README.md

Module - IAM setup for using boundaries

This module is optional and only added as example. You can deploy the root terraform module via you own IAM user with the right credentials. Alternatively you can create a role to deploy the root module with a limit boundary set.

This module will create an AWS IAM role that is required to use permission boundaries. The created rol can be used to deploy the root module.

Usages

See below or check out this example Create a workspace and add the following terraform code.

module "iam" {
  source = "../../"

  environment = "default"
  account_id  = "123456789

  namespaces = {
    boundary_namespace         = "boundaries"
    role_namespace             = "runners"
    policy_namespace           = "runners"
    instance_profile_namespace = "runners"
  }
}

output "role" {
  value = module.iam.role
}

output "boundary" {
  value = module.iam.boundary
}

Next execute the created Terraform code terraform init && terraform apply The module will. You can use the created role in your terraform provider with assume role and the boundary as well the namespace needs to be set to the root module.

Requirements

Name	Version
terraform	>= 1.3.0
aws	~> 4.0

Providers

Name	Version
aws	~> 4.0

Modules

No modules.

Resources

Name	Type
aws_iam_policy.boundary	resource
aws_iam_policy.deploy	resource
aws_iam_policy.deploy_boundary	resource
aws_iam_role.deploy	resource
aws_iam_role_policy_attachment.deploy	resource
aws_caller_identity.current	data source

Inputs

Name	Description	Type	Default	Required
account_id	The module allows to switch to the created role from the provided account id.	string	n/a	yes
aws_partition	(optional) partition in the arn namespace if not aws	string	"aws"	no
environment	A name that identifies the environment, used as prefix and for tagging.	string	null	no
namespaces	The role will be only allowed to create roles, policies and instance profiles in the given namespace / path. All policies in the boundaries namespace cannot be modified by this role.	object({ boundary_namespace = string role_namespace = string policy_namespace = string instance_profile_namespace = string })	n/a	yes
prefix	The prefix used for naming resources	string	"github-actions"	no

Outputs

Name	Description
boundary	n/a
role	n/a

Philips Forest

This module is part of the Philips Forest.

                                                     ___                   _
                                                    / __\__  _ __ ___  ___| |_
                                                   / _\/ _ \| '__/ _ \/ __| __|
                                                  / / | (_) | | |  __/\__ \ |_
                                                  \/   \___/|_|  \___||___/\__|

                                                                 Infrastructure

Talk to the forestkeepers in the forest-channel on Slack.

Requirements

Name	Version
terraform	>= 1.3.0
aws	~> 4.0

Providers

Name	Version
aws	~> 4.0

Modules

No modules.

Resources

Name	Type
aws_iam_policy.boundary	resource
aws_iam_policy.deploy	resource
aws_iam_policy.deploy_boundary	resource
aws_iam_role.deploy	resource
aws_iam_role_policy_attachment.deploy	resource
aws_caller_identity.current	data source

Inputs

Name	Description	Type	Default	Required
account_id	The module allows to switch to the created role from the provided account id.	string	n/a	yes
aws_partition	(optional) partition in the arn namespace if not aws	string	"aws"	no
environment	A name that identifies the environment, used as prefix and for tagging.	string	null	no
namespaces	The role will be only allowed to create roles, policies and instance profiles in the given namespace / path. All policies in the boundaries namespace cannot be modified by this role.	object({ boundary_namespace = string role_namespace = string policy_namespace = string instance_profile_namespace = string })	n/a	yes
prefix	The prefix used for naming resources	string	"github-actions"	no

Outputs

Name	Description
boundary	n/a
role	n/a