Terraform module to create an IAM role. Currently the following functionality is supported:
- List of ARNs and services that are allowed to assume this role (allow_arn, allow_service)
- List of roles that this role is allowed to assume (assume_role)
- List of S3 buckets that this role is allowed to read/write (s3_read, s3_write)
- List of managed policies that are attached to this role (policy_managed)
- List of custom policy files that this role can use (policy_file)
- A single inline policy that this role can use (policy_inline)
- Arbitrary number of tags (tags)
```hcl
module "iam_role" {
  source = "../"
  name   = "dp-dl-test"
  path   = "/netf/"

  allow_arn = [
    "arn:aws:iam::1234567890:user/netf"
  ]

  assume_role = [
    "arn:aws:iam::1234567890:role/test-role",
  ]

  s3_read = [
    "dp-datalake-test-bucket"
  ]

  tags = {
    Platform    = "DP"
    Project     = "test"
    Owner       = "test"
    Environment = "datalake"
  }
}
```
Remember to add a KMS access policy for the bucket's key after adding s3_read/s3_write; the module grants S3 permissions only, so access to an SSE-KMS encrypted bucket fails without it. The statements below use `ACCOUNT_ID` and `KEY_UUID` as placeholders.
- KMS decrypt (s3_read)
```json
{
  "Effect": "Allow",
  "Action": [
    "kms:Decrypt"
  ],
  "Resource": [
    "arn:aws:kms:eu-west-1:ACCOUNT_ID:key/KEY_UUID"
  ]
}
```
- KMS encrypt (s3_write)
```json
{
  "Effect": "Allow",
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:GenerateDataKey"
  ],
  "Resource": [
    "arn:aws:kms:eu-west-1:ACCOUNT_ID:key/KEY_UUID"
  ]
}
```
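Putting the two pieces together, as an added example that is not part of the module's own README: the module is invoked with `s3_write`, and the matching KMS statement is generated with an `aws_iam_policy_document` data source and passed through `policy_inline`. The key ARN, the `ec2.amazonaws.com` value for `allow_service`, and the `kms:ViaService` condition are assumptions for illustration.

```hcl
# Added example (not from the module's README): attach the KMS statement that an
# s3_write bucket needs through policy_inline, generated rather than hand-written.
# Assumed values: the KMS key ARN, the bucket name, the region and the service principal.
locals {
  region      = "eu-west-1"
  bucket_name = "dp-datalake-test-bucket"
  bucket_key  = "arn:aws:kms:eu-west-1:ACCOUNT_ID:key/KEY_UUID" # placeholder, not a real key
}

# Same permission set as the "KMS encrypt (s3_write)" fragment above, scoped to the
# one key the bucket uses and only when KMS is called on behalf of S3 in this region.
data "aws_iam_policy_document" "s3_write_kms" {
  statement {
    sid    = "S3WriteKms"
    effect = "Allow"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:GenerateDataKey",
    ]
    resources = [local.bucket_key]

    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["s3.${local.region}.amazonaws.com"]
    }
  }
}

module "iam_role" {
  source = "../"
  name   = "dp-dl-writer"
  path   = "/netf/"

  # Only the EC2 service may assume this role; no user ARNs are listed.
  allow_service = "ec2.amazonaws.com"

  s3_write = [local.bucket_name]

  # PutObject to an SSE-KMS bucket needs kms:GenerateDataKey on the bucket key;
  # the module's s3_write grants S3 actions only, so the KMS statement goes here.
  policy_inline = data.aws_iam_policy_document.s3_write_kms.json

  tags = {
    Platform    = "DP"
    Environment = "datalake"
  }
}
```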
Name | Description | Type | Default | Required |
---|---|---|---|---|
allow_arn | ARNs that are allowed to assume this role | list(string) | [] | no |
allow_service | Service that is allowed to assume this role | string | "" | no |
assume_role | Roles that this role is allowed to assume | list(string) | [] | no |
dynamodb_tables | | list(string) | [] | no |
enabled | | bool | "true" | no |
external_id | | string | "" | no |
max_session_duration | | string | "3600" | no |
name | Name of the role | string | "" | no |
path | Path of the role | string | "/" | no |
policy_file | Custom policy files that this role can use | list(string) | [] | no |
policy_inline | Inline policy that this role can use | string | "" | no |
policy_managed | Managed policies attached to this role | list(string) | [] | no |
s3_read | S3 buckets that this role is allowed to read | list(string) | [] | no |
s3_write | S3 buckets that this role is allowed to write | list(string) | [] | no |
tags | Tags applied to the role | map(string) | {} | no |
Name | Description |
---|---|
id | |
instance_profile_id | |
role_arn | |