Terraform modules to set up a few regularly used IAM resources.
Adds a role and instance profile for KMS access.
- [
kms_key_arn]: String(required): The ARN of the KMS key - [
environment]: String(required): How do you want to call your environment, this is helpful if you have more than 1 VPC.
- [
role_arn]: String: The Amazon Resource Name (ARN) specifying the role. - [
role_unique_id]: String: The stable and unique string identifying the role. - [
profile_id]: String: The instance profile's ID. - [
profile_arn]: String: The ARN assigned by AWS to the instance profile. - [
profile_name]: String: The instance profile's name. - [
policy_id]: String: The role policy ID. - [
policy_name]: String: The name of the policy. - [
policy_policy]: String: The policy document attached to the role. - [
policy_role]: String: The role to which this policy applies.
module "packer_role" {
source = "github.com/skyscrapers/terraform-iam//kms_role"
kms_key_arn = "${aws_kms_key.kms_key.arn}"
environment = "staging"
}Creates an IAM policy that allows usage of a KMS key.
- [
kms_key_arn]: String(required): The ARN of the KMS key - [
environment]: String(required): How do you want to call your environment, this is helpful if you have more than 1 VPC.
- [
iam_policy_id]: String: The generated policy id. - [
iam_policy_arn]: String: The generated policy ARN. - [
iam_policy_name]: String: The generated policy name.
module "packer_policy" {
source = "github.com/skyscrapers/terraform-iam//kms_policy"
kms_key_arn = "${aws_kms_key.kms_key.arn}"
environment = "staging"
}Adds a role and instance profile.
- [
project]: String(required): The name of the project. This is helpful if you have more than 1 project - [
environment]: String(required): How do you want to call your environment, this is helpful if you have more than 1 VPC. - [
function]: String(required): The function of that instance_profile. - [
aws_iam_role_policy]: String: The iam_role_policy for that instance. - [
aws_iam_role]: String(required): the iam_role for that profile.
- [
iam_id]: String: The role profile ID.
module "iam" {
source = "github.com/skyscrapers/terraform-iam//instance_profile?ref=27b7525e0b6bfaf1eb034daf941a8f44b052b904"
project = "${var.project}"
environment = "${var.environment}"
function = "${var.app_name}"
aws_iam_role = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sqs:*"
],
"Effect": "Allow",
"Resource": "${module.sqs.sqs_arn}"
}
]
}
EOF
}Add a role that can be attached to codedeploy deployment groups
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| region | Region where codedeploy will run in | string | "eu-west-1" |
no |
| Name | Description |
|---|---|
| role_arn | The Amazon Resource Name (ARN) specifying the role. |
| role_name | The name of the role. |
| role_unique_id | The stable and unique string identifying the role. |
module "codedeploy_role" {
source = "github.com/skyscrapers/terraform-iam//codedeploy_role"
region = "eu-west-1"
}
- [
user_names]: List(string)(required): List of users that needs to be created - [
pgp_key]: String(required): Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Used to encrypt the password for safe transport to the user.
- [
unique_ids]: List of the unique IDs assigned by AWS to the users - [
passwords]: List of the encrypted passwords, base64 encoded. An encrypted password may be decrypted using:terraform output password | base64 --decode | keybase pgp decrypt - [
arns]: List of the ARNs assigned by AWS to the users
module "iam_users" {
source = "github.com/skyscrapers/terraform-iam//user"
user_names = ["user1", "user2", "user3"]
pgp_key = "keybase:user"
}Add a role that can be attached to packer iam role to access the codedeploy s3 bucket to install the agent
- [
region]: String: The region of the codedeploy agent s3 bucket default to us-east-1
- [
iam_policy_arn]: String: The Amazon Resource Name (ARN) of the policy created. - [
iam_policy_name]: String: The name of the policy created. - [
iam_policy_id]: String: The id of the policy created.
module "packer_role" {
source = "github.com/skyscrapers/terraform-iam//kms_role"
kms_key_arn = "${aws_kms_key.kms_key.arn}"
environment = "staging"
}
module "codedeploy_packer_policy" {
source = "github.com/skyscrapers/terraform-iam//codedeploy_packer_policy"
}
resource "aws_iam_role_policy_attachment" "codedeploy_policy_attach_packer" {
role = "${module.packer_role.role_name}"
policy_arn = "${module.codedeploy_packer_policy.iam_policy_arn}"
}
Add a role that can be used by cloudcheckr to collect data and stats
- [
external_id]: String: The external_id provided in the cloudcheckr console
- [
role_arn]: String: The Amazon Resource Name (ARN) of the role created.
module "cloudcheckr_role" {
source = "github.com/skyscrapers/terraform-iam//cloudcheckr_role"
external_id = "..."
}Creates an IAM policy that allows sending metrics to CloudWatch. You must attach that policy to a role, user or group.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| name | Name to differentiate the policy name. Name will be autogenerated if omitted | string |
null |
no |
| Name | Description |
|---|---|
| iam_policy_arn | ARN of the Cloudwatch monitoring IAM policy |
| iam_policy_id | ID of the Cloudwatch monitoring IAM policy |
| iam_policy_name | Name of the Cloudwatch monitoring IAM policy |
module "iam_monitoring" {
source = "github.com/skyscrapers/terraform-iam//cloudwatch_monitoring_policy"
name = "my_project"
}
resource "aws_iam_role_policy_attachment" "cloudwatch_policy" {
role = aws_iam_role.my_role.name
policy_arn = module.iam_monitoring.iam_policy_arn
}Creates an IAM policy that allows usage of a Packer with AWS EC2 EBS volumes.
- [
packer_policy_id]: String: The generated policy id. - [
packer_policy_arn]: String: The generated policy ARN. - [
packer_policy_name]: String: The generated policy name.
module "packer_policy" {
source = "github.com/skyscrapers/terraform-iam//packer_policy"
}Creates an IAM user to be used to automate Terraform in CI. This terraform user will have admin access to the AWS account.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| environment | The environment where this user is deployed to. If not set or left empty, it'll fallback to terraform.workspace |
string | `` | no |
| pgp_key | Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists. Will be used to encrypt the secret access key of the created user |
string | - | yes |
| Name | Description |
|---|---|
| access_key_id | Access Key Id of the created terraform user |
| secret_access_key | The encrypted Secret Access Key of the created terraform user, base64 encoded |
| user_arn | The ARN assigned by AWS for this user |
| user_name | The user's name |
| user_path | Path in which the user is created |
| user_unique_id | The unique ID assigned by AWS |
module "terraform_ci_user" {
source = "github.com/skyscrapers/terraform-iam//terraform_ci"
pgp_key = "keybase:some_person_that_exists"
}Creates some base IAM roles:
adminwithAdministratorAccesspolicy attachedrowithReadOnlyAccesspolicy attached
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| admin_role_principal_ids | List of AWS principal ids (or ARNs) that'll be allowed to assume the admin role in the ops account | list | - | yes |
| readonly_role_principal_ids | List of AWS principal ids (or ARNs) that'll be allowed to assume the readonly role in the ops account | list | - | yes |
| roles_path | Path of the roles created | string | /ops/ | no |
| Name | Description |
|---|---|
| admin_role_arn | Admin role ARN |
| ro_role_arn | Readonly role ARN |
module "base_roles" {
source = "github.com/skyscrapers/terraform-iam//base_roles"
readonly_role_principal_ids = ["109034686754"]
admin_role_principals_arns = ["arn:aws:iam::109034686754:role/something"]
}