# terraform-iam

Terraform modules to set up a few regularly used IAM resources.
## kms_role

Adds a role and instance profile for KMS access.

### Inputs

- `kms_key_arn`: String (required): The ARN of the KMS key.
- `environment`: String (required): The name of your environment; helpful if you have more than one VPC.

### Outputs

- `role_arn`: String: The Amazon Resource Name (ARN) specifying the role.
- `role_unique_id`: String: The stable and unique string identifying the role.
- `profile_id`: String: The instance profile's ID.
- `profile_arn`: String: The ARN assigned by AWS to the instance profile.
- `profile_name`: String: The instance profile's name.
- `policy_id`: String: The role policy ID.
- `policy_name`: String: The name of the policy.
- `policy_policy`: String: The policy document attached to the role.
- `policy_role`: String: The role to which this policy applies.

### Example

```hcl
module "packer_role" {
  source      = "github.com/skyscrapers/terraform-iam//kms_role"
  kms_key_arn = "${aws_kms_key.kms_key.arn}"
  environment = "staging"
}
```
## kms_policy

Creates an IAM policy that allows usage of a KMS key.

### Inputs

- `kms_key_arn`: String (required): The ARN of the KMS key.
- `environment`: String (required): The name of your environment; helpful if you have more than one VPC.

### Outputs

- `iam_policy_id`: String: The generated policy ID.
- `iam_policy_arn`: String: The generated policy ARN.
- `iam_policy_name`: String: The generated policy name.

### Example

```hcl
module "packer_policy" {
  source      = "github.com/skyscrapers/terraform-iam//kms_policy"
  kms_key_arn = "${aws_kms_key.kms_key.arn}"
  environment = "staging"
}
```
## instance_profile

Adds a role and instance profile.

### Inputs

- `project`: String (required): The name of the project; helpful if you have more than one project.
- `environment`: String (required): The name of your environment; helpful if you have more than one VPC.
- `function`: String (required): The function of that instance profile.
- `aws_iam_role_policy`: String: The IAM role policy for that instance.
- `aws_iam_role`: String (required): The IAM role policy document for that profile (a JSON document, as in the example).

### Outputs

- `iam_id`: String: The role profile ID.

### Example

```hcl
module "iam" {
  source       = "github.com/skyscrapers/terraform-iam//instance_profile?ref=27b7525e0b6bfaf1eb034daf941a8f44b052b904"
  project      = "${var.project}"
  environment  = "${var.environment}"
  function     = "${var.app_name}"
  aws_iam_role = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sqs:*"
      ],
      "Effect": "Allow",
      "Resource": "${module.sqs.sqs_arn}"
    }
  ]
}
EOF
}
```
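The `aws_iam_role` input above takes an inline policy document, and the example grants `sqs:*` on one queue. As an added check that is not part of the module, the following Python script parses such a document and reports `Allow` statements that use a service-wide wildcard action or a `*` resource, so a policy can be reviewed for least privilege before `terraform apply`; the queue ARN in the embedded sample is a constructed placeholder standing in for `${module.sqs.sqs_arn}`.

```python
import json

# The policy document from the instance_profile example above, with the
# Terraform interpolation replaced by a constructed placeholder ARN.
SAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["sqs:*"],
      "Effect": "Allow",
      "Resource": "arn:aws:sqs:eu-west-1:123456789012:example-queue"
    }
  ]
}
"""


def _as_list(value):
    """IAM accepts either a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_broad_grants(policy_json):
    """Return (statement_index, kind, value) for every Allow statement that
    uses a wildcard action ("*" or "service:*") or a "*" resource."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements do not widen the grant
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((idx, "action", action))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((idx, "resource", resource))
    return findings


if __name__ == "__main__":
    for idx, kind, value in find_broad_grants(SAMPLE_POLICY):
        print(f"statement {idx}: broad {kind} {value!r}")
```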
## codedeploy_role

Adds a role that can be attached to CodeDeploy deployment groups.

### Outputs

- `role_arn`: String: The Amazon Resource Name (ARN) specifying the role.

### Example

```hcl
module "codedeploy_role" {
  source = "github.com/skyscrapers/terraform-iam//codedeploy_role"
  region = "eu-west-1"
}
```
## user

Creates IAM users.

### Inputs

- `user_names`: List (required): List of users that need to be created. A list member is a map that must have the key `name`; it may also set `pgp_key`, `user_path`, `force_destroy` and `password_reset_required` (default is "true").
- `pgp_key`: String (required): Either a base64-encoded PGP public key, or a Keybase username in the form `keybase:username`.
- `user_path`: String (optional): Set the path of the entity (default is "/").
- `force_destroy`: String (optional): Destroy the user if set to "true" (default is "false").

### Outputs

- `unique_id`: The unique ID assigned by AWS.
- `passwords`: The encrypted password, base64 encoded.
- `arns`: The ARN assigned by AWS for this user.

### Example

```hcl
module "iam_users" {
  source = "github.com/skyscrapers/terraform-iam//user"

  user_names = [
    { name = "user1" },
    { name = "user2", user_path = "/ops/" },
    { name = "user3", pgp_key = "keybase:user3" }
  ]

  pgp_key       = "keybase:user"
  force_destroy = "true"
  user_path     = "/dev/"
}
```
## codedeploy_packer_policy

Adds a policy that can be attached to the Packer IAM role, granting access to the CodeDeploy S3 bucket so the agent can be installed.

### Inputs

- `region`: String: The region of the CodeDeploy agent S3 bucket (default is us-east-1).

### Outputs

- `iam_policy_arn`: String: The Amazon Resource Name (ARN) of the policy created.
- `iam_policy_name`: String: The name of the policy created.
- `iam_policy_id`: String: The ID of the policy created.

### Example

```hcl
module "packer_role" {
  source      = "github.com/skyscrapers/terraform-iam//kms_role"
  kms_key_arn = "${aws_kms_key.kms_key.arn}"
  environment = "staging"
}

module "codedeploy_packer_policy" {
  source = "github.com/skyscrapers/terraform-iam//codedeploy_packer_policy"
}

resource "aws_iam_role_policy_attachment" "codedeploy_policy_attach_packer" {
  role       = "${module.packer_role.role_name}"
  policy_arn = "${module.codedeploy_packer_policy.iam_policy_arn}"
}
```
## cloudcheckr_role

Adds a role that can be used by CloudCheckr to collect data and stats.

### Inputs

- `external_id`: String: The external ID provided in the CloudCheckr console.

### Outputs

- `role_arn`: String: The Amazon Resource Name (ARN) of the role created.

### Example

```hcl
module "cloudcheckr_role" {
  source      = "github.com/skyscrapers/terraform-iam//cloudcheckr_role"
  external_id = "..."
}
```
## cloudwatch_monitoring_role

Adds a role for CloudWatch monitoring that allows an instance to send custom metrics.

### Inputs

- `instance_role`: String (required): The name of the instance role to attach the policies to.
- `app`: String (optional): The name of the application to be used in the role name.
- `project`: String (optional): The name of the project to be used in the role name.
- `environment`: String (optional): The name of the environment to be used in the role name.

### Example

```hcl
module "iam-monitoring" {
  source        = "github.com/skyscrapers/terraform-iam//cloudwatch_monitoring_role"
  environment   = "${terraform.workspace}"
  project       = "${var.project}"
  app           = "api"
  instance_role = "${aws_iam_role.role.name}"
}
```
## packer_policy

Creates an IAM policy that allows using Packer with AWS EC2 EBS volumes.

### Outputs

- `packer_policy_id`: String: The generated policy ID.
- `packer_policy_arn`: String: The generated policy ARN.
- `packer_policy_name`: String: The generated policy name.

### Example

```hcl
module "packer_policy" {
  source = "github.com/skyscrapers/terraform-iam//packer_policy"
}
```