登录
当前位置: 首页 > 软件库 > 云计算 > >

terraform-aws-iam

授权协议 Apache-2.0 License
开发语言 C/C++
所属分类 云计算
软件类型 开源软件
地区 不详
投 递 者 陈知
操作系统 跨平台
开源组织
适用人群 未知
软件官网
软件文档
官方下载
安全指数
 软件概览

AWS Identity and Access Management (IAM) Terraform module

Features

  1. Cross-account access. Define IAM roles using iam_assumable_role or iam_assumable_roles submodules in "resource AWS accounts (prod, staging, dev)" and IAM groups and users using iam-group-with-assumable-roles-policy submodule in "IAM AWS Account" to setup access controls between accounts. See iam-group-with-assumable-roles-policy example for more details.
  2. Individual IAM resources (users, roles, policies). See usage snippets and examples listed below.

Usage

iam-account:

module "iam_account" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-account"
  version = "~> 4.3"

  account_alias = "awesome-company"

  minimum_password_length = 37
  require_numbers         = false
}

iam-assumable-role:

module "iam_assumable_role" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
  version = "~> 4.3"

  trusted_role_arns = [
    "arn:aws:iam::307990089504:root",
    "arn:aws:iam::835367859851:user/anton",
  ]

  create_role = true

  role_name         = "custom"
  role_requires_mfa = true

  custom_role_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonCognitoReadOnly",
    "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess",
  ]
  number_of_custom_role_policy_arns = 2
}

iam-assumable-role-with-oidc:

module "iam_assumable_role_with_oidc" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
  version = "~> 4.3"

  create_role = true

  role_name = "role-with-oidc"

  tags = {
    Role = "role-with-oidc"
  }

  provider_url = "oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"

  role_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
  ]
  number_of_role_policy_arns = 1
}

iam-assumable-role-with-saml:

module "iam_assumable_role_with_saml" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-saml"
  version = "~> 4.3"

  create_role = true

  role_name = "role-with-saml"

  tags = {
    Role = "role-with-saml"
  }

  provider_id = "arn:aws:iam::235367859851:saml-provider/idp_saml"

  role_policy_arns = [
    "arn:aws:iam::aws:policy/ReadOnlyAccess"
  ]
  number_of_role_policy_arns = 1
}

iam-assumable-roles:

module "iam_assumable_roles" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-roles"
  version = "~> 4.3"

  trusted_role_arns = [
    "arn:aws:iam::307990089504:root",
    "arn:aws:iam::835367859851:user/anton",
  ]

  create_admin_role = true

  create_poweruser_role = true
  poweruser_role_name   = "developer"

  create_readonly_role       = true
  readonly_role_requires_mfa = false
}

iam-assumable-roles-with-saml:

module "iam_assumable_roles_with_saml" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-roles-with-saml"
  version = "~> 4.3"

  create_admin_role = true

  create_poweruser_role = true
  poweruser_role_name   = "developer"

  create_readonly_role = true

  provider_id   = "arn:aws:iam::235367859851:saml-provider/idp_saml"
}

iam-user:

module "iam_user" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-user"
  version = "~> 4.3"

  name          = "vasya.pupkin"
  force_destroy = true

  pgp_key = "keybase:test"

  password_reset_required = false
}

iam-policy:

module "iam_policy" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
  version = "~> 4.3"

  name        = "example"
  path        = "/"
  description = "My example policy"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

iam-group-with-assumable-roles-policy:

module "iam_group_with_assumable_roles_policy" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-group-with-assumable-roles-policy"
  version = "~> 4.3"

  name = "production-readonly"

  assumable_roles = [
    "arn:aws:iam::835367859855:role/readonly"  # these roles can be created using `iam_assumable_roles` submodule
  ]

  group_users = [
    "user1",
    "user2"
  ]
}

iam-group-with-policies:

module "iam_group_with_policies" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-group-with-policies"
  version = "~> 4.3"

  name = "superadmins"

  group_users = [
    "user1",
    "user2"
  ]

  attach_iam_self_management_policy = true

  custom_group_policy_arns = [
    "arn:aws:iam::aws:policy/AdministratorAccess",
  ]

  custom_group_policies = [
    {
      name   = "AllowS3Listing"
      policy = data.aws_iam_policy_document.sample.json
    }
  ]
}

IAM Best Practices

AWS published IAM Best Practices and this Terraform module was created to help with some of points listed there:

1. Create Individual IAM Users

Use iam-user module module to manage IAM users.

2. Use AWS Defined Policies to Assign Permissions Whenever Possible

Use iam-assumable-roles module to create IAM roles with managed policies to support common tasks (admin, poweruser or readonly).

3. Use Groups to Assign Permissions to IAM Users

Use iam-group-with-assumable-roles-policy module to manage IAM groups of users who can assume roles.

Use iam-group-with-policies module to manage IAM groups of users where specified IAM policies are allowed.

