modules/role/README.md (+91 -2)
@@ -1,5 +1,93 @@
1
1
# AWS IAM OIDC Trust Role
2
2
3
+
## Description
4
+
5
+
This module creates an two IAM roles with trust relationships to an OIDC provider. One role is read-only and the other is read-write. The read-only role is intended to be used by CI/CD pipelines to validate pull requests and changes, where as the read-write role applies the changes on the merge to main. In all cases the consumer must pass a IAM boundary policy to ensure that the roles are not able to escalate their permissions, or make changes to critical resources.
6
+
7
+
## Update Documentation
8
+
9
+
The `terraform-docs` utility is used to generate this README. Follow the below steps to update:
10
+
11
+
1. Make changes to the `.terraform-docs.yml` file
12
+
2. Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/)
13
+
3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .`
|[aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity)| data source |
47
+
|[aws_iam_openid_connect_provider.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider)| data source |
48
+
|[aws_iam_policy_document.base](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)| data source |
49
+
|[aws_iam_policy_document.dynamo](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)| data source |
50
+
|[aws_iam_policy_document.ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)| data source |
51
+
|[aws_iam_policy_document.rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)| data source |
52
+
|[aws_iam_policy_document.sr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)| data source |
53
+
|[aws_iam_policy_document.tfstate_apply](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)| data source |
54
+
|[aws_iam_policy_document.tfstate_plan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)| data source |
55
+
|[aws_iam_policy_document.tfstate_remote](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)| data source |
56
+
|[aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region)| data source |
57
+
58
+
## Inputs
59
+
60
+
| Name | Description | Type | Default | Required |
| <aname="input_additional_audiences"></a> [additional_audiences](#input_additional_audiences)| Additional audiences to be allowed in the OIDC federation mapping |`list(string)`|`[]`| no |
63
+
| <aname="input_common_provider"></a> [common_provider](#input_common_provider)| The name of a common OIDC provider to be used as the trust for the role |`string`|`""`| no |
64
+
| <aname="input_custom_provider"></a> [custom_provider](#input_custom_provider)| An object representing an `aws_iam_openid_connect_provider` resource | <pre>object({<br> url = string<br> audiences = list(string)<br> subject_reader_mapping = string<br> subject_branch_mapping = string<br> subject_tag_mapping = string<br> })</pre> |`null`| no |
65
+
| <aname="input_description"></a> [description](#input_description)| Description of the role being created |`string`| n/a | yes |
66
+
| <aname="input_force_detach_policies"></a> [force_detach_policies](#input_force_detach_policies)| Flag to force detachment of policies attached to the IAM role. |`bool`|`null`| no |
67
+
| <aname="input_name"></a> [name](#input_name)| Name of the role to create |`string`| n/a | yes |
68
+
| <aname="input_permission_boundary_arn"></a> [permission_boundary_arn](#input_permission_boundary_arn)| The ARN of the policy that is used to set the permissions boundary for the IAM role |`string`|`null`| no |
69
+
| <aname="input_protected_branch"></a> [protected_branch](#input_protected_branch)| The name of the protected branch under which the read-write role can be assumed |`string`|`"main"`| no |
70
+
| <aname="input_protected_tag"></a> [protected_tag](#input_protected_tag)| The name of the protected tag under which the read-write role can be assume |`string`|`"*"`| no |
71
+
| <aname="input_read_only_inline_policies"></a> [read_only_inline_policies](#input_read_only_inline_policies)| Inline policies map with policy name as key and json as value. |`map(string)`|`{}`| no |
72
+
| <aname="input_read_only_max_session_duration"></a> [read_only_max_session_duration](#input_read_only_max_session_duration)| The maximum session duration (in seconds) that you want to set for the specified role |`number`|`null`| no |
73
+
| <aname="input_read_only_policy_arns"></a> [read_only_policy_arns](#input_read_only_policy_arns)| List of IAM policy ARNs to attach to the read-only role |`list(string)`|`[]`| no |
74
+
| <aname="input_read_write_inline_policies"></a> [read_write_inline_policies](#input_read_write_inline_policies)| Inline policies map with policy name as key and json as value. |`map(string)`|`{}`| no |
75
+
| <aname="input_read_write_max_session_duration"></a> [read_write_max_session_duration](#input_read_write_max_session_duration)| The maximum session duration (in seconds) that you want to set for the specified role |`number`|`null`| no |
76
+
| <aname="input_read_write_policy_arns"></a> [read_write_policy_arns](#input_read_write_policy_arns)| List of IAM policy ARNs to attach to the read-write role |`list(string)`|`[]`| no |
77
+
| <aname="input_repository"></a> [repository](#input_repository)| List of repositories to be allowed i nthe OIDC federation mapping |`string`| n/a | yes |
78
+
| <aname="input_role_path"></a> [role_path](#input_role_path)| Path under which to create IAM role. |`string`|`null`| no |
79
+
| <aname="input_shared_repositories"></a> [shared_repositories](#input_shared_repositories)| List of repositories to provide read access to the remote state |`list(string)`|`[]`| no |
80
+
| <aname="input_tags"></a> [tags](#input_tags)| Tags to apply resoures created by this module |`map(string)`|`{}`| no |
| <aname="input_description"></a> [description](#input\_description)| Description of the role being created |`string`| n/a | yes |
54
142
| <aname="input_force_detach_policies"></a> [force\_detach\_policies](#input\_force\_detach\_policies)| Flag to force detachment of policies attached to the IAM role. |`bool`|`null`| no |
55
143
| <aname="input_name"></a> [name](#input\_name)| Name of the role to create |`string`| n/a | yes |
56
-
| <aname="input_permission_boundary_arn"></a> [permission\_boundary\_arn](#input\_permission\_boundary\_arn)| The ARN of the policy that is used to set the permissions boundary for the IAM role |`string`|`null`|no|
144
+
| <aname="input_permission_boundary"></a> [permission\_boundary](#input\_permission\_boundary)| The name of the policy that is used to set the permissions boundary for the IAM role |`string`|n/a|yes|
57
145
| <aname="input_protected_branch"></a> [protected\_branch](#input\_protected\_branch)| The name of the protected branch under which the read-write role can be assumed |`string`|`"main"`| no |
58
146
| <aname="input_protected_tag"></a> [protected\_tag](#input\_protected\_tag)| The name of the protected tag under which the read-write role can be assume |`string`|`"*"`| no |
59
147
| <aname="input_read_only_inline_policies"></a> [read\_only\_inline\_policies](#input\_read\_only\_inline\_policies)| Inline policies map with policy name as key and json as value. |`map(string)`|`{}`| no |
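Review bot: the block inserted at new lines 1-93 is a second copy of the terraform-docs output and now contradicts the table that survives at new lines 142-156: the new table lists `permission_boundary_arn` as optional (`null`, no) at line 68, while the retained table at line 144 has the renamed, required `permission_boundary`; `tags` likewise appears at line 80 as optional and at line 156 as required. Step 3 runs terraform-docs with `--output-mode inject`, which only replaces content between its `<!-- BEGIN_TF_DOCS -->` / `<!-- END_TF_DOCS -->` markers (the tool's inject-mode defaults); without those markers each run prepends a fresh copy, so add the markers and keep exactly one Inputs table. The Description's statement that the consumer "must pass a IAM boundary policy" matches the required `permission_boundary`, not the optional `permission_boundary_arn`, so drop the stale rows. Separately, the `protected_tag` default of `"*"` (lines 70 and 146) means the read-write role can be assumed from any tag in the repository, which lets anyone able to push a tag sidestep the `protected_branch` gate; require an explicit value or document that the repository must enforce tag protection for this to hold. While here, fix "creates an two IAM roles" (two IAM roles), "where as" (whereas), "pass a IAM" (pass an IAM) and "can be assume" (can be assumed).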
@@ -65,7 +153,7 @@ No modules.
65
153
| <aname="input_repository"></a> [repository](#input\_repository)| List of repositories to be allowed i nthe OIDC federation mapping |`string`| n/a | yes |
66
154
| <aname="input_role_path"></a> [role\_path](#input\_role\_path)| Path under which to create IAM role. |`string`|`null`| no |
67
155
| <aname="input_shared_repositories"></a> [shared\_repositories](#input\_shared\_repositories)| List of repositories to provide read access to the remote state |`list(string)`|`[]`| no |
68
-
| <aname="input_tags"></a> [tags](#input\_tags)| Tags to apply resoures created by this module |`map(string)`|`{}`|no|
156
+
| <aname="input_tags"></a> [tags](#input\_tags)| Tags to apply resoures created by this module |`map(string)`|n/a|yes|
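Review bot: making `tags` required (line 156, default `n/a`, required `yes`) and dropping its `{}` default is a breaking change for every existing caller that omitted it, and nothing in the Description says why tagging is now mandatory; either keep the `{}` default or state the tagging requirement in the Description (the same applies to `permission_boundary`, which the preceding hunk also makes required). On the same row, "resoures" should read "resources", and on the `repository` row (line 153) "i nthe" should read "in the"; that row's description also says "List of repositories" although the declared type is `string`, so one of the two should change.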