New route53 poweruser (#94)

New route53 poweruserAdding in a new iam role for route53 poweruser who has all the route53 permissions cc: @austinylin
chanzuckerberg · Apr 30, 2019 · 1fc4a19 · 1fc4a19
1 parent 8fc7bf0
commit 1fc4a19
Show file tree

Hide file tree

Showing 5 changed files with 97 additions and 0 deletions.
diff --git a/aws-iam-role-route53domains-poweruser/README.md b/aws-iam-role-route53domains-poweruser/README.md
@@ -0,0 +1,35 @@
+# AWS IAM role for Route53Domains Poweruser
+
+This module will create a role which has Route53Domains FullAccess privileges.
+
+## Example
+
+```hcl
+module "route53domains-poweruser" {
+  source = "github.com/chanzuckerberg/cztack//aws-iam-role-route53domains-poweruser?ref=v0.14.0"
+
+  # The name of the role to create in this account.
+  role_name = "..."
+
+  # The ID of the other AWS account which can assume this role.
+  source_account_id = "..."
+}
+
+```
+
+<!-- START -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| iam\_path |  | string | `"/"` | no |
+| role\_name |  | string | n/a | yes |
+| source\_account\_id |  | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| arn |  |
+
+<!-- END -->
diff --git a/aws-iam-role-route53domains-poweruser/main.tf b/aws-iam-role-route53domains-poweruser/main.tf
@@ -0,0 +1,21 @@
+data "aws_iam_policy_document" "assume-role" {
+  statement {
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role" "route53domains-poweruser" {
+  name               = "${var.role_name}"
+  path               = "${var.iam_path}"
+  assume_role_policy = "${data.aws_iam_policy_document.assume-role.json}"
+}
+
+resource "aws_iam_role_policy_attachment" "route53domains-fullaccess" {
+  role       = "${aws_iam_role.route53domains-poweruser.name}"
+  policy_arn = "arn:aws:iam::aws:policy/AmazonRoute53DomainsFullAccess"
+}
diff --git a/aws-iam-role-route53domains-poweruser/module_test.go b/aws-iam-role-route53domains-poweruser/module_test.go
@@ -0,0 +1,26 @@
+package test
+
+import (
+	"testing"
+
+	"github.com/chanzuckerberg/cztack/testutil"
+	"github.com/gruntwork-io/terratest/modules/random"
+)
+
+func TestAWSIAMRoleRoute53DomainsPoweruser(t *testing.T) {
+
+	curAcct := testutil.AWSCurrentAccountId(t)
+
+	terraformOptions := testutil.Options(
+		testutil.IAMRegion,
+
+		map[string]interface{}{
+			"role_name":         random.UniqueId(),
+			"source_account_id": curAcct,
+		},
+	)
+
+	defer testutil.Cleanup(t, terraformOptions)
+
+	testutil.Run(t, terraformOptions)
+}
diff --git a/aws-iam-role-route53domains-poweruser/outputs.tf b/aws-iam-role-route53domains-poweruser/outputs.tf
@@ -0,0 +1,3 @@
+output "arn" {
+  value = "${aws_iam_role.route53domains-poweruser.arn}"
+}
diff --git a/aws-iam-role-route53domains-poweruser/variables.tf b/aws-iam-role-route53domains-poweruser/variables.tf
@@ -0,0 +1,12 @@
+variable "source_account_id" {
+  type = "string"
+}
+
+variable "role_name" {
+  type = "string"
+}
+
+variable "iam_path" {
+  type    = "string"
+  default = "/"
+}