This module creates a group named after the "group_name" variable intended to contain IAM users defined in the "user_list".
The group has a policy that only allows the assumption of the IAM roles defined in the "allowed_roles" variable.
NOTE: So far you must use this in conjunction with the module "trussworks/mfa/aws" to enforce mfa of the group this module creates.
Philosophical note: these groups should map 1:1 to IAM roles defined in your Terraform files. These should be defined in a separate module that could be reused in different accounts across your AWS org. So you may have multiple allowed roles with the same name across your accounts as a variable.
module "aws_iam_user_group" {
source = "trussworks/iam-user-group/aws"
version = "2.0.0"
user_list = ["user1", "user2"]
group_name = "group-name"
allowed_roles = []
}locals {
user_list = ["user1", "user2"]
force_destroy = true
}
resource "aws_iam_user" "user" {
for_each = toset(local.user_list)
name = each.value
}
module "aws_iam_user_group" {
source = "trussworks/iam-user-group/aws"
version = "2.0.0"
user_list = values(aws_iam_user.user)[*].name
group_name = "group-name"
allowed_roles = []
}| Name | Version |
|---|---|
| terraform | >= 1.0 |
| aws | >= 3.0 |
| Name | Version |
|---|---|
| aws | >= 3.0 |
No modules.
| Name | Type |
|---|---|
| aws_iam_group.user_group | resource |
| aws_iam_group_membership.user_group | resource |
| aws_iam_group_policy_attachment.assume_role_policy_attachment | resource |
| aws_iam_policy.assume_role_policy | resource |
| aws_iam_policy_document.assume_role_policy_doc | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| allowed_roles | The roles that this group is allowed to assume. | list(string) |
n/a | yes |
| group_name | The name of the group to be created. | string |
n/a | yes |
| user_list | List of IAM users to add to the group. | list(string) |
[] |
no |
| Name | Description |
|---|---|
| group_name | The name of the created group. |