A Terraform module to help set the trust policy on a specified role when new accounts are added or invited to an AWS Organization.
When creating a new account via AWS Organizations, an admin role is created in the account with a trust policy that allows the master account to assume it. If your identity principals are in the master account, this is fine. You will be able to assume role into the new account with no problem.
However, when you use a different account for your identity principals, those principals will not have permission to assume role into the new account's admin role because the trust policy will not allow your identity account to assume the role.
This module uses CloudWatch Events to identify when new accounts are added or invited to an AWS Organization, and triggers a Lambda function that will assume role into the account and update the trust policy.
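The flow described above, as an added Python example that is not the module's own Lambda code: it extracts the new account's ID from the two Organizations events, assumes the admin role in that account and replaces the trust policy of the target role. The event field paths (taken from the documented shapes of the `CreateAccountResult` service event and the `InviteAccountToOrganization` CloudTrail event), the role session name, the environment-variable names, the sample account IDs and the fake STS/IAM clients are all assumptions made here so the example runs offline through `demo()`.

```python
import json
import os

SESSION_NAME = "new-account-trust-policy"  # assumed session name, not the module's


def extract_account_id(event):
    """Return the new account's ID from a supported Organizations event, or None.
    Field paths are assumptions taken from the documented event shapes."""
    detail = event.get("detail") or {}
    name = detail.get("eventName")
    if name == "CreateAccountResult":  # service event, emitted when creation finishes
        status = (detail.get("serviceEventDetails") or {}).get("createAccountStatus") or {}
        return status.get("accountId") if status.get("state") == "SUCCEEDED" else None
    if name == "InviteAccountToOrganization":  # CloudTrail API event
        target = (detail.get("requestParameters") or {}).get("target") or {}
        # an invitation addressed to an e-mail carries no account ID to act on
        return target.get("id") if target.get("type") == "ACCOUNT" else None
    return None  # any other event is ignored


def update_trust_policy(account_id, assume_role_name, update_role_name, trust_policy,
                        partition="aws", sts_client=None, iam_client_factory=None):
    """Assume assume_role_name in account_id, then replace update_role_name's trust policy.
    sts_client / iam_client_factory are injection points; real boto3 clients are the default."""
    json.loads(trust_policy)  # reject malformed JSON before making any AWS call
    if sts_client is None:
        import boto3  # imported lazily so the example loads without boto3 installed
        sts_client = boto3.client("sts")
    if iam_client_factory is None:
        def iam_client_factory(creds):
            import boto3
            return boto3.client("iam", aws_access_key_id=creds["AccessKeyId"],
                                aws_secret_access_key=creds["SecretAccessKey"],
                                aws_session_token=creds["SessionToken"])
    role_arn = f"arn:{partition}:iam::{account_id}:role/{assume_role_name}"
    creds = sts_client.assume_role(RoleArn=role_arn, RoleSessionName=SESSION_NAME)["Credentials"]
    iam_client_factory(creds).update_assume_role_policy(RoleName=update_role_name,
                                                        PolicyDocument=trust_policy)
    return role_arn


def handler(event, context=None, config=None, **clients):
    """Lambda entry point; the environment-variable names are this example's assumption."""
    cfg = config or {k: os.environ[k] for k in ("ASSUME_ROLE_NAME", "UPDATE_ROLE_NAME", "TRUST_POLICY")}
    account_id = extract_account_id(event)
    if account_id is None:
        return {"updated": False, "account_id": None}
    arn = update_trust_policy(account_id, cfg["ASSUME_ROLE_NAME"], cfg["UPDATE_ROLE_NAME"],
                              cfg["TRUST_POLICY"], **clients)
    return {"updated": True, "account_id": account_id, "assumed_role": arn}


# --- constructed sample data and test doubles; none of this is real AWS data ---
IDENTITY_ACCOUNT, NEW_ACCOUNT = "444455556666", "111122223333"
TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{IDENTITY_ACCOUNT}:root"}}]})
CREATE_EVENT = {"source": "aws.organizations", "detail": {
    "eventName": "CreateAccountResult",
    "serviceEventDetails": {"createAccountStatus": {"state": "SUCCEEDED", "accountId": NEW_ACCOUNT}}}}
INVITE_EVENT = {"source": "aws.organizations", "detail": {
    "eventName": "InviteAccountToOrganization",
    "requestParameters": {"target": {"type": "ACCOUNT", "id": NEW_ACCOUNT}}}}


class FakeSts:
    def assume_role(self, RoleArn, RoleSessionName):
        return {"Credentials": {"AccessKeyId": "AKIAFAKE", "SecretAccessKey": "x", "SessionToken": "y"}}


class FakeIam:
    def __init__(self):
        self.calls = []  # (RoleName, parsed policy) for every update made

    def update_assume_role_policy(self, RoleName, PolicyDocument):
        self.calls.append((RoleName, json.loads(PolicyDocument)))


def demo(event=CREATE_EVENT):
    """Run one event through the handler against the fakes; returns (result, IAM calls)."""
    iam = FakeIam()
    cfg = {"ASSUME_ROLE_NAME": "OrganizationAccountAccessRole",  # role Organizations creates
           "UPDATE_ROLE_NAME": "OrganizationAccountAccessRole", "TRUST_POLICY": TRUST_POLICY}
    result = handler(event, config=cfg, sts_client=FakeSts(), iam_client_factory=lambda creds: iam)
    return result, iam.calls
```

Two details matter for the real Lambda as much as for this sketch: `CreateAccountResult` is only acted on when its state is `SUCCEEDED` (the event also fires for failed creations), and an invitation addressed to an e-mail has no account ID, so it is skipped rather than guessed at. Calling `demo(INVITE_EVENT)` exercises the second event type.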
If you prefer CloudFormation, a CloudFormation template is provided that does the same thing as the Terraform module. To deploy it, first package the template, then deploy the packaged output:

```shell
aws cloudformation package --template new_account_trust_policy.yaml --output-template-file package.yaml --s3-bucket <your-s3-bucket>
aws cloudformation deploy --profile mock-dev --template package.yaml --capabilities CAPABILITY_IAM --stack-name <stack-name> --parameter-overrides AssumeRoleName=<role-to-assume> UpdateRoleName=<role-to-update> TrustPolicy=<trust-policy-to-apply>
```
To set up and run tests:

```shell
# Ensure the dependencies are installed on your system.
make python/deps
make pytest/deps

# Start up a mock AWS stack:
make mockstack/up

# Run unit tests:
make docker/run target=pytest/lambda/tests

# Run the tests:
make mockstack/pytest/lambda

# Shut down the mock AWS stack and clean up docker images:
make mockstack/clean
```
## Requirements

| Name | Version |
|---|---|
| terraform | >= 1.3 |
| aws | >= 4.9 |
| external | >= 1.0 |
| local | >= 1.0 |
| null | >= 2.0 |
## Providers

| Name | Version |
|---|---|
| aws | >= 4.9 |
| random | n/a |
## Resources

| Name | Type |
|---|---|
| aws_iam_policy_document.lambda | data source |
| aws_partition.current | data source |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| assume_role_name | Name of the IAM role to assume in the target account (case sensitive) | string | n/a | yes |
| trust_policy | JSON string representing the trust policy to apply to the role being updated | string | n/a | yes |
| update_role_name | Name of the IAM role to update in the target account (case sensitive) | string | n/a | yes |
| event_types | Event types that will trigger this lambda | set(string) | [ | no |
| lambda | Map of any additional arguments for the upstream lambda module. See https://github.com/terraform-aws-modules/terraform-aws-lambda | object({ | {} | no |
| log_level | Log level of the lambda output, one of: debug, info, warning, error, critical | string | "info" | no |
| tags | Tags that are passed to resources | map(string) | {} | no |
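Because `trust_policy` is applied verbatim to the admin role of every account that joins the organization, it is worth checking before it is handed to the module. The following is an added example of such a pre-flight check and is not part of the module; the rule set (every Allow statement may grant only the listed STS actions, and only to IAM principals in the identity account), the helper name and the two sample policies are this example's own choices.

```python
import json


def check_trust_policy(trust_policy, identity_account_id, partition="aws",
                       allowed_actions=("sts:AssumeRole", "sts:TagSession")):
    """Return a list of findings; an empty list means the policy passed every check.
    allowed_actions and the rules below are this example's assumptions; adapt them."""
    try:
        doc = json.loads(trust_policy)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("Version must be 2012-10-17")
    statements = doc.get("Statement") or []
    statements = [statements] if isinstance(statements, dict) else statements
    if not statements:
        findings.append("policy has no Statement")
    arn_prefix = f"arn:{partition}:iam::{identity_account_id}:"
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access; leave them alone
        actions = st.get("Action") or []
        for action in [actions] if isinstance(actions, str) else actions:
            if action not in allowed_actions:  # also catches "sts:*" and "*"
                findings.append(f"statement {i}: action {action!r} is not permitted")
        principal = st.get("Principal")
        if principal == "*":
            findings.append(f"statement {i}: wildcard Principal lets any AWS account assume the role")
            continue
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: missing or malformed Principal")
            continue
        for kind, values in principal.items():
            for value in [values] if isinstance(values, str) else values:
                if kind != "AWS":
                    findings.append(f"statement {i}: {kind} principal {value!r} is not an IAM principal")
                elif value == "*":
                    findings.append(f"statement {i}: Principal AWS '*' lets any AWS account assume the role")
                elif value != identity_account_id and not value.startswith(arn_prefix):
                    findings.append(f"statement {i}: principal {value!r} is outside account {identity_account_id}")
    return findings


# Constructed sample inputs (not from the page): a policy scoped to one IAM role in
# the identity account, and one that is far too permissive.
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::444455556666:role/OrgAdmins"}}]})
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:*", "Principal": {"AWS": "*"}}]})
```

Run the check against the exact string you will pass as `trust_policy` (for example in a `terraform plan` wrapper or a pre-commit hook) and refuse to apply when it returns any findings; a bare account ID is accepted as the documented shorthand for that account's root principal.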
## Outputs

| Name | Description |
|---|---|
| aws_cloudwatch_event_rule | The CloudWatch event rule object |
| aws_cloudwatch_event_target | The CloudWatch event target object |
| aws_lambda_permission_events | The lambda permission object for CloudWatch event triggers |
| lambda | The lambda module object |