Terraform module which creates AWS IAM resources.
Please refer to the AWS published IAM Best Practices for up-to-date guidance on IAM best practices.
Creates an account password policy and account alias. The module is instantiated once per account.
```hcl
module "iam_account" {
  source = "terraform-aws-modules/iam/aws//modules/iam-account"

  account_alias = "awesome-company"

  max_password_age               = 90
  minimum_password_length        = 24
  require_uppercase_characters   = true
  require_lowercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  password_reuse_prevention      = 3
  allow_users_to_change_password = true
}
```
Creates an IAM group with an IAM policy attached, to which one or more users can be added.
```hcl
module "iam_group" {
  source = "terraform-aws-modules/iam/aws//modules/iam-group"

  name = "superadmins"

  users = [
    "user1",
    "user2"
  ]

  enable_self_management_permissions = true

  permission_statements = [
    {
      sid       = "AssumeRole"
      actions   = ["sts:AssumeRole"]
      resources = ["arn:aws:iam::111111111111:role/admin"]
    }
  ]

  policies = {
    AdministratorAccess = "arn:aws:iam::aws:policy/AdministratorAccess"
  }

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```
Creates an OpenID Connect (OIDC) provider. Useful for trusting external identity providers such as GitHub, Bitbucket, etc.
```hcl
module "iam_oidc_provider" {
  source = "terraform-aws-modules/iam/aws//modules/iam-oidc-provider"

  url = "https://token.actions.githubusercontent.com"

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```
Creates an IAM policy that allows read-only access to the AWS services listed in `allowed_services` (IAM service prefixes).
```hcl
module "iam_read_only_policy" {
  source = "terraform-aws-modules/iam/aws//modules/iam-read-only-policy"

  name        = "example"
  path        = "/"
  description = "My example read-only policy"

  # Values are IAM service prefixes as used in action names (e.g. "dynamodb:Describe*"),
  # so DynamoDB must be spelled "dynamodb", not "dynamo".
  allowed_services = ["rds", "dynamodb", "health"]

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```
Creates an IAM role suitable for EKS IAM roles for service accounts (IRSA), with a set of pre-defined policies for common EKS add-ons.
```hcl
module "vpc_cni_irsa" {
  source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"

  name = "vpc-cni"

  attach_vpc_cni_policy = true
  vpc_cni_enable_ipv4   = true

  oidc_providers = {
    this = {
      provider_arn               = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"
      namespace_service_accounts = ["kube-system:aws-node"]
    }
  }

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```
Creates an IAM role that trusts an OpenID Connect provider. Useful for trusting external identity providers such as GitHub, Bitbucket, etc.
```hcl
module "iam_oidc_role" {
  source = "terraform-aws-modules/iam/aws//modules/iam-oidc-role"

  enable_github_oidc = true

  # This should be updated to suit your organization, repository, references/branches, etc.
  oidc_subjects = ["terraform-aws-modules/terraform-aws-iam:*"]

  policies = {
    S3ReadOnly = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
  }

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```
Creates an IAM role that trusts a SAML provider. Useful for trusting external identity providers such as Okta, OneLogin, etc.
```hcl
module "iam_role_saml" {
  source = "terraform-aws-modules/iam/aws//modules/iam-role-saml"

  name = "example"

  saml_provider_ids = ["arn:aws:iam::235367859851:saml-provider/idp_saml"]

  policies = {
    ReadOnlyAccess = "arn:aws:iam::aws:policy/ReadOnlyAccess"
  }

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```
Creates an IAM role with a trust policy and an optional IAM instance profile. Useful for service roles such as EC2, ECS, etc., or for roles assumed across AWS accounts.
```hcl
module "iam_role" {
  source = "terraform-aws-modules/iam/aws//modules/iam-role"

  name = "example"

  assume_role_policy_statements = [
    {
      sid = "TrustRoleAndServiceToAssume"
      principals = [{
        type = "AWS"
        identifiers = [
          "arn:aws:iam::835367859851:user/anton",
        ]
      }]
      # Require the caller to present an external ID; this is the standard
      # confused-deputy mitigation for cross-account role assumption.
      conditions = [{
        test     = "StringEquals"
        variable = "sts:ExternalId"
        values   = ["some-secret-id"]
      }]
    }
  ]

  policies = {
    AmazonCognitoReadOnly      = "arn:aws:iam::aws:policy/AmazonCognitoReadOnly"
    AlexaForBusinessFullAccess = "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess"
    # A customer-managed policy declared elsewhere in the same configuration.
    custom = aws_iam_policy.this.arn
  }

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```
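The iam-role example above binds its cross-account trust with `sts:ExternalId`, and the iam-oidc-role example narrows its GitHub trust to one repository. The following is an added check, not part of the terraform-aws-iam module, that lints rendered trust-policy documents (for example from `terraform show -json` or `aws iam get-role`) for exactly those two properties, plus a missing `:sub` condition on any OIDC trust. The sample policies and the account ID `835367859851` are constructed for illustration.

```python
"""Lint IAM role trust policies for cross-account and OIDC trust mistakes.
Added example; not part of the terraform-aws-iam module."""

GITHUB_OIDC = "token.actions.githubusercontent.com"  # issuer host used by the iam-oidc-role example


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_values(stmt, key):
    """All values bound to a condition key, whatever the operator (StringEquals, StringLike, ...)."""
    return [v for kv in stmt.get("Condition", {}).values()
            for k, vals in kv.items() if k == key for v in _as_list(vals)]


def lint_trust_policy(doc, own_account):
    """Return a list of findings for one trust policy; own_account owns the role."""
    findings = []
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*" or principal.get("AWS") == "*":
            findings.append("statement trusts any principal")
            continue
        for arn in _as_list(principal.get("AWS", [])):
            # A cross-account principal should be bound by sts:ExternalId (confused-deputy
            # mitigation), as the iam-role example does; same-account trust needs none.
            if f":{own_account}:" not in arn and not _condition_values(st, "sts:ExternalId"):
                findings.append(f"cross-account trust of {arn} without sts:ExternalId")
        for arn in _as_list(principal.get("Federated", [])):
            host = arn.split("oidc-provider/", 1)[-1]
            subs = _condition_values(st, f"{host}:sub")
            if not subs:
                findings.append(f"OIDC trust of {host} without a {host}:sub condition")
            # GitHub subjects look like repo:<org>/<repo>:<claim>; org and repo must be
            # literal, or every repository matching the wildcard can assume the role.
            for sub in (subs if host == GITHUB_OIDC else []):
                parts = sub.split(":", 2)
                repo = parts[1] if parts[0] == "repo" and len(parts) == 3 else ""
                if "/" not in repo or any(c in repo for c in "*?"):
                    findings.append(f"GitHub subject {sub!r} does not pin org/repo")
    return findings


# Constructed sample: the iam-role trust above with its ExternalId condition removed.
SAMPLE = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                         "Principal": {"AWS": "arn:aws:iam::835367859851:user/anton"}}]}

if __name__ == "__main__":
    print(lint_trust_policy(SAMPLE, "111111111111"))
```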
Creates an IAM user with the ability to create a login profile, access key, and SSH key.
```hcl
module "iam_user" {
  source = "terraform-aws-modules/iam/aws//modules/iam-user"

  name          = "vasya.pupkin"
  force_destroy = true

  # Generated password and secret access key are encrypted to this PGP key
  # (a keybase username or a base64-encoded public key).
  pgp_key = "keybase:test"

  password_reset_required = false

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```
- iam-account - Set AWS account alias and password policy
- iam-group - IAM group with users who are allowed to assume IAM roles in another AWS account and have access to specified IAM policies
- iam-oidc-provider - Create an OpenID connect provider and IAM role which can be assumed from specified subjects federated from the OIDC provider
- iam-read-only-policy - Create IAM read-only policy
- iam-role - Create individual IAM role which can be assumed from specified ARNs (AWS accounts, IAM users, etc)
- iam-role-for-service-accounts - Create IAM role for service accounts (IRSA) for use within EKS clusters
- iam-role-saml - Create individual IAM role which can be assumed by users with a SAML Identity Provider
- iam-user - Add IAM user, login profile and access keys (with PGP enabled or disabled)
Module is maintained by Anton Babenko with help from these awesome contributors.
Apache-2.0 Licensed. See LICENSE.
- Russia has illegally annexed Crimea in 2014 and brought the war in Donbas followed by full-scale invasion of Ukraine in 2022.
- Russia has brought sorrow and devastations to millions of Ukrainians, killed hundreds of innocent people, damaged thousands of buildings, and forced several million people to flee.
- Putin khuylo!