Creates an IAM Instance Profile with selected permissions. This is a special version for wincheater to support some customizations
| Module version | Terraform version |
|---|---|
| 4.x.x | 0.12.x |
| 3.x.x and earlier | 0.11.x |
Upgrading from 0.11.x and earlier to 0.12.x should be seamless. You can simply update the `ref` in your `source` to point to a version greater than 4.0.0.
When first applied in 0.12.x, some policies may update due to the slight difference in format that occurs when moving from inline JSON to aws_iam_policy_document, however the policy permissions granted remain the same.
```hcl
module "iam_profile_backend" {
  source = "git::https://gitlab.com/claranet-pcp/terraform/aws/tf-aws-iam-instance-profile.git?ref=v4.0.0"

  name = "${var.envtype}-backend"

  codecommit_gitpull       = "1"
  codecommit_gitpull_repos = ["cool-app", "even-cooler-app"]
  cw_readonly              = "1"
  ec2_attach               = "1"
  ec2_describe             = "1"
  kms_decrypt              = "1"
  kms_decrypt_arns         = [aws_kms_key.puppet.arn]
  kms_encrypt              = "1"
  kms_encrypt_arns         = [aws_kms_key.puppet.arn]
  r53_update               = "1"
  s3_read_buckets          = ["my-bucket-1", "my-bucket-2"]
  s3_readonly              = "1"
  s3_write                 = "1"
  s3_write_buckets         = ["my-writable-bucket", "another-writable-bucket"]
  sqs_allowall             = "1"
}
```
The following variables are used for overall control of the module:
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| name | Prefix for the profile and role names | String | Empty | Yes |
| enabled | Whether or not to create resources | String | 1 | No |
The enabled flag remains in this module to ease upgrades from 0.11.x to 0.12.x. For projects using 0.12.x, it may be worth considering using a count on the module inclusion instead, which is a feature added in 0.12.x.
The following variables toggle policies on and off. They can be set to 1 or 0 (true and false are also accepted). All default to 0 and none are required when calling the module. The exact policy granted by each variable can be checked in the relevant file.
| Name | Permissions granted | File |
|---|---|---|
| ads_domain_join | Join an Active Directory Service domain | ads.tf |
| autoscaling_describe | Describe Auto Scaling resources | autoscaling.tf |
| autoscaling_suspend_resume | Suspend and resume Auto Scaling processes | autoscaling.tf |
| autoscaling_terminate_instance | Terminate an instance in an Auto Scaling group | autoscaling.tf |
| autoscaling_update | Update an Auto Scaling Group's properties | autoscaling.tf |
| codecommit_gitpull | Pull from a CodeCommit repository (requires codecommit_gitpull_repos) | codecommit.tf |
| codecommit_gitpush | Push to a CodeCommit repository (requires codecommit_gitpush_repos) | codecommit.tf |
| cw_logs_update | Update CloudWatch log streams | cloudwatch.tf |
| cw_readonly | Get* and List* permissions for CloudWatch | cloudwatch.tf |
| cw_update | Put* permissions for CloudWatch | cloudwatch.tf |
| ec2_attach | Attach* permissions for EC2 (EBS, ENI, etc) | ec2.tf |
| ec2_describe | Describe* for all EC2 resources | ec2.tf |
| ec2_ebs_attach | Attach EBS volumes to EC2 instances | ec2.tf |
| ec2_eni_attach | Attach ENIs to EC2 instances | ec2.tf |
| ec2_write_tags | Create tags on EC2 resources | ec2.tf |
| elasticache_readonly | Describe and list tags for ElastiCache resources | elasticache.tf |
| es_allowall | Full access to AWS ElasticSearch Service | elasticsearch.tf |
| es_write | HTTP DELETE, GET, HEAD, POST and PUT to ElasticSearch domains | elasticsearch.tf |
| firehose_streams | PutRecord and PutRecordBatch for Firehose (requires firehose_stream_arns) | firehose.tf |
| kinesis_streams | Read/Write access to Kinesis Streams | kinesis.tf |
| kms_decrypt | Decrypt using given KMS key(s) (requires kms_decrypt_arns) | kms.tf |
| kms_encrypt | Encrypt using given KMS key(s) (requires kms_encrypt_arns) | kms.tf |
| packer_access | Permissions for Packer builds per https://www.packer.io/docs/builders/amazon.html | packer.tf |
| r53_update | Get, list and change Route53 record sets | r53.tf |
| rds_readonly | Describe and list RDS resources | rds.tf |
| redshift_read | Read-only access to Redshift resources | redshift.tf |
| s3_readonly | Read access to given S3 buckets (requires s3_read_buckets) | s3.tf |
| s3_write | Write access to given S3 buckets (requires s3_write_buckets) | s3.tf |
| s3_writeonly | Write-only (no read) access to given S3 buckets (requires s3_writeonly_buckets) | s3.tf |
| sns_allowall | Full access to SNS | sns.tf |
| sqs_allowall | Full access to SQS | sqs.tf |
| ssm_get_params | GetParameter for given SSM Parameters (requires ssm_get_params_names) | ssm.tf |
| ssm_managed | Permissions required for managing an instance in SSM. See note below. | ssm.tf |
| ssm_session_manager | Access to SSM Session Manager | ssm.tf |
| sts_assumerole | Allow the instance to assume IAM roles listed in sts_assumeroles | sts.tf |
| sts_assumeroles | List of IAM role ARNs to allow the instance to assume. | sts.tf |
| transcribe_fullaccess | Full access to Transcribe | transcribe.tf |
| list_aws_arns | Special Exception for Windcheater Assume Roles List | main.tf |
Note that for ssm_managed, if you want to send output to an S3 bucket you will also need to explicitly allow write access to that bucket using s3_write and s3_write_buckets.
The following are only required in certain circumstances:
| Name | Required when | Type | Description |
|---|---|---|---|
| codecommit_gitpull_repos | codecommit_gitpull = 1 or true | List of Strings | List of CodeCommit Repository names to allow pull access |
| codecommit_gitpush_repos | codecommit_gitpush = 1 or true | List of Strings | List of CodeCommit Repository names to allow push access |
| firehose_stream_arns | firehose_streams = 1 or true | List of Strings | List of Firehose Stream ARNs to allow access to |
| kms_decrypt_arns | kms_decrypt = 1 or true | String | Comma-delimited list of KMS Keys to allow decryption with |
| kms_encrypt_arns | kms_encrypt = 1 or true | String | Comma-delimited list of KMS Keys to allow encryption with |
| s3_read_buckets | s3_readonly = 1 or true | List of Strings | List of S3 bucket names (not ARNs) to allow read access to |
| s3_write_buckets | s3_write = 1 or true | List of Strings | List of S3 bucket names (not ARNs) to allow write access to |
| s3_writeonly_buckets | s3_writeonly = 1 or true | List of Strings | List of S3 bucket names (not ARNs) to allow write-only (no read) access to |
| ssm_get_params_names | ssm_get_params = 1 or true | List of Strings | List of SSM Parameter names to allow read access to |
| sts_assumeroles | sts_assumerole = 1 or true | List of Strings | List of IAM role ARNs to allow the instance to assume. |
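A pre-apply sanity check over the values passed to this module, encoding the "Required when" table above plus the "bucket names (not ARNs)" rule. This is an added example, not part of the module; the `check_profile` function and the constructed `EXAMPLE` input (with a placeholder KMS ARN) are assumptions made here.

```python
# Added example, not part of the module: a pre-apply sanity check over the
# values passed to the module, encoding the "Required when" table above.
REQUIRES = {  # toggle -> the variable it needs (from the "Required when" table)
    "codecommit_gitpull": "codecommit_gitpull_repos",
    "codecommit_gitpush": "codecommit_gitpush_repos",
    "firehose_streams": "firehose_stream_arns",
    "kms_decrypt": "kms_decrypt_arns",
    "kms_encrypt": "kms_encrypt_arns",
    "s3_readonly": "s3_read_buckets",
    "s3_write": "s3_write_buckets",
    "s3_writeonly": "s3_writeonly_buckets",
    "ssm_get_params": "ssm_get_params_names",
    "sts_assumerole": "sts_assumeroles",
}
# Toggles granting service-wide access; worth a second look in review.
BROAD = ("es_allowall", "sns_allowall", "sqs_allowall", "transcribe_fullaccess")
BUCKET_LISTS = ("s3_read_buckets", "s3_write_buckets", "s3_writeonly_buckets")

def is_on(value):
    """Read a toggle the way the module documents it: 1/0 or true/false."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("1", "true")

def check_profile(config):
    """Return findings for one module block's variable values (empty = clean)."""
    findings = []
    for toggle, needed in REQUIRES.items():
        on, given = is_on(config.get(toggle, "0")), bool(config.get(needed))
        if on and not given:
            findings.append(f"{toggle} is on but {needed} is empty: policy has no resources")
        if given and not on:
            findings.append(f"{needed} is set but {toggle} is off: it has no effect")
    for toggle in BROAD:
        if is_on(config.get(toggle, "0")):
            findings.append(f"{toggle} grants full service access; confirm it is intended")
    for key in BUCKET_LISTS:  # the module wants bucket names, not ARNs
        for bucket in config.get(key) or []:
            if bucket.startswith("arn:"):
                findings.append(f"{key}: {bucket!r} is an ARN, expected a bucket name")
    return findings

# Constructed input modelled on the usage example above (KMS ARN is a placeholder).
EXAMPLE = {
    "name": "prod-backend", "ec2_describe": "1", "sqs_allowall": "1",
    "codecommit_gitpull": "1", "codecommit_gitpull_repos": ["cool-app", "even-cooler-app"],
    "kms_decrypt": "1", "kms_decrypt_arns": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER",
    "s3_readonly": "1", "s3_read_buckets": ["my-bucket-1", "my-bucket-2"],
    "s3_write": "1", "s3_write_buckets": ["my-writable-bucket"],
}
```

Run `check_profile(EXAMPLE)` and the only finding is the `sqs_allowall` review prompt; every scoped toggle in the example has its resource list set.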
| Name | Version |
|---|---|
| terraform | >= 0.12.0 |
| Name | Version |
|---|---|
| aws | n/a |
No modules.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| ads_domain_join | Bit indicating whether to create a role policy to allow AWS Directory Service Domain Join | string | "0" | no |
| autoscaling_describe | Bit indicating whether to create a role policy to allow the Describe permission on Autoscaling Groups | string | "0" | no |
| autoscaling_suspend_resume | Bit indicating whether to create a role policy to allow Suspend/Resume on Autoscaling Groups | string | "0" | no |
| autoscaling_terminate_instance | Bit indicating whether to create a role policy to allow termination of Autoscaled instances | string | "0" | no |
| autoscaling_update | Bit indicating whether to create a role policy to allow the Update permission on Autoscaling Groups | string | "0" | no |
| aws_policies | A list of AWS policies to attach, e.g. AmazonMachineLearningFullAccess | list(string) | [] | no |
| codecommit_gitpull | Bit indicating whether to create a role policy to allow read access to a CodeCommit repository | string | "0" | no |
| codecommit_gitpull_repos | A list of CodeCommit repository names to create GitPull role policies on | list(string) | [] | no |
| codecommit_gitpush | Bit indicating whether to create a role policy to allow write access to a CodeCommit repository | string | "0" | no |
| codecommit_gitpush_repos | A list of CodeCommit repository names to create GitPush role policies on | list(string) | [] | no |
| cw_logs_update | Bit indicating whether to create a role policy to allow log update permissions on a Cloudwatch service | string | "0" | no |
| cw_readonly | Bit indicating whether to create a role policy to allow List/Get permissions on a Cloudwatch service | string | "0" | no |
| cw_update | Bit indicating whether to create a role policy to allow Put permissions on a Cloudwatch service | string | "0" | no |
| ec2_assign_private_ip | Bit indicating whether to create a role policy to allow the assigning of an additional private IP address | string | "0" | no |
| ec2_attach | Bit indicating whether to create a role policy to allow Attach* access to instances | string | "0" | no |
| ec2_describe | Bit indicating whether to create a role policy for access to the ec2_describe API | string | "1" | no |
| ec2_ebs_attach | Bit indicating whether to create a role policy to allow attaching Elastic Block Store volumes to instances, also grants DescribeVolume | string | "0" | no |
| ec2_eni_attach | Bit indicating whether to create a role policy to allow attaching Elastic Network Interfaces to instances, also grants Describe interfaces and Describe/Modify attributes | string | "0" | no |
| ec2_write_tags | Bit indicating whether to create a role policy to allow write of ec2 tags | string | "0" | no |
| ecr_readonly | Bit indicating whether to create a role policy to allow Listobjects in ECR | string | "0" | no |
| ecs_update | Bit indicating whether to create a role policy for update ECS | string | "0" | no |
| elasticache_readonly | Bit indicating whether to create a role policy to allow read permissions on an ElastiCache service | string | "0" | no |
| enabled | Enable or disable the resources. | string | "1" | no |
| es_allowall | Bit indicating whether to create a role policy to allow full access to Elasticsearch | string | "0" | no |
| es_write | Bit indicating whether to create a role policy to allow write access to Elasticsearch | string | "0" | no |
| firehose_stream_arns | List of Firehose Stream ARNs to be allowed | list(string) | [] | no |
| firehose_streams | Bit indicating whether to create a role policy to allow sending to Firehose Streams | string | "0" | no |
| kinesis_streams | Bit indicating whether to create a role policy to allow Get/Put/Describe access to Kinesis Streams | string | "0" | no |
| kms_decrypt | Bit indicating whether to create a role policy to allow decryption using KMS | string | "0" | no |
| kms_decrypt_arns | Comma separated list of KMS key ARNs that can be used for decryption | string | "" | no |
| kms_encrypt | Bit indicating whether to create a role policy to allow encryption using KMS | string | "0" | no |
| kms_encrypt_arns | Comma separated list of KMS key ARNs that can be used for encryption | string | "" | no |
| list_aws_arns | A list of Assume AWS type ARNs | list(string) | [] | no |
| name | The name prefix for the IAM role and instance profile | string | n/a | yes |
| packer_access | Bit indicating whether to create a role policy to allow access for Hashicorp Packer | string | "0" | no |
| r53_update | Bit indicating whether to create a role policy to allow update of r53 zones | string | "0" | no |
| rds_readonly | Bit indicating whether to create a role policy to allow read access to the Relational Database Service | string | "0" | no |
| read_ecr_list | A list of ECR resources to create read role policies on | list(string) | [] | no |
| recover_volume | Recover Volume from EBS Snapshot and attach or detach volume | string | "0" | no |
| redshift_read | Bit indicating whether to create a role policy to allow read access to Redshift, and associated ec2/CloudWatch access | string | "0" | no |
| s3_read_buckets | A list of s3 buckets to create read role policies on | list(string) | [] | no |
| s3_readonly | Bit indicating whether to create a role policy to allow List/Get objects in a bucket | string | "0" | no |
| s3_readonly_name | s3 readonly policy name | string | "s3_readonly" | no |
| s3_write | Bit indicating whether to create a role policy to allow full access to a bucket | string | "0" | no |
| s3_write_buckets | A list of s3 buckets to create write role policies on | list(string) | [] | no |
| s3_write_name | s3 write policy name | string | "s3_write" | no |
| s3_writeonly | Bit indicating whether to create a role policy to allow write only access to a bucket | string | "0" | no |
| s3_writeonly_buckets | A list of s3 buckets to create write only role policies on | list(string) | [] | no |
| s3_writeonly_name | s3 writeonly policy name | string | "s3_writeonly" | no |
| secrets_manager_read | Bit indicating whether to create a role policy for access to the secrets_manager_read API | string | "0" | no |
| secrets_manager_read_list | A List of Secrets Manager resources | list(string) | [] | no |
| sns_allowall | Bit indicating whether to create a role policy to allow full access to SNS | string | "0" | no |
| sqs_allowall | Bit indicating whether to create a role policy to allow full access to SQS | string | "0" | no |
| ssm_get_params | Bit indicating whether to create a role policy to allow getting SSM parameters | string | "0" | no |
| ssm_get_params_names | List of SSM parameter names to be allowed | list(string) | [] | no |
| ssm_managed | Bit indicating whether to create a role policy to allow SSM management | string | "0" | no |
| ssm_session_manager | Bit indicating whether to create a role policy to allow SSM Session Manager. Enabling this will also enable SSM management policy. | string | "0" | no |
| sts_assumerole | Bit indicating whether to create a role policy to allow assume access to the Security Token Service | string | "0" | no |
| sts_assumeroles | List of IAM role ARNs that the instance should be allowed to assume. | list(string) | [] | no |
| transcribe_fullaccess | Bit indicating whether to create a role policy to allow full access to the Transcribe Service | string | "0" | no |
| update_ecs_list | A List of ECS resources | list(string) | [] | no |
| Name | Description |
|---|---|
| profile_arn | n/a |
| profile_id | n/a |
| profile_name | n/a |
| profile_path | n/a |
| profile_role | n/a |
| profile_unique_id | n/a |
| role_arn | n/a |
| role_id | n/a |