Terraform module to create AWS IAM resources 🇺🇦

AWS Identity and Access Management (IAM) Terraform module

Features

  1. Cross-account access. Define IAM roles with the iam_assumable_role or iam_assumable_roles submodules in the "resource" AWS accounts (prod, staging, dev), and define IAM groups and users with the iam-group-with-assumable-roles-policy submodule in the "IAM" AWS account, to set up access controls between accounts. See the iam-group-with-assumable-roles-policy example for more details.
  2. Individual IAM resources (users, roles, policies). See the usage snippets and examples listed below.
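
The two-account pattern from item 1, wired together as an added example (this is not code from the module's README). The resource account holds only the assumable roles; the identity account holds the human users and the group that is allowed to assume one of those roles. The account IDs, region, provider aliases, user names and the `version` constraint are placeholders; the `readonly_iam_role_arn` output name and the `admin_role_requires_mfa` / `poweruser_role_requires_mfa` inputs are assumed from the iam-assumable-roles submodule and should be checked against the version you pin.

```hcl
# Added example, not from the module README. Account IDs are made up:
# 111111111111 is the identity account (users and groups live here),
# 222222222222 is the resource account (only roles live here).

provider "aws" {
  alias  = "identity"
  region = "eu-west-1"
  # credentials for account 111111111111 (e.g. a profile for that account)
}

provider "aws" {
  alias  = "prod"
  region = "eu-west-1"
  # credentials for account 222222222222
}

# Roles in the resource account. Trusting ":root" of the identity account
# means every principal in that account that its own IAM policies allow to
# call sts:AssumeRole on these roles can assume them; which users actually
# can is then decided by the group policy below.
module "prod_roles" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-roles"
  version = "~> 5.0" # assumed constraint; pin to the version you reviewed
  providers = { aws = aws.prod }

  trusted_role_arns = ["arn:aws:iam::111111111111:root"]

  create_admin_role       = true
  admin_role_requires_mfa = true # input name assumed from the submodule

  create_poweruser_role       = true
  poweruser_role_requires_mfa = true # input name assumed from the submodule

  create_readonly_role       = true
  readonly_role_requires_mfa = false # read-only may be assumed without MFA
}

# Group in the identity account. The submodule attaches a policy that allows
# sts:AssumeRole only on the listed role ARNs, so members of this group can
# reach the read-only role but not admin or poweruser.
module "prod_readonly_group" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-group-with-assumable-roles-policy"
  version = "~> 5.0" # assumed constraint
  providers = { aws = aws.identity }

  name = "prod-readonly"

  # Output name assumed from the iam-assumable-roles submodule.
  assumable_roles = [module.prod_roles.readonly_iam_role_arn]

  # These users must already exist in the identity account.
  group_users = ["alice", "bob"]
}
```

Access is granted only where both sides agree: the role's trust policy (resource account) and the group's assume-role policy (identity account). A member of `prod-readonly` then switches accounts with `aws sts assume-role --role-arn <readonly role arn> --role-session-name alice`; for the MFA-protected roles the same call additionally needs `--serial-number <MFA device ARN> --token-code <code>` and is refused without them.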

Usage

iam-account:

module "iam_account" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-account"

  account_alias = "awesome-company"

  minimum_password_length = 37
  require_numbers         = false
}

iam-assumable-role:

module "iam_assumable_role" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"

  # ":root" trusts the whole of account 307990089504: any principal there
  # whose own IAM policy allows sts:AssumeRole on this role can assume it.
  # The second entry trusts one specific user only.
  trusted_role_arns = [
    "arn:aws:iam::307990089504:root",
    "arn:aws:iam::835367859851:user/anton",
  ]

  create_role = true

  role_name         = "custom"
  role_requires_mfa = true

  custom_role_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonCognitoReadOnly",
    "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess",
  ]
  number_of_custom_role_policy_arns = 2
}

iam-assumable-role-with-oidc:

module "iam_assumable_role_with_oidc" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"

  create_role = true

  role_name = "role-with-oidc"

  tags = {
    Role = "role-with-oidc"
  }

  provider_url = "oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"

  role_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
  ]
  number_of_role_policy_arns = 1
}

iam-assumable-role-with-saml:

module "iam_assumable_role_with_saml" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-saml"

  create_role = true

  role_name = "role-with-saml"

  tags = {
    Role = "role-with-saml"
  }

  provider_id = "arn:aws:iam::235367859851:saml-provider/idp_saml"

  role_policy_arns = [
    "arn:aws:iam::aws:policy/ReadOnlyAccess"
  ]
  number_of_role_policy_arns = 1
}

iam-assumable-roles:

module "iam_assumable_roles" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-roles"

  trusted_role_arns = [
    "arn:aws:iam::307990089504:root",
    "arn:aws:iam::835367859851:user/anton",
  ]

  create_admin_role = true

  create_poweruser_role = true
  poweruser_role_name   = "developer"

  create_readonly_role       = true
  readonly_role_requires_mfa = false  # read-only may be assumed without MFA; admin and poweruser keep MFA required
}

iam-assumable-roles-with-saml:

module "iam_assumable_roles_with_saml" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-roles-with-saml"

  create_admin_role = true

  create_poweruser_role = true
  poweruser_role_name   = "developer"

  create_readonly_role = true

  provider_id   = "arn:aws:iam::235367859851:saml-provider/idp_saml"
}

iam-eks-role:

module "iam_eks_role" {
  source      = "terraform-aws-modules/iam/aws//modules/iam-eks-role"

  role_name   = "my-app"

  cluster_service_accounts = {
    "cluster1" = ["default:my-app"]
    "cluster2" = [
      "default:my-app",
      "canary:my-app",
    ]
  }

  tags = {
    Name = "eks-role"
  }

  role_policy_arns = {
    AmazonEKS_CNI_Policy = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
  }
}

iam-github-oidc-provider:

module "iam_github_oidc_provider" {
  source    = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-provider"

  tags = {
    Environment = "test"
  }
}

iam-github-oidc-role:

module "iam_github_oidc_role" {
  source    = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"

  # Update this to your organization and repository. The trailing "*" matches
  # every branch, tag, pull request and environment in that repository; for a
  # deployment role, pin it, e.g. "org/repo:ref:refs/heads/main" or
  # "org/repo:environment:production".
  subjects = ["terraform-aws-modules/terraform-aws-iam:*"]

  policies = {
    S3ReadOnly = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
  }

  tags = {
    Environment = "test"
  }
}
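
The same role with the subject claim pinned instead of wildcarded, and with a scoped customer managed policy instead of an AWS managed one, as an added example (not code from the module's README). The organization, repository, branch, environment and bucket names and the `version` constraint are placeholders; the `name` input is assumed from the iam-github-oidc-role submodule.

```hcl
# Added example, not from the module README. Names are placeholders.
module "iam_github_oidc_role_deploy" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
  version = "~> 5.0" # assumed constraint; pin to the version you reviewed

  name = "gha-deploy-prod" # input name assumed from the submodule

  # GitHub fills the token's `sub` claim from the workflow context:
  #   repo:ORG/REPO:ref:refs/heads/BRANCH   (push to a branch)
  #   repo:ORG/REPO:environment:NAME        (job bound to an environment)
  #   repo:ORG/REPO:pull_request            (pull request run)
  # Listing only the branch and environment that may deploy means a feature
  # branch, a fork's pull request or a tag push in the same repository gets
  # no credentials from this role.
  subjects = [
    "my-org/my-repo:ref:refs/heads/main",
    "my-org/my-repo:environment:production",
  ]

  # Least privilege: only what the deploy job needs, on one bucket.
  policies = {
    deploy = aws_iam_policy.gha_deploy.arn
  }

  tags = {
    Environment = "prod"
  }
}

resource "aws_iam_policy" "gha_deploy" {
  name   = "gha-deploy-prod"
  policy = data.aws_iam_policy_document.gha_deploy.json
}

data "aws_iam_policy_document" "gha_deploy" {
  statement {
    sid     = "SyncStaticSite"
    actions = ["s3:ListBucket", "s3:PutObject", "s3:DeleteObject"]
    resources = [
      "arn:aws:s3:::my-static-site",   # placeholder bucket
      "arn:aws:s3:::my-static-site/*",
    ]
  }
}
```

Both restrictions matter independently: the subject list decides which workflow runs can obtain credentials at all, and the policy bounds what those credentials can do once obtained.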

iam-group-with-assumable-roles-policy:

module "iam_group_with_assumable_roles_policy" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-group-with-assumable-roles-policy"

  name = "production-readonly"

  assumable_roles = [
    "arn:aws:iam::835367859855:role/readonly"  # these roles can be created using `iam_assumable_roles` submodule
  ]

  group_users = [
    "user1",
    "user2"
  ]
}

iam-group-with-policies:

module "iam_group_with_policies" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-group-with-policies"

  name = "superadmins"

  group_users = [
    "user1",
    "user2"
  ]

  attach_iam_self_management_policy = true

  custom_group_policy_arns = [
    "arn:aws:iam::aws:policy/AdministratorAccess",
  ]

  custom_group_policies = [
    {
      name   = "AllowS3Listing"
      policy = data.aws_iam_policy_document.sample.json
    }
  ]
}

iam-policy:

module "iam_policy" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"

  name        = "example"
  path        = "/"
  description = "My example policy"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

iam-read-only-policy:

module "iam_read_only_policy" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-read-only-policy"

  name        = "example"
  path        = "/"
  description = "My example read-only policy"

  # IAM service prefixes; DynamoDB's is "dynamodb", so "dynamo" would match nothing
  allowed_services = ["rds", "dynamodb", "health"]
}

iam-role-for-service-accounts-eks:

module "vpc_cni_irsa" {
  source      = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"

  role_name   = "vpc-cni"

  attach_vpc_cni_policy = true
  vpc_cni_enable_ipv4   = true

  oidc_providers = {
    main = {
      provider_arn               = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"
      namespace_service_accounts = ["kube-system:aws-node"]
    }
  }

  tags = {
    Name = "vpc-cni-irsa"
  }
}

iam-user:

module "iam_user" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-user"

  name          = "vasya.pupkin"
  force_destroy = true

  pgp_key = "keybase:test"

  password_reset_required = false
}

IAM Best Practices

AWS published IAM Best Practices, and this Terraform module was created to help with some of the points listed there:

  1. Create Individual IAM Users

Use the iam-user module to manage IAM users.

  2. Use AWS Defined Policies to Assign Permissions Whenever Possible

Use the iam-assumable-roles module to create IAM roles with AWS managed policies that support common tasks (admin, poweruser or readonly).

  3. Use Groups to Assign Permissions to IAM Users

Use the iam-group-with-assumable-roles-policy module to manage IAM groups of users who can assume roles. Use the iam-group-with-policies module to manage IAM groups of users to whom specified IAM policies are attached.

  4. Configure a Strong Password Policy for Your Users

Use the iam-account module to set the password policy for your IAM users.

  5. Enable MFA for Privileged Users

Use the iam-assumable-roles module to create IAM roles that require MFA.

  6. Delegate by Using Roles Instead of by Sharing Credentials

The iam-assumable-role, iam-assumable-roles, iam-assumable-roles-with-saml and iam-group-with-assumable-roles-policy modules provide the complete set of functionality required for this.

  7. Use Policy Conditions for Extra Security

The iam-assumable-roles module can be configured to require a valid MFA token when particular roles are assumed (for example, the admin role requires MFA but the readonly role does not). The requirement is a condition on aws:MultiFactorAuthPresent in the role's trust policy, so it is enforced for every principal the role trusts rather than only for selected users.

  8. Create IAM Policies

Use the iam-policy module to manage IAM policies. Use the iam-read-only-policy module to manage IAM read-only policies.
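
What "requires MFA" amounts to at the policy level, as an added example that is not the module's own code: a trust policy with the two MFA conditions, written against the plain aws_iam_role resource so that it does not depend on module internals. The module's role_requires_mfa input produces a condition of this shape; the mapping of its mfa_age input to aws:MultiFactorAuthAge is assumed here, and the account ID is a placeholder.

```hcl
# Added example, not module code. Account ID is a placeholder.
variable "identity_account_id" {
  type    = string
  default = "111111111111"
}

# Trust policy: principals in the identity account may assume the role only
# when the calling session was authenticated with MFA, and that MFA is no
# older than one hour.
data "aws_iam_policy_document" "admin_trust_mfa" {
  statement {
    sid     = "AssumeWithMfaOnly"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.identity_account_id}:root"]
    }

    # The key exists in the request context only for sessions that used
    # MFA. A long-term access key used directly carries no such key, and
    # the "Bool" operator (not "BoolIfExists") treats a missing key as a
    # failed match, so the statement fails closed for non-MFA callers.
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }

    # Seconds since the MFA authentication; bounds how long a leaked
    # session can keep assuming the role.
    condition {
      test     = "NumericLessThan"
      variable = "aws:MultiFactorAuthAge"
      values   = ["3600"]
    }
  }
}

resource "aws_iam_role" "admin" {
  name               = "admin"
  assume_role_policy = data.aws_iam_policy_document.admin_trust_mfa.json
}

resource "aws_iam_role_policy_attachment" "admin" {
  role       = aws_iam_role.admin.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
```

A read-only role that should be assumable without MFA simply omits both condition blocks; everything else in the trust policy stays the same. Keep `Bool` rather than `BoolIfExists` for the presence check, since the latter would let callers without any MFA context through.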

Examples

Authors

Module is maintained by Anton Babenko with help from these awesome contributors.

License

Apache 2 Licensed. See LICENSE for full details.

Additional information for users from Russia and Belarus
