From 4100d268262c1190f64eb228cfd94a84a695c283 Mon Sep 17 00:00:00 2001
From: Josh Brand
Date: Tue, 7 Mar 2023 17:22:55 -0500
Subject: [PATCH] Add extra IAM permissions for demo user creation during e2e tests (#3059)

These statements got nixed in the account migration, this policy should be applied to OSS (non-doormat) projects that need IAM access for testing
---
 enos/ci/service-user-iam/main.tf | 41 ++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/enos/ci/service-user-iam/main.tf b/enos/ci/service-user-iam/main.tf
index b59bb6b77f..202162be40 100644
--- a/enos/ci/service-user-iam/main.tf
+++ b/enos/ci/service-user-iam/main.tf
@@ -256,3 +256,44 @@ data "aws_iam_policy_document" "aws_nuke_policy_document" {
 resources = ["*"]
 }
 }
+
+resource "aws_iam_policy" "demo_user" {
+ count = local.is_ent ? 0 : 1 // only create a policy for the OSS repositories
+ name = "BoundaryDemoPermissionsBoundary"
+ path = "/"
+ description = "Used to allow temporary IAM user creation for end-to-end tests"
+ policy = data.aws_iam_policy_document.demo_user_policy_document.json
+}
+
+data "aws_iam_policy_document" "demo_user_policy_document" {
+ statement {
+ sid = "DemoUserEC2Permissions"
+ actions = [
+ "ec2:DescribeInstances*"
+ ]
+ resources = ["*"]
+ }
+ statement {
+ sid = "DemoUserIAMPermissions"
+ actions = [
+ "iam:CreateAccessKey",
+ "iam:DeleteAccessKey",
+ "iam:ListAccessKeys",
+ "iam:UpdateAccessKey"
+ ]
+ resources = ["arn:aws:iam::147451547303:user/&{aws:username}"]
+
+ }
+ statement {
+ sid = "ExplicitDeny"
+ effect = "Deny"
+ resources = ["*"]
+ not_actions = [
+ "ec2:DescribeInstances",
+ "iam:CreateAccessKey",
+ "iam:DeleteAccessKey",
+ "iam:ListAccessKeys",
+ "iam:UpdateAccessKey"
+ ]
+ }
+}
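Review bot: The allow and deny statements in `demo_user_policy_document` disagree on the EC2 action: `DemoUserEC2Permissions` allows `ec2:DescribeInstances*`, but `ExplicitDeny` lists only `ec2:DescribeInstances` in `not_actions`, so every other action the wildcard matches (DescribeInstanceStatus, DescribeInstanceAttribute, …) is allowed by one statement and explicitly denied by the next, which makes the wildcard misleading to anyone auditing the policy. Since the deny wins, tighten the allow to what is actually granted, `"ec2:DescribeInstances"`, or put the same wildcard in `not_actions` if the tests really need the broader set. The IAM statement also hard-codes the account id `147451547303` in the resource ARN, so if this module is ever applied in another account the self-scoping via `&{aws:username}` silently stops matching and the access-key actions grant nothing (or, if the ARN is later edited, the wrong thing); `resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/&{aws:username}"]` together with a `data "aws_caller_identity" "current" {}` block, if the module does not already have one, keeps the policy portable. Separately, the data source carries no `count` while the `aws_iam_policy` does, so the document is still rendered for enterprise even though no policy is created — harmless, but worth a one-line comment next to the `count` explaining that the document itself is unconditional.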