Skip to content

Commit

Permalink
add RDS policy (#3)
Browse files Browse the repository at this point in the history 
* RDS policy
  • Loading branch information
@razvan-moj
razvan-moj authored Jul 21, 2022
1 parent 918a80e commit f1f439d
Show file tree
Hide file tree
Showing 2 changed files with 47 additions and 0 deletions.
3 changes: 3 additions & 0 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -39,12 +39,14 @@ No modules.
| [auth0_rule.saml_mappings](https://registry.terraform.io/providers/auth0/auth0/latest/docs/resources/rule) | resource |
| [auth0_rule_config.aws_saml_provider_name](https://registry.terraform.io/providers/auth0/auth0/latest/docs/resources/rule_config) | resource |
| [aws_iam_policy.iam_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.rds_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.s3_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.sns_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.sqs_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.vpc_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.github_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.iam_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.rds_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.s3_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.sns_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.sqs_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
Expand All @@ -54,6 +56,7 @@ No modules.
| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source |
| [aws_iam_policy_document.federated_role_trust_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.iam_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.rds_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.s3_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.sns_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.sqs_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
Expand Down
44 changes: 44 additions & 0 deletions rds.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
data "aws_iam_policy_document" "rds_for_github" {

statement {
sid = "AllowListDescribe"
effect = "Allow"
actions = [
"rds:Describe*",
"rds:ListTagsForResource",
]
resources = ["*"]
}

statement {
sid = "AllowGetOwn"
effect = "Allow"
actions = [
"rds:CreateDBSnapshot",
"rds:DownloadCompleteDBLogFile",
"rds:DownloadDBLogFilePortion",
"rds:ModifyDBInstance",
"rds:RebootDBInstance"
]
resources = ["*"]
condition {
test = "StringLike"
variable = "aws:PrincipalTag/GithubTeam"
values = ["*:$${aws:ResourceTag/GithubTeam}:*"]
}
}

}

resource "aws_iam_policy" "rds_for_github" {
policy = data.aws_iam_policy_document.rds_for_github.json
name = "rds-for-github"
tags = {
GithubTeam = "webops"
}
}

resource "aws_iam_role_policy_attachment" "rds_for_github" {
role = aws_iam_role.github_access.name
policy_arn = aws_iam_policy.rds_for_github.arn
}

0 comments on commit f1f439d

Please sign in to comment.