Merge pull request #181 from cloud-neutral-toolkit/codex/fix-unauthorized-operation-errors-in-vpc-setup-1gi8pl
Attach admin policy to terraform deploy role
commit
ed80ef7b4c
@ -88,6 +88,11 @@ terraform init
terraform apply \
-var="account_name=dev" \
-var="role_name=TerraformDeployRole-Dev"
By default the deploy role attaches the AWS managed **AdministratorAccess** policy so
subsequent Terraform runs can create infrastructure resources (e.g., VPCs, EIPs). You
can override this by passing `-var='managed_policy_arns=["arn:aws:iam::aws:policy/PowerUserAccess"]'`
or another list of managed policy ARNs when tighter permissions are required.
```
## 5. Use in Terraform Backend
@ -52,6 +52,13 @@ resource "aws_iam_role_policy" "terraform_deploy_role_policy" {
policy = data.aws_iam_policy_document.terraform_deploy_inline.json
}
resource "aws_iam_role_policy_attachment" "terraform_deploy_role_managed" {
count = var.create_role ? length(var.managed_policy_arns) : 0
role = aws_iam_role.terraform_deploy_role[0].name
policy_arn = var.managed_policy_arns[count.index]
}
#
# IAM User for Terraform (AK/SK)
# ----------------------------------------
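Review bot: The `aws_iam_role_policy_attachment` added in this hunk is addressed by `count.index`, so removing or reordering one entry in `managed_policy_arns` shifts the index of every later entry and Terraform will plan to detach and re-attach those policies on the deploy role, which may leave the role briefly without them during apply. Keying the resource by the ARN avoids that churn: `for_each = var.create_role ? toset(var.managed_policy_arns) : toset([])`, `role = aws_iam_role.terraform_deploy_role[0].name`, `policy_arn = each.value`. Because the state addresses change with that switch, existing attachments would need a `moved` block or a state move before the next apply. A one-line comment above the resource noting that the default list grants AdministratorAccess would also help reviewers of this file, since the default lives in a different file.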
@ -79,3 +79,9 @@ variable "bootstrap_config_path" {
type = string
default = "../../config/accounts/bootstrap.yaml"
}
variable "managed_policy_arns" {
description = "List of managed policy ARNs to attach to the Terraform deploy role"
type = list(string)
default = ["arn:aws:iam::aws:policy/AdministratorAccess"]
}
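Review bot: The new `managed_policy_arns` variable defaults to `arn:aws:iam::aws:policy/AdministratorAccess`, but its description does not say so, so anyone reading `variables.tf` alone cannot see that the default gives the deploy role full account access rather than only what the VPC/EIP work needs. The description should state the default and point at the narrower option the README already mentions, e.g. `description = "Managed policy ARNs attached to the Terraform deploy role. Defaults to AdministratorAccess; pass a narrower list (e.g. PowerUserAccess) where possible."`. A `validation` block checking that every entry starts with `arn:aws:iam::` would turn a mistyped ARN into a plan-time error instead of a failed attachment at apply time. The whole variable block is inside the hunk.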