Separate Terraform plan and apply roles for incubator (#147)

* Separate Terraform plan and apply roles for incubator

* Applying recommended role detail changes for plan and apply

* Removed Pull Request condition from incubator_tf_apply

* Removed Supervisors group reference in terraform/aws-groups.tf

* Removed iam-services-supervisor group from Chelseyb account

Author: Benettonkkb

terraform/aws-gha-oidc-providers.tf

@@ -9,4 +9,70 @@ module "iam_oidc_gha_incubator" {
   policy_arns = [
     "arn:aws:iam::aws:policy/AdministratorAccess"
   ]
+
+}
+resource "aws_iam_role" "incubator_tf_plan" {
+  name = "incubator-tf-plan"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = "sts:AssumeRoleWithWebIdentity"
+        Principal = {
+          Federated = module.iam_oidc_gha_incubator.provider_arn
+        }
+        Condition = {
+          StringEquals = {
+            "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
+          }
+          StringLike = {
+            "token.actions.githubusercontent.com:sub" = [
+              "repo:hackforla/incubator:ref:refs/heads/*",
+              "repo:hackforla/incubator:pull_request"
+            ]
+          }
+        }
+      }
+    ]
+  })
 }
+
+resource "aws_iam_role_policy_attachment" "incubator_tf_plan_readonly" {
+  role      = aws_iam_role.incubator_tf_plan.name
+  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+}
+
+resource "aws_iam_role" "incubator_tf_apply" {
+  name = "incubator-tf-apply"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = "sts:AssumeRoleWithWebIdentity"
+        Principal = {
+          Federated = module.iam_oidc_gha_incubator.provider_arn
+        }
+        Condition = {
+          StringEquals = {
+            "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
+          }
+          StringLike = {
+            "token.actions.githubusercontent.com:sub" = [
+              "repo:hackforla/incubator:ref:refs/heads/main"
+            ]
+          }
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "incubator_tf_apply_admin" {
+  role       = aws_iam_role.incubator_tf_apply.name
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+

terraform/aws-groups.tf

@@ -10,14 +10,3 @@ module "iam_read_only_group" {
   }
 }
 
-// Create iam services admin group
-module "iam_services_supervisor_group" {
-  source = "./modules/aws-groups"
-
-  group_name = "iam-services-supervisor-group"
-  policy_arn = {
-    "IAMServicesSupervisor" = module.aws_custom_policies.policy_arns["IAMServicesSupervisor"],
-    "EnforceMFAForUsers"    = module.aws_custom_policies.policy_arns["EnforceMFAForUsers"]
-  }
-}
-

terraform/aws-users.tf

@@ -29,7 +29,7 @@ module "iam_user_chelseyb" {
     "Project"      = "devops-security"
     "Access Level" = "1"
   }
-  user_groups = ["read-only-group", "iam-services-supervisor-group"]
+  user_groups = ["read-only-group"]
 }
 
 
@@ -135,7 +135,7 @@ module "iam_user_raibarra" {
 module "iam_user_ezesalvatore4" {
   source = "./modules/aws-users"
 
-  user_name = "ezesalvatore" 
+  user_name = "ezesalvatore"
   user_tags = {
     "Project"      = "devops-security"
     "Access Level" = "1"