Commit
Showing 1 changed file with 83 additions and 0 deletions.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,83 @@ | ||
| # About aws-iam-role | ||
|
|
||
| # Usage | ||
|
|
||
| ```hcl | ||
| module "myrole" { | ||
| source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.gi" | ||
| role_name = "my-role" | ||
| saml_provider_arn = "aws:aws-us-gov:iam:1234567890:saml/X" | ||
| enable_ldap_creation = true | ||
| assume_policy_document = data.terraform_remote_state.common.outputs.saml_assume_json | ||
| ec2_assume_policy_document = "X" | ||
| attached_policies = ["arn1", "arn2"] | ||
| ldap_user = "cn=myuser,ou=Application,o=U.S. Census Bureau,c=US" | ||
| ldap_password = "password1234$$" | ||
| # optional | ||
| ec2_role_name = "my-role-other" | ||
| enable_instance_role = false | ||
| ec2_attached_policies = [] | ||
| ldap_host = "ldap.e.tco.census.gov" | ||
| ldap_port = 389 | ||
| } | ||
| ``` | ||
|
|
||
| ## Requirements | ||
|
|
||
| No requirements. | ||
|
|
||
| ## Providers | ||
|
|
||
| | Name | Version | | ||
| |------|---------| | ||
| | aws | n/a | | ||
| | ldap | n/a | | ||
| | ldap.ebocas | n/a | | ||
| | null | n/a | | ||
| | template | n/a | | ||
|
|
||
| ## Modules | ||
|
|
||
| No Modules. | ||
|
|
||
| ## Resources | ||
|
|
||
| | Name | | ||
| |------| | ||
| | [aws_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | | ||
| | [aws_caller_identity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | | ||
| | [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | | ||
| | [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | | ||
| | [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | | ||
| | [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | | ||
| | [aws_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | | ||
| | [ldap_object](https://registry.terraform.io/providers/hashicorp/ldap/latest/docs/resources/object) | | ||
| | [null_resource](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | | ||
| | [template_file](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | | ||
|
|
||
| ## Inputs | ||
|
|
||
| | Name | Description | Type | Default | Required | | ||
| |------|-------------|------|---------|:--------:| | ||
| | account\_alias | AWS Account Alias | `string` | `""` | no | | ||
| | account\_id | AWS Account ID (default will pull from current user) | `string` | `""` | no | | ||
| | assume\_policy\_document | JSON policy document for role to assume (i.e., the SAML assume document) | `string` | `""` | no | | ||
| | attached\_policies | List of IAM Policy ARNs to attach to this role | `list(string)` | `[]` | no | | ||
| | ec2\_assume\_policy\_document | JSON policy document for EC2 instance role (default is sts:AssumeRole for ec2 service) | `string` | `""` | no | | ||
| | ec2\_attached\_policies | List of IAM Policy ARNs to attach to this EC2 instance role | `list(string)` | `[]` | no | | ||
| | ec2\_role\_name | EC2 instace Role/application name without prefix | `string` | `""` | no | | ||
| | enable\_instance\_role | Flag to enable the creation of a partner EC2 instance role with specific policies and optionally a different name | `boolean` | `false` | no | | ||
| | enable\_ldap\_creation | Flag to enable/disable LDAP object creation for role group (for SAML only). Also requires LDAP credentials. | `boolean` | `false` | no | | ||
| | ldap\_host | LDAP Hostname (default is for eBOCAS) | `string` | `"ldap.e.tco.census.gov"` | no | | ||
| | ldap\_password | LDAP password for ldap\_user for writing data into eDirectory or Active Directory | `string` | `""` | no | | ||
| | ldap\_port | LDAP port (default is 389 but also using STARTTLS) | `number` | `389` | no | | ||
| | ldap\_user | LDAP user for writing data into eDirectory or Active Directory | `string` | `""` | no | | ||
| | override\_prefixes | Override built-in prefixes by component (role, policy). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | | ||
| | role\_name | Role/application name without prefix | `string` | n/a | yes | | ||
| | saml\_provider\_arn | ARN of SAML Provider | `string` | `""` | no | | ||
| | tags | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | | ||
|
|
||
| ## Outputs | ||
|
|
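
Review bot: the Usage example hard-codes the LDAP bind credential in the module block (`ldap_password = "password1234$$"`), which teaches callers to commit a directory write password to source control. Show it passed in from a variable declared sensitive (for example `ldap_password = var.ldap_password`, name illustrative) and say in the Inputs row for `ldap_password` that the value is a secret. Other points in the same hunk: the `source` URL ends in `.gi`, which looks like a truncated `.git`; the sample `saml_provider_arn` value `"aws:aws-us-gov:iam:1234567890:saml/X"` does not start with `arn:`, so it is not in ARN form and will mislead anyone copying it; the `# optional` comment implies every argument above it is required, while the Inputs table marks only `role_name` as required; the Type column uses `boolean` where Terraform's type name is `bool`; "instace" in the `ec2_role_name` row is a typo; the `tags` description refers to S3, KMS and a `data_safeguard` field that is not among the listed inputs, so it reads as copied from another module; and the "About aws-iam-role" heading has no text under it.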