# iam-assumable-roles

Creates predefined IAM roles (admin, poweruser and readonly) which can be assumed by trusted resources.

Trusted resources can be any IAM ARNs - typically, AWS accounts and users.

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0 |
| aws | >= 4.0 |

## Providers

| Name | Version |
|------|---------|
| aws | >= 4.0 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| aws_iam_role.admin | resource |
| aws_iam_role.poweruser | resource |
| aws_iam_role.readonly | resource |
| aws_iam_role_policy_attachment.admin | resource |
| aws_iam_role_policy_attachment.poweruser | resource |
| aws_iam_role_policy_attachment.readonly | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.assume_role | data source |
| aws_iam_policy_document.assume_role_with_mfa | data source |
| aws_partition.current | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| admin_role_name | IAM role with admin access | string | "admin" | no |
| admin_role_path | Path of admin IAM role | string | "/" | no |
| admin_role_permissions_boundary_arn | Permissions boundary ARN to use for admin role | string | "" | no |
| admin_role_policy_arns | List of policy ARNs to use for admin role | list(string) | ["arn:aws:iam::aws:policy/AdministratorAccess"] | no |
| admin_role_requires_mfa | Whether admin role requires MFA | bool | true | no |
| admin_role_tags | A map of tags to add to admin role resource. | map(string) | {} | no |
| allow_self_assume_role | Determines whether to allow the role to assume itself | bool | false | no |
| create_admin_role | Whether to create admin role | bool | false | no |
| create_poweruser_role | Whether to create poweruser role | bool | false | no |
| create_readonly_role | Whether to create readonly role | bool | false | no |
| force_detach_policies | Whether policies should be detached from this role when it is destroyed | bool | false | no |
| max_session_duration | Maximum CLI/API session duration in seconds, between 3600 and 43200 | number | 3600 | no |
| mfa_age | Max age of valid MFA (in seconds) for roles which require MFA | number | 86400 | no |
| poweruser_role_name | IAM role with poweruser access | string | "poweruser" | no |
| poweruser_role_path | Path of poweruser IAM role | string | "/" | no |
| poweruser_role_permissions_boundary_arn | Permissions boundary ARN to use for poweruser role | string | "" | no |
| poweruser_role_policy_arns | List of policy ARNs to use for poweruser role | list(string) | ["arn:aws:iam::aws:policy/PowerUserAccess"] | no |
| poweruser_role_requires_mfa | Whether poweruser role requires MFA | bool | true | no |
| poweruser_role_tags | A map of tags to add to poweruser role resource. | map(string) | {} | no |
| readonly_role_name | IAM role with readonly access | string | "readonly" | no |
| readonly_role_path | Path of readonly IAM role | string | "/" | no |
| readonly_role_permissions_boundary_arn | Permissions boundary ARN to use for readonly role | string | "" | no |
| readonly_role_policy_arns | List of policy ARNs to use for readonly role | list(string) | ["arn:aws:iam::aws:policy/ReadOnlyAccess"] | no |
| readonly_role_requires_mfa | Whether readonly role requires MFA | bool | true | no |
| readonly_role_tags | A map of tags to add to readonly role resource. | map(string) | {} | no |
| trusted_role_arns | ARNs of AWS entities that can assume these roles | list(string) | [] | no |
| trusted_role_services | AWS services that can assume these roles | list(string) | [] | no |
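The following is an added usage example, not part of the module's own README: it wires the submodule up so that the admin and readonly roles of the current account can only be assumed from a separate identity account, with MFA no older than one hour, and it renders the matching `sts:AssumeRole` policy that the identity account would attach to its people. The module `source`/`version`, the `111111111111` account id, the `PLACEHOLDER-boundary` policy name, the region and the tag values are assumptions or placeholders; the inputs and outputs used are the ones documented above.

```hcl
# Added example; not the module's own code. Assumptions: the module is consumed
# from the terraform-aws-modules registry path below, the identity account id
# and boundary policy name are placeholders.

provider "aws" {
  region = "us-east-1" # assumption: IAM is global, region only matters for the provider
}

data "aws_caller_identity" "current" {}

locals {
  identity_account_id = "111111111111" # placeholder: account that holds the human IAM users
}

module "assumable_roles" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-roles"
  version = "~> 5.0" # assumption: a release satisfying terraform >= 1.0 / aws >= 4.0

  # Trust only the identity account; who inside it may assume the role is
  # decided there, not here.
  trusted_role_arns = [
    "arn:aws:iam::${local.identity_account_id}:root",
  ]

  create_admin_role     = true
  create_readonly_role  = true
  create_poweruser_role = false

  # Both roles keep the MFA requirement; the accepted MFA age is tightened
  # from the 86400 s default to one hour, and sessions are capped at the minimum.
  admin_role_requires_mfa    = true
  readonly_role_requires_mfa = true
  mfa_age                    = 3600
  max_session_duration       = 3600

  # A permissions boundary caps the admin role even though it carries
  # AdministratorAccess (placeholder policy name).
  admin_role_permissions_boundary_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/PLACEHOLDER-boundary"

  # No change to the roles' own policies after creation should be left behind
  # on destroy.
  force_detach_policies = true

  admin_role_tags    = { Owner = "platform-security" } # placeholder tag value
  readonly_role_tags = { Owner = "platform-security" } # placeholder tag value
}

# Policy for the identity account side: grants sts:AssumeRole on the created
# roles only, and repeats the MFA condition so a denied attempt fails in the
# caller's own account before it reaches the trust policy.
data "aws_iam_policy_document" "identity_side_assume" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    resources = [
      module.assumable_roles.admin_iam_role_arn,
      module.assumable_roles.readonly_iam_role_arn,
    ]
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

output "admin_iam_role_arn" {
  value = module.assumable_roles.admin_iam_role_arn
}

output "readonly_iam_role_arn" {
  value = module.assumable_roles.readonly_iam_role_arn
}

# JSON to attach, in the identity account, to the group allowed to switch roles.
output "identity_side_assume_policy_json" {
  value = data.aws_iam_policy_document.identity_side_assume.json
}
```

Run `terraform plan` in a directory containing this file; the plan should show three IAM resources per created role (`aws_iam_role` plus its `aws_iam_role_policy_attachment`) and the rendered policy JSON as an output. Keeping `mfa_age` and `max_session_duration` short limits how long a stolen session or a stale MFA can be reused, and the permissions boundary is the control that survives even if `admin_role_policy_arns` is later widened.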

## Outputs

| Name | Description |
|------|-------------|
| admin_iam_role_arn | ARN of admin IAM role |
| admin_iam_role_name | Name of admin IAM role |
| admin_iam_role_path | Path of admin IAM role |
| admin_iam_role_requires_mfa | Whether admin IAM role requires MFA |
| admin_iam_role_unique_id | Unique ID of admin IAM role |
| poweruser_iam_role_arn | ARN of poweruser IAM role |
| poweruser_iam_role_name | Name of poweruser IAM role |
| poweruser_iam_role_path | Path of poweruser IAM role |
| poweruser_iam_role_requires_mfa | Whether poweruser IAM role requires MFA |
| poweruser_iam_role_unique_id | Unique ID of poweruser IAM role |
| readonly_iam_role_arn | ARN of readonly IAM role |
| readonly_iam_role_name | Name of readonly IAM role |
| readonly_iam_role_path | Path of readonly IAM role |
| readonly_iam_role_requires_mfa | Whether readonly IAM role requires MFA |
| readonly_iam_role_unique_id | Unique ID of readonly IAM role |