
Module: iam-assumed-roles

Terraform module that provisions two IAM roles and two IAM groups whose members may assume the roles only when MFA is present, and adds the given IAM users to the groups.

  • Role and group with Administrator (full) access to AWS resources
  • Role and group with Readonly access to AWS resources

To give a user administrator access, add the user to the admin group.

To give a user readonly access, add the user to the readonly group.

Usage

module "assumed_roles" {
  source              = "git::https://github.com/cloudposse/terraform-aws-iam-assumed-roles.git?ref=master"
  namespace           = "cp"
  stage               = "prod"
  admin_name          = "admin"
  readonly_name       = "readonly"
  admin_user_names    = ["User1", "User2"] # Add these IAM users to the admin group
  readonly_user_names = ["User3", "User4"] # Add these IAM users to the readonly group
}

Pin ref to a release tag rather than master so that a later change to the module cannot silently alter the trust policies of the admin and readonly roles.
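The description above says the roles can be assumed only when MFA is present. The check below, an added example written for this page rather than code taken from the module, audits a role's trust policy (its AssumeRolePolicyDocument) and flags statements that grant sts:AssumeRole without a fail-closed MFA condition or to any principal. The sample policies and the account ID 123456789012 are constructed placeholders; the trust-policy shape shown is what such a role needs, not a copy of what the module generates.

```python
"""Audit an assumed role's trust policy for a fail-closed MFA requirement.

Added example; not code from the iam-assumed-roles module. Feed it the
AssumeRolePolicyDocument of each role the module creates.
"""
from typing import Any

# Constructed sample: a trust policy that lets only MFA-authenticated
# principals of account 123456789012 (placeholder) call sts:AssumeRole.
MFA_TRUST_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }
    ],
}

# Constructed: a common mistake. BoolIfExists matches when the MFA key is
# absent, so a session with no MFA at all (long-term access key) is allowed.
IFEXISTS_TRUST_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": ["sts:AssumeRole"],
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}},
        }
    ],
}


def _as_list(value: Any) -> list:
    """IAM accepts a scalar wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_assume_role(stmt: dict) -> bool:
    """True if the statement is an Allow covering sts:AssumeRole."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = {str(a).lower() for a in _as_list(stmt.get("Action"))}
    return bool(actions & {"sts:assumerole", "sts:*", "*"})


def _requires_mfa(stmt: dict) -> bool:
    """True only for conditions that fail closed when the MFA key is absent."""
    cond = stmt.get("Condition", {})
    present = _as_list(cond.get("Bool", {}).get("aws:MultiFactorAuthPresent"))
    if any(str(v).lower() == "true" for v in present):
        return True
    # NumericLessThan on MultiFactorAuthAge also fails when the key is missing,
    # so it implies MFA and additionally bounds the age of the MFA session.
    return "aws:MultiFactorAuthAge" in cond.get("NumericLessThan", {})


def audit_trust_policy(policy: dict) -> list[str]:
    """Return one finding per weakness in statements that allow assuming the role.

    An empty list means every such statement names a specific principal and
    carries an MFA condition that fails closed.
    """
    findings: list[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if not _grants_assume_role(stmt):
            continue
        principal = stmt.get("Principal")
        aws_principals = (
            _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        )
        if "*" in aws_principals:
            findings.append(f"statement {i}: any principal may assume this role")
        cond = stmt.get("Condition", {})
        if "aws:MultiFactorAuthPresent" in cond.get("BoolIfExists", {}):
            findings.append(f"statement {i}: BoolIfExists matches sessions with no MFA key at all")
        elif not _requires_mfa(stmt):
            findings.append(f"statement {i}: sts:AssumeRole allowed without an MFA condition")
    return findings


if __name__ == "__main__":
    for name, policy in (("mfa", MFA_TRUST_POLICY), ("ifexists", IFEXISTS_TRUST_POLICY)):
        print(name, audit_trust_policy(policy) or "ok")
```

To run it against the deployed roles, pass the document returned by boto3's `iam.get_role(RoleName=...)["Role"]["AssumeRolePolicyDocument"]` for the names in the role_admin_name and role_readonly_name outputs. The BoolIfExists case is reported separately because it looks like an MFA requirement but admits requests signed with plain access keys, which carry no aws:MultiFactorAuthPresent key.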

Variables

Required Variables

The only required variables are namespace and stage; both are context variables and are documented under Context Variables below.

Optional Variables

admin_name (string) optional

Name for the admin group and role (e.g. admin)


Default value: "admin"

admin_user_names (list(string)) optional

Optional list of IAM user names to add to the admin group


Default value: []

readonly_name (string) optional

Name for the readonly group and role (e.g. readonly)


Default value: "readonly"

readonly_user_names (list(string)) optional

Optional list of IAM user names to add to the readonly group


Default value: []

switchrole_url (string) optional

Format string for the IAM console switch-role URL; its three %s placeholders are filled with the account ID, the role name and the display name, in that order


Default value: "https://signin.aws.amazon.com/switchrole?account=%s&roleName=%s&displayName=%s"

Context Variables

The following variables are defined in the context.tf file of this module and part of the terraform-null-label pattern.

namespace (string) required

Namespace (e.g. cp or cloudposse)
Required: Yes

Default value: ""

stage (string) required

Stage (e.g. prod, dev, staging)
Required: Yes

Default value: ""

attributes (list(string)) optional

Additional attributes (e.g. policy or role)
Required: No

Default value: []

delimiter (string) optional

Delimiter to be used between namespace, stage, name, and attributes
Required: No

Default value: "-"

enabled (string) optional

Set to false to prevent the module from creating any resources
Required: No

Default value: "true"

tags (map(string)) optional

Additional tags (e.g. map(BusinessUnit,XYZ))
Required: No

Default value: {}

Outputs

group_admin_arn

Admin group ARN

group_admin_id

Admin group ID

group_admin_name

Admin group name

group_readonly_arn

Readonly group ARN

group_readonly_id

Readonly group ID

group_readonly_name

Readonly group name

role_admin_arn

Admin role ARN

role_admin_name

Admin role name

role_readonly_arn

Readonly role ARN

role_readonly_name

Readonly role name

switchrole_admin_url

URL to the IAM console to switch to the admin role

switchrole_readonly_url

URL to the IAM console to switch to the readonly role

Dependencies

Providers

  • aws

Modules

Name            Version     Source                                                       Description
admin_label     tags/0.3.3  git::https://github.com/cloudposse/terraform-null-label.git  n/a
readonly_label  tags/0.3.3  git::https://github.com/cloudposse/terraform-null-label.git  n/a

Resources

The following resources are used by this module:

Data Sources

The following data sources are used by this module: