{"id":18624798,"url":"https://github.com/opszero/terraform-aws-iam","last_synced_at":"2025-10-15T13:29:35.216Z","repository":{"id":39869934,"uuid":"409840992","full_name":"opszero/terraform-aws-iam","owner":"opszero","description":null,"archived":false,"fork":false,"pushed_at":"2025-09-16T08:05:40.000Z","size":171,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-09-16T09:32:36.293Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://opszero.com","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/opszero.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":"SUPPORT","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":["abhiyerra"],"custom":["https://www.opszero.com"]}},"created_at":"2021-09-24T05:19:16.000Z","updated_at":"2025-09-16T08:05:43.000Z","dependencies_parsed_at":"2024-02-27T21:31:39.033Z","dependency_job_id":"ef30bbd8-d72d-4c80-97e4-2018717fdf42","html_url":"https://github.com/opszero/terraform-aws-iam","commit_stats":null,"previous_names":["opszero/terraform-aws-iam"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/opszero/terraform-aws-iam","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opszero%2Fterraform-aws-iam","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opszero%2Fterraform-aws-iam/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/o
pszero%2Fterraform-aws-iam/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opszero%2Fterraform-aws-iam/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/opszero","download_url":"https://codeload.github.com/opszero/terraform-aws-iam/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opszero%2Fterraform-aws-iam/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279083098,"owners_count":26099564,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-15T02:00:07.814Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-07T04:31:06.286Z","updated_at":"2025-10-15T13:29:35.158Z","avatar_url":"https://github.com/opszero.png","language":"HCL","funding_links":["https://github.com/sponsors/abhiyerra","https://www.opszero.com"],"categories":[],"sub_categories":[],"readme":"# MrMgr (AWS IAM)\n\nConfigures AWS IAM users, groups, OIDC.\n\n## Usage\n\nThis belongs within the [infrastructure as code](https://github.com/opszero/template-infra).\n\n```\n# iam/main.tf\n\nprovider \"aws\" {\n  profile = \"opszero\"\n  region  = \"us-east-1\"\n}\n\nterraform {\n  backend \"s3\" {\n    bucket  = \"opszero-opszero-terraform-tfstate\"\n    region  = \"us-east-1\"\n    profile = \"opszero\"\n    encrypt = \"true\"\n\n    
key     = \"iam\"\n  }\n}\n\nresource \"aws_iam_policy\" \"deployer\" {\n  name        = \"github-deployer-policy\"\n  description = \"Github Deployer\"\n\n  policy = \u003c\u003cEOT\n{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"ecr:*\"\n            ],\n            \"Resource\": \"*\"\n        },\n        {\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"eks:DescribeCluster\",\n                \"eks:ListClusters\"\n            ],\n            \"Resource\": \"*\"\n        }\n    ]\n}\nEOT\n}\n\nmodule \"opszero-eks\" {\n  source = \"github.com/opszero/terraform-aws-mrmgr\"\n\n  github = {\n    \"deployer\" = {\n      org = \"opszero\"\n      repos = [\n        \"terraform-aws-mrmgr\"\n      ]\n      policy_arns = [\n        aws_iam_policy.deployer.arn\n      ]\n    }\n  }\n\n  groups = {\n    \"Backend\" = {\n      policy_arns = [\n        aws_iam_policy.deployer.arn,\n        \"arn:${local.partition}:iam::aws:policy/IAMSelfManageServiceSpecificCredentials\",\n        \"arn:${local.partition}:iam::aws:policy/IAMUserChangePassword\",\n      ]\n      enable_mfa = false\n      enable_self_management = true # Optional\n    }\n  }\n\n  users = {\n    \"opszero\" = {\n      \"groups\" = [\n        \"Backend\"\n      ]\n    },\n  }\n}\n```\n\n```\n# environments/\u003cnameofenv\u003e/main.tf\n\nmodule \"opszero-eks\" {\n  source = \"github.com/opszero/terraform-aws-kubespot\"\n\n  ...\n\n  sso_roles = {\n    admin_roles = [\n      \"arn:${local.partition}:iam::1234567789101:role/github-deployer\"\n    ]\n    readonly_roles = []\n    dev_roles = []\n    monitoring_roles = []\n  }\n\n  ...\n}\n\n\n```\n\n## Users\n\nUsers will be created _without_ a login profile. This means the user will exist\nbut will not have a password to login with. 
