A Terraform module to bootstrap the creation of an IAM Role in an AWS Account when new accounts are created within AWS Organizations.
This module creates a new IAM role, attaches an AWS-managed permission policy, and sets the trust policy to the provided JSON-formatted string.
This module uses CloudWatch Events to identify when new accounts are added or invited to an AWS Organization, and triggers a Lambda function to create the IAM role.
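The sequence the Lambda runs once the event rule fires, written out as an added example in Python/boto3 (this is not the module's own Lambda code): the function names, the session name, the rejection of wildcard principals in the trust policy and the partition-aware managed-policy ARN format are this example's assumptions, not taken from the module.

```python
"""Added example (not the module's own Lambda): the bootstrap steps run for a new
account: assume the bootstrap role there, create the IAM role with the supplied
trust policy, attach the AWS-managed permission policy."""
import json


def managed_policy_arn(partition: str, policy_name: str) -> str:
    # AWS-managed policies live in the 'aws' account of each partition, so the
    # ARN depends on the partition (aws, aws-cn, aws-us-gov) the Lambda runs in.
    return f"arn:{partition}:iam::aws:policy/{policy_name}"


def validate_trust_policy(trust_policy_json: str) -> dict:
    """Fail fast on a malformed or wide-open trust policy instead of creating
    a role nobody (or anybody) can assume."""
    policy = json.loads(trust_policy_json)
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        raise ValueError("trust policy must contain a non-empty Statement list")
    if any(s.get("Principal") in ("*", {"AWS": "*"}) for s in statements):
        raise ValueError("trust policy must not trust every principal")
    return policy


def target_account_iam(account_id: str, assume_role_name: str, partition: str = "aws"):
    """Cross-account sts:AssumeRole into the new account; returns an IAM client
    scoped to it (the session name is an arbitrary choice for this example)."""
    import boto3  # imported lazily so the pure functions above need no SDK
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:{partition}:iam::{account_id}:role/{assume_role_name}",
        RoleSessionName="org-account-bootstrap")["Credentials"]
    return boto3.client("iam", aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


def bootstrap_role(iam, role_name: str, trust_policy_json: str,
                   policy_name: str, partition: str = "aws") -> str:
    """Create the role, tolerating re-delivered events (role already exists),
    then attach the managed policy. `iam` is anything with the boto3 IAM client
    surface (create_role, attach_role_policy, exceptions), so a fake can stand in."""
    validate_trust_policy(trust_policy_json)
    try:
        iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=trust_policy_json)
        action = "created"
    except iam.exceptions.EntityAlreadyExistsException:
        action = "exists"
    iam.attach_role_policy(RoleName=role_name,
                           PolicyArn=managed_policy_arn(partition, policy_name))
    return action
```

Calling `bootstrap_role(target_account_iam(account_id, assume_role_name), role_name, trust_policy_json, role_permission_policy)` from the handler maps the module's four required inputs onto the two AWS calls that matter.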
To set up and run tests against the Terraform configuration:

```shell
# Start up LocalStack, a mock AWS stack:
make localstack/up

# Run the tests:
make terraform/pytest

# Shut down LocalStack and clean up Docker images:
make localstack/clean
```
## Requirements

| Name | Version |
|---|---|
| terraform | >= 0.12 |

## Providers

| Name | Version |
|---|---|
| aws | n/a |
| random | n/a |

## Resources

| Name | Type |
|---|---|
| aws_iam_policy_document.lambda | data source |
| aws_partition.current | data source |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| assume_role_name | Name of the IAM role to assume in the target account (case sensitive) | string | n/a | yes |
| role_name | Name of the IAM role to create in the target account (case sensitive) | string | n/a | yes |
| role_permission_policy | AWS-managed permission policy name to attach to the role (case sensitive) | string | n/a | yes |
| trust_policy_json | JSON-formatted string containing the role trust policy | string | n/a | yes |
| log_level | Log level of the Lambda output, one of: debug, info, warning, error, critical | string | "info" | no |
| tags | Tags that are passed to resources | map(string) | {} | no |
## Outputs

| Name | Description |
|---|---|
| aws_cloudwatch_event_rule | The CloudWatch event rule object |
| aws_cloudwatch_event_target | The CloudWatch event target object |
| aws_lambda_permission_events | The Lambda permission object for CloudWatch event triggers |
| lambda | The Lambda module object |