Skip to content
This repository has been archived by the owner on Dec 31, 2020. It is now read-only.
/ terraform-aws-iam-roles Public archive

This Terraform module creates an arbitrary number of IAM roles and policies/trusts to attach.

License

MIT license
2 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

cytopia/terraform-aws-iam-roles

BranchesTags

Repository files navigation

Terraform module: AWS IAM

Build Status Tag Terraform License

This Terraform module can create an arbitrary number of IAM users, roles and policies. Roles can additionally be created with inline policies or policy ARN's attached and with trusted entities defined as JSON or templatable json files files. Users can also additionally be created with inline policies or policy ARN's attached as well as their access key rotation can be fully managed.

Deprecation Warning

This repository is deprecated as all IAM features have been integrated into: github.com/cytopia/terraform-aws-iam

Important note

When creating an IAM user with an Inactive access key it is initially created with access key set to Active. You will have to run it a second time in order to deactivate the access key. This is either an issue with the terraform resource aws_iam_access_key or with the AWS api itself.

Usage

Assumeable roles

module "iam_roles" {
  source = "github.com/cytopia/terraform-aws-iam-roles?ref=v2.0.0"

  # List of policies to create
  policies = [
    {
      name = "ro-billing"
      path = "/assume/human/"
      desc = "Provides read-only access to billing"
      file = "policies/ro-billing.json"
      vars = {}
    },
  ]

  # List of users to manage
  users = [
    {
      name                 = "admin"
      path                 = null
      access_keys          = []
      permissions_boundary = null
      policies             = []
      inline_policies      = []
      policy_arns = [
        "arn:aws:iam::aws:policy/AdministratorAccess",
      ]
    },
    {
      name        = "developer"
      path        = null
      access_keys = [
        {
          name    = "key-1"
          pgp_key = ""
          status  = "Active"
        }
      ]
      permissions_boundary = "arn:aws:iam::aws:policy/PowerUserAccess"
      policies    = [
        "rds-authenticate",
      ]
      inline_policies = []
      policy_arns     = []
    },
  ]

  # List of roles to manage
  roles = [
    {
      name                 = "ROLE-ADMIN"
      path                 = ""
      desc                 = ""
      trust_policy_file    = "trust-policies/admin.json"
      permissions_boundary = null
      policies             = []
      inline_policies      = []
      policy_arns = [
        "arn:aws:iam::aws:policy/AdministratorAccess",
      ]
    },
    {
      name                 = "ROLE-DEV"
      path                 = ""
      desc                 = ""
      trust_policy_file    = "trust-policies/dev.json"
      permissions_boundary = "arn:aws:iam::aws:policy/PowerUserAccess"
      policies = [
        "ro-billing",
      ]
      inline_policies = []
      policy_arns = [
        "arn:aws:iam::aws:policy/PowerUserAccess",
      ]
    },
  ]

}

trust-policies/admin.json

Defines the permissions (Authorization)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": [
          "arn:aws:iam::1234567:role/federation/LOGIN-ADMIN"
        ]
      },
      "Condition": {}
    }
  ]
}

trust-policies/dev.json

Defines the permissions (Authorization)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": [
          "arn:aws:iam::1234567:role/federation/LOGIN-DEV",
          "arn:aws:iam::1234567:role/federation/LOGIN-ADMIN"
        ]
      },
      "Condition": {}
    }
  ]
}

policies/ro-billing.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BillingReadOnly",
      "Effect": "Allow",
      "Action": [
        "account:ListRegions",
        "aws-portal:View*",
        "awsbillingconsole:View*",
        "budgets:View*",
        "ce:Get*",
        "cur:Describe*",
        "pricing:Describe*",
        "pricing:Get*"
      ],
      "Resource": "*"
    }
  ]
}

