UPD: update iam-role module to support assume role policy

xpk 2024-09-27 10:45:20 +08:00
parent 8052a71995
commit 0d9b7d704b
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86
4 changed files with 52 additions and 56 deletions


@ -1,35 +1,23 @@
<!-- This readme file is generated with terraform-docs --> <!-- This readme file is generated with terraform-docs -->
Inline policy for IAM role is not supported by this module. Use managed policies instead.
## Requirements ## Requirements
No requirements. | Name | Version |
|------|---------|
| terraform | >= 1.3.0 |
| aws | >= 5.4.0 |
## Providers ## Providers
| Name | Version | | Name | Version |
|------|---------| |------|---------|
| aws | n/a | | aws | >= 5.4.0 |
## Modules ## Modules
No modules. No modules.
## Example
```hcl
module "role1" {
source = ".../SecurityIdentityCompliance/iam-role"
role-name = "${local.resource_prefix}-${var.application}-role1"
description = "IAM role for ${var.application}"
trusted-entity = "ec2.amazonaws.com"
create-instance-profile = true
managed-policy-arns = [
"arn:aws:iam::aws:policy/ReadOnlyAccess"
]
}
```
## Resources ## Resources
| Name | Type | | Name | Type |
@ -41,14 +29,13 @@ module "role1" {
| Name | Description | Type | Default | Required | | Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:| |------|-------------|------|---------|:--------:|
| assume-role-policy | The actual assume role policy if trusted-entity is not provided. | `string` | `null` | no |
| create-instance-profile | Determines whether instance profile will be created | `bool` | `false` | no | | create-instance-profile | Determines whether instance profile will be created | `bool` | `false` | no |
| description | Description of IAM role | `string` | n/a | yes | | description | Description of IAM role | `string` | n/a | yes |
| inline-policy | Inline policy content | `string` | `null` | no |
| inline-policy-name | Inline policy name | `string` | `null` | no |
| managed-policy-arns | List of managed policies to be attached to role | `list(string)` | `null` | no | | managed-policy-arns | List of managed policies to be attached to role | `list(string)` | `null` | no |
| path | Path of IAM role. Defaults to /Customer/ | `string` | `"/Customer/"` | no | | path | Path of IAM role. Defaults to /Customer/ | `string` | `"/Customer/"` | no |
| role-name | Name of IAM role | `string` | n/a | yes | | role-name | Name of IAM role | `string` | n/a | yes |
| trusted-entity | AWS service allowed to assume this role | `string` | n/a | yes | | trusted-entity | AWS service allowed to assume this role. Either this or assume-role-policy must be provided. | `string` | n/a | yes |
## Outputs ## Outputs
@ -61,4 +48,4 @@ module "role1" {
--- ---
## Authorship ## Authorship
This module was developed by xpk. This module was developed by xpk.


@ -1,14 +1,6 @@
resource "aws_iam_instance_profile" "this" { # Assume role policy can be provided as-is, or built using the trusted-entity variable
count = var.create-instance-profile ? 1 : 0 locals {
name = "${var.role-name}-profile" assume-role-policy = var.assume-role-policy != null ? var.assume-role-policy : jsonencode(
role = aws_iam_role.this.name
path = var.path
}
resource "aws_iam_role" "this" {
name = var.role-name
description = var.description
assume_role_policy = jsonencode(
{ {
"Version" : "2012-10-17", "Version" : "2012-10-17",
"Statement" : [ "Statement" : [
@ -24,11 +16,25 @@ resource "aws_iam_role" "this" {
] ]
} }
) )
}
resource "aws_iam_instance_profile" "this" {
count = var.create-instance-profile ? 1 : 0
name = "${var.role-name}-profile"
role = aws_iam_role.this.name
path = var.path
}
resource "aws_iam_role" "this" {
name = var.role-name
description = var.description
assume_role_policy = local.assume-role-policy
managed_policy_arns = var.managed-policy-arns managed_policy_arns = var.managed-policy-arns
force_detach_policies = true force_detach_policies = true
path = var.path path = var.path
inline_policy { # disable use of inline policy
name = var.inline-policy-name # inline_policy {
policy = var.inline-policy # name = var.inline-policy-name
} # policy = var.inline-policy
# }
} }
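Review bot: When `assume-role-policy` is set, the `trusted-entity` value is silently ignored by the conditional in the `assume-role-policy` local, yet `trusted-entity` still has no default in variables.tf, so a caller must supply a value that is never used, and nothing rejects a caller that sets both or neither. Because the raw string now goes straight into `assume_role_policy`, the module no longer guarantees that the trust policy names only an AWS service principal; a caller can hand in any trust document, including one with a wildcard principal, so a comment such as `# assume-role-policy is used verbatim: the caller is responsible for reviewing the principals it trusts` above the local would make that shift explicit. A `lifecycle` precondition on `aws_iam_role.this` can enforce that exactly one of the two inputs is given, paired with a `default = null` on `trusted-entity`, since a variable `validation` block cannot reference another variable at the `>= 1.3.0` floor pinned in versions.tf. The `jsonencode` body of the local spans both hunks, so part of it is outside the shown lines, and the commented-out `inline_policy` block could be deleted outright now that the README documents inline policies as unsupported.
```hcl
resource "aws_iam_role" "this" {
  # … unchanged: name, description, assume_role_policy, managed_policy_arns, force_detach_policies, path …

  lifecycle {
    precondition {
      condition     = (var.trusted-entity != null) != (var.assume-role-policy != null)
      error_message = "Exactly one of trusted-entity or assume-role-policy must be set."
    }
  }
}
```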


@ -0,0 +1,9 @@
terraform {
required_version = ">= 1.3.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.4.0"
}
}
}


@ -15,30 +15,24 @@ variable "managed-policy-arns" {
default = null default = null
} }
variable role-name { variable "role-name" {
description = "Name of IAM role" description = "Name of IAM role"
type = string type = string
} }
variable path { variable "path" {
description = "Path of IAM role. Defaults to /Customer/" description = "Path of IAM role. Defaults to /Customer/"
type = string type = string
default = "/Customer/" default = "/Customer/"
} }
variable inline-policy-name { variable "trusted-entity" {
description = "Inline policy name" description = "AWS service allowed to assume this role. Either this or assume-role-policy must be provided."
type = string type = string
default = null
} }
variable inline-policy { variable "assume-role-policy" {
description = "Inline policy content" description = "The actual assume role policy if trusted-entity is not provided."
type = string type = string
default = null default = null
}
variable trusted-entity {
description = "AWS service allowed to assume this role"
type = string
} }
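Review bot: `trusted-entity` keeps no `default`, so it remains a required input even though its new description says either it or `assume-role-policy` suffices; a caller that only provides `assume-role-policy` fails with a missing-variable error before the module's logic is reached. Adding `default = null` makes the either/or contract in the description real. `assume-role-policy` is accepted as an arbitrary string; a `validation` block using `can(jsondecode(...))` rejects a malformed document at plan time with a module-level message rather than relying on whatever the provider reports. The exactly-one-of-the-two check cannot live in a `validation` block at the `>= 1.3.0` floor in versions.tf, because such blocks may only reference their own variable, so that part belongs in a precondition on the role resource.
```hcl
variable "trusted-entity" {
  # … unchanged: description, type …
  default     = null
}

variable "assume-role-policy" {
  # … unchanged: description, type, default …

  validation {
    condition     = var.assume-role-policy == null || can(jsondecode(var.assume-role-policy))
    error_message = "assume-role-policy must be a valid JSON policy document."
  }
}
```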