Component: iam-primary-roles
This component is responsible for provisioning all primary user and system roles into the centralized identity account. It is expected to be used alongside the iam-delegated-roles component to provide fine-grained role delegation across the account hierarchy.
Usage
Stack Level: Global
Here's an example snippet for how to use this component. The component should only be applied once, which is typically done via the identity stack (e.g. gbl-identity.yaml).
```yaml
components:
  terraform:
    iam-primary-roles:
      vars:
        # When assume_role_restricted is true, assuming other roles in the identity
        # account is restricted based on the role configuration, but that can only
        # be set up after the roles are created. When the roles do not yet exist,
        # such as during cold start, set assume_role_restricted false, and all
        # roles will be able to assume other roles.
        assume_role_restricted: true
        # AWS SSO assigns users to unpredictable roles, so we cannot whitelist them
        # and must by default allow other roles in the identity account to assume
        # the identity roles, relying on their own IAM restrictions to limit them.
        default_assume_role_enabled: true
        primary_account_id: "xxxxxxxxxxxx" # `identity` account
        # The maximum session duration (in seconds) that you want to set for the IAM roles.
        # If you do not specify a value for this setting, the default maximum of one hour is applied.
        # This setting can have a value from 3600 (1 hour) to 43200 (12 hours)
        iam_role_max_session_duration: 43200
        # delegated_roles_config is not just the set of roles for the identity account, it is
        # also the template for roles in all other "delegated" accounts.
        #
        # The role_policy_arns define the policy for that role in the identity account,
        # which is why, for example, poweruser has ViewOnlyAccess. The policy for the
        # role in the delegated accounts is set in the iam-delegated-roles project.
        #
        # The trusted_primary_roles list indicates which roles in identity are allowed
        # to access those roles. So "ops" can access "poweruser", for example.
        delegated_roles_config:
          admin:
            role_policy_arns: [ "arn:aws:iam::aws:policy/AdministratorAccess" ]
            role_description: "Role with AdministratorAccess permissions"
            sso_login_enabled: true
            # list of roles in primary that can assume into this role in delegated accounts
            # primary admin can assume delegated admin
            trusted_primary_roles: [ "admin" ]
          ops:
            role_policy_arns: [ "arn:aws:iam::aws:policy/PowerUserAccess" ]
            role_description: "Role for OPS personnel"
            sso_login_enabled: true
            trusted_primary_roles: [ "admin", "ops" ]
          poweruser:
            role_policy_arns:
              - "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
              - "delegated_assume_role"
            role_description: "Role for Power Users (read/write)"
            sso_login_enabled: true
            trusted_primary_roles: [ "admin", "ops", "poweruser" ]
          observer:
            role_policy_arns:
              - "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
              - "delegated_assume_role"
            role_description: "Observer (read-only) role"
            sso_login_enabled: true
            trusted_primary_roles: [ "admin", "ops", "observer" ]
          terraform:
            role_policy_arns:
              - "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
              - "delegated_assume_role"
            role_description: "Role with permissions for terraform automation"
            sso_login_enabled: false
            # Terraform is too powerful a role to allow powerusers to access it
            trusted_primary_roles: [ "admin", "ops", "cicd", "terraform" ]
          helm:
            role_policy_arns:
              - "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
              - "delegated_assume_role"
            role_description: "Role with permissions for helm automation"
            sso_login_enabled: false
            # Helm is too powerful a role to allow powerusers to access it
            trusted_primary_roles: [ "admin", "ops", "cicd", "helm" ]
        # primary_roles_config is for roles that only appear in the identity account.
        # Users or services log in with one of these roles and assume
        # delegated roles in other accounts.
        primary_roles_config:
          cicd:
            role_policy_arns: [ "cicd" ]
            role_description: "Role for our privileged CI/CD Runner"
            sso_login_enabled: false
            trusted_primary_roles: [ "admin", "ops" ]
```
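As an added example (not code from the Cloud Posse component), the Python checker below models the trust semantics the comments above describe: it inverts each role's `trusted_primary_roles` list into an assume-role graph, computes which roles a session can chain into transitively, and reports any SSO-login role outside admin/ops that can reach the terraform, helm or cicd automation roles, in both the restricted and the cold-start (`assume_role_restricted: false`) modes. It assumes trust lists only name roles defined in the two maps; the sample config is a constructed copy of the snippet with the policy ARNs left out.

```python
# Added example (not the component's own code): static checker for the assume-role graph
# implied by delegated_roles_config / primary_roles_config. Assumed from the README: every
# role listed exists in the identity account, trusted_primary_roles names the identity
# roles allowed to assume that role, and assume_role_restricted=false lets any role assume any other.

ROLES = {  # constructed sample mirroring the README snippet (policy ARNs omitted)
    "admin":     {"sso_login_enabled": True,  "trusted_primary_roles": ["admin"]},
    "ops":       {"sso_login_enabled": True,  "trusted_primary_roles": ["admin", "ops"]},
    "poweruser": {"sso_login_enabled": True,  "trusted_primary_roles": ["admin", "ops", "poweruser"]},
    "observer":  {"sso_login_enabled": True,  "trusted_primary_roles": ["admin", "ops", "observer"]},
    "terraform": {"sso_login_enabled": False, "trusted_primary_roles": ["admin", "ops", "cicd", "terraform"]},
    "helm":      {"sso_login_enabled": False, "trusted_primary_roles": ["admin", "ops", "cicd", "helm"]},
    "cicd":      {"sso_login_enabled": False, "trusted_primary_roles": ["admin", "ops"]},
}
PROTECTED = ("terraform", "helm", "cicd")  # automation roles the README says powerusers must not reach

def assume_graph(roles, assume_role_restricted=True):
    """Invert the trust lists into {source: set of roles it may directly assume}."""
    if not assume_role_restricted:        # cold-start mode: every role trusts every role
        return {r: set(roles) for r in roles}
    graph = {r: set() for r in roles}
    for target, cfg in roles.items():
        for source in cfg["trusted_primary_roles"]:
            if source not in roles:       # trust entry for a role that is never created
                raise ValueError(f"{target} trusts unknown role {source!r}")
            graph[source].add(target)
    return graph

def reachable(graph, start):
    """Transitive closure: every role a session starting as `start` can chain into."""
    seen, stack = set(), [start]
    while stack:
        for nxt in graph[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def escalation_paths(roles, protected=PROTECTED, allowed=("admin", "ops"),
                     assume_role_restricted=True):
    """Report SSO-login roles outside `allowed` that can reach a protected role."""
    graph = assume_graph(roles, assume_role_restricted)
    findings = {}
    for role, cfg in roles.items():
        if cfg["sso_login_enabled"] and role not in allowed:
            hits = reachable(graph, role) & set(protected)
            if hits:
                findings[role] = sorted(hits)
    return findings
```

With the README configuration `escalation_paths(ROLES)` is empty, while the cold-start mode reports poweruser and observer reaching every automation role, which is why the comments say to switch `assume_role_restricted` back to true once the roles exist.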
Requirements
| Name | Version |
|---|---|
| terraform | >= 0.12.0 |
| aws | >= 2.0 |
| local | >= 1.3 |
| template | >= 2.0 |
Providers
| Name | Version |
|---|---|
| aws | >= 2.0 |
| terraform | n/a |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account_map_environment_name | The name of the environment where account_map is provisioned | string | "gbl" | no |
| account_map_stage_name | The name of the stage where account_map is provisioned | string | "root" | no |
| additional_tag_map | Additional tags for appending to tags_as_list_of_maps. Not added to tags. | map(string) | {} | no |
| assume_role_restricted | Set true to restrict (via trust policy) who can assume into a role | bool | true | no |
| attributes | Additional attributes (e.g. 1) | list(string) | [] | no |
| audit_account_stage_name | The name of the stage for the audit account | string | "audit" | no |
| cicd_sa_roles | A list of Role ARNs that cicd runners may start with. Will be allowed to assume xxx-gbl-identity-cicd | list(string) | [] | no |
| context | Single object for setting entire context at once. See description of individual variables for details. Leave string and numeric variables as null to use default value. Individual variable settings (non-null) override settings in context object, except for attributes, tags, and additional_tag_map, which are merged. | object({ enabled = bool, namespace = string, environment = string, stage = string, name = string, delimiter = string, attributes = list(string), tags = map(string), additional_tag_map = map(string), regex_replace_chars = string, label_order = list(string), id_length_limit = number }) | { "additional_tag_map": {}, "attributes": [], "delimiter": null, "enabled": true, "environment": null, "id_length_limit": null, "label_order": [], "name": null, "namespace": null, "regex_replace_chars": null, "stage": null, "tags": {} } | no |
| delegated_roles_config | A roles map to configure the accounts. | map(object({ role_policy_arns = list(string), role_description = string, sso_login_enabled = bool, trusted_primary_roles = list(string) })) | n/a | yes |
| delimiter | Delimiter to be used between namespace, environment, stage, name and attributes. Defaults to - (hyphen). Set to "" to use no delimiter at all. | string | null | no |
| enabled | Set to false to prevent the module from creating any resources | bool | null | no |
| environment | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | string | null | no |
| iam_role_max_session_duration | The maximum session duration (in seconds) that you want to set for the IAM roles. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours | number | 43200 | no |
| id_length_limit | Limit id to this many characters. Set to 0 for unlimited length. Set to null for default, which is 0. Does not affect id_full. | number | null | no |
| identity_account_stage_name | The name of the stage for the identity account | string | "identity" | no |
| import_role_arn | IAM Role ARN to use when importing a resource | string | null | no |
| label_order | The naming order of the id output and Name tag. Defaults to ["namespace", "environment", "stage", "name", "attributes"]. You can omit any of the 5 elements, but at least one must be present. | list(string) | null | no |
| name | Solution name, e.g. 'app' or 'jenkins' | string | null | no |
| namespace | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | string | null | no |
| primary_account_id | Primary authentication account id used as the source for assume role | string | n/a | yes |
| primary_roles_config | A roles map to configure the accounts. | map(object({ role_policy_arns = list(string), role_description = string, sso_login_enabled = bool, trusted_primary_roles = list(string) })) | n/a | yes |
| regex_replace_chars | Regex to replace chars with empty string in namespace, environment, stage and name. If not set, "/[^a-zA-Z0-9-]/" is used to remove all characters other than hyphens, letters and digits. | string | null | no |
| region | AWS Region | string | n/a | yes |
| root_account_stage_name | The name of the stage for the root account | string | "root" | no |
| sso_environment_name | The name of the environment where SSO is provisioned | string | "gbl" | no |
| sso_stage_name | The name of the stage where SSO is provisioned | string | "identity" | no |
| stage | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | string | null | no |
| tags | Additional tags (e.g. map('BusinessUnit','XYZ')) | map(string) | {} | no |
| tfstate_account_id | The ID of the account where the Terraform remote state backend is provisioned | string | "" | no |
| tfstate_assume_role | Set to false to use the caller's role to access the Terraform remote state | bool | true | no |
| tfstate_bucket_environment_name | The name of the environment for Terraform state bucket | string | "" | no |
| tfstate_bucket_stage_name | The name of the stage for Terraform state bucket | string | "root" | no |
| tfstate_existing_role_arn | The ARN of the existing IAM Role to access the Terraform remote state. If not provided and remote_state_assume_role is true, a role will be constructed from remote_state_role_arn_template | string | "" | no |
| tfstate_role_arn_template | IAM Role ARN template for accessing the Terraform remote state | string | "arn:aws:iam::%s:role/%s-%s-%s-%s" | no |
| tfstate_role_environment_name | The name of the environment for Terraform state IAM role | string | "gbl" | no |
| tfstate_role_name | IAM Role name for accessing the Terraform remote state | string | "terraform" | no |
| tfstate_role_stage_name | The name of the stage for Terraform state IAM role | string | "root" | no |
Outputs
| Name | Description |
|---|---|
| delegated_role_arns | List of delegated role ARNs |
| delegated_role_name_role_arn_map | Map of delegated role names to role ARNs |
| delegated_role_names | List of delegated role names |
| delegated_roles_config | Map of delegated role config with name, target arn, and description |
| primary_roles_config | Map of role config with name, target arn, and description |
| role_arns | List of role ARNs |
| role_name_role_arn_map | Map of role names to role ARNs |
| role_names | List of role names |
References
- cloudposse/terraform-aws-components - Cloud Posse’s upstream component