module "cross_account_policy" {
  source  = "registry.patterneddesigns.ca/governance/access-policy/aws"
  version = "2.1.0"

  # IAM policy produced by the governance module; its policy_arn output is
  # attached to the cross-account role elsewhere in this file.
  policy_name = "cross-account-data-access"
  policy_type = "iam"

  # Per-service resource scoping: S3 is limited to one bucket and its
  # objects, KMS to one key, STS to one role ARN. How the module combines
  # allowed_services and resource_restrictions into the final policy is not
  # visible here — confirm against the module's documentation.
  resource_restrictions = {
    s3 = [
      "arn:aws:s3:::shared-data-bucket-prod",
      "arn:aws:s3:::shared-data-bucket-prod/*",
    ]
    kms = ["arn:aws:kms:us-east-1:111122223333:key/shared-key-id"]
    sts = ["arn:aws:iam::111122223333:role/DataAccessRole"]
  }

  allowed_services = ["s3", "kms", "sts"]
}
# IAM role assumed by the trusted external account for cross-account data access
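# Shared secret the external account must present when assuming the role
# (enforced by the sts:ExternalId condition below). Declared sensitive so
# Terraform redacts it from plan/apply output. The default preserves the
# value that was previously hard-coded in the trust policy; supply the real
# value from a secret store (TF_VAR_cross_account_external_id or a .tfvars
# file kept out of version control) instead of editing it here.
variable "cross_account_external_id" {
  type      = string
  sensitive = true
  default   = "secure-external-id"
}

resource "aws_iam_role" "cross_account" {
  name = "cross-account-data-role"

  # Trust policy: which principals may call sts:AssumeRole on this role.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      # ":root" trusts every principal in account 444455556666 whose own IAM
      # policy permits sts:AssumeRole on this role, not only the account's
      # root user. If a single role or user in that account needs access,
      # name its ARN here instead to narrow the trust.
      Principal = {
        AWS = "arn:aws:iam::444455556666:root"
      }
      Action = "sts:AssumeRole"
      # The caller must pass the same external ID; this mitigates the
      # confused-deputy problem where a third party gets the trusted account
      # to assume this role on its behalf.
      Condition = {
        StringEquals = {
          "sts:ExternalId" = var.cross_account_external_id
        }
      }
    }]
  })
}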
resource "aws_iam_role_policy_attachment" "cross_account" {
  # Bind the governance-module policy to the cross-account role so the
  # permissions it grants apply to whoever assumes that role.
  policy_arn = module.cross_account_policy.policy_arn
  role       = aws_iam_role.cross_account.name
}