diff --git a/modules/security_identity_compliance/iam-role/LICENSE b/modules/security_identity_compliance/iam-role/LICENSE
new file mode 100644
index 0000000..b64d22a
--- /dev/null
+++ b/modules/security_identity_compliance/iam-role/LICENSE
@@ -0,0 +1,12 @@
+BSD Zero Clause License
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
\ No newline at end of file
diff --git a/modules/security_identity_compliance/iam-role/README.md b/modules/security_identity_compliance/iam-role/README.md
new file mode 100644
index 0000000..efceea4
--- /dev/null
+++ b/modules/security_identity_compliance/iam-role/README.md
@@ -0,0 +1,64 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Modules
+
+No modules.
+
+## Example
+
+```hcl
+module "role1" {
+ source = ".../SecurityIdentityCompliance/iam-role"
+
+ role-name = "${local.resource_prefix}-${var.application}-role1"
+ description = "IAM role for ${var.application}"
+ trusted-entity = "ec2.amazonaws.com"
+ create-instance-profile = true
+
+ managed-policy-arns = [
+ "arn:aws:iam::aws:policy/ReadOnlyAccess"
+ ]
+}
+```
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_instance_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
+| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| create-instance-profile | Determines whether instance profile will be created | `bool` | `false` | no |
+| description | Description of IAM role | `string` | n/a | yes |
+| inline-policy | Inline policy content | `string` | `null` | no |
+| inline-policy-name | Inline policy name | `string` | `null` | no |
+| managed-policy-arns | List of managed policies to be attached to role | `list(string)` | `null` | no |
+| path | Path of IAM role. Defaults to /Customer/ | `string` | `"/Customer/"` | no |
+| role-name | Name of IAM role | `string` | n/a | yes |
+| trusted-entity | AWS service allowed to assume this role | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| instance-profile-arn | ARN of IAM instance profile |
+| name | Name of IAM role |
+| profile-name | Name of IAM instance profile |
+| role-arn | IAM role ARN |
+
+---
+## Authorship
+This module was developed by xpk.
diff --git a/modules/security_identity_compliance/iam-role/main.tf b/modules/security_identity_compliance/iam-role/main.tf
new file mode 100644
index 0000000..8c4eead
--- /dev/null
+++ b/modules/security_identity_compliance/iam-role/main.tf
@@ -0,0 +1,34 @@
+resource "aws_iam_instance_profile" "this" {
+ count = var.create-instance-profile ? 1 : 0
+ name = "${var.role-name}-profile"
+ role = aws_iam_role.this.name
+ path = var.path
+}
+
+resource "aws_iam_role" "this" {
+ name = var.role-name
+ description = var.description
+ assume_role_policy = jsonencode(
+ {
+ "Version" : "2012-10-17",
+ "Statement" : [
+ {
+ "Effect" : "Allow",
+ "Principal" : {
+ "Service" : [
+ var.trusted-entity
+ ]
+ },
+ "Action" : "sts:AssumeRole"
+ }
+ ]
+ }
+ )
+ managed_policy_arns = var.managed-policy-arns
+ force_detach_policies = true
+ path = var.path
+ inline_policy {
+ name = var.inline-policy-name
+ policy = var.inline-policy
+ }
+}
\ No newline at end of file
diff --git a/modules/security_identity_compliance/iam-role/outputs.tf b/modules/security_identity_compliance/iam-role/outputs.tf
new file mode 100644
index 0000000..c325bea
--- /dev/null
+++ b/modules/security_identity_compliance/iam-role/outputs.tf
@@ -0,0 +1,19 @@
+output "profile-name" {
+ description = "Name of IAM instance profile"
+ value = aws_iam_instance_profile.this[*].name
+}
+
+output "role-arn" {
+ description = "IAM role ARN"
+ value = aws_iam_role.this.arn
+}
+
+output "name" {
+ description = "Name of IAM role"
+ value = aws_iam_role.this.name
+}
+
+output "instance-profile-arn" {
+ description = "ARN of IAM instance profile"
+ value = aws_iam_instance_profile.this.*.arn
+}
\ No newline at end of file
diff --git a/modules/security_identity_compliance/iam-role/variables.tf b/modules/security_identity_compliance/iam-role/variables.tf
new file mode 100644
index 0000000..d2e4dae
--- /dev/null
+++ b/modules/security_identity_compliance/iam-role/variables.tf
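Review bot: The `inline_policy` block in aws_iam_role.this is declared unconditionally, so with `inline-policy-name` and `inline-policy` left at their null defaults the role carries what amounts to an empty `inline_policy {}`, which the AWS provider documents as "manage inline policies exclusively" (inline policies attached out of band are removed on apply), while `managed_policy_arns = null` leaves managed attachments unmanaged — the two policy kinds get opposite exclusivity semantics and the README does not mention either. If exclusivity is not the intent, a `dynamic "inline_policy"` keyed on `var.inline-policy` emits the block only when a document is supplied; if it is the intent, keep the empty block and document it in the README's inputs table. Separately, the trust policy grants `sts:AssumeRole` to the service principal with no `Condition`; for services that act on behalf of customer resources, an `aws:SourceAccount` / `aws:SourceArn` condition is the standard confused-deputy mitigation and could be exposed as an optional input. Recent AWS provider 5.x releases also appear to mark `inline_policy` and `managed_policy_arns` as deprecated in favour of separate policy/attachment resources, and no provider version constraint is declared here, so that migration is worth planning for.
```hcl
resource "aws_iam_role" "this" {
  # … unchanged: name, description, assume_role_policy, managed_policy_arns, force_detach_policies, path …

  # Declare the inline policy only when one is supplied; an empty
  # inline_policy {} would otherwise make Terraform strip inline
  # policies attached outside this module.
  dynamic "inline_policy" {
    for_each = var.inline-policy == null ? [] : [var.inline-policy]
    content {
      name   = var.inline-policy-name
      policy = inline_policy.value
    }
  }
}
```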
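Review bot: `profile-name` and `instance-profile-arn` use two different splat forms (`[*]` on the first, the legacy attribute-only `.*` on the last) and both evaluate to a list because aws_iam_instance_profile.this is count-indexed, so callers receive `[]` or a one-element list rather than the single name/ARN the output descriptions imply. Unifying on `value = one(aws_iam_instance_profile.this[*].name)` and `value = one(aws_iam_instance_profile.this[*].arn)` yields the string, or `null` when `create-instance-profile` is false, and retires the legacy splat; `one()` requires Terraform 0.15+, which the module does not pin, so a `required_version` constraint should accompany it.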
@@ -0,0 +1,44 @@
+variable "create-instance-profile" {
+ description = "Determines whether instance profile will be created"
+ type = bool
+ default = false
+}
+
+variable "description" {
+ description = "Description of IAM role"
+ type = string
+}
+
+variable "managed-policy-arns" {
+ description = "List of managed policies to be attached to role"
+ type = list(string)
+ default = null
+}
+
+variable role-name {
+ description = "Name of IAM role"
+ type = string
+}
+
+variable path {
+ description = "Path of IAM role. Defaults to /Customer/"
+ type = string
+ default = "/Customer/"
+}
+
+variable inline-policy-name {
+ description = "Inline policy name"
+ type = string
+ default = null
+}
+
+variable inline-policy {
+ description = "Inline policy content"
+ type = string
+ default = null
+}
+
+variable trusted-entity {
+ description = "AWS service allowed to assume this role"
+ type = string
+}
\ No newline at end of file
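Review bot: `trusted-entity` is interpolated straight into the trust policy's `Principal.Service` with no `validation` block, so a typo or a non-service value surfaces only as an apply-time IAM error or as a role nothing can assume; a plan-time check that the value looks like a service principal gives an early, clear failure. `inline-policy` likewise accepts any string, and `condition = var.inline-policy == null || can(jsondecode(var.inline-policy))` in a validation would reject malformed policy documents before they reach IAM. As a point of style, the first three `variable` labels are quoted (`variable "description" {`) while the remaining five are bare (`variable role-name {`); both parse, but the documented form is quoted and the hunk should use one convention throughout.
```hcl
variable "trusted-entity" {
  description = "AWS service allowed to assume this role"
  type        = string

  validation {
    # Expect a service principal such as ec2.amazonaws.com; widen the
    # pattern if other partitions (e.g. .amazonaws.com.cn) are in scope.
    condition     = can(regex("^[a-z0-9.-]+\\.amazonaws\\.com$", var.trusted-entity))
    error_message = "trusted-entity must be an AWS service principal such as ec2.amazonaws.com."
  }
}
```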