
terraform-aws-modules / Terraform Aws Iam

Licence: Apache 2.0 (see the License section below)
Terraform module which creates IAM resources on AWS

Projects that are alternatives of or similar to Terraform Aws Iam

Iam Policy Json To Terraform
Small tool to convert an IAM Policy in JSON format into a Terraform aws_iam_policy_document
Stars: ✭ 282 (-10.19%)
Mutual labels:  aws, hcl, iam
Trackiam
A project to collate IAM actions, AWS APIs and managed policies from various public sources.
Stars: ✭ 115 (-63.38%)
Mutual labels:  aws, aws-iam, iam
Terraform Aws Cross Account Role
A Terraform module to create an IAM Role for Cross Account delegation.
Stars: ✭ 30 (-90.45%)
Mutual labels:  aws, hcl, iam
Startup Aws Iam Roles
A list of typical positions in a startup and their policies for IAM AWS.
Stars: ✭ 118 (-62.42%)
Mutual labels:  aws, aws-iam, iam
Cloudsplaining
Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report.
Stars: ✭ 1,057 (+236.62%)
Mutual labels:  aws, aws-iam, iam
Airiam
Least privilege AWS IAM Terraformer
Stars: ✭ 304 (-3.18%)
Mutual labels:  aws, aws-iam, iam
terraform-modules
Terraform Modules by Peak
Stars: ✭ 16 (-94.9%)
Mutual labels:  iam, hcl
react-relay-appsync
AppSync for Relay
Stars: ✭ 19 (-93.95%)
Mutual labels:  iam, aws-iam
Terraform Aws Eks Cluster
Terraform module for provisioning an EKS cluster
Stars: ✭ 256 (-18.47%)
Mutual labels:  aws, hcl
Terraform Examples
Terraform samples for all the major clouds you can copy and paste. The future, co-created.
Stars: ✭ 256 (-18.47%)
Mutual labels:  aws, hcl
Azure arc
Automated Azure Arc environments
Stars: ✭ 224 (-28.66%)
Mutual labels:  aws, hcl
Cloudblock
Cloudblock automates deployment of secure ad-blocking for all of your devices - even when mobile. Step-by-step text and video guides included! Compatible clouds include AWS, Azure, Google Cloud, and Oracle Cloud. Cloudblock deploys Wireguard VPN, Pi-Hole DNS Ad-blocking, and DNS over HTTPS in a cloud provider - or locally - using Terraform and Ansible.
Stars: ✭ 257 (-18.15%)
Mutual labels:  aws, hcl
Kubenow
Deploy Kubernetes. Now!
Stars: ✭ 285 (-9.24%)
Mutual labels:  aws, hcl
Terraform Aws Atlantis
Terraform configurations for running Atlantis on AWS Fargate. Github, Gitlab and BitBucket are supported
Stars: ✭ 246 (-21.66%)
Mutual labels:  aws, hcl
Complete Aws Iam Reference
Complete AWS IAM Reference
Stars: ✭ 236 (-24.84%)
Mutual labels:  aws, iam
stsauth
A CLI tool that allows easy generation of AWS credentials using STS, ADFS, and Active Directory.
Stars: ✭ 18 (-94.27%)
Mutual labels:  iam, aws-iam
Terraform Aws Tfstate Backend
Terraform module that provision an S3 bucket to store the `terraform.tfstate` file and a DynamoDB table to lock the state file to prevent concurrent modifications and state corruption.
Stars: ✭ 229 (-27.07%)
Mutual labels:  aws, hcl
Lambdaguard
AWS Serverless Security
Stars: ✭ 300 (-4.46%)
Mutual labels:  aws, iam
Terraform Aws Gitlab Runner
Terraform module for AWS GitLab runners on ec2 (spot) instances
Stars: ✭ 292 (-7.01%)
Mutual labels:  aws, hcl
Elasticsearch Cloud Deploy
Deploy Elasticsearch on the cloud easily
Stars: ✭ 308 (-1.91%)
Mutual labels:  aws, hcl

AWS Identity and Access Management (IAM) Terraform module

These types of resources are supported:

Terraform versions

Terraform 0.12 or newer. Pin module version to ~> v3.0. Submit pull-requests to master branch.

Terraform 0.11. Pin module version to ~> v1.0. Submit pull-requests to terraform011 branch.

Features

  1. Cross-account access. Create IAM roles with the iam-assumable-role or iam-assumable-roles submodules in the resource accounts (prod, staging, dev), and IAM groups and users with the iam-group-with-assumable-roles-policy submodule in a single identity ("IAM") account. Users then hold long-lived credentials only in the identity account and reach the other accounts by assuming roles there. See the iam-group-with-assumable-roles-policy example for more details.
  2. Individual IAM resources (users, roles, policies). See usage snippets and examples listed below.

Usage

iam-account:

module "iam_account" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-account"
  version = "~> 3.0"

  account_alias = "awesome-company"

  # Account-wide password policy for IAM users. It governs console passwords
  # only, not access keys. The values below are illustrative.
  minimum_password_length = 37
  require_numbers         = false
}

iam-assumable-role:

module "iam_assumable_role" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
  version = "~> 3.0"

  # Principals allowed to call sts:AssumeRole on this role. An account ":root"
  # ARN trusts every principal in that account whose own IAM policies permit
  # sts:AssumeRole, so keep those policies tight (see iam-group-with-assumable-roles-policy).
  trusted_role_arns = [
    "arn:aws:iam::307990089504:root",
    "arn:aws:iam::835367859851:user/anton",
  ]

  create_role = true

  role_name         = "custom"
  role_requires_mfa = true # adds an aws:MultiFactorAuthPresent condition to the trust policy

  custom_role_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonCognitoReadOnly",
    "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess",
  ]
  # Terraform 0.12 cannot derive count from the list above at plan time, hence the explicit number.
  number_of_custom_role_policy_arns = 2
}

iam-assumable-role-with-oidc:

module "iam_assumable_role_with_oidc" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
  version = "~> 3.0"

  create_role = true

  role_name = "role-with-oidc"

  tags = {
    Role = "role-with-oidc"
  }

  # OIDC issuer of the EKS cluster, without the https:// scheme.
  provider_url = "oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"
  # As written, any identity this issuer signs tokens for (any service account in
  # the cluster) may assume the role. Narrow it with oidc_fully_qualified_subjects,
  # e.g. ["system:serviceaccount:kube-system:aws-node"] for the CNI policy below.

  role_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
  ]
  number_of_role_policy_arns = 1
}

iam-assumable-role-with-saml:

module "iam_assumable_role_with_saml" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-saml"
  version = "~> 3.0"

  create_role = true

  role_name = "role-with-saml"

  tags = {
    Role = "role-with-saml"
  }

  provider_id = "arn:aws:iam::235367859851:saml-provider/idp_saml"

  role_policy_arns = [
    "arn:aws:iam::aws:policy/ReadOnlyAccess"
  ]
  number_of_role_policy_arns = 1
}

iam-assumable-roles:

module "iam_assumable_roles" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-roles"
  version = "~> 3.0"

  # Principals (here a whole account and one user) allowed to assume the roles created below.
  trusted_role_arns = [
    "arn:aws:iam::307990089504:root",
    "arn:aws:iam::835367859851:user/anton",
  ]

  create_admin_role = true # admin_role_requires_mfa is left at its default (true)

  create_poweruser_role = true
  poweruser_role_name   = "developer"

  create_readonly_role       = true
  readonly_role_requires_mfa = false # read-only access is deliberately usable without MFA
}

iam-assumable-roles-with-saml:

module "iam_assumable_roles_with_saml" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-roles-with-saml"
  version = "~> 3.0"

  create_admin_role = true

  create_poweruser_role = true
  poweruser_role_name   = "developer"

  create_readonly_role = true

  provider_id   = "arn:aws:iam::235367859851:saml-provider/idp_saml"
}

iam-user:

module "iam_user" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-user"
  version = "~> 3.0"

  name          = "vasya.pupkin"
  force_destroy = true # destroy the user even if it has access keys or MFA devices not managed by Terraform

  # Public key used to encrypt the generated console password and secret access
  # key, so they reach state and outputs encrypted rather than in plaintext.
  pgp_key = "keybase:test"

  password_reset_required = false # true forces a new password at first console login
}

iam-policy:

module "iam_policy" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
  version = "~> 3.0"

  name        = "example"
  path        = "/"
  description = "My example policy"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

iam-group-with-assumable-roles-policy:

module "iam_group_with_assumable_roles_policy" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-group-with-assumable-roles-policy"
  version = "~> 3.0"

  name = "production-readonly"

  # Role ARNs the group members may pass to sts:AssumeRole; these roles can be
  # created with the iam-assumable-roles submodule in the resource account.
  assumable_roles = [
    "arn:aws:iam::835367859855:role/readonly"
  ]

  group_users = [
    "user1",
    "user2"
  ]
}

iam-group-with-policies:

# The custom policy below references a data source the snippet did not define;
# this definition is illustrative (it allows listing buckets and nothing else).
data "aws_iam_policy_document" "sample" {
  statement {
    actions   = ["s3:ListAllMyBuckets"]
    resources = ["*"]
  }
}

module "iam_group_with_policies" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-group-with-policies"
  version = "~> 3.0"

  name = "superadmins"

  group_users = [
    "user1",
    "user2"
  ]

  # Lets members manage their own IAM user (password, access keys, MFA device).
  attach_iam_self_management_policy = true

  custom_group_policy_arns = [
    "arn:aws:iam::aws:policy/AdministratorAccess",
  ]

  custom_group_policies = [
    {
      name   = "AllowS3Listing"
      policy = data.aws_iam_policy_document.sample.json
    }
  ]
}

IAM Best Practices

AWS publishes IAM Best Practices; this Terraform module was created to help with some of the points listed there:

1. Create Individual IAM Users

Use the iam-user module to manage IAM users.

2. Use AWS Defined Policies to Assign Permissions Whenever Possible

Use iam-assumable-roles module to create IAM roles with managed policies to support common tasks (admin, poweruser or readonly).

3. Use Groups to Assign Permissions to IAM Users

Use iam-group-with-assumable-roles-policy module to manage IAM groups of users who can assume roles.

Use the iam-group-with-policies module to manage IAM groups whose members are granted the specified IAM policies.

4. Configure a Strong Password Policy for Your Users

Use iam-account module to set password policy for your IAM users.

5. Enable MFA for Privileged Users

Terraform can't enroll an MFA device for an IAM user; enrollment is done by the user in the AWS Console or with the AWS CLI. What Terraform can do is make roles refuse sessions that were not authenticated with MFA (role_requires_mfa, see item 7).

6. Delegate by Using Roles Instead of by Sharing Credentials

The iam-assumable-role, iam-assumable-roles, iam-assumable-roles-with-saml and iam-group-with-assumable-roles-policy modules provide the functionality required for this: roles in the target accounts, and groups in the identity account that are allowed to assume them.
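The cross-account pattern from the Features section and this item, wired end to end in one root module. This is an added example, not code from the module's README. It assumes two provider aliases (identity and prod) already authenticated to the respective accounts, placeholder account IDs, and that the iam-assumable-roles submodule exposes the outputs admin_iam_role_arn and readonly_iam_role_arn (check outputs.tf of the version you pin).

```hcl
# Added example: identity account holds users and groups, the prod account holds
# roles only. Account IDs are placeholders.

provider "aws" {
  alias  = "identity"
  region = "eu-west-1"
  # credentials for the account that holds IAM users and groups
}

provider "aws" {
  alias  = "prod"
  region = "eu-west-1"
  # credentials for the resource account
}

# Resource account: create the roles and trust the identity account as a whole.
# The identity account's own IAM policies then decide which of its principals
# may actually call sts:AssumeRole.
module "prod_roles" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-roles"
  version = "~> 3.0"

  providers = { aws = aws.prod }

  trusted_role_arns = ["arn:aws:iam::111111111111:root"] # identity account (placeholder)

  create_admin_role    = true # MFA required by default
  create_readonly_role = true
}

# Identity account: groups whose members are granted sts:AssumeRole on the
# prod roles. The users themselves must already exist (see the iam-user module).
module "prod_admins" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-group-with-assumable-roles-policy"
  version = "~> 3.0"

  providers = { aws = aws.identity }

  name            = "prod-admins"
  assumable_roles = [module.prod_roles.admin_iam_role_arn] # output name assumed, verify against outputs.tf
  group_users     = ["alice"]
}

module "prod_readonly" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-group-with-assumable-roles-policy"
  version = "~> 3.0"

  providers = { aws = aws.identity }

  name            = "prod-readonly"
  assumable_roles = [module.prod_roles.readonly_iam_role_arn] # output name assumed, verify against outputs.tf
  group_users     = ["alice", "bob"]
}
```

Applying this needs credentials for both accounts in one run. Nobody in the prod account gets a user or access key; access flows through the role trust on one side and the group policy on the other, so removing a user from a group in the identity account is enough to revoke their prod access.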

7. Use Policy Conditions for Extra Security

The iam-assumable-roles module can be configured to require a valid MFA token when a role is assumed, on a per-role basis (for example, the admin role requires MFA but the readonly role does not).
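What role_requires_mfa actually puts in the trust policy, written out by hand as an added example (not the module's own code) so the condition keys are visible and can be reviewed in a plan. The account ID and role name are placeholders, and the 86400-second age limit is my understanding of the mfa_age default in the assumable-role submodules, which you should confirm against the pinned version.

```hcl
# Added example: a trust policy equivalent to role_requires_mfa = true.
data "aws_iam_policy_document" "assume_with_mfa" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111111111111:root"] # trusted account (placeholder)
    }

    # Reject the AssumeRole call unless the caller's session was authenticated
    # with MFA. "Bool" (not "BoolIfExists") is deliberate: when the key is
    # absent, as it is for requests signed with long-term access keys, the
    # condition evaluates to false and the call is denied.
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }

    # ... and the MFA authentication happened within the last 24 hours
    # (the submodules expose this as mfa_age; 86400 is assumed to be the default).
    condition {
      test     = "NumericLessThan"
      variable = "aws:MultiFactorAuthAge"
      values   = ["86400"]
    }
  }
}

resource "aws_iam_role" "admin" {
  name               = "admin"
  assume_role_policy = data.aws_iam_policy_document.assume_with_mfa.json
}

resource "aws_iam_role_policy_attachment" "admin" {
  role       = aws_iam_role.admin.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
```

When reviewing a plan for the module-created roles, look for exactly these two condition blocks in assume_role_policy; a role whose trust policy uses BoolIfExists, or omits the condition, can be assumed with plain access keys regardless of what the calling user's own policy says.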

8. Create IAM Policies

Use the iam-policy module to manage IAM policies.

Examples

  • iam-account - Set AWS account alias and password policy
  • iam-assumable-role - Create individual IAM role which can be assumed from specified ARNs (AWS accounts, IAM users, etc)
  • iam-assumable-role-with-oidc - Create individual IAM role which can be assumed by specified subjects federated with an OIDC Identity Provider
  • iam-assumable-role-with-saml - Create individual IAM role which can be assumed by users with a SAML Identity Provider
  • iam-assumable-roles - Create several IAM roles which can be assumed from specified ARNs (AWS accounts, IAM users, etc)
  • iam-assumable-roles-with-saml - Create several IAM roles which can be assumed by users with a SAML Identity Provider
  • iam-group-with-assumable-roles-policy - IAM group with users who are allowed to assume IAM roles in the same or a separate AWS account
  • iam-group-with-policies - IAM group with users who are allowed specified IAM policies (eg, "manage their own IAM user")
  • iam-group-complete - IAM group with users who are allowed to assume IAM roles in another AWS account and have access to specified IAM policies
  • iam-user - Add IAM user, login profile and access keys (with PGP enabled or disabled)
  • iam-policy - Create IAM policy

Authors

Module managed by Anton Babenko.

License

Apache 2 Licensed. See LICENSE for full details.
