diff --git a/README.md b/README.md index 0842268..1e3f8a6 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,53 @@ Creates predefined IAM roles (admin, poweruser and readonly) which can be assume Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns) - typically, AWS accounts and users. +``` +module "iam-roles" { + source = "git@github.com:kabisa/terraform-iam-assumable-roles.git?ref=[version]" + + trusted_role_arns = [ + "arn:aws:iam::${local.dovetail-iam}:root", + "arn:aws:iam::${local.kabisa-iam}:root", + ] + + create_ci_cd_role = true + + trusted_roles_ci_cd = [ + "arn:aws:iam::{[account-id]}:role/github_actions_role", + ] + + ci_cd_role_managed_policies = [ + "arn:aws:iam::aws:policy/AmazonSSMFullAccess", + "arn:aws:iam::aws:policy/AmazonEC2FullAccess" + ] + + ci_cd_role_inline_policies = { + "example_inline_policy" : data.aws_iam_policy_document.example.json, + "example2" : data.aws_iam_policy_document.example2.json + } + + create_admin_role = true + create_poweruser_role = true + create_readonly_role = true +} + +data "aws_iam_policy_document" "example" { + statement { + actions = ["ssm:*", "ec2:*"] + effect = "Allow" + resources = ["*"] + } +} + +data "aws_iam_policy_document" "example2" { + statement { + actions = ["s3:*"] + effect = "Allow" + resources = ["*"] + } +} +``` + ## Inputs diff --git a/ci_cd_role.tf b/ci_cd_role.tf new file mode 100644 index 0000000..d330ae9 --- /dev/null +++ b/ci_cd_role.tf 
@@ -0,0 +1,30 @@ +resource "aws_iam_role" "ci_cd_iam_role" { + count = var.create_ci_cd_role ? 1 : 0 + + name = "ci_cd_access_role" + assume_role_policy = data.aws_iam_policy_document.ci_cd_policy_document[0].json + managed_policy_arns = var.ci_cd_role_managed_policies + + dynamic "inline_policy" { + for_each = var.ci_cd_role_inline_policies + + content { + name = inline_policy.key + policy = inline_policy.value + } + } +} + +data "aws_iam_policy_document" "ci_cd_policy_document" { + count = var.create_ci_cd_role ? 1 : 0 + + statement { + actions = ["sts:AssumeRole"] + principals { + type = "AWS" + identifiers = var.trusted_roles_ci_cd + } + } +} + + diff --git a/main.tf b/main.tf index 3c489d2..97d383b 100644 --- a/main.tf +++ b/main.tf @@ -9,16 +9,6 @@ data "aws_iam_policy_document" "assume_role" { identifiers = var.trusted_role_arns } } - statement { - effect = "Allow" - - actions = ["sts:AssumeRole"] - - principals { - type = "AWS" - identifiers = var.trusted_roles_ci_cd - } - } } data "aws_iam_policy_document" "assume_role_with_mfa" { @@ -44,16 +34,6 @@ data "aws_iam_policy_document" "assume_role_with_mfa" { values = [var.mfa_age] } } - statement { - effect = "Allow" - - actions = ["sts:AssumeRole"] - - principals { - type = "AWS" - identifiers = var.trusted_roles_ci_cd - } - } } # Admin diff --git a/variables.tf b/variables.tf index f9e82f0..cea35fd 100644 --- a/variables.tf +++ b/variables.tf @@ -3,11 +3,6 @@ variable "trusted_role_arns" { default = [] } -variable "trusted_roles_ci_cd" { - description = "ARNs of AWS entities who can assume these roles for CI/CD" - default = [] -} - variable "mfa_age" { description = "Max age of valid MFA (in seconds) for roles which require MFA" @@ -125,7 +120,7 @@ variable "create_cloudwatch_share_role" { variable "nagios_role_arn" { description = "arn of principal which assumes nagios role" - default = "" + default = [] } variable "create_nagios_role" { 
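Review bot: The trust statement in `ci_cd_policy_document` has no guard for an empty `var.trusted_roles_ci_cd`, which still defaults to `[]` in variables.tf, so `create_ci_cd_role = true` without principals either fails on the empty `identifiers` set at plan time or (if the provider lets it through) creates a role with an unusable trust policy, both of which are confusing for an access-granting resource. A `lifecycle` precondition on `aws_iam_role.ci_cd_iam_role` (Terraform 1.2+) turns that into a clear error at plan time; the block is sketched below. Two smaller points in the same resource: the statement omits the `effect = "Allow"` that the sibling statements in main.tf spell out, which is harmless but reads better explicitly in a trust policy; and `managed_policy_arns`/`inline_policy` are exclusive attributes, so policies attached outside Terraform are removed on the next apply, and they are deprecated in recent AWS provider releases in favour of `aws_iam_role_policy_attachment` and `aws_iam_role_policy` — worth a comment such as `# managed_policy_arns/inline_policy are exclusive: out-of-band attachments are removed on apply`.
```hcl
resource "aws_iam_role" "ci_cd_iam_role" {
  # … unchanged: count, name, assume_role_policy, managed_policy_arns, dynamic inline_policy …

  lifecycle {
    precondition {
      condition     = length(var.trusted_roles_ci_cd) > 0
      error_message = "trusted_roles_ci_cd must list at least one principal when create_ci_cd_role is true."
    }
  }
}
```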
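Review bot: Changing the default of `nagios_role_arn` from `""` to `[]` silently turns the variable from a string into a list, while its description still says `arn of principal which assumes nagios role` and the declaration carries no `type`; the trust policy that consumes it is outside this hunk, and if that code wraps the value as `identifiers = [var.nagios_role_arn]` it now receives a nested list and the plan fails. Pin the new contract in the declaration with `type = list(string)` and `description = "ARNs of the principals allowed to assume the nagios role"`, and confirm the consumer passes the list straight through to `identifiers`.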
@@ -151,3 +146,28 @@ variable "create_sla_reporter_role" { description = "Create role used by SLA report generator" default = false } + +# CI_CD + +variable "create_ci_cd_role" { + description = "Wheter ci_cd_role has to be created" + default = false + type = bool +} + +variable "trusted_roles_ci_cd" { + description = "ARNs of AWS entities who can assume these roles for CI/CD" + default = [] +} + +variable "ci_cd_role_inline_policies" { + default = {} + description = "Inline policies map with policy name as key and json as value." + type = map(string) +} + +variable "ci_cd_role_managed_policies" { + default = [] + description = "Managed policies list." + type = list(string) +}
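Review bot: `trusted_roles_ci_cd` is the only variable added here without a `type`, so a caller can pass a single string and the error surfaces later inside `aws_iam_policy_document` instead of at the variable; declare `type = list(string)` as `ci_cd_role_managed_policies` already does. Its description still says `assume these roles`, but after this change the list feeds only the trust policy of the one CI/CD role, so `description = "ARNs of IAM principals (roles, users or accounts) allowed to assume the CI/CD role"` matches the code, and `create_ci_cd_role` has a typo (`Wheter` → `Whether`). Since this role is a machine identity with no MFA condition, the two policy inputs deserve a least-privilege caveat in their descriptions, e.g. on `ci_cd_role_managed_policies`: `# Every listed policy is granted to the CI/CD role; prefer scoped policies over *FullAccess ones.`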