4. Configure a Strong Password Policy for Your Users

Use iam-account module to set password policy for your IAM users.

5. Enable MFA for Privileged Users

Terraform can't configure MFA for the user. It is only possible via AWS Console and AWS CLI.

6. Delegate by Using Roles Instead of by Sharing Credentials

iam-assumable-role, iam-assumable-roles, iam-assumable-roles-with-saml and iam-group-with-assumable-roles-policy modules provide complete set of functionality required for this.

7. Use Policy Conditions for Extra Security

iam-assumable-roles module can be configured to require valid MFA token when different roles are assumed (for example, admin role requires MFA, but readonly - does not).

8. Create IAM Policies

Use iam-policy module module to manage IAM policy.

Examples

  • iam-account - Set AWS account alias and password policy
  • iam-assumable-role - Create individual IAM role which can be assumed from specified ARNs (AWS accounts, IAM users, etc)
  • iam-assumable-role-with-oidc - Create individual IAM role which can be assumed from specified subjects federated with a OIDC Identity Provider
  • iam-assumable-role-with-saml - Create individual IAM role which can be assumed by users with a SAML Identity Provider
  • iam-assumable-roles - Create several IAM roles which can be assumed from specified ARNs (AWS accounts, IAM users, etc)
  • iam-assumable-roles-with-saml - Create several IAM roles which can be assumed by users with a SAML Identity Provider
  • iam-group-with-assumable-roles-policy - IAM group with users who are allowed to assume IAM roles in the same or in separate AWS account
  • iam-group-with-policies - IAM group with users who are allowed specified IAM policies (eg, "manage their own IAM user")
  • iam-group-complete - IAM group with users who are allowed to assume IAM roles in another AWS account and have access to specified IAM policies
  • iam-user - Add IAM user, login profile and access keys (with PGP enabled or disabled)
  • iam-policy - Create IAM policy

Authors

Module is maintained by Anton Babenko with help from these awesome contributors.

License

Apache 2 Licensed. See LICENSE for full details.

 相关资料
  • terraform-aws-frontend

    Terraform AWS frontend module Collection of Terraform modules for frontend app deployment on AWS. List of submodules Frontend app Maintainers Bartłomiej Wójtowicz (@qbart) Łukasz Pawlik (@LukeP91) LIC

  • terraform-provider-aws

    Terraform Provider for AWS Website: terraform.io Tutorials: learn.hashicorp.com Forum: discuss.hashicorp.com Chat: gitter Mailing List: Google Groups The Terraform AWS provider is a plugin for Terrafo

  • terraform-aws-vpc

    AWS VPC Terraform module Terraform module which creates VPC resources on AWS. Usage module "vpc" { source = "terraform-aws-modules/vpc/aws" name = "my-vpc" cidr = "10.0.0.0/16" azs = [

  • mastodon-aws-terraform

    Mastodon on AWS with Terraform Terraform module for mastodon service deploy Will deploy an ec2 instance with mastodon and run the service. Requirements AWS account EC2 domain with Route53 Terraform Us

  • terraform-aws-rds

    AWS RDS Terraform module Terraform module which creates RDS resources on AWS. Root module calls these modules which can also be used separately to create independent resources: db_instance - creates R

  • terraform-aws-atlantis

    AWS Terraform module which runs Atlantis on AWS Fargate Atlantis is tool which provides unified workflow for collaborating on Terraform through GitHub, GitLab and Bitbucket Cloud. This repository cont

同类工具

t-vaultuvicorn-gunicorn-fastapi-dockerRancher Kubernetes Engine(RKE)Wormholejenkins-zhmastodon-aws-terraformHeroku-Dockeraws-workshop-for-kubernetes

相关阅读

AWS Lambda函数写入S3AWS Lambda RDS连接超时使用在aws-sdk中扮演角色的配置文件(AWS JavaScript SDK)AWS S3 Java SDK-拒绝访问AWS CodeDeploy Github文件已存在

相关文章

相关问答

在aws\U实例上使用terraform user\U数据启动的进程如何继续运行到terraform apply finishing之后?使用Terraform为AWS配置Windows VM(包括文件Provisioner)会导致超时Terraform上的AWS:删除资源出错:等待状态被破坏时超时AWS创建DynamoDB表时出错:使用terraform创建Dynamodb表时验证异常如何使用Terraform禁用AWS秘密管理器的自动秘密旋转?

相关文档

快捷导航: 新手教程 算法原理 架构设计 Java进阶 数据库进阶 大厂专栏 面试经验 编程笔记 编程问答 所有专题 文档资料 工具软件 电子书籍 小牛导航
在线工具: 房贷计算器 个税计算器 Linux命令查询 Json格式化 正则表达式 颜色转换 AES加解密 SHA1加密 MD5加密 毒鸡汤 字数统计 随机密码生成 进制转换 Base64编解码 励志句子
Copyright © 2019-2024 小牛知识库@xnip.cn. All Rights Reserved.