added terrafrom configs

000000000000/iam/roles/data.tf

@@ -0,0 +1,37 @@
+data "template_file" "policy_a" {
+  template = file("../../templates/role_a_policy.tpl")
+}
+
+data "template_file" "asume_role_policy" {
+  template = file("../../templates/asume_role_policy.tpl")
+  vars = {
+    prod_account_id = var.prod_account_id
+  }
+}
+
+data "template_file" "asume_role" {
+  template = file("../../templates/assume_role.tpl")
+}
+
+
+data "terraform_remote_state" "group_2" {
+  backend = "s3"
+
+  config = {
+    bucket  = "mytesting-tf-states"
+    profile = "terra"
+    region  = "eu-west-1"
+    key     = "000000000000/iam/users_and_groups/normal_users/terraform.tfstate"
+  }
+}
+
+data "terraform_remote_state" "group_1" {
+  backend = "s3"
+
+  config = {
+    bucket  = "mytesting-tf-states"
+    profile = "terra"
+    region  = "eu-west-1"
+    key     = "000000000000/iam/users_and_groups/cli_users/terraform.tfstate"
+  }
+}

000000000000/iam/roles/main.tf

@@ -0,0 +1,72 @@
+terraform {
+  backend "s3" {
+    profile = "terra"
+    bucket  = "mytesting-tf-states"
+    key     = "000000000000/iam/roles/terraform.tfstate"
+    region  = "eu-west-1"
+  }
+}
+
+##########################
+###"A" policy and role 
+##########################
+
+resource "aws_iam_policy" "role_a_policy" {
+  name        = "role_a_policy"
+  path        = "/service-role/"
+  description = "role_a_policy"
+
+  policy = data.template_file.policy_a.rendered
+}
+
+resource "aws_iam_role" "role_a" {
+  name = "role_a"
+
+  assume_role_policy  = data.template_file.asume_role.rendered
+  managed_policy_arns = [aws_iam_policy.role_a_policy.arn]
+}
+
+##########################
+###"B" policy and role 
+##########################
+
+resource "aws_iam_policy" "role_b_policy" {
+  name        = "role_b_policy"
+  path        = "/service-role/"
+  description = ""
+  policy      = data.template_file.asume_role_policy.rendered
+}
+
+
+resource "aws_iam_role" "role_b" {
+  name = "role_b"
+
+  assume_role_policy  = data.template_file.asume_role.rendered
+  managed_policy_arns = [aws_iam_policy.role_b_policy.arn]
+}
+
+#######################################
+### Creating Ec2 instance role for "B" 
+#######################################
+
+resource "aws_iam_instance_profile" "test_profile" {
+  name = "s3_profile"
+  role = aws_iam_role.role_b.name
+}
+
+####################################################
+### Attach "A" role policy to group 1 just for test
+####################################################
+
+resource "aws_iam_group_policy_attachment" "group_1" {
+  group      = data.terraform_remote_state.group_1.outputs.user_group_1_name
+  policy_arn = aws_iam_policy.role_a_policy.arn
+  depends_on = [aws_iam_policy.role_a_policy]
+}
+
+resource "aws_iam_group_policy_attachment" "group_2_role" {
+  group      = data.terraform_remote_state.group_2.outputs.user_group_2_name
+  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+  depends_on = [aws_iam_policy.role_a_policy]
+}
+

000000000000/iam/roles/provider.tf

@@ -0,0 +1,4 @@
+provider "aws" {
+  region  = var.region
+  profile = "terra"
+} 

000000000000/iam/roles/variables.tf

@@ -0,0 +1,9 @@
+variable "region" {
+  type    = string
+  default = "eu-west-1"
+}
+
+variable "prod_account_id" {
+  type    = string
+  default = "184100688147"
+}