https://github.com/trussworks/terraform-aws-iam-user-group
Creates an IAM group with users where the group is only allowed to assume roles defined.
aws aws-iam terraform terraform-modules
Last synced: 6 months ago
- Host: GitHub
- URL: https://github.com/trussworks/terraform-aws-iam-user-group
- Owner: trussworks
- License: bsd-3-clause
- Created: 2019-09-11T00:34:20.000Z (about 6 years ago)
- Default Branch: main
- Last Pushed: 2023-11-02T17:53:08.000Z (almost 2 years ago)
- Last Synced: 2024-10-31T13:23:53.219Z (11 months ago)
- Topics: aws, aws-iam, terraform, terraform-modules
- Language: HCL
- Homepage: https://registry.terraform.io/modules/trussworks/iam-user-group
- Size: 36.1 KB
- Stars: 4
- Watchers: 9
- Forks: 7
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
This module creates an IAM group named after the "group_name" variable and intended to contain the IAM users listed in "user_list".
The group carries a single policy that permits nothing except assuming the IAM roles listed in the "allowed_roles" variable.
__NOTE__: At present you must use this module together with the "trussworks/mfa/aws" module to enforce MFA for the group this module creates.
__Philosophical note__: these groups should map 1:1 to IAM roles defined in your Terraform code. Those roles should be defined in a separate module that can be reused across the accounts in your AWS organization, so the same role name may exist in several accounts and the allowed roles are passed in as a variable.
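The following is an added example, not code from the module's README or from Truss, showing the pattern the notes above describe end to end: one role with an explicit trust policy, two users, and the module wired so the group may assume that role and nothing else. It assumes that "allowed_roles" takes role ARNs (the README does not say whether ARNs or names are expected), and the role name, user names and the MFA condition on the trust policy are constructed for the example; group-level MFA enforcement still belongs to the "trussworks/mfa/aws" module as the note says.

```hcl
# Added example (not from the module's README). Assumes allowed_roles takes
# role ARNs; role and user names below are constructed for illustration.

data "aws_caller_identity" "current" {}

# The role the group may assume. The README recommends keeping roles in a
# separate reusable module; it is inlined here to keep the example runnable.
data "aws_iam_policy_document" "engineers_trust" {
  statement {
    sid     = "AllowAssumeFromThisAccount"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }

    # Constructed hardening: only callers with a current MFA session may
    # assume the role, complementing the group-level MFA enforcement.
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

resource "aws_iam_role" "engineers" {
  name                 = "engineers" # constructed role name
  assume_role_policy   = data.aws_iam_policy_document.engineers_trust.json
  max_session_duration = 3600
}

# Users to place in the group (constructed names).
resource "aws_iam_user" "user" {
  for_each = toset(["alice", "bob"])
  name     = each.value
}

# The group: its only permission is sts:AssumeRole on the listed role ARNs.
module "engineers_group" {
  source  = "trussworks/iam-user-group/aws"
  version = "2.0.0"

  group_name    = "engineers"
  user_list     = [for u in aws_iam_user.user : u.name]
  allowed_roles = [aws_iam_role.engineers.arn]
}

output "engineers_group_name" {
  value = module.engineers_group.group_name
}
```

Because the group's policy grants only sts:AssumeRole, any change to what these users can do is made on the role's permission policies, not on the group; keeping "allowed_roles" short and reviewing it in code review is the control that prevents the group from quietly gaining access to additional roles.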
## Usage
```hcl
module "aws_iam_user_group" {
  source  = "trussworks/iam-user-group/aws"
  version = "2.0.0"

  user_list     = ["user1", "user2"]
  group_name    = "group-name"
  allowed_roles = []
}
```

## Usage example
```hcl
locals {
  user_list     = ["user1", "user2"]
  force_destroy = true
}

resource "aws_iam_user" "user" {
  for_each = toset(local.user_list)
  name     = each.value
}

module "aws_iam_user_group" {
  source  = "trussworks/iam-user-group/aws"
  version = "2.0.0"

  user_list     = values(aws_iam_user.user)[*].name
  group_name    = "group-name"
  allowed_roles = []
}
```

## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
| [aws](#requirement\_aws) | >= 3.0 |

## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 3.0 |

## Modules
No modules.
## Resources
| Name | Type |
|------|------|
| [aws_iam_group.user_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group) | resource |
| [aws_iam_group_membership.user_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_membership) | resource |
| [aws_iam_group_policy_attachment.assume_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
| [aws_iam_policy.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy_document.assume_role_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [allowed\_roles](#input\_allowed\_roles) | The roles that this group is allowed to assume. | `list(string)` | n/a | yes |
| [group\_name](#input\_group\_name) | The name of the group to be created. | `string` | n/a | yes |
| [user\_list](#input\_user\_list) | List of IAM users to add to the group. | `list(string)` | `[]` | no |

## Outputs
| Name | Description |
|------|-------------|
| [group\_name](#output\_group\_name) | The name of the created group. |