forked from cloudposse/terraform-aws-amplify-app
-
Notifications
You must be signed in to change notification settings - Fork 0
/
iam.tf
118 lines (106 loc) · 3.67 KB
/
iam.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
locals {
create_iam_role = local.enabled && var.iam_service_role_enabled && length(var.iam_service_role_arn) == 0
iam_service_role_arn = try(local.create_iam_role ? module.role.arn : var.iam_service_role_arn[0], null)
# source: https://github.com/aws-amplify/amplify-cli/issues/4322#issuecomment-455022473
default_actions = [
"appsync:*",
"amplify:*",
"apigateway:POST",
"apigateway:DELETE",
"apigateway:PATCH",
"apigateway:PUT",
"cloudformation:CreateStack",
"cloudformation:CreateStackSet",
"cloudformation:DeleteStack",
"cloudformation:DeleteStackSet",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStackSet",
"cloudformation:DescribeStackSetOperation",
"cloudformation:DescribeStacks",
"cloudformation:UpdateStack",
"cloudformation:UpdateStackSet",
"cloudfront:CreateCloudFrontOriginAccessIdentity",
"cloudfront:CreateDistribution",
"cloudfront:DeleteCloudFrontOriginAccessIdentity",
"cloudfront:DeleteDistribution",
"cloudfront:GetCloudFrontOriginAccessIdentity",
"cloudfront:GetCloudFrontOriginAccessIdentityConfig",
"cloudfront:GetDistribution",
"cloudfront:GetDistributionConfig",
"cloudfront:TagResource",
"cloudfront:UntagResource",
"cloudfront:UpdateCloudFrontOriginAccessIdentity",
"cloudfront:UpdateDistribution",
"cognito-identity:CreateIdentityPool",
"cognito-identity:DeleteIdentityPool",
"cognito-identity:DescribeIdentity",
"cognito-identity:DescribeIdentityPool",
"cognito-identity:SetIdentityPoolRoles",
"cognito-identity:UpdateIdentityPool",
"cognito-idp:CreateUserPool",
"cognito-idp:CreateUserPoolClient",
"cognito-idp:DeleteUserPool",
"cognito-idp:DeleteUserPoolClient",
"cognito-idp:DescribeUserPool",
"cognito-idp:UpdateUserPool",
"cognito-idp:UpdateUserPoolClient",
"dynamodb:CreateTable",
"dynamodb:DeleteItem",
"dynamodb:DeleteTable",
"dynamodb:DescribeTable",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:UpdateTable",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:GetRole",
"iam:GetUser",
"iam:PassRole",
"iam:PutRolePolicy",
"iam:UpdateRole",
"lambda:AddPermission",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:GetFunction",
"lambda:GetFunctionConfiguration",
"lambda:InvokeAsync",
"lambda:InvokeFunction",
"lambda:RemovePermission",
"lambda:UpdateFunctionCode",
"lambda:UpdateFunctionConfiguration",
"s3:*",
"logs:CreateLogStream",
"logs:CreateLogGroup",
"logs:DescribeLogGroups",
"logs:PutLogEvents"
]
actions = length(var.iam_service_role_actions) > 0 ? var.iam_service_role_actions : local.default_actions
}
data "aws_iam_policy_document" "default" {
count = local.create_iam_role ? 1 : 0
statement {
sid = "AmplifyAccess"
effect = "Allow"
resources = ["*"]
actions = local.actions
}
}
module "role" {
source = "cloudposse/iam-role/aws"
version = "0.18.0"
enabled = local.create_iam_role
policy_description = "IAM policy for Amplify to perform actions on AWS resources"
role_description = "IAM role with permissions for Amplify to perform actions on AWS resources"
principals = {
# AWS = ["arn:aws:iam::123456789012:role/workers"]
Service = ["amplify.amazonaws.com"]
}
policy_documents = [
one(data.aws_iam_policy_document.default[*].json)
]
managed_policy_arns = var.attach_amplify_admin_managed_policy ? ["arn:aws:iam::aws:policy/AdministratorAccess-Amplify"] : []
context = module.this.context
}