Requirements

Name Version
terraform >= 0.12.6

Providers

Name Version
aws n/a

Inputs

Name Description Type Default Required
roles A list of dictionaries defining all roles. 
list(object({
    name                 = string       # Name of the role
    path                 = string       # Defaults to 'var.role_path' variable is set to null
    desc                 = string       # Defaults to 'var.role_desc' variable is set to null
    trust_policy_file    = string       # Path to file of trust/assume policy
    permissions_boundary = string       # ARN to a policy used as permissions boundary (or null/empty)
    policies             = list(string) # List of names of policies (must be defined in var.policies)
    inline_policies      = list(object({
      name = string      # Name of the inline policy
      file = string      # Path to json or json.tmpl file of policy
      vars = map(string) # Policy template variables {key = val, ...}
    }))
    policy_arns = list(string) # List of existing policy ARN's
  }))
 n/a yes
users A list of dictionaries defining all users. 
list(object({
    name = string # Name of the user
    path = string # Defaults to 'var.user_path' variable is set to null
    access_keys = list(object({
      name    = string # IaC identifier for first or second IAM access key (not used on AWS)
      pgp_key = string # Leave empty for non or provide a b64-enc pubkey or keybase username
      status  = string # 'Active' or 'Inactive'
    }))
    permissions_boundary = string # ARN to a policy used as permissions boundary (or null/empty)
    policies = list(string)       # List of names of policies (must be defined in var.policies)
    inline_policies = list(object({
      name = string      # Name of the inline policy
      file = string      # Path to json or json.tmpl file of policy
      vars = map(string) # Policy template variables {key = val, ...}
    }))
    policy_arns = list(string) # List of existing policy ARN's
  }))
 n/a yes
policies A list of dictionaries defining all policies. 
list(object({
    name = string      # Name of the policy
    path = string      # Defaults to 'var.policy_path' variable is set to null
    desc = string      # Defaults to 'var.policy_desc' variable is set to null
    file = string      # Path to json or json.tmpl file of policy
    vars = map(string) # Policy template variables {key: val, ...}
  }))
 [] no
policy_desc The default description of the policy. string "Managed by Terraform" no
policy_path The default path under which to create the policy if not specified in the policies list. You can use a single path, or nest multiple paths as if they were a folder structure. For example, you could use the nested path /division_abc/subdivision_xyz/product_1234/engineering/ to match your company's organizational structure. string "/" no
role_desc The description of the role. string "Managed by Terraform" no
role_force_detach_policies Specifies to force detaching any policies the role has before destroying it. bool true no
role_max_session_duration The maximum session duration (in seconds) that you want to set for the specified role. This setting can have a value from 1 hour to 12 hours specified in seconds. string "3600" no
role_path The path under which to create the role. You can use a single path, or nest multiple paths as if they were a folder structure. For example, you could use the nested path /division_abc/subdivision_xyz/product_1234/engineering/ to match your company's organizational structure. string "/" no
tags Key-value mapping of tags for the IAM role or user. map(any) {} no
user_path The path under which to create the user. You can use a single path, or nest multiple paths as if they were a folder structure. For example, you could use the nested path /division_abc/subdivision_xyz/product_1234/engineering/ to match your company's organizational structure. string "/" no

Outputs

Name Description
debug_local_policies The transformed policy map
debug_local_role_inline_policies The transformed role inline policy map
debug_local_role_policies The transformed role policy map
debug_local_role_policy_arns The transformed role policy arns map
debug_local_user_access_keys The transformed user access key map
debug_local_user_inline_policies The transformed user inline policy map
debug_local_user_policies The transformed user policy map
debug_local_user_policy_arns The transformed user policy arns map
debug_var_policies The transformed policy map
debug_var_roles The defined roles list
debug_var_users The defined users list
policies Created customer managed IAM policies
role_inline_policy_attachments Attached role inline IAM policies
role_policy_arn_attachments Attached role IAM policy arns
role_policy_attachments Attached role customer managed IAM policies
roles Created IAM roles
user_inline_policy_attachments Attached user inline IAM policies
user_policy_arn_attachments Attached user IAM policy arns
user_policy_attachments Attached user customer managed IAM policies
users Created IAM users

Authors

Module managed by cytopia.

License

MIT License

Copyright (c) 2018 cytopia

About

This Terraform module creates an arbitrary number of IAM roles and policies/trusts to attach.

Resources

Readme

License

MIT license
Activity

Stars

2 stars

Watchers

3 watching

Forks

4 forks
Report repository

Releases

5 tags

Packages

No packages published

Languages