v1.10.5: add network_admin to iam-general-policies

CHANGELOG.md

@@ -97,3 +97,7 @@
     - add 120s delay before applying bucket policy
   - s3-flow-logs
     - add 120s delay before applying bucket policy
+
+* v1.10.5 -- 20210511
+  - iam-general-policies
+    - add additional policy for network admin

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.10.4"
+  _module_version = "1.10.5"
 }

iam-general-policies/README.md

@@ -110,6 +110,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_iam_policy.general](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.policy_network-admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.deny_billing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -119,6 +120,7 @@ No modules.
 | [aws_iam_policy_document.lambda_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.manage_credentials](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.manage_keys](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.network_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.root_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.sts_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |

iam-general-policies/custom_policies.tf

@@ -35,6 +35,13 @@ locals {
       policy        = data.aws_iam_policy_document.deny_readonly_data.json
       create_policy = true
     }
+    "network_admin" = {
+      name          = "network-admin"
+      path          = "/"
+      description   = "Policy to augment (allow/deny) access for NetworkAdministrator"
+      policy        = data.aws_iam_policy_document.network_admin.json
+      create_policy = true
+    }
 
     #---
     # sts

iam-general-policies/policy_data.tf

@@ -101,6 +101,34 @@ data "aws_iam_policy_document" "deny_readonly_data" {
   }
 }
 
+data "aws_iam_policy_document" "network_admin" {
+  statement {
+    sid    = "NetworkAdminDeny"
+    effect = "Deny"
+    actions = [
+      "route53:*",
+      "route53domains:*",
+      #      "cloudfront:ListDistributions",
+      "elasticloadbalancing:*",
+      "elasticbeanstalk:*",
+      "sns:CreateTopic",
+      "cloudwatch:DeleteAlarms",
+    ]
+  }
+}
+
+resource "aws_iam_policy" "policy_network-admin" {
+  name        = format("%vinf-%v", "p-", "network-admin")
+  path        = "/"
+  description = "inf-network-admin policy"
+  policy      = data.aws_iam_policy_document.policy_network-admin.json
+
+  tags = merge(
+    local.common_tags,
+    tomap({ "boc:created_by" = "terraform" }),
+    tomap({ "Name" = format("%vinf-%v", "p-", "network-admin") }),
+  )
+}
 #---
 # sts (for roles)
 #---