Grant infra team members IAM access

Mark-Simulacrum · Mark-Simulacrum · commit 8d5bf18cf39b · 2022-10-07T09:31:03.000-04:00
diff --git a/terraform/team-members-access/_users.tf b/terraform/team-members-access/_users.tf
@@ -3,20 +3,20 @@
 
 locals {
   users = {
-    "jynelson"      = [aws_iam_group.docs_rs.name],
+    "jynelson"      = [aws_iam_group.docs_rs.name, aws_iam_group.infra_team.name],
     "pietroalbini"  = [aws_iam_group.infra_admins.name],
     "simulacrum"    = [aws_iam_group.infra_admins.name],
     "jdn"           = [aws_iam_group.infra_admins.name],
     "technetos"     = [aws_iam_group.mods_discord.name],
     "carols10cents" = [aws_iam_group.crates_io.name],
     "jtgeibel"      = [aws_iam_group.crates_io.name],
     "Turbo87"       = [aws_iam_group.crates_io.name],
-    "rylev"         = [aws_iam_group.rustc_perf.name],
+    "rylev"         = [aws_iam_group.rustc_perf.name, aws_iam_group.infra_team.name],
     "JoelMarcey"    = [aws_iam_group.foundation.name],
     "rebeccarumbul" = [aws_iam_group.foundation.name],
     "abibroom"      = [aws_iam_group.foundation.name],
     "paullenz"      = [aws_iam_group.foundation.name],
-    "shepmaster"    = [aws_iam_group.infra_deploy_playground.name],
+    "shepmaster"    = [aws_iam_group.infra_deploy_playground.name, aws_iam_group.infra_team.name],
     "oli-obk"       = [aws_iam_group.infra_deploy_staging_dev_desktop.name],
   }
 }
diff --git a/terraform/team-members-access/infra-team.tf b/terraform/team-members-access/infra-team.tf
@@ -0,0 +1,21 @@
+// Permissions for the members of the infra team as a whole.
+
+resource "aws_iam_group" "infra_team" {
+  name = "infra-team"
+}
+
+resource "aws_iam_group_policy_attachment" "infra_team_manage_own_credentials" {
+  group      = aws_iam_group.infra_team.name
+  policy_arn = aws_iam_policy.manage_own_credentials.arn
+}
+
+resource "aws_iam_group_policy_attachment" "infra_team_enforce_mfa" {
+  group      = aws_iam_group.infra_team.name
+  policy_arn = aws_iam_policy.enforce_mfa.arn
+}
+
+// Infra team members are allowed to have read access to IAM
+resource "aws_iam_group_policy_attachment" "infra_team_iam_access" {
+  group      = aws_iam_group.infra_team.name
+  policy_arn = "arn:aws:iam::aws:policy/IAMReadOnlyAccess"
+}
