Merge pull request #17 from BCDevOps/update-boundary

Add sqs and secrets manager to boundary policy
BCDevOps · Oct 18, 2024 · 19e24a3 · 19e24a3
2 parents 8803230 + ef3c6d9
commit 19e24a3
Showing 1 changed file with 64 additions and 37 deletions.
diff --git a/modules/iam-users/main.tf b/modules/iam-users/main.tf
@@ -187,41 +187,68 @@ resource "aws_iam_policy" "s3_full_access_boundary" {
   path        = "/"
   description = "Permission boundary policy for the BC Gov IAM user service"
 
-  policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Sid      = "S3FullAccess",
-        Effect   = "Allow",
-        Action   = "s3:*",
-        Resource = "*"
-      },
-      {
-        Sid      = "SESFullAccess",
-        Effect   = "Allow",
-        Action   = "ses:*",
-        Resource = "*"
-      },
-      {
-        Sid      = "BedrockFullAccess",
-        Effect   = "Allow",
-        Action   = "bedrock:*",
-        Resource = "*"
-      },
-      {
-        Sid    = "SSMandKMSAccess",
-        Effect = "Allow",
-        Action = [
-          "ssm:GetParameter",
-          "ssm:GetParameters",
-          "ssm:GetParametersByPath",
-          "kms:Decrypt"
-        ],
-        Resource = [
-          "arn:aws:ssm:*:*:parameter/iam_users/*",
-          "arn:aws:kms:*:*:key/*"
-        ]
-      }
-    ]
-  })
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "S3FullAccess",
+      "Effect": "Allow",
+      "Action": "s3:*",
+      "Resource": "*"
+    },
+    {
+      "Sid": "SESFullAccess",
+      "Effect": "Allow",
+      "Action": "ses:*",
+      "Resource": "*"
+    },
+    {
+      "Sid": "BedrockFullAccess",
+      "Effect": "Allow",
+      "Action": "bedrock:*",
+      "Resource": "*"
+    },
+    {
+      "Sid": "SQSFullAccess",
+      "Effect": "Allow",
+      "Action": "sqs:*",
+      "Resource": "*"
+    },
+    {
+      "Sid": "AllowSecretsManagerFullAccessToExternalSecrets",
+      "Effect": "Allow",
+      "Action": [
+        "secretsmanager:*"
+      ],
+      "Resource": "arn:aws:secretsmanager:*:*:secret:external/*"
+    },
+    {
+      "Sid": "AllowSSMFullAccessToExternalParameters",
+      "Effect": "Allow",
+      "Action": "ssm:*",
+      "Resource": "arn:aws:ssm:*:*:parameter/external/*"
+    },
+    {
+      "Sid": "SSMAccess",
+      "Effect": "Allow",
+      "Action": [
+        "ssm:GetParameter",
+        "ssm:GetParameters",
+        "ssm:GetParametersByPath"
+      ],
+      "Resource": "arn:aws:ssm:*:*:parameter/iam_users/*"
+    },
+    {
+      "Sid": "KMSAccess",
+      "Effect": "Allow",
+      "Action": [
+        "kms:Decrypt",
+        "kms:Encrypt"
+      ],
+      "Resource": "arn:aws:kms:*:*:key/*"
+    }
+  ]
+}
+EOF
 }