Terraform module to create IAM role. Currently following functionality is supported:
- List of ARNs and services that are allowed to assume this role (allow_arn, allow_service)
- List of roles that this role is allowed to assume (assume_role)
- List of S3 buckets that this role is allowed to read/write (s3_read, s3_write)
- List of managed policies that this role can attach (policy_managed)
- List of custom policy files that this role can use (policy_file)
- Specified inline policy that this role can use (policy_inline)
- Arbitrary number of tags (tags)
module "iam_role" {
source = "../"
name = "dp-dl-test"
path = "/netf/"
allow_arn = [
"arn:aws:iam::1234567890:user/netf"
]
assume_role = [
"arn:aws:iam::1234567890:role/test-role",
]
s3_read = [
"dp-datalake-test-bucket"
]
tags = {
Platform = "DP"
Project = "test"
Owner = "test"
Environment = "datalake"
}
}Remember to add KMS access policy after adding s3_read/s3_write
- KMS decrypt (s3_read)
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:eu-west-1:ACCOUNT_ID:key/KEY_UUID"
]
}
- KMS encrypt (s3_write)
{
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": [
"arn:aws:kms:eu-west-1:ACCOUNT_NO:key/KEY_UUID"
]
}
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| allow_arn | list(string) | [] |
no | |
| allow_service | string | "" |
no | |
| assume_role | list(string) | [] |
no | |
| dynamodb_tables | list(string) | [] |
no | |
| enabled | bool | "true" |
no | |
| external_id | string | "" |
no | |
| max_session_duration | string | "3600" |
no | |
| name | string | "" |
no | |
| path | string | "/" |
no | |
| policy_file | list(string) | [] |
no | |
| policy_inline | string | "" |
no | |
| policy_managed | list(string) | [] |
no | |
| s3_read | list(string) | [] |
no | |
| s3_write | list(string) | [] |
no | |
| tags | map(string) | {} |
no |
| Name | Description |
|---|---|
| id | |
| instance_profile_id | |
| role_arn |