Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/cms-enterprise/batcave-tf-irsa
batCAVE IRSA Terraform module
aws-iam batcave irsa terraform terraform-module
- Host: GitHub
- URL: https://github.com/cms-enterprise/batcave-tf-irsa
- Owner: CMS-Enterprise
- License: other
- Created: 2022-08-25T15:43:48.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2024-09-16T19:34:36.000Z (3 months ago)
- Last Synced: 2024-09-17T00:49:19.163Z (3 months ago)
- Topics: aws-iam, batcave, irsa, terraform, terraform-module
- Language: HCL
- Homepage: https://cloud.cms.gov/batcave-platform-service
- Size: 29.3 KB
- Stars: 0
- Watchers: 7
- Forks: 0
- Open Issues: 2
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE.md
- Security: SECURITY.md
README
# batcave-tf-irsa
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
| [aws](#requirement\_aws) | >= 4.0 |

## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 4.0 |

## Modules
No modules.
## Resources
| Name | Type |
|------|------|
| [aws_iam_policy.cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.secrets-manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.sops](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.sqs_read_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.tags](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.insights_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.secrets-manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.sops](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.sqs_read_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.tags](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_policy_document.cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.secrets-manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.sops](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.sqs_read_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.tags](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |

## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [app\_name](#input\_app\_name) | App name (e.g. Flux, Velero, etc.) | `string` | `""` | no |
| [asm\_secret\_arns](#input\_asm\_secret\_arns) | ARNs of secrets in AWS secrets manager (ASM) to add to policy | `list(string)` | `[]` | no |
| [assume\_role\_condition\_test](#input\_assume\_role\_condition\_test) | Name of the [IAM condition operator](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) to evaluate when assuming the role | `string` | `"StringEquals"` | no |
| [attach\_cloudwatch\_policy](#input\_attach\_cloudwatch\_policy) | Determines whether to attach the cloudwatch permissions to the role | `bool` | `false` | no |
| [attach\_dynamodb\_policy](#input\_attach\_dynamodb\_policy) | Determines whether to attach the dynamodb policy to the role | `bool` | `false` | no |
| [attach\_ec2\_policy](#input\_attach\_ec2\_policy) | Determines whether to attach the ec2 permissions to the role | `bool` | `false` | no |
| [attach\_insights\_policy](#input\_attach\_insights\_policy) | Determines whether to attach the CloudWatch Insights policy to the role | `bool` | `false` | no |
| [attach\_s3\_policy](#input\_attach\_s3\_policy) | Determines whether to attach the S3 policy to the role | `bool` | `false` | no |
| [attach\_secretsmanager\_policy](#input\_attach\_secretsmanager\_policy) | Determines whether to attach the secrets manager permissions to the role | `bool` | `false` | no |
| [attach\_sops\_policy](#input\_attach\_sops\_policy) | Determines whether to attach the SOPS policy to the role | `bool` | `false` | no |
| [attach\_tags\_policy](#input\_attach\_tags\_policy) | Determines whether to attach the tags permissions to the role | `bool` | `false` | no |
| [create\_role](#input\_create\_role) | Whether to create a role | `bool` | `true` | no |
| [dynamodb\_arn](#input\_dynamodb\_arn) | Dynamodb table to allow access to | `string` | `""` | no |
| [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `true` | no |
| [max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `null` | no |
| [oidc\_providers](#input\_oidc\_providers) | Map of OIDC providers where each provider map should contain the `provider`, `provider_arn`, and `namespace_service_accounts` | `any` | `{ "one": { "namespace_service_accounts": ["default:default"], "provider_arn": "" } }` | no |
| [policy\_name\_prefix](#input\_policy\_name\_prefix) | IAM policy name prefix | `string` | `"AmazonEKS_"` | no |
| [role\_description](#input\_role\_description) | IAM Role description | `string` | `null` | no |
| [role\_name](#input\_role\_name) | Name of IAM role | `string` | `"vpc-cni"` | no |
| [role\_path](#input\_role\_path) | Path of IAM role | `string` | `"/delegatedadmin/developer/"` | no |
| [role\_permissions\_boundary\_arn](#input\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `"arn:aws:iam::373346310182:policy/cms-cloud-admin/developer-boundary-policy"` | no |
| [role\_policy\_arns](#input\_role\_policy\_arns) | ARNs of any policies to attach to the IAM role | `map(string)` | `{}` | no |
| [s3\_bucket\_arns](#input\_s3\_bucket\_arns) | List of S3 Bucket ARNs to allow access to | `list(string)` | `[""]` | no |
| [sops\_arn](#input\_sops\_arn) | SOPS ARN to allow access to | `string` | `""` | no |
| [sqs\_read\_write\_arns](#input\_sqs\_read\_write\_arns) | List of SQS ARNs to allow read/write access to | `list(string)` | `[]` | no |
| [tags](#input\_tags) | A map of tags to add to the IAM role | `map(any)` | `{}` | no |

## Outputs
| Name | Description |
|------|-------------|
| [iam\_role\_arn](#output\_iam\_role\_arn) | ARN of IAM role |
| [iam\_role\_name](#output\_iam\_role\_name) | Name of IAM role |
| [iam\_role\_path](#output\_iam\_role\_path) | Path of IAM role |
| [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Unique ID of IAM role |