Set up IAM for GCC 2.0 custom roles to do role switching or assume roles for CLI access
GovTechSG/terraform-aws-cloud-assume-role
terraform-aws-cloud-assume-role

Creates a custom IAM role that you assume from your GCC 2.0 cloud assume role (the AWSReservedSSO_agency_assume_local role), for console role switching or CLI access. The role's trust policy is limited to the listed TechPass users and, when external_id is set, to callers that also present that external ID on sts:AssumeRole.

module "role-gcc" {
  # The module source is not shown in the original example; this is the repository's GitHub path.
  source = "github.com/GovTechSG/terraform-aws-cloud-assume-role"

  # Required input (see Inputs); example value.
  aws_region = "ap-southeast-1"

  # Run: aws iam list-roles --query "Roles[?starts_with(RoleName, 'AWSReservedSSO_agency_assume_local')].[RoleId]" --output text
  agency_assume_local_role_id = "AXXXXXXXXXXXX"

  # Existing managed policies to attach, keyed by a short label.
  attach_policies = {
    "read-only-access" : "arn:aws:iam::aws:policy/ReadOnlyAccess",
  }

  # Inline JSON for an additional policy that the module creates and attaches to the role.
  # Nothing is created when this is empty. Use the heredoc (EOF) syntax; the terminator must sit on its own line.
  custom_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MISC",
      "Effect": "Allow",
      "Action": [
        "events:List*",
        "events:Describe*",
        "events:Get*"
      ],
      "Resource": "*"
    }
  ]
}
EOF

  # TechPass users allowed to assume this role.
  techpass_email_addresses = [
    "your_techpass_email@tech.gov.sg",
  ]

  # Optional. When set, callers must also pass this value (--external-id) when assuming the role.
  # https://aws.amazon.com/blogs/apn/securely-using-external-id-for-accessing-aws-accounts-owned-by-others/
  external_id = "some_external_id"

  description = "with great power comes great responsibility role"
  name        = "gpcgr"
}
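The inputs above (agency_assume_local_role_id, techpass_email_addresses, external_id) together decide who can assume the created role. The following is an added example, not the module's own code, that models that trust relationship and checks it offline: the exact policy the module renders from its aws_iam_policy_document data sources is an assumption here; the aws:userid = "<RoleId>:<session name>" and sts:ExternalId conditions are the standard AWS pattern for pinning an SSO role's sessions to named users, which is why the module asks for the role ID rather than the role ARN. All account IDs, role IDs and addresses are constructed sample values.

```python
"""Model and check the trust policy for a GCC 2.0 custom assume role.

Added example (not the terraform-aws-cloud-assume-role module's code). The
policy shape is an assumption based on the module's inputs; IAM sets
aws:userid to "<RoleId>:<RoleSessionName>" for role sessions, and for IAM
Identity Center (SSO) sessions the session name is the user's email address.
"""
import fnmatch
import json


def build_trust_policy(account_id, agency_assume_local_role_id,
                       techpass_emails, external_id=""):
    """Trust policy that only lets named TechPass users, coming through the
    AWSReservedSSO_agency_assume_local role, assume the custom role.
    """
    # One aws:userid pattern per allowed user, keyed on the SSO role's RoleId
    # (stable) rather than its ARN (which carries a random suffix).
    userids = [f"{agency_assume_local_role_id}:{email}" for email in techpass_emails]
    condition = {"StringLike": {"aws:userid": userids}}
    if external_id:
        # Caller must present the agreed value with --external-id.
        condition["StringEquals"] = {"sts:ExternalId": external_id}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAgencyAssumeLocalUsers",
            "Effect": "Allow",
            # Principal is the account root; the userid condition narrows it.
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": condition,
        }],
    }


def _condition_matches(operator, wanted, actual):
    """Evaluate one IAM condition key. A missing context key never matches."""
    if actual is None:
        return False
    wanted = wanted if isinstance(wanted, list) else [wanted]
    if operator == "StringEquals":
        return actual in wanted
    if operator == "StringLike":
        # IAM StringLike uses * and ? wildcards, same as fnmatch (case-sensitive).
        return any(fnmatch.fnmatchcase(actual, pattern) for pattern in wanted)
    raise ValueError(f"unsupported condition operator: {operator}")


def can_assume(policy, caller_userid, presented_external_id=None):
    """Would sts:AssumeRole from a same-account caller with this aws:userid
    (and optional external ID) be allowed by the trust policy?
    """
    context = {"aws:userid": caller_userid, "sts:ExternalId": presented_external_id}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in stmt["Action"]:
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_matches(op, wanted, context.get(key))
               for op, keys in conditions.items()
               for key, wanted in keys.items()):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values (not real identifiers).
    policy = build_trust_policy(
        account_id="123456789012",
        agency_assume_local_role_id="AROAEXAMPLEROLEID12",
        techpass_emails=["alice@tech.gov.sg"],
        external_id="some_external_id",
    )
    print(json.dumps(policy, indent=2))
    for userid, ext in [
        ("AROAEXAMPLEROLEID12:alice@tech.gov.sg", "some_external_id"),  # allowed
        ("AROAEXAMPLEROLEID12:bob@tech.gov.sg", "some_external_id"),    # not listed
        ("AROAEXAMPLEROLEID12:alice@tech.gov.sg", None),                # no external id
        ("AROAOTHERSSOROLEID:alice@tech.gov.sg", "some_external_id"),   # other SSO role
    ]:
        print(f"{userid:45} external_id={ext!s:18} -> {can_assume(policy, userid, ext)}")
```

Because the condition is on aws:userid, rotating the AWSReservedSSO_agency_assume_local permission set (which creates a role with a new RoleId) silently breaks the trust until agency_assume_local_role_id is updated; re-run the list-roles query from the usage example after any permission-set change.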

Requirements

No requirements.

Providers

| Name | Version |
|------|---------|
| aws  | n/a     |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_iam_role.iam_role | resource |
| aws_iam_policy.policy | resource |
| aws_iam_role_policy_attachment.attach_policy | resource |
| aws_iam_role_policy_attachment.attach_custom_policy | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.iam_trusted | data source |
| aws_iam_policy_document.trusted_accounts | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| agency_assume_local_role_id | RoleId of your agency_assume_local SSO role. Find it with `aws iam list-roles --query "Roles[?starts_with(RoleName, 'AWSReservedSSO_agency_assume_local')].[RoleId]" --output text` | string | n/a | yes |
| attach_policies | map(string) of existing policy ARNs to attach, keyed by a label | map(string) | {} | no |
| aws_region | AWS region | string | n/a | yes |
| custom_policy | custom policy JSON to create and attach to the role, using the heredoc (EOF) syntax; nothing is created when empty | string | "" | no |
| description | description of the role | string | n/a | yes |
| external_id | external ID condition (sts:ExternalId) on the role's trust policy; no condition when empty | string | "" | no |
| max_session_duration | maximum session duration for the role in seconds, between 1 and 12 hours (3600 to 43200) | number | 3600 | no |
| name | name of the role in the AWS console | string | n/a | yes |
| path | path of the role in the AWS console | string | "/" | no |
| techpass_email_addresses | list of TechPass users' email addresses allowed to assume this role | list(string) | [] | no |

Outputs

| Name | Description |
|------|-------------|
| arn | ARN of the role |
| create_date | date on which the role was created |
| custom_policy_arn | ARN of the custom policy |
| custom_policy_id | ID of the custom policy |
| custom_policy_name | name of the custom policy |
| description | description of the role |
| id | ID of the role |
| name | name of the role |
| role_session_duration | maximum duration, in seconds, the role can be assumed for |
| unique_id | unique ID of the role |
