
Terraform IAM Modules
https://github.com/skyscrapers/terraform-iam

aws iam terraform terraform-iam-modules terraform-modules


README

# terraform-iam

Terraform modules to set up a few regularly used IAM resources.

## kms_role

Adds a role and instance profile for KMS access.

### Available variables

* [`kms_key_arn`]: String(required): The ARN of the KMS key.
* [`environment`]: String(required): The name of your environment; this is helpful if you have more than one VPC.

### Output

* [`role_arn`]: String: The Amazon Resource Name (ARN) specifying the role.
* [`role_unique_id`]: String: The stable and unique string identifying the role.
* [`profile_id`]: String: The instance profile's ID.
* [`profile_arn`]: String: The ARN assigned by AWS to the instance profile.
* [`profile_name`]: String: The instance profile's name.
* [`policy_id`]: String: The role policy ID.
* [`policy_name`]: String: The name of the policy.
* [`policy_policy`]: String: The policy document attached to the role.
* [`policy_role`]: String: The role to which this policy applies.

### Example

```tf
module "packer_role" {
  source      = "github.com/skyscrapers/terraform-iam//kms_role"
  kms_key_arn = "${aws_kms_key.kms_key.arn}"
  environment = "staging"
}
```

## kms_policy

Creates an IAM policy that allows usage of a KMS key.

### Available variables

* [`kms_key_arn`]: String(required): The ARN of the KMS key.
* [`environment`]: String(required): The name of your environment; this is helpful if you have more than one VPC.

### Output

* [`iam_policy_id`]: String: The generated policy id.
* [`iam_policy_arn`]: String: The generated policy ARN.
* [`iam_policy_name`]: String: The generated policy name.

### Example

```tf
module "packer_policy" {
  source      = "github.com/skyscrapers/terraform-iam//kms_policy"
  kms_key_arn = "${aws_kms_key.kms_key.arn}"
  environment = "staging"
}
```

## instance_profile

Adds a role and instance profile.

### Available variables

* [`project`]: String(required): The name of the project. This is helpful if you have more than one project.
* [`environment`]: String(required): The name of your environment; this is helpful if you have more than one VPC.
* [`function`]: String(required): The function of this instance profile.
* [`aws_iam_role_policy`]: String: The IAM role policy for that instance.
* [`aws_iam_role`]: String(required): The IAM role for that profile.

### Output

* [`iam_id`]: String: The role profile ID.

### Example

```tf
module "iam" {
  source      = "github.com/skyscrapers/terraform-iam//instance_profile?ref=27b7525e0b6bfaf1eb034daf941a8f44b052b904"
  project     = "${var.project}"
  environment = "${var.environment}"
  function    = "${var.app_name}"

  aws_iam_role = ...
}
```

## sso

### Providers

| Name | Version |
|------|---------|
| [aws](#provider\_aws) | n/a |

### Modules

No modules.

### Resources

| Name | Type |
|------|------|
| [aws_ssoadmin_account_assignment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_account_assignment) | resource |
| [aws_ssoadmin_managed_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_managed_policy_attachment) | resource |
| [aws_ssoadmin_permission_set.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set) | resource |
| [aws_ssoadmin_permission_set_inline_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set_inline_policy) | resource |
| [aws_iam_policy_document.combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.eks_viewer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_identitystore_group.groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_group) | data source |

### Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [permission\_sets](#input\_permission\_sets) | n/a | `map(object({ description = string, group = string, managed_policies = list(string), inline_policies = list(string), eks_access = bool, account_ids = list(string) }))` | n/a | yes |
| [sso\_instance\_arn](#input\_sso\_instance\_arn) | n/a | `string` | n/a | yes |
| [sso\_instance\_id](#input\_sso\_instance\_id) | n/a | `string` | n/a | yes |
| [default\_ps\_session\_duration](#input\_default\_ps\_session\_duration) | n/a | `string` | `"PT8H"` | no |

### Outputs

| Name | Description |
|------|-------------|
| [account\_assignments](#output\_account\_assignments) | n/a |
| [permission\_set\_arns](#output\_permission\_set\_arns) | n/a |

### Example

```tf
data "aws_ssoadmin_instances" "main" {}

module "sso_config" {
  source = "github.com/skyscrapers/terraform-iam//sso"

  permission_sets = {
    Developer = {
      description      = "Non-privileged developer users"
      group            = "Developers"
      eks_access       = true
      managed_policies = [
        "arn:aws:iam::aws:policy/ViewOnlyAccess"
      ]
      inline_policies = [
        data.aws_iam_policy_document.s3_access.json
      ]
      account_ids = [
        "012345678912",
        "987654321098",
      ]
    }
    ...
  }
  sso_instance_arn = tolist(data.aws_ssoadmin_instances.main.arns)[0]
  sso_instance_id  = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0]
}
```

From the above:

* `group` maps to the SSO group this Permission Set is assigned to. See the [Design considerations](#design-considerations) section below, which matters here.
* `eks_access`: if the Permission Set is going to be mapped into K8s RBAC, it needs read access to the EKS AWS service. Setting this flag adds that access.
* `managed_policies`: list of AWS managed policy ARNs.
* `inline_policies`: list of policies to attach inline to the Permission Set. These must be references to policies defined as `aws_iam_policy_document` data sources. Note that a Permission Set can only have a single inline policy, but you can list several here: the module merges them into one.
* `account_ids`: the AWS account IDs where the Permission Set is assigned to the given group.
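One way the single inline policy can be assembled from several documents, together with the kind of EKS read-only statement that `eks_access` adds, as an added illustration that is not the module's own code. It assumes a recent AWS provider (for `source_policy_documents`) and a hypothetical set of variables; the module's real merge logic may differ.

```hcl
# Added example, not the module's code. Shows one way to fold several
# policy documents into the single inline policy a Permission Set accepts.
variable "sso_instance_arn" { type = string }

variable "inline_policies" {
  description = "JSON policy documents to merge into the inline policy"
  type        = list(string)
  default     = []
}

variable "eks_access" {
  type    = bool
  default = true
}

# Read-only EKS API access so the SSO role can discover clusters before
# Kubernetes RBAC decides what the user may actually do inside them.
data "aws_iam_policy_document" "eks_viewer" {
  statement {
    sid       = "EKSViewOnly"
    actions   = ["eks:DescribeCluster", "eks:ListClusters"]
    resources = ["*"]
  }
}

# source_policy_documents merges whole documents into one. Statement Sids
# must be unique across all sources; duplicates are rejected at plan time.
data "aws_iam_policy_document" "combined" {
  source_policy_documents = concat(
    var.inline_policies,
    var.eks_access ? [data.aws_iam_policy_document.eks_viewer.json] : [],
  )
}

resource "aws_ssoadmin_permission_set" "this" {
  name             = "Developer"
  instance_arn     = var.sso_instance_arn
  session_duration = "PT8H"
}

# Exactly one inline policy per Permission Set: attach the merged document.
resource "aws_ssoadmin_permission_set_inline_policy" "this" {
  instance_arn       = var.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
  inline_policy      = data.aws_iam_policy_document.combined.json
}
```

With `inline_policies` empty and `eks_access = false` the merged document has no statements and the attachment fails at apply, so give the Permission Set at least one statement or skip the inline policy resource in that case.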

### Design considerations

For each Permission Set that is assigned to an account, AWS SSO creates an IAM role in that account. For example, if the `Developer` Permission Set is used in an account for one or more groups, AWS will create an IAM role named `AWSReservedSSO_Developer_1234567890...` in that account.

We use IAM roles in each of the infrastructure accounts to authenticate to Kubernetes (EKS) clusters, and these roles are mapped to internal K8s groups that are then used to assign different RBAC permissions.

To grant meaningful RBAC permissions in K8s to users, the IAM role used must identify the group the user belongs to. This is why we decided to map each SSO group to a single Permission Set with the same name. This way the group a user belongs to is carried over to the K8s authorization level, and the correct RBAC permissions can be assigned to each group.
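The last step of that chain, as an added example that is not part of this README: find the IAM role SSO created for the `Developer` Permission Set and map it to a Kubernetes group in the `aws-auth` ConfigMap. It assumes a `kubernetes` provider already configured against the cluster and a recent AWS provider (for `aws_iam_roles`); the group name `developers` and the username format are assumptions.

```hcl
# Added example, not the module's code: bind the SSO-generated IAM role to
# a Kubernetes group so RBAC can be granted per SSO group.

# AWS SSO appends a random suffix to the role name, so look it up by
# prefix under the path SSO uses (the path may also include a region).
data "aws_iam_roles" "developer_sso" {
  name_regex  = "AWSReservedSSO_Developer_.*"
  path_prefix = "/aws-reserved/sso.amazonaws.com/"
}

data "aws_caller_identity" "current" {}

locals {
  # aws-auth only matches ARNs without the role path, so rebuild the ARN
  # from the bare role name instead of using the ARN the data source returns.
  developer_role_arn = format(
    "arn:aws:iam::%s:role/%s",
    data.aws_caller_identity.current.account_id,
    one(data.aws_iam_roles.developer_sso.names),
  )
}

resource "kubernetes_config_map_v1_data" "aws_auth" {
  metadata {
    name      = "aws-auth"
    namespace = "kube-system"
  }
  force = true # take ownership of mapRoles from whatever created it

  data = {
    mapRoles = yamlencode([
      {
        rolearn = local.developer_role_arn
        # Keep the SSO session name in the username so audit logs show
        # who acted, not just which Permission Set was used.
        username = "developer:{{SessionName}}"
        groups   = ["developers"]
      },
    ])
  }
}
```

`one()` fails the plan if the lookup matches zero or several roles, which is the safe outcome: a silently unmatched `rolearn` would leave the group without access rather than over-grant, but it would also be hard to notice.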