Have a question? Please check out our Slack Community or visit our Slack Archive.
Describe the Feature
Docs on how to create this: https://github.com/cloudposse/terraform-aws-components/tree/master/modules/vpc-peering
It would be nice to be able to create the IAM role referenced by `accepter_aws_assume_role_arn` using a submodule, for example:
# Account ID of the account the accepter role is created in (the account the
# provider is configured for).
# NOTE(review): account_id is not referenced anywhere in this snippet; the
# resource ARNs below use var.accepter_account instead. If both are meant to be
# the same account, consider using one or the other consistently — confirm.
locals {
  account_id = data.aws_caller_identity.current.account_id
}
# Identity of the credentials the AWS provider is running with; only its
# account_id is read (in locals above).
data "aws_caller_identity" "current" {}
# Permissions policy for the accepter-side VPC peering role.
# Every statement is scoped to the accepter account (var.accepter_account)
# where the action supports resource-level permissions; the region segment of
# each ARN is a wildcard ("*"), so the role may act in any region of that
# account. NOTE(review): pin the region if peering is only expected in one.
data "aws_iam_policy_document" "vpc_peering" {
  # Route management: lets the role add/remove routes on any route table in
  # the accepter account (needed to route traffic over the peering connection).
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["arn:aws:ec2:*:${var.accepter_account}:route-table/*"]
    actions = [
      "ec2:CreateRoute",
      "ec2:DeleteRoute",
    ]
  }
  # Read-only discovery. The ec2:Describe* actions do not support
  # resource-level permissions, so "*" is required for them.
  # NOTE(review): ec2:ModifyVpcPeeringConnectionOptions is a write action and
  # likely can be scoped to the vpc-peering-connection ARN used in the next
  # statement instead of "*" — confirm against the EC2 IAM action table.
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "ec2:DescribeVpcPeeringConnections",
      "ec2:DescribeVpcs",
      "ec2:ModifyVpcPeeringConnectionOptions",
      "ec2:DescribeSubnets",
      "ec2:DescribeVpcAttribute",
      "ec2:DescribeRouteTables",
    ]
  }
  # Peering lifecycle: accept/reject/create/delete peering connections that
  # involve VPCs and peering connections owned by the accepter account.
  statement {
    sid    = ""
    effect = "Allow"
    resources = [
      "arn:aws:ec2:*:${var.accepter_account}:vpc-peering-connection/*",
      "arn:aws:ec2:*:${var.accepter_account}:vpc/*",
    ]
    actions = [
      "ec2:AcceptVpcPeeringConnection",
      "ec2:DeleteVpcPeeringConnection",
      "ec2:CreateVpcPeeringConnection",
      "ec2:RejectVpcPeeringConnection",
    ]
  }
  # Tagging, restricted to peering connections in the accepter account.
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["arn:aws:ec2:*:${var.accepter_account}:vpc-peering-connection/*"]
    actions = [
      "ec2:DeleteTags",
      "ec2:CreateTags",
    ]
  }
}
# IAM role assumed from the requester account to act on the accepter side of
# the peering (the target of accepter_aws_assume_role_arn).
#
# The trust policy names the requester account's root principal, which
# delegates the decision to the requester account: any IAM principal there
# whose own identity policy allows sts:AssumeRole on this role may assume it.
# NOTE(review): there is no Condition block; if a narrower trust is wanted,
# consider restricting to a specific principal ARN or adding a condition
# (e.g. sts:ExternalId) — confirm with the requester-side setup.
resource "aws_iam_role" "vpc_peering" {
  assume_role_policy = jsonencode({
    Statement = [
      {
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          AWS = [
            "arn:aws:iam::${var.requester_account}:root",
          ]
        }
        Sid = ""
      },
    ]
    Version = "2012-10-17"
  })

  # Fixed name; only one such role can exist per account.
  name = "vpc-peering-role"
}
# Attaches the permissions document above to the peering role as an inline
# policy (it lives and dies with the role rather than as a standalone policy).
resource "aws_iam_role_policy" "vpc_peering" {
  role   = aws_iam_role.vpc_peering.id
  policy = data.aws_iam_policy_document.vpc_peering.json
  name   = "vpc-peering-policy"
}