Login profiles and credentials will\nbe managed via console manually (to prevent automated disruption of everyone).\n\nWhen removing a user, first disable console access.\n\nUsers without MFA will have no privilege within the system. In order to have\naccess to AWS, users will need to attach an MFA device to their account.\n\n- Log in via console\n- Select \"My Security Credentials\"\n- Choose \"Assign MFA device\"\n- Use a virtual MFA device\n- Enter two consecutive MFA codes from your 2FA app\n- Sign out\n- Sign in with MFA\n\n### List Existing Users\n\n```bash\naws --profile \u003cprofile\u003e iam list-attached-user-policies --user-name \u003cusername\u003e | jq '.AttachedPolicies[].PolicyArn'\n```\n\n## Groups\n\n## OIDC\n\nOIDC Deployer allows us to access resources within another piece of\ninfrastructure through the use of OpenID. See below for examples of how to do\ndeployments.\n\n### GitHub\n\nExample configuration for deploying to an EKS cluster without the need for AWS\nAccess Keys.\n\n```terraform\nresource \"aws_iam_policy\" \"deployer\" {\n  name        = \"github-deployer-policy\"\n  description = \"Github Deployer\"\n\n  policy = \u003c\u003cEOT\n{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"ecr:*\"\n            ],\n            \"Resource\": \"*\"\n        },\n        {\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"eks:DescribeCluster\",\n                \"eks:ListClusters\"\n            ],\n            \"Resource\": \"*\"\n        }\n    ]\n}\nEOT\n}\n\nmodule \"iam\" {\n  source = \"github.com/opszero/mrmgr//modules/aws\"\n\n  github = {\n    \"deployer\" = {\n      org = \"opszero\"\n      repos = [\n        \"mrmgr\"\n      ]\n      policy_arns = [\n        aws_iam_policy.deployer.arn\n      ]\n    }\n  }\n}\n```\n\nkubespot\n\n```terraform\nmodule \"opszero-eks\" {\n  source = \"github.com/opszero/terraform-aws-kubespot\"\n\n  ...\n\n  sso_roles = {\n    admin_roles = [\n      \"arn:${local.partition}:iam::1234567789101:role/github-deployer\"\n    ]\n    readonly_roles = []\n    dev_roles = []\n    monitoring_roles = []\n  }\n\n  ...\n}\n```\n\neksdeploy.yml\n\n```yaml\n---\non:\n  push:\n    branches:\n      - develop\n      - master\n\nname: Deploy to Amazon EKS\n\njobs:\n  deploy:\n    name: Deploy\n    runs-on: ubuntu-latest\n    permissions: # Important to add: id-token: write lets the job request an OIDC token\n      contents: read\n      id-token: write\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v2\n      - name: Configure AWS credentials\n        uses: aws-actions/configure-aws-credentials@v1\n        with:\n          role-to-assume: arn:aws:iam::1234567789101:role/github-deployer\n          aws-region: us-east-1\n      - name: Login to Amazon ECR\n        id: login-ecr\n        uses: aws-actions/amazon-ecr-login@v1\n      - name: Build, tag, and push image to Amazon ECR\n        id: build-image\n        env:\n          ECR_REGISTRY: 1234567789101.dkr.ecr.us-east-1.amazonaws.com\n          ECR_REPOSITORY: mrmgr\n          IMAGE_TAG: ${{ github.sha }}\n        run: |\n          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .\n          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG\n      - name: Release Develop\n        if: ${{ github.ref == 'refs/heads/develop' }}\n        env:\n          ECR_REGISTRY: 1234567789101.dkr.ecr.us-east-1.amazonaws.com\n          ECR_REPOSITORY: mrmgr\n          IMAGE_TAG: ${{ github.sha }}\n        run: |\n          aws eks update-kubeconfig --name mrmgr-develop\n          helm upgrade --install mrmgr charts/mrmgr \\\n            -f ./charts/develop.yaml \\\n            --set image.repository=$ECR_REGISTRY/$ECR_REPOSITORY \\\n            --set image.tag=$IMAGE_TAG\n```\n\n### GitLab\n\nExample configuration for deploying to AWS without the need for AWS\nAccess Keys.\n
