
terraform-aws-iam-cross-acct-src

End of Life notice

This module is no longer in active development because we have switched from role-chaining to direct role assumption. See the terraform-layout-example for our implementation.


This module creates an IAM role named after the iam_role_name variable. That role should correspond 1:1 with an IAM group, but associating the role with the group (for example, granting the group permission to assume it) happens outside this module.

Optional: If you set both destination_account_ids and destination_group_role, the module also creates an IAM policy granting the role sts:AssumeRole on the role named destination_group_role in each of the destination_account_ids, and attaches it to the role. If either input is left empty, the module still creates the IAM role but attaches no policy to it.

Any permissions this group needs in the source account itself should be defined as a separate IAM policy in that account and attached to the role created here.

By default (require_mfa = true) the module requires an MFA-authenticated session in order to assume the created role.

Philosophical note: There should be a single account in your AWS organization that manages users and groups. In that account, groups map 1:1 to roles, and this module creates that role. The role's main purpose is to hold the AssumeRole permissions into the other accounts in the organization that have roles corresponding to this group. The role defined in this module is one of the roles that can be assumed by the role in the original user-management account.
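As an added illustration, not the module's own source, the following plain Terraform spells out what the inputs described above correspond to on the source-account side, together with the trust policy the matching role in each destination account needs for the chain to work. The placeholder account IDs, the local names, and the placement of the MFA condition on the source role's trust policy are assumptions made for this example.

```hcl
# Added example, not the module's source. Shows the resources that the inputs
# iam_role_name, destination_account_ids, destination_group_role and require_mfa
# described above map to. Account IDs are placeholders; putting the MFA
# condition on the source role's trust policy is an assumption.

data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}

locals {
  iam_role_name           = "infra"                          # var.iam_role_name
  destination_account_ids = ["111111111111", "222222222222"] # var.destination_account_ids (placeholders)
  destination_group_role  = "infra"                          # var.destination_group_role
  require_mfa             = true                             # var.require_mfa
  create_assume_policy    = length(local.destination_account_ids) > 0 && local.destination_group_role != ""
}

# Trust policy for the source role: principals in this (user-management) account
# may assume it, and only from an MFA-authenticated session when require_mfa is true.
data "aws_iam_policy_document" "source_trust" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"]
    }

    # Emitted only when require_mfa = true; require_mfa = false drops the condition.
    dynamic "condition" {
      for_each = local.require_mfa ? [true] : []
      content {
        test     = "Bool"
        variable = "aws:MultiFactorAuthPresent"
        values   = ["true"]
      }
    }
  }
}

resource "aws_iam_role" "source" {
  name               = local.iam_role_name
  assume_role_policy = data.aws_iam_policy_document.source_trust.json
}

# Permission policy: allow the source role to assume the same-named role in each
# destination account. Skipped entirely when the destination inputs are empty.
data "aws_iam_policy_document" "assume_destination" {
  count = local.create_assume_policy ? 1 : 0

  statement {
    actions = ["sts:AssumeRole"]
    resources = [
      for id in local.destination_account_ids :
      "arn:${data.aws_partition.current.partition}:iam::${id}:role/${local.destination_group_role}"
    ]
  }
}

resource "aws_iam_policy" "assume_destination" {
  count  = local.create_assume_policy ? 1 : 0
  name   = "${local.iam_role_name}-assume-${local.destination_group_role}"
  policy = data.aws_iam_policy_document.assume_destination[0].json
}

resource "aws_iam_role_policy_attachment" "assume_destination" {
  count      = local.create_assume_policy ? 1 : 0
  role       = aws_iam_role.source.name
  policy_arn = aws_iam_policy.assume_destination[0].arn
}

# Destination-account side (apply with a provider aliased to that account): the
# role named destination_group_role must trust the source role's ARN, or the
# chained AssumeRole is denied even though the source-side policy allows the call.
data "aws_iam_policy_document" "destination_trust" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.source.arn]
    }
  }
}
```

Two practical checks follow from this layout. First, the Bool condition means the first hop must be made from an MFA-backed session (for the CLI, an aws sts assume-role call with --serial-number and --token-code, or a profile configured with mfa_serial), otherwise the trust policy denies it. Second, keep the MFA requirement on the source role rather than on the destination roles: the second hop is made with the source role's session credentials, and unless MFA is presented again on that call the request does not carry the user's MFA context, so an aws:MultiFactorAuthPresent condition on the destination side would deny the chain.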

Usage

module "aws_iam_src_user_group_role" {
  source  = "trussworks/iam-cross-acct-src/aws"
  version = "1.0.0"

  iam_role_name           = "group-name"
  destination_account_ids = ["account-id"]
  # Input name matches the Inputs table below; an earlier revision of this
  # snippet used destination_account_role_name, which the module does not accept.
  destination_group_role = "group-name"
}

Example usage with cross-account role assumption permission

data "aws_partition" "current" {}

module "infra_group_role" {
  source  = "trussworks/iam-cross-acct-src/aws"
  version = "1.0.0"

  # Required: name of the role created in this (source) account.
  iam_role_name           = "infra"
  destination_account_ids = ["ACCOUNT-ID-1", "ACCOUNT-ID-2"]
  destination_group_role  = "infra"
}

# Module for user group creation. Does not create users.
module "infra_group" {
  source  = "trussworks/iam-user-group/aws"
  version = "1.0.1"

  user_list = ["user1", "user2", "user3"]
  # Reference the module's documented output name (iam_role_arn).
  allowed_roles = [module.infra_group_role.iam_role_arn]
  # group_name is the iam-user-group module's own input for the group to create.
  group_name = "infra"
}

# Additional policy for local account management
resource "aws_iam_role_policy_attachment" "infra_local_policy_attachment" {
  # Reference the module's documented output name (iam_role_name).
  role       = module.infra_group_role.iam_role_name
  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/PowerUserAccess"
}

Example usage without cross-account role assumption permission or MFA requirement

data "aws_partition" "current" {}

module "infra_group_role" {
  source  = "trussworks/iam-cross-acct-src/aws"
  version = "1.0.0"

  # Required: name of the role created in this (source) account.
  iam_role_name = "infra"
  # No destination inputs, so no AssumeRole policy is created; and no MFA
  # condition is placed on the role. Only do this when a local policy is the
  # sole thing the role will ever carry.
  require_mfa = false
}

# Module for user group creation. Does not create users.
module "infra_group" {
  source  = "trussworks/iam-user-group/aws"
  version = "1.0.1"

  user_list = ["user1", "user2", "user3"]
  # Reference the module's documented output name (iam_role_arn).
  allowed_roles = [module.infra_group_role.iam_role_arn]
  # group_name is the iam-user-group module's own input for the group to create.
  group_name = "infra"
}

# Additional policy for local account management
resource "aws_iam_role_policy_attachment" "infra_local_policy_attachment" {
  # Reference the module's documented output name (iam_role_name).
  role       = module.infra_group_role.iam_role_name
  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/PowerUserAccess"
}

Requirements

Name        Version
terraform   ~> 0.12.0
aws         ~> 2.70

Providers

Name   Version
aws    ~> 2.70

Inputs

Name                     Description                                                                         Type     Default   Required
destination_account_ids  The account IDs containing the destination role to be assumed.                     list     []        no
destination_group_role   The name of the role to be assumed in each destination account. Again, this         string   ""        no
                         should correspond to a group.
iam_role_name            The name of the role created in this account. Conceptually, this should            string   n/a       yes
                         correspond to a group.
require_mfa              Whether assuming the created role requires an MFA-authenticated session.            bool     true      no

Outputs

Name            Description
iam_role_arn    The ARN of the created role.
iam_role_name   The name of the created role.

Contributors

chrisgilmerproj, eeeady, jsclarridge, kilbergr, mdawn, rpdelaney
