NEW: iam-role terraform module

2024-09-26 09:10:20 +08:00 · 2024-09-26 09:10:20 +08:00 · 8052a71995
commit 8052a71995
parent 52cc5dae19
5 changed files with 173 additions and 0 deletions
--- a/modules/security_identity_compliance/iam-role/LICENSE
+++ b/modules/security_identity_compliance/iam-role/LICENSE
@ -0,0 +1,12 @@
+BSD Zero Clause License
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
--- a/modules/security_identity_compliance/iam-role/README.md
+++ b/modules/security_identity_compliance/iam-role/README.md
@ -0,0 +1,64 @@
+<!-- This readme file is generated with terraform-docs -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Modules
+
+No modules.
+
+## Example
+
+```hcl
+module "role1" {
+  source = ".../SecurityIdentityCompliance/iam-role"
+
+  role-name               = "${local.resource_prefix}-${var.application}-role1"
+  description             = "IAM role for ${var.application}"
+  trusted-entity          = "ec2.amazonaws.com"
+  create-instance-profile = true
+
+  managed-policy-arns = [
+    "arn:aws:iam::aws:policy/ReadOnlyAccess"
+  ]
+}
+```
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_instance_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
+| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| create-instance-profile | Determines whether instance profile will be created | `bool` | `false` | no |
+| description | Description of IAM role | `string` | n/a | yes |
+| inline-policy | Inline policy content | `string` | `null` | no |
+| inline-policy-name | Inline policy name | `string` | `null` | no |
+| managed-policy-arns | List of managed policies to be attached to role | `list(string)` | `null` | no |
+| path | Path of IAM role. Defaults to /Customer/ | `string` | `"/Customer/"` | no |
+| role-name | Name of IAM role | `string` | n/a | yes |
+| trusted-entity | AWS service allowed to assume this role | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| instance-profile-arn | ARN of IAM instance profile |
+| name | Name of IAM role |
+| profile-name | Name of IAM instance profile |
+| role-arn | IAM role ARN |
+ 
+---
+## Authorship
+This module was developed by xpk.
--- a/modules/security_identity_compliance/iam-role/main.tf
+++ b/modules/security_identity_compliance/iam-role/main.tf
@ -0,0 +1,34 @@
+resource "aws_iam_instance_profile" "this" {
+  count = var.create-instance-profile ? 1 : 0
+  name  = "${var.role-name}-profile"
+  role  = aws_iam_role.this.name
+  path  = var.path
+}
+
+resource "aws_iam_role" "this" {
+  name                  = var.role-name
+  description           = var.description
+  assume_role_policy    = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Effect" : "Allow",
+          "Principal" : {
+            "Service" : [
+              var.trusted-entity
+            ]
+          },
+          "Action" : "sts:AssumeRole"
+        }
+      ]
+    }
+  )
+  managed_policy_arns   = var.managed-policy-arns
+  force_detach_policies = true
+  path                  = var.path
+  inline_policy {
+    name   = var.inline-policy-name
+    policy = var.inline-policy
+  }
+}
--- a/modules/security_identity_compliance/iam-role/outputs.tf
+++ b/modules/security_identity_compliance/iam-role/outputs.tf
@ -0,0 +1,19 @@
+output "profile-name" {
+  description = "Name of IAM instance profile"
+  value       = aws_iam_instance_profile.this[*].name
+}
+
+output "role-arn" {
+  description = "IAM role ARN"
+  value       = aws_iam_role.this.arn
+}
+
+output "name" {
+  description = "Name of IAM role"
+  value       = aws_iam_role.this.name
+}
+
+output "instance-profile-arn" {
+  description = "ARN of IAM instance profile"
+  value       = aws_iam_instance_profile.this.*.arn
+}
--- a/modules/security_identity_compliance/iam-role/variables.tf
+++ b/modules/security_identity_compliance/iam-role/variables.tf
@ -0,0 +1,44 @@
+variable "create-instance-profile" {
+  description = "Determines whether instance profile will be created"
+  type        = bool
+  default     = false
+}
+
+variable "description" {
+  description = "Description of IAM role"
+  type        = string
+}
+
+variable "managed-policy-arns" {
+  description = "List of managed policies to be attached to role"
+  type        = list(string)
+  default     = null
+}
+
+variable role-name {
+  description = "Name of IAM role"
+  type = string
+}
+
+variable path {
+  description = "Path of IAM role. Defaults to /Customer/"
+  type = string
+  default = "/Customer/"
+}
+
+variable inline-policy-name {
+  description = "Inline policy name"
+  type = string
+  default = null
+}
+
+variable inline-policy {
+  description = "Inline policy content"
+  type = string
+  default = null
+}
+
+variable trusted-entity {
+  description = "AWS service allowed to assume this role"
+  type = string
+}