
# Service catalogue that drives every policy/group pair defined in this file.
#   key   = human-readable label used in the IAM resource names
#   value = IAM action namespace for that service
# NOTE(review): "EC2" and "VPC" both map to the "ec2" namespace, so the
# resources below create two identically-scoped policy/group pairs that differ
# only in name.
locals {
  services = {
    S3             = "s3"
    EFS            = "elasticfilesystem"
    EC2            = "ec2"
    Autoscaling    = "autoscaling"
    ELB            = "elasticloadbalancing"
    VPC            = "ec2"
    Route53        = "route53"
    Lambda         = "lambda"
    CloudWatch     = "cloudwatch"
    CloudTrail     = "cloudtrail"
    KMS            = "kms"
    CloudFormation = "cloudformation"
  }
}
# One customer-managed "read only" policy per entry in local.services,
# named "<Label>_ReadOnly_Access".
# NOTE(review): the action wildcards are granted with Resource = "*", i.e.
# account-wide read access to the whole namespace. "s3:Get*" also matches
# object-level reads such as s3:GetObject, and "lambda:Get*" matches
# lambda:GetFunction, which returns a download location for the function
# code — confirm that level of read is intended before attaching this to users.
resource "aws_iam_policy" "read_only" {
  for_each = local.services

  name = format("%s_ReadOnly_Access", each.key)

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        # Expands to "<namespace>:List*", "<namespace>:Get*", "<namespace>:Describe*".
        Action   = [for verb in ["List", "Get", "Describe"] : format("%s:%s*", each.value, verb)]
        Resource = "*"
      }
    ]
  })
}
# One customer-managed "full access" policy per entry in local.services,
# named "<Label>_Full_Access".
# NOTE(review): "<namespace>:*" on Resource = "*" is every action in the
# service on every resource in the account (for "kms" that includes key
# deletion and key-policy changes). Where a service supports resource ARNs or
# condition keys, consider narrowing this before attaching it to groups.
resource "aws_iam_policy" "full_access" {
  for_each = local.services

  name = format("%s_Full_Access", each.key)

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        # Single wildcard entry: "<namespace>:*".
        Action   = [format("%s:*", each.value)]
        Resource = "*"
      }
    ]
  })
}
# One IAM group per service, named "<Label>_ReadOnly_Access_Group"; the
# matching read-only policy is attached by the resource below.
resource "aws_iam_group" "read_only" {
  for_each = local.services

  name = format("%s_ReadOnly_Access_Group", each.key)
}
# Attach each "<Label>_ReadOnly_Access" policy to the group of the same label.
# Keyed by the service label so the group and policy are looked up in lockstep.
resource "aws_iam_group_policy_attachment" "read_only" {
  for_each = local.services

  group      = aws_iam_group.read_only[each.key].name
  policy_arn = aws_iam_policy.read_only[each.key].arn
}
# One IAM group per service, named "<Label>_Full_Access_Group"; the matching
# full-access policy is attached by the resource below.
resource "aws_iam_group" "full_access" {
  for_each = local.services

  name = format("%s_Full_Access_Group", each.key)
}
# Attach each "<Label>_Full_Access" policy to the group of the same label.
# Keyed by the service label so the group and policy are looked up in lockstep.
resource "aws_iam_group_policy_attachment" "full_access" {
  for_each = local.services

  group      = aws_iam_group.full_access[each.key].name
  policy_arn = aws_iam_policy.full_access[each.key].arn
}