The pipeline below lists EKS clusters via GitLab CI without using AWS credentials. You can also attach other policies to this IAM role.\n\n```terraform\nresource \"aws_iam_policy\" \"deployer\" {\n  name        = \"gitlab-deployer-policy\"\n  description = \"GitLab Deployer\"\n\n  policy = \u003c\u003cEOT\n{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"ecr:*\"\n            ],\n            \"Resource\": \"*\"\n        },\n        {\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"eks:DescribeCluster\",\n                \"eks:ListClusters\"\n            ],\n            \"Resource\": \"*\"\n        }\n    ]\n}\nEOT\n}\n\nmodule \"iam\" {\n  source = \"github.com/opszero/mrmgr//modules/aws\"\n\n  gitlab = {\n    \"deployer\" = {\n      iam_role_name = \"gitlab_oidc_role\"\n      audience      = \"https://gitlab.com\"\n      gitlab_url    = \"https://gitlab.com\"\n      match_field   = \"sub\"\n      match_value = [\n        \"project_path:opszero/mrmgr:ref_type:branch:ref:main\"\n      ]\n      policy_arns = [\n        aws_iam_policy.deployer.arn\n      ]\n    }\n  }\n}\n```\n\n.gitlab-ci.yml\n\n```yaml\nvariables:\n  REGION: us-east-1\n  # The role name must match iam_role_name in the Terraform module above.\n  ROLE_ARN: arn:aws:iam::${AWS_ACCOUNT_ID}:role/gitlab_oidc_role\n\nimage:\n  name: amazon/aws-cli:latest\n  entrypoint:\n    - '/usr/bin/env'\n\nassume role:\n    script:\n        - \u003e\n          STS=($(aws sts assume-role-with-web-identity\n          --role-arn ${ROLE_ARN}\n          --role-session-name \"GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}\"\n          --web-identity-token $CI_JOB_JWT_V2\n          --duration-seconds 3600\n          --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'\n          --output text))\n        - export AWS_ACCESS_KEY_ID=\"${STS[0]}\"\n        - export AWS_SECRET_ACCESS_KEY=\"${STS[1]}\"\n        - export AWS_SESSION_TOKEN=\"${STS[2]}\"\n        - export AWS_REGION=\"$REGION\"\n        - aws sts get-caller-identity\n        - aws eks list-clusters\n```\n\n#### GitLab CI Outputs\n\n![gitlabci_output](https://raw.githubusercontent.com/thaunghtike-share/mytfdemo/main/aws_console_outputs_photos/opszero.png)\n\n### Bitbucket\n\n```terraform\nmodule \"mrmgr\" {\n  source = \"github.com/opszero/terraform-aws-mrmgr\"\n\n  bitbucket = {\n    \"deployer\" = {\n      subjects = [\n        \"{REPOSITORY_UUID}[:{ENVIRONMENT_UUID}]:{STEP_UUID}\"\n      ]\n      policy_json = [\n        aws_iam_policy.deployer.json\n      ]\n    }\n  }\n}\n```\n\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | n/a |\n| \u003ca name=\"provider_tls\"\u003e\u003c/a\u003e [tls](#provider\\_tls) | n/a |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_bitbucket\"\u003e\u003c/a\u003e [bitbucket](#input\\_bitbucket) | Terraform object to create IAM OIDC identity provider in AWS to integrate with Bitbucket | `map` | `{}` | no |\n| \u003ca name=\"input_github\"\u003e\u003c/a\u003e [github](#input\\_github) | Terraform object to create IAM OIDC identity provider in AWS to integrate with GitHub Actions | `map` | `{}` | no |\n| \u003ca name=\"input_gitlab\"\u003e\u003c/a\u003e [gitlab](#input\\_gitlab) | Terraform object to create IAM OIDC identity provider in AWS to integrate with GitLab CI | `map` | `{}` | no |\n| \u003ca name=\"input_groups\"\u003e\u003c/a\u003e [groups](#input\\_groups) | Terraform object to create AWS IAM groups with custom IAM policies | `map` | `{}` | no |\n| \u003ca name=\"input_management_account\"\u003e\u003c/a\u003e [management\\_account](#input\\_management\\_account) | Is this an AWS management account that has child accounts? 
