AWS CIS v3.0.0 - Section 1 - Identity and Access Management

Policy Setting: AWS > IAM > Stack > Source

Policies

This policy setting depends on the following policy types:

Source

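# Sets the AWS > IAM > Stack > Source policy so that a Terraform stack creating
# the support role required by CIS v3.0.0 control 1.17 is deployed into the account.
resource "turbot_policy_setting" "aws_iam_stack_source" {
  resource = turbot_policy_pack.main.id
  type     = "tmod:@turbot/aws-iam#/policy/types/iamStackSource"
  note     = "AWS CIS v3.0.0 - Controls: 1.17"

  # GraphQL input for the template: only the account id and its metadata
  # (used for the partition) are interpolated below.
  template_input = <<-EOT
    {
      account {
        Id
        metadata
      }
    }
  EOT

  # Rendered as a YAML literal block ("|") holding the Terraform source of the stack.
  # The role carries only the AWS-managed AWSSupportAccess policy, and its trust
  # policy permits assumption from the same account's root principal only.
  # Both ARNs use the account's partition so the stack also applies in
  # non-commercial partitions. The principal ARN must be of the form
  # arn:<partition>:iam::<account-id>:root — the "iam" service segment is
  # required, otherwise the trust policy is rejected as malformed.
  template = <<-EOT
    |
      resource "aws_iam_role" "aws_support_role" {
        name = "AWSSupportRole"
        managed_policy_arns = [
          "arn:{{ $.account.metadata.aws.partition }}:iam::aws:policy/AWSSupportAccess"
        ]
        assume_role_policy = jsonencode({
          Version = "2012-10-17"
          Statement = [
            {
              Action = "sts:AssumeRole"
              Effect = "Allow"
              Principal = {
                "AWS": "arn:{{ $.account.metadata.aws.partition }}:iam::{{ $.account.Id }}:root"
              }
            },
          ]
        })
      }
  EOT
}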