Module: ssm-iam-role
Terraform module to provision an IAM role with configurable permissions to access SSM Parameter Store.
Introduction
For more information on how to control access to Systems Manager parameters by using AWS Identity and Access Management, see Controlling Access to Systems Manager Parameters.
For more information on how to use parameter hierarchies to help organize and manage parameters, see Organizing Parameters into Hierarchies.
NOTE: This module can be used to provision IAM roles with SSM permissions for chamber.
Usage
This example creates a role with the name cp-prod-app-all with permission to read all SSM parameters,
and gives permission to the entities specified in assume_role_arns to assume the role.
module "ssm_iam_role" {
source = "git::https://github.com/cloudposse/terraform-aws-ssm-iam-role.git?ref=master"
namespace = "cp"
stage = "prod"
name = "app"
attributes = ["all"]
region = "us-west-2"
account_id = "XXXXXXXXXXX"
assume_role_arns = ["arn:aws:xxxxxxxxxx", "arn:aws:yyyyyyyyyyyy"]
kms_key_arn = "arn:aws:kms:us-west-2:123454095951:key/aced568e-3375-4ece-85e5-b35abc46c243"
ssm_parameters = ["*"]
ssm_actions = ["ssm:GetParametersByPath", "ssm:GetParameters"]
}
Examples
Example With Permission For Specific Resources
This example creates a role with the name cp-prod-app-secrets with permission to read the SSM parameters that begin with secret-,
and gives permission to the entities specified in assume_role_arns to assume the role.
module "ssm_iam_role" {
source = "git::https://github.com/cloudposse/terraform-aws-ssm-iam-role.git?ref=master"
namespace = "cp"
stage = "prod"
name = "app"
attributes = ["secrets"]
region = "us-west-2"
account_id = "XXXXXXXXXXX"
assume_role_arns = ["arn:aws:xxxxxxxxxx", "arn:aws:yyyyyyyyyyyy"]
kms_key_arn = "arn:aws:kms:us-west-2:123454095951:key/aced568e-3375-4ece-85e5-b35abc46c243"
ssm_parameters = ["secret-*"]
ssm_actions = ["ssm:GetParameters"]
}
Complete Example
This example:
- Provisions a KMS key to encrypt SSM Parameter Store secrets using terraform-aws-kms-key module
- Performs
Kopscluster lookup to find the ARNs ofmastersandnodesby using terraform-aws-kops-metadata module - Creates a role with the name
cp-prod-chamber-kopswith permission to read all SSM parameters from the pathkops, and gives permission to the Kopsmastersandnodesto assume the role
module "kms_key" {
source = "git::https://github.com/cloudposse/terraform-aws-kms-key.git?ref=master"
namespace = "cp"
stage = "prod"
name = "chamber"
description = "KMS key for SSM"
}
module "kops_metadata" {
source = "git::https://github.com/cloudposse/terraform-aws-kops-metadata.git?ref=master"
dns_zone = "us-west-2.prod.cloudposse.co"
masters_name = "masters"
nodes_name = "nodes"
}
module "ssm_iam_role" {
source = "git::https://github.com/cloudposse/terraform-aws-ssm-iam-role.git?ref=master"
namespace = "cp"
stage = "prod"
name = "chamber"
attributes = ["kops"]
region = "us-west-2"
account_id = "XXXXXXXXXXX"
assume_role_arns = ["${module.kops_metadata.masters_role_arn}", "${module.kops_metadata.nodes_role_arn}"]
kms_key_arn = "${module.kms_key.key_arn}"
ssm_parameters = ["kops/*"]
ssm_actions = ["ssm:GetParametersByPath", "ssm:GetParameters"]
}
Requirements
No requirements.
Providers
| Name | Version |
|---|---|
| aws | n/a |
Modules
| Name | Source | Version |
|---|---|---|
| label | git::https://github.com/cloudposse/terraform-terraform-label.git | 0.1.3 |
Resources
| Name | Type |
|---|---|
| aws_iam_policy.default | resource |
| aws_iam_role.default | resource |
| aws_iam_role_policy_attachment.default | resource |
| aws_iam_policy_document.assume_role | data source |
| aws_iam_policy_document.default | data source |
| aws_kms_key.default | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account_id | AWS account ID | string | n/a | yes |
| assume_role_arns | List of ARNs to allow assuming the role. Could be AWS services or accounts, Kops nodes, IAM users or groups | list(string) | n/a | yes |
| attributes | Additional attributes (e.g. 1) | list(string) | [] | no |
| delimiter | Delimiter to be used between namespace, stage, name and attributes | string | "-" | no |
| kms_key_reference | The Key ID, Key ARN, Key Alias Name, or Key Alias ARN of the KMS key which will encrypt/decrypt SSM secret strings | any | n/a | yes |
| max_session_duration | The maximum session duration (in seconds) for the role. Can have a value from 1 hour to 12 hours | number | 3600 | no |
| name | Name (e.g. app or chamber) | string | n/a | yes |
| namespace | Namespace (e.g. cp or cloudposse) | string | n/a | yes |
| region | AWS Region | string | n/a | yes |
| ssm_actions | SSM actions to allow | list(string) | | no |
| ssm_parameters | List of SSM parameters to apply the actions. A parameter can include a path and a name pattern that you define by using forward slashes, e.g. kops/secret-* | list(string) | n/a | yes |
| stage | Stage (e.g. prod, dev, staging) | string | n/a | yes |
| tags | Additional tags (e.g. map(BusinessUnit,XYZ) | map(string) | {} | no |
Outputs
| Name | Description |
|---|---|
| role_arn | The Amazon Resource Name (ARN) specifying the role |
| role_id | The stable and unique string identifying the role |
| role_name | The name of the crated role |
| role_policy_document | A copy of the IAM policy document (JSON) that grants permissions to this role. |