Creates predefined IAM roles (admin, poweruser and readonly) which can be assumed by trusted resources using SAML Federated Users.
Creating IAM SAML Identity Providers Enabling SAML 2.0 Federated Users to Access the AWS Management Console
| Name | Version |
|---|---|
| terraform | >= 1.0 |
| aws | >= 4.0 |
| Name | Version |
|---|---|
| aws | >= 4.0 |
No modules.
| Name | Type |
|---|---|
| aws_iam_role.admin | resource |
| aws_iam_role.poweruser | resource |
| aws_iam_role.readonly | resource |
| aws_iam_role_policy_attachment.admin | resource |
| aws_iam_role_policy_attachment.poweruser | resource |
| aws_iam_role_policy_attachment.readonly | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.assume_role_with_saml | data source |
| aws_partition.current | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| admin_role_name | IAM role with admin access | string |
"admin" |
no |
| admin_role_path | Path of admin IAM role | string |
"/" |
no |
| admin_role_permissions_boundary_arn | Permissions boundary ARN to use for admin role | string |
"" |
no |
| admin_role_policy_arns | List of policy ARNs to use for admin role | list(string) |
[ |
no |
| admin_role_tags | A map of tags to add to admin role resource. | map(string) |
{} |
no |
| allow_self_assume_role | Determines whether to allow the role to be assume itself | bool |
false |
no |
| aws_saml_endpoint | AWS SAML Endpoint | string |
"https://signin.aws.amazon.com/saml" |
no |
| create_admin_role | Whether to create admin role | bool |
false |
no |
| create_poweruser_role | Whether to create poweruser role | bool |
false |
no |
| create_readonly_role | Whether to create readonly role | bool |
false |
no |
| force_detach_policies | Whether policies should be detached from this role when destroying | bool |
false |
no |
| max_session_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | number |
3600 |
no |
| poweruser_role_name | IAM role with poweruser access | string |
"poweruser" |
no |
| poweruser_role_path | Path of poweruser IAM role | string |
"/" |
no |
| poweruser_role_permissions_boundary_arn | Permissions boundary ARN to use for poweruser role | string |
"" |
no |
| poweruser_role_policy_arns | List of policy ARNs to use for poweruser role | list(string) |
[ |
no |
| poweruser_role_tags | A map of tags to add to poweruser role resource. | map(string) |
{} |
no |
| provider_id | ID of the SAML Provider. Use provider_ids to specify several IDs. | string |
"" |
no |
| provider_ids | List of SAML Provider IDs | list(string) |
[] |
no |
| readonly_role_name | IAM role with readonly access | string |
"readonly" |
no |
| readonly_role_path | Path of readonly IAM role | string |
"/" |
no |
| readonly_role_permissions_boundary_arn | Permissions boundary ARN to use for readonly role | string |
"" |
no |
| readonly_role_policy_arns | List of policy ARNs to use for readonly role | list(string) |
[ |
no |
| readonly_role_tags | A map of tags to add to readonly role resource. | map(string) |
{} |
no |
| Name | Description |
|---|---|
| admin_iam_role_arn | ARN of admin IAM role |
| admin_iam_role_name | Name of admin IAM role |
| admin_iam_role_path | Path of admin IAM role |
| admin_iam_role_unique_id | Unique ID of IAM role |
| poweruser_iam_role_arn | ARN of poweruser IAM role |
| poweruser_iam_role_name | Name of poweruser IAM role |
| poweruser_iam_role_path | Path of poweruser IAM role |
| poweruser_iam_role_unique_id | Unique ID of IAM role |
| readonly_iam_role_arn | ARN of readonly IAM role |
| readonly_iam_role_name | Name of readonly IAM role |
| readonly_iam_role_path | Path of readonly IAM role |
| readonly_iam_role_unique_id | Unique ID of IAM role |