Skip to content

Latest commit

 

History

History

roles

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
data
data
 
 
README.md
README.md
 
 
main.tf
main.tf
 
 
outputs.tf
outputs.tf
 
 
terraform.tfvars
terraform.tfvars
 
 
variables.tf
variables.tf
 
 

README.md

Roles

This example creates policies and various different roles.

Overview

Roles must be assumed. The AWS resource which is allowed to assume a specific role has to be defined on a per role base via its trust_policy_file.

  • When using the policies key, respective policies must be defined in var.policies.

Examples

Note: The following examples only shows the creation of a single role each. You can however create as many roles as desired. Also re-arranging them within the list will not trigger terraform to change or destroy resources as they're internally stored in a map (rather than a list) by their role names as keys (See module's locals.tf for transformation).

Role assumed by another role

The following defined role has administrator access on the provisioned AWS account.

terraform.tfvars

roles = [
  {
    name                 = "ROLE-ADMIN"
    path                 = null
    desc                 = null
    trust_policy_file    = "data/trust-policies/admin.json"
    permissions_boundary = null
    policies             = []
    inline_policies      = []
    policy_arns          = ["arn:aws:iam::aws:policy/AdministratorAccess"]
  },
]

The following trust policy allows to assume the above defined role, from a role named LOGIN-ADMIN in the AWS account 1234567890.

data/trust-policies/admin.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": [
          "arn:aws:iam::1234567890:role/federation/LOGIN-ADMIN"
        ]
      },
      "Condition": {}
    }
  ]
}

Usage

To run this example you need to execute:

$ terraform init
$ terraform plan
$ terraform apply

Note that this example may create resources which cost money. Run terraform destroy when you don't need these resources.

Requirements

No requirements.

Providers

No provider.

Inputs

Name Description Type Default Required
policies A list of dictionaries defining all policies. 
list(object({
    name = string      # Name of the policy
    path = string      # Defaults to 'var.policy_path' if variable is set to null
    desc = string      # Defaults to 'var.policy_desc' if variable is set to null
    file = string      # Path to json or json.tmpl file of policy
    vars = map(string) # Policy template variables {key: val, ...}
  }))
 [] no
roles A list of dictionaries defining all roles. 
list(object({
    name                 = string       # Name of the role
    path                 = string       # Defaults to 'var.role_path' if variable is set to null
    desc                 = string       # Defaults to 'var.role_desc' if variable is set to null
    trust_policy_file    = string       # Path to file of trust/assume policy
    permissions_boundary = string       # ARN to a policy used as permissions boundary (or null/empty)
    policies             = list(string) # List of names of policies (must be defined in var.policies)
    policy_arns          = list(string) # List of existing policy ARN's
    inline_policies = list(object({
      name = string      # Name of the inline policy
      file = string      # Path to json or json.tmpl file of policy
      vars = map(string) # Policy template variables {key = val, ...}
    }))
  }))
 [] no

Outputs

Name Description
policies Created customer managed IAM policies
roles Created roles