
Commit 93780f6

committed
[ELI] addressing comments
1 parent b2c3f59 commit 93780f6

4 files changed

Lines changed: 28 additions & 20 deletions


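--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -704,16 +704,19 @@ data "aws_iam_policy_document" "github_actions_assume_role" {
 values = ["sts.amazonaws.com"]
 }
 }
-statement {
-sid = "AllowDevSSORoleToAssumeIamBootstrap"
-effect = "Allow"
-actions = ["sts:AssumeRole"]
-
-principals {
-type = "AWS"
-identifiers = [
-local.dev_role_arn
-]
+dynamic "statement" {
+for_each = var.environment == "dev" ? [1] : []
+content {
+sid = "AllowDevSSORoleToAssumeIamBootstrap"
+effect = "Allow"
+actions = ["sts:AssumeRole"]
+
+principals {
+type = "AWS"
+identifiers = [
+local.dev_role_arn
+]
+}
 }
 }
 }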
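Review bot: The statement inside the new `dynamic "statement"` block keeps the sid `AllowDevSSORoleToAssumeIamBootstrap`, yet this document is `github_actions_assume_role` rather than the IAM-bootstrap trust policy, so either the sid is misleading or the developer SSO role is now trusted by the general GitHub Actions role as well; please confirm which role this document is attached to before merging. The same statement appears verbatim in `github_actions_role.tf` (`github_actions_iam_bootstrap_assume_role`), so any later tightening (a condition, a different principal) has to be made in two places; a shared `data "aws_iam_policy_document"` consumed via `source_policy_documents` would remove the copy. A short comment above `for_each` would also record the intent, e.g. `# Only dev lets the developer SSO role assume this role directly; every other environment omits this statement.`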

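--- a/infrastructure/stacks/iams-developer-roles/github_actions_role.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_role.tf
@@ -91,16 +91,19 @@ data "aws_iam_policy_document" "github_actions_iam_bootstrap_assume_role" {
 ]
 }
 }
-statement {
-sid = "AllowDevSSORoleToAssumeIamBootstrap"
-effect = "Allow"
-actions = ["sts:AssumeRole"]
+dynamic "statement" {
+for_each = var.environment == "dev" ? [1] : []
+content {
+sid = "AllowDevSSORoleToAssumeIamBootstrap"
+effect = "Allow"
+actions = ["sts:AssumeRole"]
 
-principals {
-type = "AWS"
-identifiers = [
-local.dev_role_arn
-]
+principals {
+type = "AWS"
+identifiers = [
+local.dev_role_arn
+]
+}
 }
 }
 }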

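--- a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
+++ b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -416,6 +416,7 @@ data "aws_iam_policy_document" "iam_bootstrap_permissions_boundary" {
 "iam:DetachRolePolicy",
 "iam:PutRolePolicy",
 "iam:DeleteRolePolicy",
+"iam:UpdateAssumeRolePolicy",
 "iam:PutRolePermissionsBoundary",
 "iam:DeleteRolePermissionsBoundary",
 ]
@@ -429,6 +430,7 @@ data "aws_iam_policy_document" "iam_bootstrap_permissions_boundary" {
 sid = "DenyBootstrapBoundaryModification"
 effect = "Deny"
 actions = [
+"iam:CreatePolicyVersion",
 "iam:DeletePolicy",
 "iam:DeletePolicyVersion",
 "iam:SetDefaultPolicyVersion",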
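Review bot: `iam:UpdateAssumeRolePolicy` is added to the bootstrap role's allowed IAM actions, but the `resources` and any `condition` of this statement lie outside the hunk and nothing in the commit adds a matching Deny, so as far as this page shows the bootstrap role may now rewrite the trust policy of any role its resource pattern covers, including its own and the developer roles this stack defines. Rewriting a trust policy is as sensitive as changing a boundary; consider limiting the action to the roles the pipeline provisions (a path or name-prefix resource pattern) and adding `"iam:UpdateAssumeRolePolicy"` to a Deny statement scoped to the bootstrap role's own ARN, mirroring how `DenyBootstrapBoundaryModification` protects the boundary policy. The second hunk's addition of `iam:CreatePolicyVersion` to that Deny list is correct, since the existing `DeletePolicy`/`DeletePolicyVersion`/`SetDefaultPolicyVersion` denials left creating a new default version as the one remaining write path to the boundary. The enclosing statement starts and ends outside the hunk.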
Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
locals {
22
stack_name = "iams-developer-roles"
3-
dev_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/${var.default_aws_region}/AWSReservedSSO_vdselid_dev_d92ae328ac8d84c7"
3+
dev_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/${var.default_aws_region}/AWSReservedSSO_vdselid_${var.environment}_d92ae328ac8d84c7"
44
lambda_signing_profile_name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}"}EligibilityApiLambdaSigningProfile"
55
lambda_signing_profile_arn = "arn:aws:signer:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:/signing-profiles/${local.lambda_signing_profile_name}"
66
}
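Review bot: `dev_role_arn` now substitutes `${var.environment}` into the reserved SSO role name while keeping the fixed suffix `d92ae328ac8d84c7`; that suffix is the part of the role name AWS assigns per permission set and account, and nothing on this page shows it is the same outside dev, so for any other `environment` the ARN may name a role that does not exist. The two trust policies in this commit only include the local when `var.environment == "dev"`, so the mismatch is latent rather than immediate, but the local is evaluated in every environment and any other consumer would receive a wrong principal. A per-environment lookup (a map in `locals`, or a `data "aws_iam_roles"` query using `path_prefix` and `name_regex`) would tie the ARN to the real role; at minimum, a comment on the line should record that the suffix has been checked for each environment. This section's file path is not shown on the page.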
