add readonly to tf group

terraform-modules · Apr 26, 2022 · 077a9ef · 077a9ef
1 parent ff3edcd
commit 077a9ef
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -150,3 +150,7 @@
 * 1.15.1 -- 2022-04-26
   - terraform-state
     -  add group inf-terraform with write access
+
+* 1.15.2 -- 2022-04-26
+  - terraform-state
+    -  add readonly to group inf-terraform w
diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.15.1"
+  _module_version = "1.15.2"
 }
diff --git a/terraform-state/README.md b/terraform-state/README.md
@@ -77,6 +77,7 @@ No modules.
 | [aws_s3_bucket_public_access_block.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy.managed_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy_document.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.tfstate_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.tfstate_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

diff --git a/terraform-state/group.tf b/terraform-state/group.tf
@@ -1,6 +1,8 @@
 locals {
-  group_name     = format("%v%v", lookup(local._prefixes, "group", ""), "inf-terraform")
-  group_policies = [aws_iam_policy.tfstate_write.arn]
+  group_name                   = format("%v%v", lookup(local._prefixes, "group", ""), "inf-terraform")
+  group_policies               = [aws_iam_policy.tfstate_write.arn]
+  group_managed_policies_names = ["ReadOnlyAccess"]
+  group_managed_policies       = [for k, p in data.aws_iam_policy.managed_policies : p.arn]
 }
 
 resource "aws_iam_group" "terraform" {
@@ -9,7 +11,13 @@ resource "aws_iam_group" "terraform" {
 }
 
 resource "aws_iam_group_policy_attachment" "terraform" {
-  for_each   = { for p in local.group_policies : p => p }
+  for_each   = { for p in concat(local.group_policies, local.group_managed_policies) : p => p }
   group      = aws_iam_group.terraform.name
   policy_arn = each.value
 }
+
+
+data "aws_iam_policy" "managed_policies" {
+  for_each = toset(local.group_managed_policies)
+  name     = each.key
+}