creating users to test permissions and updating level 4 policy
diff --git a/terraform/aws-custom-policies.tf b/terraform/aws-custom-policies.tf
@@ -1,9 +1,9 @@
 module "aws_custom_policies" {
   source = "./modules/aws-policies"
   policies = {
-    "IAMServicesAdmin" = {
+    "IAMServicesSupervisor" = {
       description = "Policy granting IAM services admins permissions to make changes to user accounts"
-      filename    = "level-4-iam-services-admin-policy.json"
+      filename    = "level-4-iam-services-supervisor-policy.json"
     }
   }
 }
diff --git a/terraform/aws-custom-policies/level-4-iam-services-admin-policy.json b/terraform/aws-custom-policies/level-4-iam-services-admin-policy.json
diff --git a/terraform/aws-custom-policies/level-4-iam-services-supervisor-policy.json b/terraform/aws-custom-policies/level-4-iam-services-supervisor-policy.json
@@ -0,0 +1,38 @@
+{
+    "Statement": [
+        {
+            "Action": [
+                "iam:CreateAccessKey"
+            ],
+            "Effect": "Allow",
+            "Resource": "arn:aws:iam::*:user/*"
+        },
+        {
+            "Action": [
+                "iam:UpdateLoginProfile"
+            ],
+            "Condition": {
+                "StringEquals": {
+                    "iam:ResourceTag/Access Level": [
+                        "1",
+                        "2"
+                    ]
+                }
+            },
+            "Effect": "Allow",
+            "Resource": "arn:aws:iam::*:user/*"
+        },
+        {
+            "Action": [
+                "cloudshell:CreateEnvironment",
+                "cloudshell:GetEnvironmentStatus",
+                "cloudshell:CreateSession",
+                "cloudshell:StartEnvironment",
+                "cloudshell:StopEnvironment"
+            ],
+            "Effect": "Allow",
+            "Resource": "*"
+        }
+    ],
+    "Version": "2012-10-17"
+}
diff --git a/terraform/aws-groups.tf b/terraform/aws-groups.tf
@@ -15,7 +15,7 @@ module "iam_services_admin_group" {
 
   group_name = "iam-services-admin-group"
   policy_arn = {
-    "IAMServicesAdmin" = module.aws_custom_policies.policy_arns["IAMServicesAdmin"]
+    "IAMServicesAdmin" = module.aws_custom_policies.policy_arns["IAMServicesSupervisor"]
   }
 }
 
diff --git a/terraform/aws-users.tf b/terraform/aws-users.tf
@@ -84,4 +84,26 @@ module "iam_user_awlFCCamp" {
     "Access Level" = "1"
   }
   user_groups = ["read-only-group"]
+}
+
+module "iam_user_testiamuser" {
+  source = "./modules/aws-users"
+
+  user_name = "testiamuser"
+  user_tags = {
+    "Project"      = "devops-security"
+    "Access Level" = "1"
+  }
+  user_groups = ["read-only-group"]
+}
+
+module "iam_user_chelseyb" {
+  source = "./modules/aws-users"
+
+  user_name = "chelseyb"
+  user_tags = {
+    "Project"      = "devops-security"
+    "Access Level" = "1"
+  }
+  user_groups = ["read-only-group", "iam-services-admin-group"]
 }

Original file line number	Diff line number	Diff line change
`@@ -1,9 +1,9 @@`
`1`	`1`	`module "aws_custom_policies" {`
`2`	`2`	`source = "./modules/aws-policies"`
`3`	`3`	`policies = {`
`4`		`- "IAMServicesAdmin" = {`
	`4`	`+ "IAMServicesSupervisor" = {`
`5`	`5`	`description = "Policy granting IAM services admins permissions to make changes to user accounts"`
`6`		`- filename = "level-4-iam-services-admin-policy.json"`
	`6`	`+ filename = "level-4-iam-services-supervisor-policy.json"`
`7`	`7`	`}`
`8`	`8`	`}`
`9`	`9`	`}`
Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ module "iam_services_admin_group" {`
`15`	`15`
`16`	`16`	`group_name = "iam-services-admin-group"`
`17`	`17`	`policy_arn = {`
`18`		`- "IAMServicesAdmin" = module.aws_custom_policies.policy_arns["IAMServicesAdmin"]`
	`18`	`+ "IAMServicesAdmin" = module.aws_custom_policies.policy_arns["IAMServicesSupervisor"]`
`19`	`19`	`}`
`20`	`20`	`}`
`21`	`21`