This module creates the following resources.

- aws_iam_role
- aws_iam_role_policy
- aws_iam_role_policy_attachment (optional)
- aws_iam_instance_profile (optional)
If possible, always use PGP encryption to prevent Terraform from keeping an unencrypted password and secret access key in the state file. When `pgp_key` is specified as `keybase:username`, make sure that the user has already uploaded a public key to keybase.io. For example, the user with username `test` has done it properly and you can verify it here.
| Name | Version |
|---|---|
| terraform | >= 1.5 |
| aws | >= 3.45 |

| Name | Version |
|---|---|
| aws | 5.24.0 |

| Name | Source | Version |
|---|---|---|
| resource_group | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |

| Name | Type |
|---|---|
| aws_iam_instance_profile.this | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy.assume_role | resource |
| aws_iam_role_policy.inline | resource |
| aws_iam_role_policy_attachment.managed | resource |
| aws_caller_identity.this | data source |
| aws_iam_policy_document.assume_role | data source |
| aws_iam_policy_document.trusted_entities | data source |
| aws_iam_policy_document.trusted_iam_entity_policies | data source |
| aws_iam_policy_document.trusted_oidc_provider_policies | data source |
| aws_iam_policy_document.trusted_saml_provider_policies | data source |
| aws_iam_policy_document.trusted_service_policies | data source |
| aws_partition.this | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| name | (Required) Desired name for the IAM role. | string | n/a | yes |
| assumable_roles | (Optional) List of IAM role ARNs which can be assumed by the role. | list(string) | [] | no |
| conditions | (Required) A list of required conditions to assume the role. Each item of conditions is defined below.<br>- (Required) key - The key to match a condition for when a policy is in effect.<br>- (Required) condition - The condition operator to match the condition keys and values in the policy against keys and values in the request context. Examples: `StringEquals`, `StringLike`.<br>- (Required) values - A list of allowed values of the key to match a condition with the condition operator. | list(object({...})) | [] | no |
| description | (Optional) The description of the role. | string | "Managed by Terraform." | no |
| force_detach_policies | (Optional) Whether to force detaching any policies the role has before destroying it. Defaults to `false`. | bool | false | no |
| inline_policies | (Optional) Map of inline IAM policies to attach to the IAM role (name => policy). | map(string) | {} | no |
| instance_profile | (Optional) A configuration for the instance profile. instance_profile is defined below.<br>- (Optional) enabled - Whether to create the instance profile. Defaults to `false`.<br>- (Optional) name - The name of the instance profile. If omitted, Terraform will assign the same name as the role.<br>- (Optional) path - The path to the instance profile. Defaults to `/`.<br>- (Optional) tags - A map of tags to add to the instance profile. | object({...}) | {} | no |
| max_session_duration | (Optional) Maximum session duration (in seconds) that you want to set for the specified role. Valid values range from 1 hour (`3600`) to 12 hours (`43200`). Defaults to `3600`. | number | 3600 | no |
| module_tags_enabled | (Optional) Whether to create AWS Resource Tags for the module information. | bool | true | no |
| path | (Optional) Desired path for the IAM role. | string | "/" | no |
| permissions_boundary | (Optional) The ARN of the policy that is used to set the permissions boundary for the role. | string | null | no |
| policies | (Optional) List of IAM policy ARNs to attach to the IAM role. | list(string) | [] | no |
| resource_group_description | (Optional) The description of the Resource Group. | string | "Managed by Terraform." | no |
| resource_group_enabled | (Optional) Whether to create a Resource Group to find and group AWS resources which are created by this module. | bool | true | no |
| resource_group_name | (Optional) The name of the Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | string | "" | no |
| tags | (Optional) A map of tags to add to all resources. | map(string) | {} | no |
| trusted_iam_entity_policies | (Optional) A configuration for trusted IAM entity policies. Each item of trusted_iam_entity_policies is defined below.<br>- (Required) iam_entities - A list of ARNs of AWS IAM entities who can assume the role.<br>- (Optional) conditions - A list of required conditions to assume the role via IAM entities.<br>&nbsp;&nbsp;- (Required) key - The key to match a condition for when a policy is in effect.<br>&nbsp;&nbsp;- (Required) condition - The condition operator to match the condition keys and values in the policy against keys and values in the request context. Examples: `StringEquals`, `StringLike`.<br>&nbsp;&nbsp;- (Required) values - A list of allowed values of the key to match a condition with the condition operator.<br>- (Optional) mfa - A configuration of the MFA requirement.<br>&nbsp;&nbsp;- (Optional) required - Whether to require MFA to assume the role. Defaults to `false`.<br>&nbsp;&nbsp;- (Optional) ttl - Max age of valid MFA (in seconds) for roles which require MFA. Defaults to `86400` (24 hours).<br>- (Optional) effective_date - Allow assuming the IAM role only after a specific date and time.<br>- (Optional) expiration_date - Allow assuming the IAM role only before a specific date and time.<br>- (Optional) source_ip_whitelist - A list of source IP addresses or CIDRs allowed to assume the IAM role from.<br>- (Optional) source_ip_blacklist - A list of source IP addresses or CIDRs not allowed to assume the IAM role from. | list(object({...})) | [] | no |
| trusted_oidc_provider_policies | (Optional) A configuration for trusted OIDC identity provider policies. Each item of trusted_oidc_provider_policies is defined below.<br>- (Required) url - The URL of the OIDC identity provider. If the provider is not a common one, the corresponding IAM OIDC Provider must be created beforehand. Supported common OIDC providers are `accounts.google.com`, `cognito-identity.amazonaws.com`, `graph.facebook.com`, `www.amazon.com`.<br>- (Optional) conditions - A list of required conditions to assume the role via OIDC providers.<br>&nbsp;&nbsp;- (Required) key - The OIDC key to match a condition for when a policy is in effect.<br>&nbsp;&nbsp;- (Required) condition - The condition operator to match the condition keys and values in the policy against keys and values in the request context. Examples: `StringEquals`, `StringLike`.<br>&nbsp;&nbsp;- (Required) values - A list of allowed values of the OIDC key to match a condition with the condition operator.<br>- (Optional) effective_date - Allow assuming the IAM role only after a specific date and time.<br>- (Optional) expiration_date - Allow assuming the IAM role only before a specific date and time.<br>- (Optional) source_ip_whitelist - A list of source IP addresses or CIDRs allowed to assume the IAM role from.<br>- (Optional) source_ip_blacklist - A list of source IP addresses or CIDRs not allowed to assume the IAM role from. | list(object({...})) | [] | no |
| trusted_saml_provider_policies | (Optional) A configuration for trusted SAML identity provider policies. Each item of trusted_saml_provider_policies is defined below.<br>- (Required) name - The name of the SAML identity provider.<br>- (Optional) conditions - A list of required conditions to assume the role via SAML providers.<br>&nbsp;&nbsp;- (Required) key - The SAML key to match a condition for when a policy is in effect.<br>&nbsp;&nbsp;- (Required) condition - The condition operator to match the condition keys and values in the policy against keys and values in the request context. Examples: `StringEquals`, `StringLike`.<br>&nbsp;&nbsp;- (Required) values - A list of allowed values of the SAML key to match a condition with the condition operator.<br>- (Optional) effective_date - Allow assuming the IAM role only after a specific date and time.<br>- (Optional) expiration_date - Allow assuming the IAM role only before a specific date and time.<br>- (Optional) source_ip_whitelist - A list of source IP addresses or CIDRs allowed to assume the IAM role from.<br>- (Optional) source_ip_blacklist - A list of source IP addresses or CIDRs not allowed to assume the IAM role from. | list(object({...})) | [] | no |
| trusted_service_policies | (Optional) A configuration for trusted service policies. Each item of trusted_service_policies is defined below.<br>- (Required) services - A list of AWS services that can assume the role.<br>- (Optional) conditions - A list of required conditions to assume the role via AWS services.<br>&nbsp;&nbsp;- (Required) key - The key to match a condition for when a policy is in effect.<br>&nbsp;&nbsp;- (Required) condition - The condition operator to match the condition keys and values in the policy against keys and values in the request context. Examples: `StringEquals`, `StringLike`.<br>&nbsp;&nbsp;- (Required) values - A list of allowed values of the key to match a condition with the condition operator.<br>- (Optional) effective_date - Allow assuming the IAM role only after a specific date and time.<br>- (Optional) expiration_date - Allow assuming the IAM role only before a specific date and time.<br>- (Optional) source_ip_whitelist - A list of source IP addresses or CIDRs allowed to assume the IAM role from.<br>- (Optional) source_ip_blacklist - A list of source IP addresses or CIDRs not allowed to assume the IAM role from. | list(object({...})) | [] | no |
| trusted_session_tagging | (Optional) A configuration of session tags in AWS STS. The trusted_session_tagging block is defined below.<br>- (Optional) enabled - Whether to enable session tagging. Defaults to `true`.<br>- (Optional) allowed_tags - A map of tag key/value pairs to limit the tag keys and values that can be used as session tags.<br>- (Optional) allowed_transitive_tag_keys - A set of tag keys to limit the maximum set of transitive tags. | object({...}) | {} | no |
| trusted_source_identity | (Optional) A configuration of source identity in AWS STS. The trusted_source_identity block is defined below.<br>- (Optional) enabled - Whether to enable source identity configuration. Defaults to `true`.<br>- (Optional) allowed_identities - A set of identities to limit the maximum set of source identities. | object({...}) | {} | no |
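The following is an added usage example written for this page, not code from the module itself: a deploy role whose trust policy combines the `trusted_iam_entity_policies` MFA, source-IP and expiration controls with a `trusted_oidc_provider_policies` entry for a CI identity. It assumes a placeholder module source, constructed account IDs, ARNs, CIDR and repository names, that `url` is given with its scheme, and that `key` is written as the full IAM condition key (`<provider-host>:<claim>`); check the module's OIDC policy document for whether it prepends the provider host itself.

```hcl
# Added example; not from the module's docs. Account id, ARNs, CIDR and repo
# are constructed values; the module source is a placeholder.
module "deploy_role" {
  source = "./modules/role" # placeholder, replace with the module's real source

  name                 = "app-deploy"
  description          = "Deploy role: operators with fresh MFA, or the CI OIDC identity."
  max_session_duration = 3600
  permissions_boundary = "arn:aws:iam::111122223333:policy/DeveloperBoundary"

  # Human operators: only from the office range, only with MFA issued within
  # the last hour, and only until the next access review.
  trusted_iam_entity_policies = [
    {
      iam_entities = ["arn:aws:iam::111122223333:role/Operators"]
      mfa = {
        required = true
        ttl      = 3600 # tighter than the 86400 default
      }
      source_ip_whitelist = ["203.0.113.0/24"]
      expiration_date     = "2025-12-31T23:59:59Z"
    },
  ]

  # CI workload: this URL is not a common provider, so its IAM OIDC provider
  # must exist first. Pin audience and subject so only one branch of one
  # repository can assume the role (assumed: keys are full IAM condition keys).
  trusted_oidc_provider_policies = [
    {
      url = "https://token.actions.githubusercontent.com"
      conditions = [
        {
          key       = "token.actions.githubusercontent.com:aud"
          condition = "StringEquals"
          values    = ["sts.amazonaws.com"]
        },
        {
          key       = "token.actions.githubusercontent.com:sub"
          condition = "StringLike"
          values    = ["repo:example-org/example-app:ref:refs/heads/main"]
        },
      ]
    },
  ]

  policies = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
}
```

After `terraform plan`, review the generated `aws_iam_policy_document.trusted_entities` output to confirm each statement carries the MFA, IP and date conditions you expect before applying.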
| Name | Description |
|---|---|
| arn | The ARN assigned by AWS for this role. |
| assumable_roles | List of ARNs of IAM roles which members of the IAM role can assume. |
| description | The description of the role. |
| inline_policies | List of names of inline IAM policies which are attached to the IAM role. |
| instance_profile | The instance profile associated with the IAM role.<br>- id - The instance profile's ID.<br>- arn - The ARN assigned by AWS for the instance profile.<br>- name - The name of the instance profile.<br>- path - The path to the instance profile.<br>- created_at - Creation timestamp of the instance profile. |
| name | IAM role name. |
| policies | List of ARNs of IAM policies which are attached to the IAM role. |
| unique_id | The unique ID assigned by AWS. |