From 3c8e277a2bdb36aff942e211c5ee84a24cc44280 Mon Sep 17 00:00:00 2001
From: badra001
Date: Tue, 11 May 2021 10:40:13 -0400
Subject: [PATCH] add network_admin inf policy

---
 CHANGELOG.md | 4 ++++
 common/version.tf | 2 +-
 iam-general-policies/README.md | 2 ++
 iam-general-policies/custom_policies.tf | 7 +++++++
 iam-general-policies/policy_data.tf | 28 +++++++++++++++++++++++++
 5 files changed, 42 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 81b73bb..30d3b47 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -97,3 +97,7 @@
 - add 120s delay before applying bucket policy
 - s3-flow-logs
 - add 120s delay before applying bucket policy
+
+* v1.10.5 -- 20210511
+ - iam-general-policies
+ - add additional policy for network admin
diff --git a/common/version.tf b/common/version.tf
index 139b925..46a0669 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "1.10.4"
+ _module_version = "1.10.5"
 }
diff --git a/iam-general-policies/README.md b/iam-general-policies/README.md
index 262261b..3eda451 100644
--- a/iam-general-policies/README.md
+++ b/iam-general-policies/README.md
@@ -110,6 +110,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_iam_policy.general](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.policy_network-admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.deny_billing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -119,6 +120,7 @@ No modules.
 | [aws_iam_policy_document.lambda_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.manage_credentials](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.manage_keys](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.network_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.root_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.sts_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
diff --git a/iam-general-policies/custom_policies.tf b/iam-general-policies/custom_policies.tf
index 452f3a4..a3d4e55 100644
--- a/iam-general-policies/custom_policies.tf
+++ b/iam-general-policies/custom_policies.tf
@@ -35,6 +35,13 @@ locals {
 policy = data.aws_iam_policy_document.deny_readonly_data.json
 create_policy = true
 }
+ "network_admin" = {
+ name = "network-admin"
+ path = "/"
+ description = "Policy to augment (allow/deny) access for NetworkAdministrator"
+ policy = data.aws_iam_policy_document.network_admin.json
+ create_policy = true
+ }
 
 #---
 # sts
diff --git a/iam-general-policies/policy_data.tf b/iam-general-policies/policy_data.tf
index 6eb2702..307748a 100644
--- a/iam-general-policies/policy_data.tf
+++ b/iam-general-policies/policy_data.tf
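Review bot: The `network_admin` entry sets `create_policy = true` against `data.aws_iam_policy_document.network_admin`, and the policy_data.tf hunk in this same patch declares a further `aws_iam_policy.policy_network-admin` from that same document, so the single Deny statement appears to be materialised as two standalone IAM policies (one named from `name = "network-admin"`, one named `p-inf-network-admin`) that must then be kept in step by hand. If a separately named "inf" variant is genuinely required, record that on this entry, e.g. `# also published as p-inf-network-admin via policy_data.tf; keep both in sync`; otherwise one of the two should go. The `description` says `(allow/deny)`, but the referenced document holds only a Deny statement, so wording such as `description = "Deny guardrails layered on top of NetworkAdministrator"` would describe it more accurately. The enclosing `locals` map starts outside the hunk.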
@@ -101,6 +101,34 @@ data "aws_iam_policy_document" "deny_readonly_data" {
 }
 }
+data "aws_iam_policy_document" "network_admin" {
+ statement {
+ sid = "NetworkAdminDeny"
+ effect = "Deny"
+ actions = [
+ "route53:*",
+ "route53domains:*",
+ # "cloudfront:ListDistributions",
+ "elasticloadbalancing:*",
+ "elasticbeanstalk:*",
+ "sns:CreateTopic",
+ "cloudwatch:DeleteAlarms",
+ ]
+ }
+}
+
+resource "aws_iam_policy" "policy_network-admin" {
+ name = format("%vinf-%v", "p-", "network-admin")
+ path = "/"
+ description = "inf-network-admin policy"
+ policy = data.aws_iam_policy_document.policy_network-admin.json
+
+ tags = merge(
+ local.common_tags,
+ tomap({ "boc:created_by" = "terraform" }),
+ tomap({ "Name" = format("%vinf-%v", "p-", "network-admin") }),
+ )
+}
 
 #---
 # sts (for roles)
 #---
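Review bot: The `policy` argument of `aws_iam_policy.policy_network-admin` references `data.aws_iam_policy_document.policy_network-admin.json`, but the only document declared here is `data.aws_iam_policy_document.network_admin`, so `terraform validate` will reject the module with a reference to an undeclared resource; the line should read `policy = data.aws_iam_policy_document.network_admin.json`. The `NetworkAdminDeny` statement also declares no `resources`, and an identity-based policy statement without a Resource/NotResource element is rejected by IAM when the policy is created, so add `resources = ["*"]` inside the `statement` block (a Deny on all resources is what the action list implies). `format("%vinf-%v", "p-", "network-admin")` takes only literal arguments and is written twice, once for `name` and once for the `Name` tag; a single local holding the resulting string would keep the two from drifting, and the hyphenated label `policy_network-admin` breaks with the underscore naming used by the other resources in this file.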