From 1fc4a19e24acb262d7008c5ee39cef331da37cfe Mon Sep 17 00:00:00 2001
From: oliviabholmes <36467568+oliviabholmes@users.noreply.github.com>
Date: Tue, 30 Apr 2019 14:04:55 -0700
Subject: [PATCH] New route53 poweruser (#94)

New route53 poweruser
Adding in a new iam role for route53 poweruser who has all the route53 permissions
cc: @austinylin
---
 .../README.md | 35 +++++++++++++++++++
 aws-iam-role-route53domains-poweruser/main.tf | 21 +++++++++++
 .../module_test.go | 26 ++++++++++++++
 .../outputs.tf | 3 ++
 .../variables.tf | 12 +++++++
 5 files changed, 97 insertions(+)
 create mode 100644 aws-iam-role-route53domains-poweruser/README.md
 create mode 100644 aws-iam-role-route53domains-poweruser/main.tf
 create mode 100644 aws-iam-role-route53domains-poweruser/module_test.go
 create mode 100644 aws-iam-role-route53domains-poweruser/outputs.tf
 create mode 100644 aws-iam-role-route53domains-poweruser/variables.tf
diff --git a/aws-iam-role-route53domains-poweruser/README.md b/aws-iam-role-route53domains-poweruser/README.md
new file mode 100644
index 00000000..bc7dfe07
--- /dev/null
+++ b/aws-iam-role-route53domains-poweruser/README.md
@@ -0,0 +1,35 @@
+# AWS IAM role for Route53Domains Poweruser
+
+This module will create a role which has Route53Domains FullAccess privileges.
+
+## Example
+
+```hcl
+module "route53domains-poweruser" {
+ source = "github.com/chanzuckerberg/cztack//aws-iam-role-route53domains-poweruser?ref=v0.14.0"
+
+ # The name of the role to create in this account.
+ role_name = "..."
+
+ # The ID of the other AWS account which can assume this role.
+ source_account_id = "..."
+}
+
+```
+
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| iam\_path | | string | `"/"` | no |
+| role\_name | | string | n/a | yes |
+| source\_account\_id | | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| arn | |
+
+
diff --git a/aws-iam-role-route53domains-poweruser/main.tf b/aws-iam-role-route53domains-poweruser/main.tf
new file mode 100644
index 00000000..6c6c6f1c
--- /dev/null
+++ b/aws-iam-role-route53domains-poweruser/main.tf
@@ -0,0 +1,21 @@
+data "aws_iam_policy_document" "assume-role" {
+ statement {
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+ }
+
+ actions = ["sts:AssumeRole"]
+ }
+}
+
+resource "aws_iam_role" "route53domains-poweruser" {
+ name = "${var.role_name}"
+ path = "${var.iam_path}"
+ assume_role_policy = "${data.aws_iam_policy_document.assume-role.json}"
+}
+
+resource "aws_iam_role_policy_attachment" "route53domains-fullaccess" {
+ role = "${aws_iam_role.route53domains-poweruser.name}"
+ policy_arn = "arn:aws:iam::aws:policy/AmazonRoute53DomainsFullAccess"
+}
diff --git a/aws-iam-role-route53domains-poweruser/module_test.go b/aws-iam-role-route53domains-poweruser/module_test.go
new file mode 100644
index 00000000..e379d5d0
--- /dev/null
+++ b/aws-iam-role-route53domains-poweruser/module_test.go
@@ -0,0 +1,26 @@
+package test
+
+import (
+ "testing"
+
+ "github.com/chanzuckerberg/cztack/testutil"
+ "github.com/gruntwork-io/terratest/modules/random"
+)
+
+func TestAWSIAMRoleRoute53DomainsPoweruser(t *testing.T) {
+
+ curAcct := testutil.AWSCurrentAccountId(t)
+
+ terraformOptions := testutil.Options(
+ testutil.IAMRegion,
+
+ map[string]interface{}{
+ "role_name": random.UniqueId(),
+ "source_account_id": curAcct,
+ },
+ )
+
+ defer testutil.Cleanup(t, terraformOptions)
+
+ testutil.Run(t, terraformOptions)
+}
diff --git a/aws-iam-role-route53domains-poweruser/outputs.tf b/aws-iam-role-route53domains-poweruser/outputs.tf
new file mode 100644
index 00000000..688aac05
--- /dev/null
+++ b/aws-iam-role-route53domains-poweruser/outputs.tf
@@ -0,0 +1,3 @@
+output "arn" {
+ value = "${aws_iam_role.route53domains-poweruser.arn}"
+}
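Review bot: The trust policy in the assume-role document names `arn:aws:iam::${var.source_account_id}:root` with no `condition` block, so every IAM principal in the source account that its own administrators permit to call sts:AssumeRole can take on this role; the module delegates the whole trust decision to the other account. If the role is intended for a narrower set of operators, a `condition` on `aws:MultiFactorAuthPresent` or a variable holding explicit principal ARNs in place of the account root would keep the boundary in this module. Separately, the attached policy is `AmazonRoute53DomainsFullAccess`, which targets the Route 53 Domains (registration) API rather than hosted-zone DNS, so the commit description's "all the route53 permissions" overstates what is granted while the README's "Route53Domains FullAccess" wording is the accurate one. Recording that scope on the resource itself, e.g. `description = "Cross-account role limited to AmazonRoute53DomainsFullAccess (domain registration)"`, makes it visible wherever the role is inspected.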
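Review bot: TestAWSIAMRoleRoute53DomainsPoweruser only runs testutil.Run and the deferred Cleanup; nothing reads the module's `arn` output or checks that the policy attachment exists, so a regression that drops the attachment block would still pass if testutil.Run only applies (its body is outside this patch, so that is an inference). A minimal pin would be `arn := terraform.Output(t, terraformOptions, "arn")` after the run, with a fatal on an empty value, which needs the terratest `modules/terraform` import alongside the existing `modules/random` one. On style, the blank line that opens the function body and the blank line inside the testutil.Options argument list read as leftovers and could be removed, and if the repository's other module tests call `t.Parallel()` first this one should match.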
diff --git a/aws-iam-role-route53domains-poweruser/variables.tf b/aws-iam-role-route53domains-poweruser/variables.tf
new file mode 100644
index 00000000..c7450473
--- /dev/null
+++ b/aws-iam-role-route53domains-poweruser/variables.tf
@@ -0,0 +1,12 @@
+variable "source_account_id" {
+ type = "string"
+}
+
+variable "role_name" {
+ type = "string"
+}
+
+variable "iam_path" {
+ type = "string"
+ default = "/"
+}
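Review bot: None of the three variables carries a `description`, which is why the README's Inputs table in this same patch has empty Description cells; `source_account_id` in particular defines the role's trust boundary and deserves one at the declaration. For example `description = "ID of the AWS account whose principals may assume this role."` on source_account_id, `description = "Name of the IAM role to create."` on role_name, and `description = "IAM path under which the role is created."` on iam_path. If the README table is tool-generated it will pick these up on the next regeneration; otherwise the table should be updated by hand to match.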