Skip to content
This repository has been archived by the owner on Sep 27, 2024. It is now read-only.

CMS-Enterprise/batcave-tf-irsa

Repository files navigation

batcave-tf-irsa

Requirements

Name Version
terraform >= 1.0
aws >= 4.0

Providers

Name Version
aws >= 4.0

Modules

No modules.

Resources

Name Type
aws_iam_policy.cloudwatch resource
aws_iam_policy.dynamodb resource
aws_iam_policy.ec2 resource
aws_iam_policy.s3 resource
aws_iam_policy.secrets-manager resource
aws_iam_policy.sops resource
aws_iam_policy.sqs_read_write resource
aws_iam_policy.tags resource
aws_iam_role.this resource
aws_iam_role_policy_attachment.cloudwatch resource
aws_iam_role_policy_attachment.dynamodb resource
aws_iam_role_policy_attachment.ec2 resource
aws_iam_role_policy_attachment.insights_policy resource
aws_iam_role_policy_attachment.s3_policy resource
aws_iam_role_policy_attachment.secrets-manager resource
aws_iam_role_policy_attachment.sops resource
aws_iam_role_policy_attachment.sqs_read_write resource
aws_iam_role_policy_attachment.tags resource
aws_iam_role_policy_attachment.this resource
aws_iam_policy_document.cloudwatch data source
aws_iam_policy_document.dynamodb data source
aws_iam_policy_document.ec2 data source
aws_iam_policy_document.s3 data source
aws_iam_policy_document.secrets-manager data source
aws_iam_policy_document.sops data source
aws_iam_policy_document.sqs_read_write data source
aws_iam_policy_document.tags data source
aws_iam_policy_document.this data source
aws_partition.current data source

Inputs

Name Description Type Default Required
app_name App name (ie. Flux, Velero, etc.) string "" no
asm_secret_arns ARNs of secrets in AWS secrets manager (ASM) to add to policy list(string) [] no
assume_role_condition_test Name of the IAM condition operator to evaluate when assuming the role string "StringEquals" no
attach_cloudwatch_policy Determines whether to attach the cloudwatch permissions to the role bool false no
attach_dynamodb_policy Determines whether to attach the dynamodb policy to the role bool false no
attach_ec2_policy Determines whether to attach the ec2 permissions to the role bool false no
attach_insights_policy Determines whether to attach the CloudWatch Insights policy to the role bool false no
attach_s3_policy Determines whether to attach the S3 to the role bool false no
attach_secretsmanager_policy Determines whether to attach the secrets manager permissions to the role bool false no
attach_sops_policy Determines whether to attach the SOPS policy to the role bool false no
attach_tags_policy Determines whether to attach the tags permissions to the role bool false no
create_role Whether to create a role bool true no
dynamodb_arn Dynamodb table to allow access to string "" no
force_detach_policies Whether policies should be detached from this role when destroying bool true no
max_session_duration Maximum CLI/API session duration in seconds between 3600 and 43200 number null no
oidc_providers Map of OIDC providers where each provider map should contain the provider, provider_arn, and namespace_service_accounts any
{
"one": {
"namespace_service_accounts": [
"default:default"
],
"provider_arn": ""
}
}
no
policy_name_prefix IAM policy name prefix string "AmazonEKS_" no
role_description IAM Role description string null no
role_name Name of IAM role string "vpc-cni" no
role_path Path of IAM role string "/delegatedadmin/developer/" no
role_permissions_boundary_arn Permissions boundary ARN to use for IAM role string "arn:aws:iam::373346310182:policy/cms-cloud-admin/developer-boundary-policy" no
role_policy_arns ARNs of any policies to attach to the IAM role map(string) {} no
s3_bucket_arns List of S3 Bucket ARNs to allow access to list(string)
[
""
]
no
sops_arn SOPS ARN to allow access to string "" no
sqs_read_write_arns List of SQS ARNs to allow read/write access to list(string) [] no
tags A map of tags to add the the IAM role map(any) {} no

Outputs

Name Description
iam_role_arn ARN of IAM role
iam_role_name Name of IAM role
iam_role_path Path of IAM role
iam_role_unique_id Unique ID of IAM role