Creates a custom role that you assume through your GCC2.0 cloud assume role.
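module "role-gcc" {
  # NOTE(review): `group_names` is not listed in the Inputs table below — confirm the module still accepts it.
  group_names = ["gpcgr"]

  # Role ID of the AWSReservedSSO_agency_assume_local role that is trusted to assume this role.
  # Look it up with:
  #   aws iam list-roles --query "Roles[?starts_with(RoleName, 'AWSReservedSSO_agency_assume_local')].[RoleId]" --output text
  agency_assume_local_role_id = "AXXXXXXXXXXXX"

  # Required by the module (see Inputs); placeholder value.
  aws_region = "<aws-region>"

  # Existing policies to attach: label of your choice -> policy ARN.
  attach_policies = {
    "read-only-access" = "arn:aws:iam::aws:policy/ReadOnlyAccess"
  }

  # Customer-managed policies the module creates (not inline). The heredoc must be valid JSON:
  # IAM rejects a trailing comma after the last element of "Action".
  managed_policies = {
    myPolicy = <<-EOF
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": [
              "events:List*",
              "events:Describe*",
              "events:Get*"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "MISC"
          }
        ]
      }
    EOF
  }

  techpass_email_addresses = [
    "[email protected]",
  ]

  # External ID condition on the trust policy (confused-deputy mitigation), see
  # https://aws.amazon.com/blogs/apn/securely-using-external-id-for-accessing-aws-accounts-owned-by-others/
  # Use a long random value and keep it out of version control (e.g. pass it in as a variable).
  external_id = "some_external_id"

  # Restricts the source IPs allowed to assume the role; disabled when the list is empty.
  # Note: this only gates the initial AssumeRole call, not later use of the temporary
  # credentials if they are stolen. A permissions boundary that denies all actions from
  # outside the allowed ranges (NotIpAddress) can mitigate this; the module exposes
  # `permissions_boundary` for that purpose.
  source_ip_addresses = ["ip_1", "ip_2"] # placeholders — replace with your WARP/SEED ranges

  # Custom policy document; nothing is created when empty. Use the heredoc (EOF) syntax if needed.
  custom_policy = ""

  description = "great power comes great responsibility role"
  name        = "gpcgr"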
}

No requirements.
| Name | Version |
|---|---|
| aws | n/a |
No modules.
| Name | Type |
|---|---|
| aws_iam_policy.managed_policies | resource |
| aws_iam_policy.policy | resource |
| aws_iam_role.iam_role | resource |
| aws_iam_role_policy_attachment.attach_custom_policy | resource |
| aws_iam_role_policy_attachment.attach_policy | resource |
| aws_iam_role_policy_attachment.managed_policies | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.iam_trusted | data source |
| aws_iam_policy_document.trusted_accounts | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| agency_assume_local_role_id | your agency_assume_local role_id, use aws iam list-roles --query "Roles[?starts_with(RoleName, 'AWSReservedSSO_agency_assume_local')].[RoleId]" --output text | string | n/a | yes |
| attach_policies | map(string) of existing policies to attach | map(string) | {} | no |
| aws_region | aws region | string | n/a | yes |
| custom_policy | custom policy to be applied to the role using the EOF syntax | string | "" | no |
| description | description of the role | string | n/a | yes |
| external_id | external id condition for assume role | string | "" | no |
| managed_policies | Custom policies to be created as managed policies (not inline). | map(string) | {} | no |
| max_session_duration | maximum session duration in seconds for the role, between 1 and 12 hours | number | 3600 | no |
| name | name of the role in the aws console | string | n/a | yes |
| path | path of the role in the aws console | string | "/" | no |
| permissions_boundary | ARN of permissions boundary policy to attach to the role | string | "" | no |
| source_ip_addresses | Only allow assume role from specific IPs; this rule is disabled if the list is empty. | list(string) | [] | no |
| tags | A mapping of tags to assign to the resource | map(string) | {} | no |
| techpass_email_addresses | list of TechPass users' email addresses allowed to use this role | list(string) | n/a | yes |
| Name | Description |
|---|---|
| arn | arn of the role |
| create_date | date which the role was created |
| custom_policy_arn | ARN of the custom policy |
| custom_policy_id | id of the custom policy |
| custom_policy_name | name of the custom policy |
| description | description of the role |
| id | id of the role |
| name | name of the role |
| role_session_duration | maximum duration the role can be assumed for |
| unique_id | unique id of the role |