role

AWS IAM OIDC Trust Role

Description

This module creates an two IAM roles with trust relationships to an OIDC provider. One role is read-only and the other is read-write. The read-only role is intended to be used by CI/CD pipelines to validate pull requests and changes, where as the read-write role applies the changes on the merge to main. In all cases the consumer must pass a IAM boundary policy to ensure that the roles are not able to escalate their permissions, or make changes to critical resources.

Update Documentation

The terraform-docs utility is used to generate this README. Follow the below steps to update:

1. Make changes to the .terraform-docs.yml file
2. Fetch the terraform-docs binary (https://terraform-docs.io/user-guide/installation/)
3. Run terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .

Requirements

Name	Version
terraform	>= 1.0

Providers

Name	Version
aws	n/a

Modules

No modules.

Resources

Name	Type
aws_iam_policy.tfstate_apply	resource
aws_iam_policy.tfstate_plan	resource
aws_iam_policy.tfstate_remote	resource
aws_iam_role.ro	resource
aws_iam_role.rw	resource
aws_iam_role.sr	resource
aws_iam_role_policy_attachment.ro	resource
aws_iam_role_policy_attachment.rw	resource
aws_iam_role_policy_attachment.tfstate_apply	resource
aws_iam_role_policy_attachment.tfstate_plan	resource
aws_iam_role_policy_attachment.tfstate_remote	resource
aws_caller_identity.current	data source
aws_iam_openid_connect_provider.this	data source
aws_iam_policy_document.base	data source
aws_iam_policy_document.dynamo	data source
aws_iam_policy_document.ro	data source
aws_iam_policy_document.rw	data source
aws_iam_policy_document.sr	data source
aws_iam_policy_document.tfstate_apply	data source
aws_iam_policy_document.tfstate_plan	data source
aws_iam_policy_document.tfstate_remote	data source
aws_region.current	data source

Inputs

Name	Description	Type	Default	Required
additional_audiences	Additional audiences to be allowed in the OIDC federation mapping	list(string)	[]	no
common_provider	The name of a common OIDC provider to be used as the trust for the role	string	""	no
custom_provider	An object representing an aws_iam_openid_connect_provider resource	object({ url = string audiences = list(string) subject_reader_mapping = string subject_branch_mapping = string subject_tag_mapping = string })	null	no
description	Description of the role being created	string	n/a	yes
force_detach_policies	Flag to force detachment of policies attached to the IAM role.	bool	null	no
name	Name of the role to create	string	n/a	yes
permission_boundary_arn	The ARN of the policy that is used to set the permissions boundary for the IAM role	string	null	no
protected_branch	The name of the protected branch under which the read-write role can be assumed	string	"main"	no
protected_tag	The name of the protected tag under which the read-write role can be assume	string	"*"	no
read_only_inline_policies	Inline policies map with policy name as key and json as value.	map(string)	{}	no
read_only_max_session_duration	The maximum session duration (in seconds) that you want to set for the specified role	number	null	no
read_only_policy_arns	List of IAM policy ARNs to attach to the read-only role	list(string)	[]	no
read_write_inline_policies	Inline policies map with policy name as key and json as value.	map(string)	{}	no
read_write_max_session_duration	The maximum session duration (in seconds) that you want to set for the specified role	number	null	no
read_write_policy_arns	List of IAM policy ARNs to attach to the read-write role	list(string)	[]	no
repository	List of repositories to be allowed i nthe OIDC federation mapping	string	n/a	yes
role_path	Path under which to create IAM role.	string	null	no
shared_repositories	List of repositories to provide read access to the remote state	list(string)	[]	no
tags	Tags to apply resoures created by this module	map(string)	{}	no

Outputs

Name	Description
read_only	n/a
read_write	n/a
state_reader	n/a

Requirements

Name	Version
terraform	>= 1.0

Providers

Name	Version
aws	n/a

Modules

No modules.

Resources

Name	Type
aws_iam_role.ro	resource
aws_iam_role.rw	resource
aws_iam_role.sr	resource
aws_iam_role_policy.inline_policies_ro	resource
aws_iam_role_policy.inline_policies_rw	resource
aws_iam_role_policy.tfstate_apply_rw	resource
aws_iam_role_policy.tfstate_plan_ro	resource
aws_iam_role_policy_attachment.ro	resource
aws_iam_role_policy_attachment.rw	resource
aws_caller_identity.current	data source
aws_iam_openid_connect_provider.this	data source
aws_iam_policy_document.base	data source
aws_iam_policy_document.dynamo	data source
aws_iam_policy_document.ro	data source
aws_iam_policy_document.rw	data source
aws_iam_policy_document.sr	data source
aws_iam_policy_document.tfstate_apply	data source
aws_iam_policy_document.tfstate_plan	data source
aws_iam_policy_document.tfstate_remote	data source
aws_region.current	data source

Inputs

Name	Description	Type	Default	Required
description	Description of the role being created	string	n/a	yes
name	Name of the role to create	string	n/a	yes
repository	List of repositories to be allowed in the OIDC federation mapping	string	n/a	yes
tags	Tags to apply resoures created by this module	map(string)	n/a	yes
account_id	The AWS account ID to create the role in	string	null	no
additional_audiences	Additional audiences to be allowed in the OIDC federation mapping	list(string)	[]	no
common_provider	The name of a common OIDC provider to be used as the trust for the role	string	"github"	no
custom_provider	An object representing an aws_iam_openid_connect_provider resource	object({ url = string audiences = list(string) subject_reader_mapping = string subject_branch_mapping = string subject_env_mapping = string subject_tag_mapping = string })	null	no
default_inline_policies	Inline policies map with policy name as key and json as value, attached to both read-only and read-write roles	map(string)	{}	no
default_managed_policies	List of IAM managed policy ARNs to attach to this role/s, both read-only and read-write	list(string)	[]	no
force_detach_policies	Flag to force detachment of policies attached to the IAM role.	bool	null	no
permission_boundary	The name of the policy that is used to set the permissions boundary for the IAM role	string	null	no
permission_boundary_arn	The full ARN of the permission boundary to attach to the role	string	null	no
protected_by	The branch, environment and/or tag to protect the role against	object({ branch = optional(string) environment = optional(string) tag = optional(string) })	{ "branch": "main", "environment": "production", "tag": "*" }	no
read_only_inline_policies	Inline policies map with policy name as key and json as value.	map(string)	{}	no
read_only_max_session_duration	The maximum session duration (in seconds) that you want to set for the specified role	number	null	no
read_only_policy_arns	List of IAM policy ARNs to attach to the read-only role	list(string)	[]	no
read_write_inline_policies	Inline policies map with policy name as key and json as value.	map(string)	{}	no
read_write_max_session_duration	The maximum session duration (in seconds) that you want to set for the specified role	number	null	no
read_write_policy_arns	List of IAM policy ARNs to attach to the read-write role	list(string)	[]	no
region	The region in which the role will be used (defaulting to the provider region)	string	null	no
repository_uuid	Repository UUID. You can get it in the repository settings in the OpenID connect provider.	string	null	no
role_path	Path under which to create IAM role.	string	null	no
shared_repositories	List of repositories to provide read access to the remote state	list(string)	[]	no
tf_state_suffix	A suffix for the terraform statefile, e.g. -<tf_state_suffix>.tfstate	string	""	no
workspace_name	The name of the workspace.	string	null	no
workspace_uuid	Workspace UUID. You can get it in the repository settings in the OpenID connect provider. Don't include the brackets and make sure it is lower cased.	string	null	no

Outputs

Name	Description
read_only	n/a
read_write	n/a
state_reader	n/a