https://github.com/govtechsg/terraform-aws-cloud-assume-role
Set up IAM for GCC 2.0 custom roles to do role switching or assume roles for CLI access
- Host: GitHub
- URL: https://github.com/govtechsg/terraform-aws-cloud-assume-role
- Owner: GovTechSG
- License: mit
- Created: 2023-05-22T08:41:34.000Z (about 3 years ago)
- Default Branch: master
- Last Pushed: 2023-07-01T10:12:24.000Z (almost 3 years ago)
- Last Synced: 2025-07-19T17:47:57.355Z (11 months ago)
- Language: HCL
- Size: 17.6 KB
- Stars: 0
- Watchers: 9
- Forks: 0
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# terraform-aws-cloud-assume-role
Creates a custom IAM role that you assume through your GCC 2.0 cloud assume role.
```hcl
module "role-gcc" {
  source                   = "github.com/govtechsg/terraform-aws-cloud-assume-role" # inferred from the repository URL
  name                     = "my-cli-role"           # placeholder
  description              = "CLI access role"       # placeholder
  aws_region               = "ap-southeast-1"        # placeholder
  techpass_email_addresses = ["user@example.gov.sg"] # placeholder
  group_names              = ["gpcgr"]               # not listed in the Inputs table below
  # Run `aws iam list-roles --query "Roles[?starts_with(RoleName, 'AWSReservedSSO_agency_assume_local')].[RoleId]" --output text`
  agency_assume_local_role_id = "AXXXXXXXXXXXX"
  attach_policies = {
    "read-only-access" : "arn:aws:iam::aws:policy/ReadOnlyAccess",
  }
  managed_policies = {
    myPolicy = <<EOF
{ "Version": "2012-10-17", "Statement": [] }
EOF
  }
}
```

The `managed_policies` document is truncated in the original README; the empty-statement body above is only a placeholder that keeps the block parseable. `source` is inferred from the repository URL, and the `name`, `description`, `aws_region` and `techpass_email_addresses` values are placeholders for the inputs the table below marks as required.
## Requirements
No requirements.
## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | n/a |
## Modules
No modules.
## Resources
| Name | Type |
|------|------|
| [aws_iam_policy.managed_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.attach_custom_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.attach_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.managed_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.iam_trusted](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.trusted_accounts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [agency\_assume\_local\_role\_id](#input\_agency\_assume\_local\_role\_id) | your agency\_assume\_local role\_id, use `aws iam list-roles --query "Roles[?starts_with(RoleName, 'AWSReservedSSO_agency_assume_local')].[RoleId]" --output text` | `string` | n/a | yes |
| [attach\_policies](#input\_attach\_policies) | map(string) of existing policies to attach | `map(string)` | `{}` | no |
| [aws\_region](#input\_aws\_region) | aws region | `string` | n/a | yes |
| [custom\_policy](#input\_custom\_policy) | custom policy to be applied to role using the EOF syntax | `string` | `""` | no |
| [description](#input\_description) | description of the role | `string` | n/a | yes |
| [external\_id](#input\_external\_id) | external id condition for assume role | `string` | `""` | no |
| [managed\_policies](#input\_managed\_policies) | Custom policies to create as managed policies (not inline). | `map(string)` | `{}` | no |
| [max\_session\_duration](#input\_max\_session\_duration) | maximum session duration of the role in seconds, between 1 and 12 hours | `number` | `3600` | no |
| [name](#input\_name) | name of the role in aws console | `string` | n/a | yes |
| [path](#input\_path) | path of the role in aws console | `string` | `"/"` | no |
| [permissions\_boundary](#input\_permissions\_boundary) | ARN of permissions boundary policy to attach to role | `string` | `""` | no |
| [source\_ip\_addresses](#input\_source\_ip\_addresses) | Only allow assume-role calls coming from specific IPs; this rule is disabled if the list is empty. | `list(string)` | `[]` | no |
| [tags](#input\_tags) | A mapping of tags to assign to the resource | `map(string)` | `{}` | no |
| [techpass\_email\_addresses](#input\_techpass\_email\_addresses) | list of TechPass users' email addresses to allow use of this role | `list(string)` | n/a | yes |
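The `external_id`, `source_ip_addresses` and `max_session_duration` inputs are the trust-policy guardrails on the role. The script below is an added example, not code from this module: it audits the JSON that `aws iam get-role --role-name <name>` prints and reports which guardrails are missing. It assumes the module expresses `external_id` as an `sts:ExternalId` condition and `source_ip_addresses` as an `aws:SourceIp` condition (both standard IAM condition keys) and that `max_session_duration` becomes the role's `MaxSessionDuration`; the two sample `get-role` documents, the account ID and the role-name suffix are constructed placeholders.

```python
"""Audit an IAM role's trust policy for the guardrails this module exposes as inputs.

Added example, not part of terraform-aws-cloud-assume-role. Assumes external_id is
rendered as an sts:ExternalId condition and source_ip_addresses as aws:SourceIp.
"""
import ipaddress
import json

MIN_SESSION = 3600   # 1 hour, the module default for max_session_duration
MAX_SESSION = 43200  # 12 hours, the upper bound stated in the Inputs table
ASSUME_ACTIONS = {"sts:AssumeRole", "sts:*", "*"}


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows_any_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _ip_findings(idx, condition, expected_source_ips):
    """Flag a missing aws:SourceIp condition or CIDRs wider than the configured list."""
    found = _as_list(condition.get("IpAddress", {}).get("aws:SourceIp"))
    if not found:
        return [f"statement {idx}: source_ip_addresses configured but no aws:SourceIp condition"]
    expected = [ipaddress.ip_network(c, strict=False) for c in expected_source_ips]
    findings = []
    for cidr in found:
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(e.version == net.version and net.subnet_of(e) for e in expected):
            findings.append(f"statement {idx}: aws:SourceIp {cidr} is outside the configured source IPs")
    return findings


def audit_trust_policy(policy, max_session_duration, expect_external_id=None, expected_source_ips=()):
    """Return a list of findings; an empty list means every requested guardrail is present."""
    findings = []
    if not MIN_SESSION <= max_session_duration <= MAX_SESSION:
        findings.append(f"MaxSessionDuration {max_session_duration}s is outside 1 to 12 hours")
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not ASSUME_ACTIONS & set(_as_list(stmt.get("Action"))):
            continue  # not an AssumeRole grant (e.g. sts:TagSession on its own)
        if _allows_any_principal(stmt.get("Principal", {})):
            findings.append(f"statement {idx}: AssumeRole is allowed to any principal")
        condition = stmt.get("Condition", {})
        if expect_external_id is not None:
            ext = _as_list(condition.get("StringEquals", {}).get("sts:ExternalId"))
            if not ext:
                findings.append(f"statement {idx}: missing sts:ExternalId condition")
            elif expect_external_id not in ext:
                findings.append(f"statement {idx}: sts:ExternalId does not match the configured external_id")
        if expected_source_ips:
            findings.extend(_ip_findings(idx, condition, expected_source_ips))
    return findings


def audit_get_role_output(get_role_json, **guardrails):
    """Audit the JSON printed by `aws iam get-role --role-name <name>`."""
    role = json.loads(get_role_json)["Role"]
    return audit_trust_policy(role["AssumeRolePolicyDocument"], role["MaxSessionDuration"], **guardrails)


# Constructed sample of a role created with external_id and source_ip_addresses set.
# The account ID and the role-name suffix are placeholders; 203.0.113.0/24 is a documentation range.
HARDENED_ROLE = json.dumps({"Role": {
    "RoleName": "my-cli-role",
    "MaxSessionDuration": 3600,
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:role/AWSReservedSSO_agency_assume_local_PLACEHOLDER"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"sts:ExternalId": "example-external-id"},
                "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
            },
        }],
    },
}})

# Constructed sample of a role with none of the guardrails and an over-long session.
OPEN_ROLE = json.dumps({"Role": {
    "RoleName": "open-role",
    "MaxSessionDuration": 86400,
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
    },
}})

if __name__ == "__main__":
    guardrails = dict(expect_external_id="example-external-id", expected_source_ips=["203.0.113.0/24"])
    for label, doc in (("hardened", HARDENED_ROLE), ("open", OPEN_ROLE)):
        print(label, audit_get_role_output(doc, **guardrails) or "OK")
```

Run it against real output by piping `aws iam get-role --role-name <name>` into `audit_get_role_output` with the same `external_id` and `source_ip_addresses` values you passed to the module; any finding is a drift between the intended and the deployed trust policy.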
## Outputs
| Name | Description |
|------|-------------|
| [arn](#output\_arn) | arn of the role |
| [create\_date](#output\_create\_date) | date on which the role was created |
| [custom\_policy\_arn](#output\_custom\_policy\_arn) | ARN of the custom policy |
| [custom\_policy\_id](#output\_custom\_policy\_id) | id of the custom policy |
| [custom\_policy\_name](#output\_custom\_policy\_name) | name of the custom policy |
| [description](#output\_description) | description of the role |
| [id](#output\_id) | id of the role |
| [name](#output\_name) | name of the role |
| [role\_session\_duration](#output\_role\_session\_duration) | maximum duration the role can be assumed for |
| [unique\_id](#output\_unique\_id) | unique id of the role |