resource "aws_iam_role" "contractor_audit" {
name = var.role_name
max_session_duration = var.max_session_duration
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Effect = "Allow"
Principal = { AWS = var.contractor_principal_arn }
Action = "sts:AssumeRole"
Condition = {
StringEquals = { "sts:ExternalId" = var.external_id }
}
}]
})
}
resource "aws_iam_role_policy_attachment" "security_audit" {
role = aws_iam_role.contractor_audit.name
policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
resource "aws_iam_role_policy_attachment" "view_only" {
count = var.attach_view_only ? 1 : 0
role = aws_iam_role.contractor_audit.name
policy_arn = "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
}
resource "aws_iam_role_policy" "cost_explorer" {
count = var.enable_cost_explorer ? 1 : 0
name = "ContractorCostExplorerReadOnly"
role = aws_iam_role.contractor_audit.id
policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Effect = "Allow"
Action = [
"ce:GetCostAndUsage",
"ce:GetCostForecast",
"ce:GetDimensionValues",
"ce:GetTags",
"ce:GetReservationCoverage",
"ce:GetRightsizingRecommendation",
"ce:GetSavingsPlansCoverage",
"ce:GetSavingsPlansUtilization"
]
Resource = "*"
}]
})
}
