AWS Identity and Access Management (IAM) Terraform module

Features

  1. Cross-account access. Define IAM roles using the iam_assumable_role or iam_assumable_roles submodules in the "resource AWS accounts" (prod, staging, dev), and IAM groups and users using the iam-group-with-assumable-roles-policy submodule in the "IAM AWS account", to set up access controls between accounts. See the iam-group-with-assumable-roles-policy example for more details.
  2. Individual IAM resources (users, roles, policies). See usage snippets and examples listed below.

Usage

iam-account:

```hcl
module "iam_account" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-account"
  version = "~> 4"

  account_alias = "awesome-company"

  minimum_password_length = 37
  require_numbers         = false
}
```

iam-assumable-role:

```hcl
module "iam_assumable_role" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
  version = "~> 4"

  trusted_role_arns = [
    "arn:aws:iam::307990089504:root",
    "arn:aws:iam::835367859851:user/anton",
  ]

  create_role = true

  role_name         = "custom"
  role_requires_mfa = true

  custom_role_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonCognitoReadOnly",
    "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess",
  ]
  number_of_custom_role_policy_arns = 2
}
```

iam-assumable-role-with-oidc:

```hcl
module "iam_assumable_role_with_oidc" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
  version = "~> 4"

  create_role = true

  role_name = "role-with-oidc"

  tags = {
    Role = "role-with-oidc"
  }

  provider_url = "oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"

  role_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
  ]
  number_of_role_policy_arns = 1
}
```

iam-assumable-role-with-saml:

```hcl
module "iam_assumable_role_with_saml" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-saml"
  version = "~> 4"

  create_role = true

  role_name = "role-with-saml"

  tags = {
    Role = "role-with-saml"
  }

  provider_id = "arn:aws:iam::235367859851:saml-provider/idp_saml"

  role_policy_arns = [
    "arn:aws:iam::aws:policy/ReadOnlyAccess"
  ]
  number_of_role_policy_arns = 1
}
```

iam-assumable-roles:

```hcl
module "iam_assumable_roles" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-roles"
  version = "~> 4"

  trusted_role_arns = [
    "arn:aws:iam::307990089504:root",
    "arn:aws:iam::835367859851:user/anton",
  ]

  create_admin_role = true

  create_poweruser_role = true
  poweruser_role_name   = "developer"

  create_readonly_role       = true
  readonly_role_requires_mfa = false
}
```

iam-assumable-roles-with-saml:

```hcl
module "iam_assumable_roles_with_saml" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-roles-with-saml"
  version = "~> 4"

  create_admin_role = true

  create_poweruser_role = true
  poweruser_role_name   = "developer"

  create_readonly_role = true

  provider_id = "arn:aws:iam::235367859851:saml-provider/idp_saml"
}
```

iam-eks-role:

```hcl
module "iam_eks_role" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-eks-role"
  version = "~> 4"

  role_name = "my-app"

  cluster_service_accounts = {
    "cluster1" = ["default:my-app"]
    "cluster2" = [
      "default:my-app",
      "canary:my-app",
    ]
  }

  tags = {
    Name = "eks-role"
  }

  role_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
  ]
}
```

iam-group-with-assumable-roles-policy:

```hcl
module "iam_group_with_assumable_roles_policy" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-group-with-assumable-roles-policy"
  version = "~> 4"

  name = "production-readonly"

  assumable_roles = [
    "arn:aws:iam::835367859855:role/readonly" # these roles can be created using the `iam_assumable_roles` submodule
  ]

  group_users = [
    "user1",
    "user2"
  ]
}
```

iam-group-with-policies:

```hcl
module "iam_group_with_policies" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-group-with-policies"
  version = "~> 4"

  name = "superadmins"

  group_users = [
    "user1",
    "user2"
  ]

  attach_iam_self_management_policy = true

  custom_group_policy_arns = [
    "arn:aws:iam::aws:policy/AdministratorAccess",
  ]

  custom_group_policies = [
    {
      name   = "AllowS3Listing"
      policy = data.aws_iam_policy_document.sample.json
    }
  ]
}
```

iam-policy:

```hcl
module "iam_policy" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
  version = "~> 4"

  name        = "example"
  path        = "/"
  description = "My example policy"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}
```

iam-read-only-policy:

```hcl
module "iam_read_only_policy" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-read-only-policy"
  version = "~> 4"

  name        = "example"
  path        = "/"
  description = "My example read-only policy"

  allowed_services = ["rds", "dynamo", "health"]
}
```

iam-role-for-service-accounts-eks:

```hcl
module "vpc_cni_irsa" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
  version = "~> 4"

  role_name             = "vpc-cni"
  attach_vpc_cni_policy = true
  vpc_cni_enable_ipv4   = true

  oidc_providers = {
    main = {
      provider_arn               = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"
      namespace_service_accounts = ["default:my-app", "canary:my-app"]
    }
  }

  tags = {
    Name = "vpc-cni-irsa"
  }
}
```

iam-user:

```hcl
module "iam_user" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-user"
  version = "~> 4"

  name          = "vasya.pupkin"
  force_destroy = true

  pgp_key = "keybase:test"

  password_reset_required = false
}
```

IAM Best Practices

AWS has published IAM Best Practices, and this Terraform module was created to help with some of the points listed there:

1. Create Individual IAM Users

Use the iam-user module to manage IAM users.

2. Use AWS Defined Policies to Assign Permissions Whenever Possible

Use the iam-assumable-roles module to create IAM roles with AWS managed policies that support common tasks (admin, poweruser or readonly).

3. Use Groups to Assign Permissions to IAM Users

Use the iam-group-with-assumable-roles-policy module to manage IAM groups of users who can assume roles.

Use the iam-group-with-policies module to manage IAM groups of users to whom specified IAM policies are attached.

4. Configure a Strong Password Policy for Your Users

Use the iam-account module to set the password policy for your IAM users.

5. Enable MFA for Privileged Users

Terraform can't configure MFA devices for a user. That is only possible via the AWS Console or the AWS CLI.

6. Delegate by Using Roles Instead of by Sharing Credentials

The iam-assumable-role, iam-assumable-roles, iam-assumable-roles-with-saml and iam-group-with-assumable-roles-policy modules provide the complete set of functionality required for this.

7. Use Policy Conditions for Extra Security

The iam-assumable-roles module can be configured to require a valid MFA token when particular roles are assumed (for example, the admin role requires MFA but the readonly role does not).
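The following is an added example, not taken from this README or the module's own code, that puts the cross-account pattern from "Features" together with the per-role MFA requirement described in best practices 6 and 7: roles are created in the resource (prod) account and a group that may assume the readonly role is created in the IAM account. The `prod` and `iam` provider aliases, the `eu-west-1` region and the account IDs `111111111111` (IAM account) and `222222222222` (prod account) are placeholders assumed for the example; `admin_role_requires_mfa` and the `readonly_iam_role_arn` output are taken to follow the naming of `readonly_role_requires_mfa` shown above.

```hcl
# Added example (not from the module README). Provider aliases, region and
# account IDs 111111111111 (IAM account) / 222222222222 (prod account) are
# placeholders; credentials for each provider are configured out of band.

provider "aws" {
  alias  = "prod"
  region = "eu-west-1"
}

provider "aws" {
  alias  = "iam"
  region = "eu-west-1"
}

# Resource (prod) account: roles that people will assume. Only principals
# from the IAM account may assume them; admin additionally requires MFA,
# readonly does not (best practice 7).
module "prod_roles" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-roles"
  version = "~> 4"

  providers = { aws = aws.prod }

  trusted_role_arns = ["arn:aws:iam::111111111111:root"]

  create_admin_role       = true
  admin_role_requires_mfa = true # assumed by analogy with readonly_role_requires_mfa

  create_readonly_role       = true
  readonly_role_requires_mfa = false
}

# IAM account: a group whose members get sts:AssumeRole on the prod readonly
# role, so no prod credentials are ever shared (best practice 6). The role ARN
# comes from the module output rather than being hard-coded.
module "prod_readonly_group" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-group-with-assumable-roles-policy"
  version = "~> 4"

  providers = { aws = aws.iam }

  name            = "production-readonly"
  assumable_roles = [module.prod_roles.readonly_iam_role_arn] # output name assumed
  group_users     = ["user1", "user2"]
}
```

Running `terraform apply` with both providers authenticated creates the roles in the prod account and the group in the IAM account in one plan; the admin role's trust policy will only honour a session that presents MFA, so a stolen long-lived key alone cannot assume it.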

8. Create IAM Policies

Use the iam-policy module to manage IAM policies.

Use the iam-read-only-policy module to manage IAM read-only policies.

Authors

The module is maintained by Anton Babenko with help from these awesome contributors.

License

Apache 2 Licensed. See LICENSE for full details.
