Terraform module for managing AWS IAM
The first example creates:
- 1 Role
- 1 Role Policy (inline)
- 1 Instance Profile
- 1 Policy (managed)
- 1 User
- 1 User Policy (inline)
- 1 Group
- 1 Group Policy (inline)
and adds the user to the group. The second example then attaches a managed policy, one that already exists or is created in a separate step, to the role.
Note: the inputs table below lists role_enabled and policy_enabled with a default of false; if terraform plan does not show the role or the managed policy, set them to true explicitly.
```hcl
module "iam" {
  source  = "github.com/ulfox/terraform-aws-iam.git?ref=v0.0.1"
  region  = "eu-north-1"
  profile = "sres"

  role_name = [
    "someRole",
  ]
  role_description = [
    "someDescription",
  ]
  # Trust policy: only the EC2 service may assume this role
  role_assume_role_policy = [
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Principal" : {
            "Service" : [
              "ec2.amazonaws.com"
            ]
          },
          "Action" : "sts:AssumeRole"
        }
      ]
    },
  ]
  role_tags = [
    {
      "Name" = "someName"
    }
  ]
  # Inline policy attached to the role
  role_policy = [
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Action" : [
            "sts:GetCallerIdentity"
          ],
          "Resource" : "*",
          "Effect" : "Allow"
        }
      ]
    }
  ]

  # Instance profile for the role
  profile_name = ["someProfileName"]

  # Managed policy (referenced by the attachment example below)
  policy = [
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Action" : [
            "sts:GetCallerIdentity"
          ],
          "Resource" : "*",
          "Effect" : "Allow"
        }
      ]
    },
  ]

  group_name = ["someGroupName"]
  group_policy = [
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Action" : [
            "sts:GetCallerIdentity"
          ],
          "Resource" : "*",
          "Effect" : "Allow"
        }
      ]
    },
  ]

  user_name = ["someUserA"]
  user_path = ["/"]
  user_policy_name = [
    "somePolicyName",
  ]
  user_policy = [
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Action" : [
            "sts:GetCallerIdentity"
          ],
          "Resource" : "*",
          "Effect" : "Allow"
        }
      ]
    },
  ]
  user_group_membership_groups = ["someGroupName"]
}
```
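The example above grants sts:GetCallerIdentity on Resource "*", which is harmless but not representative of a real policy. The following is an added example, not part of the module's README, that uses the same module inputs (all of them listed in the inputs table below) to express a least-privilege setup: a role whose trust policy names one user and requires MFA, an inline policy scoped to one bucket and one prefix, and a user carrying a permissions boundary. The account ID, bucket name, role name and boundary policy ARN are placeholders.

```hcl
# Added example (not the module author's code). Account ID 123456789012,
# bucket "example-app-logs" and the DeveloperBoundary policy are placeholders.
module "iam_least_privilege" {
  source  = "github.com/ulfox/terraform-aws-iam.git?ref=v0.0.1"
  region  = "eu-north-1"
  profile = "sres"

  # Listed in the inputs table with a default of false; set explicitly.
  role_enabled   = true
  policy_enabled = true

  role_name        = ["logReaderRole"]
  role_description = ["Read-only access to the application log prefix"]

  # Trust policy: exactly one principal, and only with an MFA-backed session.
  role_assume_role_policy = [
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Principal" : {
            "AWS" : "arn:aws:iam::123456789012:user/someUserA" # placeholder
          },
          "Action" : "sts:AssumeRole",
          "Condition" : {
            "Bool" : { "aws:MultiFactorAuthPresent" : "true" }
          }
        }
      ]
    }
  ]

  # Inline policy: list one bucket (restricted to one prefix), read that prefix.
  role_policy_name = ["logReaderPolicy"]
  role_policy = [
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Action" : ["s3:ListBucket"],
          "Resource" : "arn:aws:s3:::example-app-logs", # placeholder
          "Condition" : { "StringLike" : { "s3:prefix" : ["app/*"] } }
        },
        {
          "Effect" : "Allow",
          "Action" : ["s3:GetObject"],
          "Resource" : "arn:aws:s3:::example-app-logs/app/*" # placeholder
        }
      ]
    }
  ]

  role_tags                  = [{ "Name" = "logReaderRole", "Owner" = "sres" }]
  role_force_detach_policies = [true]

  # Human user: may only assume the role above, and a permissions boundary caps
  # whatever any later policy attachment tries to grant.
  user_name                 = ["someUserA"]
  user_path                 = ["/"]
  user_permissions_boundary = ["arn:aws:iam::123456789012:policy/DeveloperBoundary"] # placeholder
  user_policy_name          = ["assumeLogReader"]
  user_policy = [
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Action" : ["sts:AssumeRole"],
          "Resource" : "arn:aws:iam::123456789012:role/logReaderRole" # placeholder
        }
      ]
    }
  ]
}
```

The role ARN in the user policy is written out because a module block cannot reference its own outputs; if the user is created in a separate module call, use module.iam_least_privilege.role_arn[0] there instead. After terraform apply, aws sts get-caller-identity from an assumed session and an s3 ls against a path outside app/ are quick checks that the scoping holds.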
Attaching a managed policy to a role
- 1 Role Policy Attachment
Note: The policy can also be created and attached to the role in the same module call (see the first example). Per the inputs table, role_policy_attachment_name takes the name of the role and role_policy_attachment_role_arn takes the ARN of the policy to attach, so the outputs of the first example are wired as follows:
```hcl
module "iam_policy_attachment" {
  source  = "github.com/ulfox/terraform-aws-iam.git?ref=v0.0.1"
  region  = "eu-north-1"
  profile = "sres"

  # The role the policy should be applied to (role name)
  role_policy_attachment_name = [
    module.iam.role_name[0]
  ]
  # The ARN of the policy to apply
  role_policy_attachment_role_arn = [
    module.iam.policy_arn[0]
  ]
}
```
Requirements
| Name | Version |
|---|---|
| aws | >= 2.28.1 |

Providers
| Name | Version |
|---|---|
| aws | >= 2.28.1 |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| group_name | The group's name | list(string) | [] | no |
| group_name_prefix | Creates a unique name beginning with the specified prefix | list(string) | [] | no |
| group_path | Path in which to create the group | list(string) | [] | no |
| group_policy | The inline policy document for the group | any | null | no |
| group_policy_attachment_group_arn | The ARN of the policy you want to apply | list(string) | [] | no |
| group_policy_attachment_name | The group the policy should be applied to | list(string) | [] | no |
| group_policy_name | The name of the inline group policy | list(string) | [] | no |
| policy | The managed policy document | any | null | no |
| policy_description | Description of the IAM policy | list(string) | [] | no |
| policy_enabled | Enable IAM Policy | bool | false | no |
| policy_name | The name of the policy | list(string) | [] | no |
| policy_name_prefix | Creates a unique name beginning with the specified prefix | list(string) | [] | no |
| policy_path | Path in which to create the policy | list(string) | [] | no |
| profile | The AWS CLI profile the provider authenticates with | string | n/a | yes |
| profile_name | The instance profile's name | list(string) | [] | no |
| profile_name_prefix | Creates a unique name beginning with the specified prefix | list(string) | [] | no |
| profile_path | Path in which to create the instance profile | list(string) | [] | no |
| region | The AWS region in which resources are created | string | n/a | yes |
| role_assume_role_policy | The trust policy that grants an entity permission to assume the role | any | null | no |
| role_description | The description of the role | list(string) | [] | no |
| role_enabled | Enable IAM Role | bool | false | no |
| role_force_detach_policies | Force detaching any policies the role has before destroying it | list(bool) | [] | no |
| role_name | The name of the role | list(string) | [] | no |
| role_name_prefix | Creates a unique name beginning with the specified prefix | list(string) | [] | no |
| role_path | The path to the role | list(string) | [] | no |
| role_policy | The inline policy document for the role | any | null | no |
| role_policy_attachment_name | The role the policy should be applied to | list(string) | [] | no |
| role_policy_attachment_role_arn | The ARN of the policy you want to apply | list(string) | [] | no |
| role_policy_name | The name of the inline role policy | list(string) | [] | no |
| role_policy_name_prefix | Creates a unique name beginning with the specified prefix. Conflicts with role_policy_name | list(string) | [] | no |
| role_policy_role_name | The IAM role to attach the inline policy to | list(string) | [] | no |
| role_tags | Key-value map of tags for the IAM role | list(map(string)) | null | no |
| user_force_destroy | When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile or MFA devices | list(bool) | [] | no |
| user_name | The name of the user | list(string) | [] | no |
| user_path | The path to the user | list(string) | [] | no |
| user_permissions_boundary | The ARN of the policy that is used to set the permissions boundary for the user | list(string) | [] | no |
| user_policy | The inline policy document for the user | any | null | no |
| user_policy_attachment_arn | The ARN of the policy you want to apply | list(string) | [] | no |
| user_policy_attachment_name | The user the policy should be applied to | list(string) | [] | no |
| user_policy_id | IAM user to which to attach this policy | list(string) | [] | no |
| user_policy_name | The name of the inline user policy | list(string) | [] | no |
| user_policy_name_prefix | Creates a unique policy name beginning with the specified prefix | list(string) | [] | no |
| user_tags | Key-value map of tags for the IAM user | list(map(string)) | [] | no |
Outputs
| Name | Description |
|---|---|
| aws_iam_group_policy_arn | The ARN of the policy you want to apply |
| aws_iam_group_policy_attachment | The group the policy should be applied to |
| group_arn | The group ARN |
| group_id | The group ID |
| group_name | The group name |
| group_policy | The group to which the policy applies |
| group_policy_document | The policy document |
| group_policy_id | The group policy ID |
| group_policy_name | The policy name |
| group_unique_id | The group unique ID |
| policy_arn | The policy ARN |
| policy_attachment_id | The policy attachment ID |
| policy_attachment_name | The policy attachment name |
| policy_description | The policy description |
| policy_document | The policy document |
| policy_id | The policy ID |
| policy_name | The policy name |
| policy_path | The policy path |
| profile_arn | The instance profile ARN |
| profile_id | The instance profile ID |
| profile_name | The instance profile name |
| profile_path | The instance profile path |
| profile_role | The role attached to the instance profile |
| role_arn | The role ARN |
| role_description | The role description |
| role_id | The role ID |
| role_name | The role name |
| role_policy_document | The inline role policy document |
| role_policy_id | The inline role policy ID |
| role_policy_name | The inline role policy name |
| role_policy_role | The role the inline policy is attached to |
| role_unique_id | The role unique ID |
| user_arn | The user's ARN |
| user_name | The user's name |
| user_policy_id | The user policy ID, in the form user_name:user_policy_name |
| user_policy_name | The name of the inline user policy |
| user_unique_id | The user's unique ID |