iam-role

This module creates the following resources.

  • aws_iam_role
  • aws_iam_role_policy (optional)
  • aws_iam_role_policy_attachment (optional)
  • aws_iam_instance_profile (optional)

Notes

If possible, always use PGP encryption so that Terraform does not keep an unencrypted password or secret access key in the state file. The inputs of this module include no pgp_key and the module creates neither a login profile nor an access key (see the Resources list below); the note applies to modules in this repository that do.

Keybase

When pgp_key is specified as keybase:username, make sure that the user has already uploaded a public key to keybase.io. For example, the user with username test has done so, and you can verify it on that user's Keybase profile.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5 |
| aws | >= 3.45 |

Providers

| Name | Version |
|------|---------|
| aws | 5.24.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| resource_group | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |

Resources

| Name | Type |
|------|------|
| aws_iam_instance_profile.this | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy.assume_role | resource |
| aws_iam_role_policy.inline | resource |
| aws_iam_role_policy_attachment.managed | resource |
| aws_caller_identity.this | data source |
| aws_iam_policy_document.assume_role | data source |
| aws_iam_policy_document.trusted_entities | data source |
| aws_iam_policy_document.trusted_iam_entity_policies | data source |
| aws_iam_policy_document.trusted_oidc_provider_policies | data source |
| aws_iam_policy_document.trusted_saml_provider_policies | data source |
| aws_iam_policy_document.trusted_service_policies | data source |
| aws_partition.this | data source |

Inputs

Each input is listed with its description, type, default and whether it is required.

name
  (Required) Desired name for the IAM role.
  Type: string. Default: n/a. Required: yes.

assumable_roles
  (Optional) List of ARNs of IAM roles which can be assumed by this role.
  Type: list(string). Default: []. Required: no.

conditions
  (Optional) A list of required conditions to assume the role. Each item of conditions is defined below.
  (Required) key - The key to match a condition for when a policy is in effect.
  (Required) condition - The condition operator to match the condition keys and values in the policy against keys and values in the request context. Examples: StringEquals, StringLike.
  (Required) values - A list of allowed values of the key to match a condition with the condition operator.
  Type:
    list(object({
      key       = string
      condition = string
      values    = list(string)
    }))
  Default: []. Required: no.

description
  (Optional) The description of the role.
  Type: string. Default: "Managed by Terraform.". Required: no.

force_detach_policies
  (Optional) Whether to force-detach any policies the role has before destroying it. Defaults to false.
  Type: bool. Default: false. Required: no.

inline_policies
  (Optional) Map of inline IAM policies to attach to the IAM role (name => policy).
  Type: map(string). Default: {}. Required: no.

instance_profile
  (Optional) A configuration for the instance profile. instance_profile is defined below.
  (Optional) enabled - Whether to create an instance profile. Defaults to false.
  (Optional) name - The name of the instance profile. If omitted, Terraform will assign the same name as the role.
  (Optional) path - The path to the instance profile. Defaults to /.
  (Optional) tags - A map of tags to add to the instance profile.
  Type:
    object({
      enabled = optional(bool, false)
      name    = optional(string)
      path    = optional(string, "/")
      tags    = optional(map(string), {})
    })
  Default: {}. Required: no.

max_session_duration
  (Optional) Maximum session duration (in seconds) that you want to set for the specified role. Valid values range from 1 hour (3600) to 12 hours (43200). Defaults to 3600.
  Type: number. Default: 3600. Required: no.

module_tags_enabled
  (Optional) Whether to create AWS resource tags for the module information.
  Type: bool. Default: true. Required: no.

path
  (Optional) Desired path for the IAM role.
  Type: string. Default: "/". Required: no.

permissions_boundary
  (Optional) The ARN of the policy that is used to set the permissions boundary for the role.
  Type: string. Default: null. Required: no.

policies
  (Optional) List of ARNs of IAM policies to attach to the IAM role.
  Type: list(string). Default: []. Required: no.

resource_group_description
  (Optional) The description of the Resource Group.
  Type: string. Default: "Managed by Terraform.". Required: no.

resource_group_enabled
  (Optional) Whether to create a Resource Group to find and group AWS resources which are created by this module.
  Type: bool. Default: true. Required: no.

resource_group_name
  (Optional) The name of the Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with AWS or aws.
  Type: string. Default: "". Required: no.

tags
  (Optional) A map of tags to add to all resources.
  Type: map(string). Default: {}. Required: no.

trusted_iam_entity_policies
  (Optional) A configuration for trusted IAM entity policies. Each item of trusted_iam_entity_policies is defined below.
  (Required) iam_entities - A list of ARNs of AWS IAM entities which can assume the role.
  (Optional) conditions - A list of required conditions to assume the role via IAM entities.
    (Required) key - The key to match a condition for when a policy is in effect.
    (Required) condition - The condition operator to match the condition keys and values in the policy against keys and values in the request context. Examples: StringEquals, StringLike.
    (Required) values - A list of allowed values of the key to match a condition with the condition operator.
  (Optional) mfa - A configuration of the MFA requirement.
    (Optional) required - Whether to require MFA to assume the role. Defaults to false.
    (Optional) ttl - Maximum age of a valid MFA (in seconds) for roles which require MFA. Defaults to 86400 (24 hours).
  (Optional) effective_date - Allow assuming the IAM role only after a specific date and time.
  (Optional) expiration_date - Allow assuming the IAM role only before a specific date and time.
  (Optional) source_ip_whitelist - A list of source IP addresses or CIDRs from which the IAM role may be assumed.
  (Optional) source_ip_blacklist - A list of source IP addresses or CIDRs from which the IAM role may not be assumed.
  Type:
    list(object({
      iam_entities = list(string)
      conditions = optional(list(object({
        key       = string
        condition = string
        values    = list(string)
      })), [])
      mfa = optional(object({
        required = optional(bool, false)
        ttl      = optional(number, 24 * 60 * 60)
      }), {})
      effective_date      = optional(string)
      expiration_date     = optional(string)
      source_ip_whitelist = optional(list(string), [])
      source_ip_blacklist = optional(list(string), [])
    }))
  Default: []. Required: no.

trusted_oidc_provider_policies
  (Optional) A configuration for trusted OIDC identity provider policies. Each item of trusted_oidc_provider_policies is defined below.
  (Required) url - The URL of the OIDC identity provider. If the provider is not a common one, the corresponding IAM OIDC provider must be created beforehand. Supported common OIDC providers are accounts.google.com, cognito-identity.amazonaws.com, graph.facebook.com and www.amazon.com.
  (Optional) conditions - A list of required conditions to assume the role via OIDC providers.
    (Required) key - The OIDC key to match a condition for when a policy is in effect.
    (Required) condition - The condition operator to match the condition keys and values in the policy against keys and values in the request context. Examples: StringEquals, StringLike.
    (Required) values - A list of allowed values of the OIDC key to match a condition with the condition operator.
  (Optional) effective_date - Allow assuming the IAM role only after a specific date and time.
  (Optional) expiration_date - Allow assuming the IAM role only before a specific date and time.
  (Optional) source_ip_whitelist - A list of source IP addresses or CIDRs from which the IAM role may be assumed.
  (Optional) source_ip_blacklist - A list of source IP addresses or CIDRs from which the IAM role may not be assumed.
  Type:
    list(object({
      url = string
      conditions = optional(list(object({
        key       = string
        condition = string
        values    = list(string)
      })), [])
      effective_date      = optional(string)
      expiration_date     = optional(string)
      source_ip_whitelist = optional(list(string), [])
      source_ip_blacklist = optional(list(string), [])
    }))
  Default: []. Required: no.

trusted_saml_provider_policies
  (Optional) A configuration for trusted SAML identity provider policies. Each item of trusted_saml_provider_policies is defined below.
  (Required) name - The name of the SAML identity provider.
  (Optional) conditions - A list of required conditions to assume the role via SAML providers.
    (Required) key - The SAML key to match a condition for when a policy is in effect.
    (Required) condition - The condition operator to match the condition keys and values in the policy against keys and values in the request context. Examples: StringEquals, StringLike.
    (Required) values - A list of allowed values of the SAML key to match a condition with the condition operator.
  (Optional) effective_date - Allow assuming the IAM role only after a specific date and time.
  (Optional) expiration_date - Allow assuming the IAM role only before a specific date and time.
  (Optional) source_ip_whitelist - A list of source IP addresses or CIDRs from which the IAM role may be assumed.
  (Optional) source_ip_blacklist - A list of source IP addresses or CIDRs from which the IAM role may not be assumed.
  Type:
    list(object({
      name = string
      conditions = optional(list(object({
        key       = string
        condition = string
        values    = list(string)
      })), [])
      effective_date      = optional(string)
      expiration_date     = optional(string)
      source_ip_whitelist = optional(list(string), [])
      source_ip_blacklist = optional(list(string), [])
    }))
  Default: []. Required: no.

trusted_service_policies
  (Optional) A configuration for trusted service policies. Each item of trusted_service_policies is defined below.
  (Required) services - A list of AWS services that can assume the role.
  (Optional) conditions - A list of required conditions to assume the role via AWS services.
    (Required) key - The key to match a condition for when a policy is in effect.
    (Required) condition - The condition operator to match the condition keys and values in the policy against keys and values in the request context. Examples: StringEquals, StringLike.
    (Required) values - A list of allowed values of the key to match a condition with the condition operator.
  (Optional) effective_date - Allow assuming the IAM role only after a specific date and time.
  (Optional) expiration_date - Allow assuming the IAM role only before a specific date and time.
  (Optional) source_ip_whitelist - A list of source IP addresses or CIDRs from which the IAM role may be assumed.
  (Optional) source_ip_blacklist - A list of source IP addresses or CIDRs from which the IAM role may not be assumed.
  Type:
    list(object({
      services = list(string)
      conditions = optional(list(object({
        key       = string
        condition = string
        values    = list(string)
      })), [])
      effective_date      = optional(string)
      expiration_date     = optional(string)
      source_ip_whitelist = optional(list(string), [])
      source_ip_blacklist = optional(list(string), [])
    }))
  Default: []. Required: no.

trusted_session_tagging
  (Optional) A configuration of session tags in AWS STS. The trusted_session_tagging block is defined below.
  (Optional) enabled - Whether to enable session tagging. Defaults to true.
  (Optional) allowed_tags - A map of tag key/value pairs to limit the tag keys and values that can be used as session tags.
  (Optional) allowed_transitive_tag_keys - A set of tag keys to limit the maximum set of transitive tags.
  Type:
    object({
      enabled                     = optional(bool, true)
      allowed_tags                = optional(map(set(string)), {})
      allowed_transitive_tag_keys = optional(set(string), [])
    })
  Default: {}. Required: no.

trusted_source_identity
  (Optional) A configuration of source identity in AWS STS. The trusted_source_identity block is defined below.
  (Optional) enabled - Whether to enable the source identity configuration. Defaults to true.
  (Optional) allowed_identities - A set of identities to limit the maximum set of source identities.
  Type:
    object({
      enabled            = optional(bool, true)
      allowed_identities = optional(set(string), [])
    })
  Default: {}. Required: no.
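The following is an added usage example, not code from this README or from the module's repository, showing three of the trust patterns the inputs above describe: an OIDC-trusted CI role restricted to one repository and branch, a cross-account vendor role guarded by sts:ExternalId and a source-IP allow list, and a break-glass role that requires recent MFA and a source identity. Assumptions: the module is published at the registry path tedilabs/iam/aws//modules/iam-role with a version matching "~> 0.30"; the GitHub OIDC provider already exists in the account (the README requires this for providers it does not list as common); the OIDC url is given without a scheme, as the README lists the common providers; the account id, repository, vendor account, policy ARNs, CIDR and external id are placeholders.

```hcl
# Added example, not part of the module's README or source. Assumed: registry
# path and version below, an existing GitHub OIDC provider in the account, and
# placeholder account ids, ARNs, repository name, CIDR and external id.

terraform {
  required_version = ">= 1.5"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.45"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

data "aws_caller_identity" "current" {}

# 1. CI deploy role. Without the `sub` condition, a token minted for any
#    GitHub repository would satisfy the trust policy.
module "github_deploy_role" {
  source  = "tedilabs/iam/aws//modules/iam-role" # assumed registry path
  version = "~> 0.30"                            # assumed

  name                 = "payments-api-github-deploy"
  path                 = "/ci/"
  max_session_duration = 3600
  # Boundary caps what the role can ever be granted, even if `policies` grows.
  permissions_boundary = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/ci-boundary"
  policies             = ["arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"]

  trusted_oidc_provider_policies = [{
    url = "token.actions.githubusercontent.com"
    conditions = [
      {
        key       = "token.actions.githubusercontent.com:aud"
        condition = "StringEquals"
        values    = ["sts.amazonaws.com"]
      },
      {
        key       = "token.actions.githubusercontent.com:sub"
        condition = "StringEquals"
        values    = ["repo:example-org/payments-api:ref:refs/heads/main"]
      },
    ]
    expiration_date = "2025-12-31T23:59:59Z" # trust is time-boxed; renew deliberately
  }]
}

# 2. Cross-account role for a vendor. sts:ExternalId is the confused-deputy
#    guard for third-party access; the source-IP allow list narrows it further.
module "vendor_audit_role" {
  source  = "tedilabs/iam/aws//modules/iam-role"
  version = "~> 0.30"

  name     = "vendor-security-audit"
  policies = ["arn:aws:iam::aws:policy/SecurityAudit"]

  trusted_iam_entity_policies = [{
    iam_entities = ["arn:aws:iam::999999999999:role/collector"] # vendor account (placeholder)
    conditions = [{
      key       = "sts:ExternalId"
      condition = "StringEquals"
      values    = ["3f9c1d2e-example-external-id"]
    }]
    source_ip_whitelist = ["203.0.113.0/24"]
  }]
}

# 3. Break-glass admin role for humans in this account: any principal in the
#    account may try, but only with MFA performed in the last hour, and only
#    with one of the allowed source identities so sessions are attributable.
module "break_glass_role" {
  source  = "tedilabs/iam/aws//modules/iam-role"
  version = "~> 0.30"

  name                 = "break-glass-admin"
  max_session_duration = 3600
  policies             = ["arn:aws:iam::aws:policy/AdministratorAccess"]

  trusted_iam_entity_policies = [{
    iam_entities = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    mfa = {
      required = true
      ttl      = 3600
    }
  }]

  trusted_source_identity = {
    enabled            = true
    allowed_identities = ["alice", "bob"]
  }
}

output "github_deploy_role_arn" {
  value = module.github_deploy_role.arn
}
```

After `terraform apply`, read back the rendered trust policy with `aws iam get-role --role-name payments-api-github-deploy --query Role.AssumeRolePolicyDocument` and confirm that every statement carries the conditions you expect; a missing `sub` condition on the OIDC statement or a missing `sts:ExternalId` on the vendor statement is the kind of gap that turns a scoped role into a public one. Two caveats on the inputs used here: the aws:SourceIp key behind source_ip_whitelist is not populated for requests that arrive through a VPC endpoint (those carry aws:VpcSourceIp) or that an AWS service makes on the caller's behalf, so an IP allow list is a narrowing control rather than the primary guard; and trusting the account root principal, as the break-glass role does, means any identity in the account with sts:AssumeRole permission can attempt the assumption, so the MFA and source-identity conditions are what actually bound it.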

Outputs

arn
  The ARN assigned by AWS for this role.

assumable_roles
  List of ARNs of IAM roles which members of this IAM role can assume.

description
  The description of the role.

inline_policies
  List of names of inline IAM policies which are attached to the IAM role.

instance_profile
  The instance profile associated with the IAM role, with the following attributes:
  id - The instance profile's ID.
  arn - The ARN assigned by AWS for the instance profile.
  name - The name of the instance profile.
  path - The path to the instance profile.
  created_at - Creation timestamp of the instance profile.

name
  IAM role name.

policies
  List of ARNs of IAM policies which are attached to the IAM role.

unique_id
  The unique ID assigned by AWS.