Terraform module to create N number of IAM roles. - repo managed by sudoblark.terraform.github
The below documentation is intended to assist a developer with interacting with the Terraform module in order to add, remove or update functionality.
- terraform_docs

  ```sh
  brew install terraform_docs
  ```

- tfenv

  ```sh
  git clone https://github.com/tfutils/tfenv.git ~/.tfenv
  echo 'export PATH="$HOME/.tfenv/bin:$PATH"' >> ~/.bash_profile
  ```

- Virtual environment with pre-commit installed

  ```sh
  python3 -m venv venv
  source venv/bin/activate
  pip install pre-commit
  ```

This repository utilises pre-commit in order to ensure a base level of quality on every commit. The hooks may be installed as follows:

```sh
source venv/bin/activate
pip install pre-commit
pre-commit install
pre-commit run --all-files
```

The below documentation is intended to assist users in utilising the module. The main things to note are the data structure section, which outlines the interface by which users are expected to interact with the module itself, and the examples section, which has examples of how to utilise the module.
Name | Version |
---|---|
terraform | ~> 1.5.0 |
aws | >= 5.61.0 |
Name | Version |
---|---|
aws | 5.67.0 |
No modules.
Name | Type |
---|---|
aws_iam_policy.policy | resource |
aws_iam_role.roles | resource |
aws_iam_policy_document.assume_policies | data source |
aws_iam_policy_document.attached_policies | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
application_name | Name of the application utilising resource. | string | n/a | yes |
environment | Which environment this is being instantiated in. | string | n/a | yes |
raw_iam_roles | Data structure --------------- A list of dictionaries, where each dictionary has the following attributes: REQUIRED --------- - suffix : Suffix to use for the role name - iam_policy_statements : A list of dictionaries where each dictionary is an IAM statement defining permissions -- Each dictionary in this list must define the following attributes: --- sid: Friendly name for the policy, no spaces or special characters allowed --- actions: A list of IAM actions the role is allowed to perform --- resources: Which resource(s) the role may perform the above actions against --- conditions : An OPTIONAL list of dictionaries, which each defines: ---- test : Test condition for limiting the action ---- variable : Value to test ---- values : A list of strings, denoting what to test for OPTIONAL --------- - path : Path to create the role and policies under, defaults to "/" - assume_policy_principles : A list of dictionaries where each dictionary defines a principal allowed to assume the role. -- Each dictionary in this list must define the following attributes: --- type : A string defining what type the principal(s) is/are --- identifiers : A list of strings, where each string is an allowed principal --- conditions : An OPTIONAL list of dictionaries, which each defines: ---- test : Test condition for limiting the action ---- variable : Value to test ---- values : A list of strings, denoting what to test for Constraints --------------- - <var.environment>-<var.application_name>-<suffix> has to be lower than 38 characters due to IAM role naming requirements. Cannot encode in variable validation as string interpolations are not allowed in variables. | list( | n/a | yes |
No outputs.
Data structure
---------------
A list of dictionaries, where each dictionary has the following attributes:
REQUIRED
---------
- suffix : Suffix to use for the role name
- iam_policy_statements : A list of dictionaries where each dictionary is an IAM statement defining permissions
-- Each dictionary in this list must define the following attributes:
--- sid: Friendly name for the policy, no spaces or special characters allowed
--- actions: A list of IAM actions the role is allowed to perform
--- resources: Which resource(s) the role may perform the above actions against
--- conditions : An OPTIONAL list of dictionaries, which each defines:
---- test : Test condition for limiting the action
---- variable : Value to test
---- values : A list of strings, denoting what to test for
OPTIONAL
---------
- path : Path to create the role and policies under, defaults to "/"
- assume_policy_principles : A list of dictionaries where each dictionary defines a principal allowed to assume the role.
-- Each dictionary in this list must define the following attributes:
--- type : A string defining what type the principal(s) is/are
--- identifiers : A list of strings, where each string is an allowed principal
--- conditions : An OPTIONAL list of dictionaries, which each defines:
---- test : Test condition for limiting the action
---- variable : Value to test
---- values : A list of strings, denoting what to test for
Constraints
---------------
- <var.environment>-<var.application_name>-<suffix> has to be shorter than 38 characters due to IAM role naming requirements.
  This cannot be encoded in variable validation, as string interpolations are not allowed in variables.
See the examples folder for an example setup.
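
The following is an added example, not taken from the repository's examples folder, showing one role built from the data structure above with a condition-scoped permission statement and a trust policy restricted by external ID. The module `source` path, account ID, bucket name, external ID and all local values are constructed placeholders, and the `check` block is an assumed caller-side way to cover the name-length constraint that the module cannot validate itself.

```hcl
locals {
  environment      = "dev"     # constructed value
  application_name = "billing" # constructed value

  raw_iam_roles = [
    {
      suffix = "report-reader"
      path   = "/apps/"
      # Permissions: read-only on one prefix, and only over TLS.
      iam_policy_statements = [
        {
          sid       = "ReadReportsOverTls"
          actions   = ["s3:GetObject"]
          resources = ["arn:aws:s3:::example-reports-bucket/reports/*"]
          conditions = [
            { test = "Bool", variable = "aws:SecureTransport", values = ["true"] }
          ]
        }
      ]
      # Trust policy: only the named account may assume the role, and only
      # when it presents the agreed external ID.
      assume_policy_principles = [
        {
          type        = "AWS"
          identifiers = ["arn:aws:iam::123456789012:root"]
          conditions = [
            { test = "StringEquals", variable = "sts:ExternalId", values = ["example-external-id"] }
          ]
        }
      ]
    }
  ]
}

module "iam_roles" {
  source = "./path/to/this/module" # placeholder, point at the real module source

  environment      = local.environment
  application_name = local.application_name
  raw_iam_roles    = local.raw_iam_roles
}

# Caller-side check of the documented naming constraint.
check "iam_role_name_length" {
  assert {
    condition = alltrue([
      for role in local.raw_iam_roles :
      length("${local.environment}-${local.application_name}-${role.suffix}") < 38
    ])
    error_message = "<environment>-<application_name>-<suffix> must be shorter than 38 characters."
  }
}
```

A failing `check` block is reported as a warning during plan and apply rather than stopping the run, so treat it as an early signal and keep role suffixes short.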