| `bool` | `false` | no |\n| \u003ca name=\"input_opszero_enabled\"\u003e\u003c/a\u003e [opszero\\_enabled](#input\\_opszero\\_enabled) | Deploy opsZero omyac cloudformation stack | `bool` | `false` | no |\n| \u003ca name=\"input_users\"\u003e\u003c/a\u003e [users](#input\\_users) | Terraform object to create AWS IAM users | `map` | `{}` | no |\n| \u003ca name=\"input_vanta_account_id\"\u003e\u003c/a\u003e [vanta\\_account\\_id](#input\\_vanta\\_account\\_id) | Vanta account id | `string` | `\"\"` | no |\n| \u003ca name=\"input_vanta_enabled\"\u003e\u003c/a\u003e [vanta\\_enabled](#input\\_vanta\\_enabled) | n/a | `bool` | `false` | no |\n| \u003ca name=\"input_vanta_external_id\"\u003e\u003c/a\u003e [vanta\\_external\\_id](#input\\_vanta\\_external\\_id) | Vanta external id | `string` | `\"\"` | no |\n## Resources\n\n| Name | Type |\n|------|------|\n| [aws_cloudformation_stack.opszero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack) | resource |\n| [aws_iam_policy.mfa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.ssh](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.vanta_child](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.vanta_management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy_attachment.ssh](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |\n| [aws_iam_role.vanta_auditor](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |\n| [aws_iam_role_policy_attachment.vanta_child](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| 
[aws_iam_role_policy_attachment.vanta_management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.vanta_security_audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |\n| [aws_iam_policy.SecurityAudit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |\n| [aws_iam_policy_document.ssh](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.vanta_child](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.vanta_management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |\n| [tls_certificate.github](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate) | data source |\n## Outputs\n\nNo outputs.\n# 🚀 Built by opsZero!\n\n\u003ca href=\"https://opszero.com\"\u003e\u003cimg src=\"https://opszero.com/wp-content/uploads/2024/07/opsZero_logo_svg.svg\" width=\"300px\"/\u003e\u003c/a\u003e\n\nSince 2016 [opsZero](https://opszero.com) has been providing Kubernetes\nexpertise to companies of all sizes on any Cloud. 
With a focus on AI and\nCompliance, we can say we have seen it all: whether SOC2, HIPAA, PCI-DSS, ITAR,\nFedRAMP or CMMC, we have you and your customers covered.\n\nWe provide support to organizations in the following ways:\n\n- [Modernize or Migrate to Kubernetes](https://opszero.com/solutions/modernization/)\n- [Cloud Infrastructure with Kubernetes on AWS, Azure, Google Cloud, or Bare Metal](https://opszero.com/solutions/cloud-infrastructure/)\n- [Building AI and Data Pipelines on Kubernetes](https://opszero.com/solutions/ai/)\n- [Optimizing Existing Kubernetes Workloads](https://opszero.com/solutions/optimized-workloads/)\n\nWe do this with a high-touch support model where you:\n\n- Get access to us on Slack, Microsoft Teams or Email\n- Get 24/7 coverage of your infrastructure\n- Get an accelerated migration to Kubernetes\n\nPlease [schedule a call](https://calendly.com/opszero-llc/discovery) if you need support.\n\n\u003cbr/\u003e\u003cbr/\u003e\n\n\u003cdiv style=\"display: block\"\u003e\n  \u003cimg src=\"https://opszero.com/wp-content/uploads/2024/07/aws-advanced.png\" width=\"150px\" /\u003e\n  \u003cimg src=\"https://opszero.com/wp-content/uploads/2024/07/AWS-public-sector.png\" width=\"150px\" /\u003e\n  \u003cimg src=\"https://opszero.com/wp-content/uploads/2024/07/AWS-eks.png\" width=\"150px\" /\u003e\n\u003c/div\u003e","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopszero%2Fterraform-aws-iam","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopszero%2Fterraform-aws-iam","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopszero%2Fterraform-aws-iam/lists"}