batcave-tf-irsa

Requirements

Name	Version
terraform	>= 1.0
aws	>= 4.0

Providers

Name	Version
aws	>= 4.0

Modules

No modules.

Resources

Name	Type
aws_iam_policy.cloudwatch	resource
aws_iam_policy.dynamodb	resource
aws_iam_policy.ec2	resource
aws_iam_policy.s3	resource
aws_iam_policy.secrets-manager	resource
aws_iam_policy.sops	resource
aws_iam_policy.sqs_read_write	resource
aws_iam_policy.tags	resource
aws_iam_role.this	resource
aws_iam_role_policy_attachment.cloudwatch	resource
aws_iam_role_policy_attachment.dynamodb	resource
aws_iam_role_policy_attachment.ec2	resource
aws_iam_role_policy_attachment.insights_policy	resource
aws_iam_role_policy_attachment.s3_policy	resource
aws_iam_role_policy_attachment.secrets-manager	resource
aws_iam_role_policy_attachment.sops	resource
aws_iam_role_policy_attachment.sqs_read_write	resource
aws_iam_role_policy_attachment.tags	resource
aws_iam_role_policy_attachment.this	resource
aws_iam_policy_document.cloudwatch	data source
aws_iam_policy_document.dynamodb	data source
aws_iam_policy_document.ec2	data source
aws_iam_policy_document.s3	data source
aws_iam_policy_document.secrets-manager	data source
aws_iam_policy_document.sops	data source
aws_iam_policy_document.sqs_read_write	data source
aws_iam_policy_document.tags	data source
aws_iam_policy_document.this	data source
aws_partition.current	data source

Inputs

Name	Description	Type	Default	Required
app_name	App name (ie. Flux, Velero, etc.)	string	""	no
asm_secret_arns	ARNs of secrets in AWS secrets manager (ASM) to add to policy	list(string)	[]	no
assume_role_condition_test	Name of the IAM condition operator to evaluate when assuming the role	string	"StringEquals"	no
attach_cloudwatch_policy	Determines whether to attach the cloudwatch permissions to the role	bool	false	no
attach_dynamodb_policy	Determines whether to attach the dynamodb policy to the role	bool	false	no
attach_ec2_policy	Determines whether to attach the ec2 permissions to the role	bool	false	no
attach_insights_policy	Determines whether to attach the CloudWatch Insights policy to the role	bool	false	no
attach_s3_policy	Determines whether to attach the S3 to the role	bool	false	no
attach_secretsmanager_policy	Determines whether to attach the secrets manager permissions to the role	bool	false	no
attach_sops_policy	Determines whether to attach the SOPS policy to the role	bool	false	no
attach_tags_policy	Determines whether to attach the tags permissions to the role	bool	false	no
create_role	Whether to create a role	bool	true	no
dynamodb_arn	Dynamodb table to allow access to	string	""	no
force_detach_policies	Whether policies should be detached from this role when destroying	bool	true	no
max_session_duration	Maximum CLI/API session duration in seconds between 3600 and 43200	number	null	no
oidc_providers	Map of OIDC providers where each provider map should contain the provider, provider_arn, and namespace_service_accounts	any	{ "one": { "namespace_service_accounts": [ "default:default" ], "provider_arn": "" } }	no
policy_name_prefix	IAM policy name prefix	string	"AmazonEKS_"	no
role_description	IAM Role description	string	null	no
role_name	Name of IAM role	string	"vpc-cni"	no
role_path	Path of IAM role	string	"/delegatedadmin/developer/"	no
role_permissions_boundary_arn	Permissions boundary ARN to use for IAM role	string	"arn:aws:iam::373346310182:policy/cms-cloud-admin/developer-boundary-policy"	no
role_policy_arns	ARNs of any policies to attach to the IAM role	map(string)	{}	no
s3_bucket_arns	List of S3 Bucket ARNs to allow access to	list(string)	[ "" ]	no
sops_arn	SOPS ARN to allow access to	string	""	no
sqs_read_write_arns	List of SQS ARNs to allow read/write access to	list(string)	[]	no
tags	A map of tags to add the the IAM role	map(any)	{}	no

Outputs

Name	Description
iam_role_arn	ARN of IAM role
iam_role_name	Name of IAM role
iam_role_path	Path of IAM role
iam_role_unique_id	Unique ID of IAM role