iam-assumable-roles-with-saml

Creates predefined IAM roles (admin, poweruser and readonly) which can be assumed by trusted resources using SAML Federated Users.

Related AWS documentation: "Creating IAM SAML Identity Providers" and "Enabling SAML 2.0 Federated Users to Access the AWS Management Console".

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0 |
| aws | >= 4.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 4.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_iam_role.admin | resource |
| aws_iam_role.poweruser | resource |
| aws_iam_role.readonly | resource |
| aws_iam_role_policy_attachment.admin | resource |
| aws_iam_role_policy_attachment.poweruser | resource |
| aws_iam_role_policy_attachment.readonly | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.assume_role_with_saml | data source |
| aws_partition.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| admin_role_name | IAM role with admin access | string | "admin" | no |
| admin_role_path | Path of admin IAM role | string | "/" | no |
| admin_role_permissions_boundary_arn | Permissions boundary ARN to use for admin role | string | "" | no |
| admin_role_policy_arns | List of policy ARNs to use for admin role | list(string) | ["arn:aws:iam::aws:policy/AdministratorAccess"] | no |
| admin_role_tags | A map of tags to add to admin role resource | map(string) | {} | no |
| allow_self_assume_role | Determines whether to allow the role to assume itself | bool | false | no |
| aws_saml_endpoint | AWS SAML endpoint | string | "https://signin.aws.amazon.com/saml" | no |
| create_admin_role | Whether to create admin role | bool | false | no |
| create_poweruser_role | Whether to create poweruser role | bool | false | no |
| create_readonly_role | Whether to create readonly role | bool | false | no |
| force_detach_policies | Whether policies should be detached from this role when destroying | bool | false | no |
| max_session_duration | Maximum CLI/API session duration in seconds, between 3600 and 43200 | number | 3600 | no |
| poweruser_role_name | IAM role with poweruser access | string | "poweruser" | no |
| poweruser_role_path | Path of poweruser IAM role | string | "/" | no |
| poweruser_role_permissions_boundary_arn | Permissions boundary ARN to use for poweruser role | string | "" | no |
| poweruser_role_policy_arns | List of policy ARNs to use for poweruser role | list(string) | ["arn:aws:iam::aws:policy/PowerUserAccess"] | no |
| poweruser_role_tags | A map of tags to add to poweruser role resource | map(string) | {} | no |
| provider_id | ID of the SAML provider. Use provider_ids to specify several IDs. | string | "" | no |
| provider_ids | List of SAML provider IDs | list(string) | [] | no |
| readonly_role_name | IAM role with readonly access | string | "readonly" | no |
| readonly_role_path | Path of readonly IAM role | string | "/" | no |
| readonly_role_permissions_boundary_arn | Permissions boundary ARN to use for readonly role | string | "" | no |
| readonly_role_policy_arns | List of policy ARNs to use for readonly role | list(string) | ["arn:aws:iam::aws:policy/ReadOnlyAccess"] | no |
| readonly_role_tags | A map of tags to add to readonly role resource | map(string) | {} | no |
| trusted_role_actions | Additional role actions | list(string) | ["sts:AssumeRoleWithSAML", "sts:TagSession"] | no |
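An added usage example for this module (it is not part of the module's README): it registers a SAML identity provider, wires only the readonly and poweruser roles to it, caps both roles with a permissions boundary, keeps federated sessions at the one-hour minimum, and exports the `Role` attribute values the IdP must emit. The metadata file path, the boundary policy name, the region and the module version pin are assumptions to replace with your own values; the module source path is the Terraform Registry path of this submodule.

```hcl
# Added example, not part of the module itself.
# Assumptions: idp-metadata.xml, the boundary policy name and the version pin
# are placeholders; the registry source path is the real one for this submodule.

provider "aws" {
  region = "us-east-1" # IAM is global; any region works
}

# The SAML identity provider the roles will trust. The metadata XML is the
# document exported from your IdP.
resource "aws_iam_saml_provider" "corp_idp" {
  name                   = "corp-idp"
  saml_metadata_document = file("${path.module}/idp-metadata.xml") # placeholder path
}

# Permissions boundary applied to both federated roles: it caps what the role
# can ever do, even if a broader managed policy is attached to it later.
resource "aws_iam_policy" "saml_role_boundary" {
  name = "saml-role-boundary" # assumed name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = "*"
        Resource = "*"
      },
      {
        # Federated users must not be able to widen their own access through IAM.
        Effect   = "Deny"
        Action   = ["iam:*"]
        Resource = "*"
      },
    ]
  })
}

module "saml_roles" {
  source = "terraform-aws-modules/iam/aws//modules/iam-assumable-roles-with-saml"
  # version = "x.y.z"  # placeholder: pin to a released version of the module

  # Trust exactly this IdP. provider_ids takes several ARNs if you federate
  # more than one provider; provider_id is the single-value form.
  provider_ids = [aws_iam_saml_provider.corp_idp.arn]

  # Create only the roles that are needed; the admin role stays off.
  create_admin_role     = false
  create_poweruser_role = true
  create_readonly_role  = true

  poweruser_role_permissions_boundary_arn = aws_iam_policy.saml_role_boundary.arn
  readonly_role_permissions_boundary_arn  = aws_iam_policy.saml_role_boundary.arn

  # Shortest CLI/API session the module allows (seconds).
  max_session_duration = 3600

  # Left at their defaults on purpose: trusted_role_actions already contains
  # sts:AssumeRoleWithSAML and sts:TagSession, and aws_saml_endpoint is the
  # https://signin.aws.amazon.com/saml audience the IdP assertion must carry.

  readonly_role_tags  = { Owner = "security", Access = "readonly" }
  poweruser_role_tags = { Owner = "security", Access = "poweruser" }
}

# Values to configure on the IdP side as the SAML "Role" attribute, in the
# "<role-arn>,<saml-provider-arn>" form AWS expects.
output "saml_role_attribute_values" {
  value = [
    "${module.saml_roles.readonly_iam_role_arn},${aws_iam_saml_provider.corp_idp.arn}",
    "${module.saml_roles.poweruser_iam_role_arn},${aws_iam_saml_provider.corp_idp.arn}",
  ]
}
```

After `terraform apply`, inspect the trust policy of each created role: the only principal should be the SAML provider ARN, the actions should be limited to the `trusted_role_actions` list, and the boundary ARN should appear on the role. Treat any drift from that shape (an extra trusted principal, a missing boundary, a longer `max_session_duration`) as a finding.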

Outputs

| Name | Description |
|------|-------------|
| admin_iam_role_arn | ARN of admin IAM role |
| admin_iam_role_name | Name of admin IAM role |
| admin_iam_role_path | Path of admin IAM role |
| admin_iam_role_unique_id | Unique ID of admin IAM role |
| poweruser_iam_role_arn | ARN of poweruser IAM role |
| poweruser_iam_role_name | Name of poweruser IAM role |
| poweruser_iam_role_path | Path of poweruser IAM role |
| poweruser_iam_role_unique_id | Unique ID of poweruser IAM role |
| readonly_iam_role_arn | ARN of readonly IAM role |
| readonly_iam_role_name | Name of readonly IAM role |
| readonly_iam_role_path | Path of readonly IAM role |
| readonly_iam_role_unique_id | Unique ID of readonly IAM role |