Creates a single IAM role that can be assumed by trusted principals.
Trusted principals can be any IAM ARNs (typically AWS accounts, roles and users) or AWS service principals. Assumption can additionally be gated on MFA (with a maximum MFA age) or, for principals that cannot present MFA, on an STS ExternalId condition.
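Two typical instantiations of the module, as an added example that is not part of this README or the module's own code. The module `source` path, the account IDs, the policy and boundary ARNs and the ExternalId value are placeholders (assumptions), not values taken from this page. Note that `create_role` defaults to `false`, so nothing is created unless it is set explicitly:

```hcl
# Added example; the source path, account IDs, ARNs and ExternalId below are placeholders.

# Human operator role: assumable only by principals in the trusted account that
# authenticated with MFA within the last hour (mfa_age tightened from the 86400 s default).
# ReadOnlyAccess is attached through the module's built-in toggle.
module "readonly_operator" {
  source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" # assumed source path

  create_role = true # default is false; the module creates nothing without this
  role_name   = "readonly-operator"

  trusted_role_arns = [
    "arn:aws:iam::111111111111:root", # placeholder trusted account
  ]

  role_requires_mfa = true # default, stated explicitly
  mfa_age           = 3600

  attach_readonly_policy = true
  max_session_duration   = 3600

  tags = { owner = "security" }
}

# Cross-account role for third-party automation: the vendor cannot present MFA,
# so the trust policy is gated on an ExternalId instead (confused-deputy protection),
# the attached permissions are limited to one custom policy, and the role is fenced
# by a permissions boundary so it can never exceed what the boundary allows.
module "vendor_scanner" {
  source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" # assumed source path

  create_role = true
  role_name   = "vendor-scanner"

  trusted_role_arns = [
    "arn:aws:iam::222222222222:role/scanner", # placeholder vendor principal
  ]

  role_requires_mfa   = false
  role_sts_externalid = ["replace-with-vendor-supplied-unique-id"] # placeholder

  custom_role_policy_arns           = ["arn:aws:iam::123456789012:policy/ScannerReadOnly"] # placeholder
  number_of_custom_role_policy_arns = 1
  role_permissions_boundary_arn     = "arn:aws:iam::123456789012:policy/VendorBoundary" # placeholder

  force_detach_policies = true
}

output "vendor_scanner_role_arn" {
  value = module.vendor_scanner.iam_role_arn
}
```

The ExternalId is not a credential: its purpose is to stop a confused-deputy attack where the vendor is tricked into assuming a role in the wrong customer's account, so it should be unique per customer and supplied by the party that will assume the role. Trusting an account `root` ARN (first role) delegates the decision of who may assume the role to that account's own IAM policies, which is why the MFA condition is kept on; a narrower `trusted_role_arns` entry (a specific role or user) is preferable where the calling principal is known.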
## Requirements

Name | Version |
---|---|
terraform | >= 1.0 |
aws | >= 4.0 |
## Providers

Name | Version |
---|---|
aws | >= 4.0 |
## Modules

No modules.
## Resources

Name | Type |
---|---|
aws_iam_instance_profile.this | resource |
aws_iam_role.this | resource |
aws_iam_role_policy_attachment.admin | resource |
aws_iam_role_policy_attachment.custom | resource |
aws_iam_role_policy_attachment.poweruser | resource |
aws_iam_role_policy_attachment.readonly | resource |
aws_caller_identity.current | data source |
aws_iam_policy_document.assume_role | data source |
aws_iam_policy_document.assume_role_with_mfa | data source |
aws_partition.current | data source |
## Inputs

Name | Description | Type | Default | Required |
---|---|---|---|---|
admin_role_policy_arn | Policy ARN to use for the admin role | string | "arn:aws:iam::aws:policy/AdministratorAccess" | no |
allow_self_assume_role | Whether to allow the role to assume itself | bool | false | no |
attach_admin_policy | Whether to attach the admin policy to the role | bool | false | no |
attach_poweruser_policy | Whether to attach the poweruser policy to the role | bool | false | no |
attach_readonly_policy | Whether to attach the readonly policy to the role | bool | false | no |
create_instance_profile | Whether to create an instance profile for the role | bool | false | no |
create_role | Whether to create the role | bool | false | no |
custom_role_policy_arns | List of ARNs of IAM policies to attach to the role | list(string) | [] | no |
custom_role_trust_policy | A custom role trust policy | string | "" | no |
force_detach_policies | Whether policies should be detached from this role when it is destroyed | bool | false | no |
max_session_duration | Maximum CLI/API session duration in seconds, between 3600 and 43200 | number | 3600 | no |
mfa_age | Maximum age (in seconds) of a valid MFA authentication for roles that require MFA | number | 86400 | no |
number_of_custom_role_policy_arns | Number of IAM policies to attach to the role | number | null | no |
poweruser_role_policy_arn | Policy ARN to use for the poweruser role | string | "arn:aws:iam::aws:policy/PowerUserAccess" | no |
readonly_role_policy_arn | Policy ARN to use for the readonly role | string | "arn:aws:iam::aws:policy/ReadOnlyAccess" | no |
role_description | IAM role description | string | "" | no |
role_name | IAM role name | string | "" | no |
role_name_prefix | IAM role name prefix | string | null | no |
role_path | Path of the IAM role | string | "/" | no |
role_permissions_boundary_arn | Permissions boundary ARN to use for the IAM role | string | "" | no |
role_requires_mfa | Whether the role requires MFA | bool | true | no |
role_sts_externalid | STS ExternalId condition values to use with the role (when MFA is not required) | any | [] | no |
tags | A map of tags to add to IAM role resources | map(string) | {} | no |
trusted_role_actions | STS actions the trusted principals are allowed to call (the trust policy's Action list) | list(string) | [ | no |
trusted_role_arns | ARNs of AWS entities that can assume this role | list(string) | [] | no |
trusted_role_services | AWS services that can assume this role | list(string) | [] | no |
## Outputs

Name | Description |
---|---|
iam_instance_profile_arn | ARN of the IAM instance profile |
iam_instance_profile_id | ID of the IAM instance profile |
iam_instance_profile_name | Name of the IAM instance profile |
iam_instance_profile_path | Path of the IAM instance profile |
iam_role_arn | ARN of the IAM role |
iam_role_name | Name of the IAM role |
iam_role_path | Path of the IAM role |
iam_role_unique_id | Unique ID of the IAM role |
role_requires_mfa | Whether the IAM role requires MFA |
role_sts_externalid | STS ExternalId condition value(s) used with the role |