From 9a8d5cb68da61f8bf19e45051f2faf399026dd44 Mon Sep 17 00:00:00 2001
From: enver
Date: Tue, 21 Mar 2023 12:34:00 +0100
Subject: [PATCH] fix: Update self manage policy to support users with path (#335)

Co-authored-by: Bryant Biggs
---
 examples/iam-group-with-policies/main.tf | 1 +
 modules/iam-group-with-policies/policies.tf | 31 ++++++++++++++++-----
 2 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/examples/iam-group-with-policies/main.tf b/examples/iam-group-with-policies/main.tf
index e77887bb..69dacf18 100644
--- a/examples/iam-group-with-policies/main.tf
+++ b/examples/iam-group-with-policies/main.tf
@@ -14,6 +14,7 @@ module "iam_user2" {
 source = "../../modules/iam-user"

 name = "user2"
+ path = "/developers/"

 create_iam_user_login_profile = false
 create_iam_access_key = false
diff --git a/modules/iam-group-with-policies/policies.tf b/modules/iam-group-with-policies/policies.tf
index 42f76647..016e20c7 100644
--- a/modules/iam-group-with-policies/policies.tf
+++ b/modules/iam-group-with-policies/policies.tf
@@ -35,7 +35,10 @@ data "aws_iam_policy_document" "iam_self_management" {
 "iam:GetUser"
 ]

- resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"]
+ resources = [
+ "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}",
+ "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}"
+ ]
 }

 statement {
@@ -50,7 +53,10 @@ data "aws_iam_policy_document" "iam_self_management" {
 "iam:UpdateAccessKey"
 ]

- resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"]
+ resources = [
+ "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}",
+ "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}"
+ ]
 }

 statement {
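Review bot: The second ARN added in the `iam:GetUser` statement, `user/*/$${aws:username}`, rests on two IAM facts the file does not record: `*` in a resource ARN also matches `/`, so the pattern covers users at any path depth, and IAM user names are unique per account regardless of path, which is why the wildcard segment does not extend the self-management grant to any other principal — a short comment above the list saying so would keep a later reader from either "tightening" it back to a single path or flagging it as over-broad. The identical six-line list is now repeated verbatim in all six statements of `iam_self_management` (the hunks at -35, -50, -65, -81, -97 and -124), so an edit to one can silently drift from the others; hoisting it into a local keeps them equal by construction, with each statement reduced to `resources = local.iam_self_user_arns`. If other statements of this document, not visible in the diff, scope MFA actions to `mfa/$${aws:username}`, they presumably need the same path-aware pair and should be checked. The enclosing data source begins before and continues after every hunk.

```terraform
locals {
  # Both forms are required: a user created with a path (e.g. "/developers/") carries
  # that path in its ARN, and "*" matches "/" in IAM resource ARNs, so the second entry
  # also covers nested paths. User names are unique per account, so the wildcard segment
  # cannot match any principal other than the caller.
  iam_self_user_arns = [
    "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}",
    "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}",
  ]
}

# … unchanged: data "aws_iam_policy_document" "iam_self_management" statements …
    resources = local.iam_self_user_arns
```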
@@ -65,7 +71,10 @@ data "aws_iam_policy_document" "iam_self_management" {
 "iam:UploadSigningCertificate"
 ]

- resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"]
+ resources = [
+ "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}",
+ "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}"
+ ]
 }

 statement {
@@ -81,7 +90,10 @@ data "aws_iam_policy_document" "iam_self_management" {
 "iam:UploadSSHPublicKey"
 ]

- resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"]
+ resources = [
+ "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}",
+ "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}"
+ ]
 }

 statement {
@@ -97,7 +109,10 @@ data "aws_iam_policy_document" "iam_self_management" {
 "iam:UpdateServiceSpecificCredential"
 ]

- resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"]
+ resources = [
+ "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}",
+ "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}"
+ ]
 }

 statement {
@@ -124,8 +139,10 @@ data "aws_iam_policy_document" "iam_self_management" {
 "iam:ResyncMFADevice"
 ]

- resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"]
-
+ resources = [
+ "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}",
+ "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}"
+ ]
 }

 statement {