Skip to main content
Sponsor @cloudposse

Module: ssm-iam-role

Terraform module to provision an IAM role with configurable permissions to access SSM Parameter Store.

Introduction

For more information on how to control access to Systems Manager parameters by using AWS Identity and Access Management, see Controlling Access to Systems Manager Parameters.

For more information on how to use parameter hierarchies to help organize and manage parameters, see Organizing Parameters into Hierarchies.

NOTE: This module can be used to provision IAM roles with SSM permissions for chamber.

Usage

This example creates a role with the name cp-prod-app-all with permission to read all SSM parameters, and gives permission to the entities specified in assume_role_arns to assume the role.

module "ssm_iam_role" {
  source           = "git::https://github.com/cloudposse/terraform-aws-ssm-iam-role.git?ref=master"
  namespace        = "cp"
  stage            = "prod"
  name             = "app"
  attributes       = ["all"]
  region           = "us-west-2"
  account_id       = "XXXXXXXXXXX"
  assume_role_arns = ["arn:aws:xxxxxxxxxx", "arn:aws:yyyyyyyyyyyy"]
  kms_key_arn      = "arn:aws:kms:us-west-2:123454095951:key/aced568e-3375-4ece-85e5-b35abc46c243"
  ssm_parameters   = ["*"]
  ssm_actions      = ["ssm:GetParametersByPath", "ssm:GetParameters"]
}

Examples

Example With Permission For Specific Resources

This example creates a role with the name cp-prod-app-secrets with permission to read the SSM parameters that begin with secret-, and gives permission to the entities specified in assume_role_arns to assume the role.

module "ssm_iam_role" {
  source           = "git::https://github.com/cloudposse/terraform-aws-ssm-iam-role.git?ref=master"
  namespace        = "cp"
  stage            = "prod"
  name             = "app"
  attributes       = ["secrets"]
  region           = "us-west-2"
  account_id       = "XXXXXXXXXXX"
  assume_role_arns = ["arn:aws:xxxxxxxxxx", "arn:aws:yyyyyyyyyyyy"]
  kms_key_arn      = "arn:aws:kms:us-west-2:123454095951:key/aced568e-3375-4ece-85e5-b35abc46c243"
  ssm_parameters   = ["secret-*"]
  ssm_actions      = ["ssm:GetParameters"]
}

Complete Example

This example:

  • Provisions a KMS key to encrypt SSM Parameter Store secrets using terraform-aws-kms-key module
  • Performs Kops cluster lookup to find the ARNs of masters and nodes by using terraform-aws-kops-metadata module
  • Creates a role with the name cp-prod-chamber-kops with permission to read all SSM parameters from the path kops, and gives permission to the Kops masters and nodes to assume the role
module "kms_key" {
  source      = "git::https://github.com/cloudposse/terraform-aws-kms-key.git?ref=master"
  namespace   = "cp"
  stage       = "prod"
  name        = "chamber"
  description = "KMS key for SSM"
}

module "kops_metadata" {
  source       = "git::https://github.com/cloudposse/terraform-aws-kops-metadata.git?ref=master"
  dns_zone     = "us-west-2.prod.cloudposse.co"
  masters_name = "masters"
  nodes_name   = "nodes"
}

module "ssm_iam_role" {
  source           = "git::https://github.com/cloudposse/terraform-aws-ssm-iam-role.git?ref=master"
  namespace        = "cp"
  stage            = "prod"
  name             = "chamber"
  attributes       = ["kops"]
  region           = "us-west-2"
  account_id       = "XXXXXXXXXXX"
  assume_role_arns = ["${module.kops_metadata.masters_role_arn}", "${module.kops_metadata.nodes_role_arn}"]
  kms_key_arn      = "${module.kms_key.key_arn}"
  ssm_parameters   = ["kops/*"]
  ssm_actions      = ["ssm:GetParametersByPath", "ssm:GetParameters"]
}