
This module creates and manages AWS IAM Roles Anywhere resources. It lets you easily set up and configure IAM roles, trust anchors, and profiles for use with AWS Roles Anywhere.
The main purpose of the module is to simplify the implementation of AWS Roles Anywhere, allowing more secure and efficient management of temporary credentials for workloads running outside of AWS.
Once you have a Corewide Solutions Portal account, this one-time action will use your browser session to retrieve credentials:

```shell
terraform login solutions.corewide.com
```
Initialize mandatory providers:
Copy and paste the following into your Terraform configuration and fill in the variables:

```hcl
module "tf_aws_iam_roles_anywhere" {
  source  = "solutions.corewide.com/aws/tf-aws-iam-roles-anywhere/aws"
  version = "~> 1.0.0"

  # specify module inputs here or try one of the examples below
  ...
}
```
Initialize the setup:

```shell
terraform init
```
The Corewide DevOps team strictly follows the Semantic Versioning Specification to provide our clients with products that have predictable upgrades between versions. We recommend pinning patch versions of our modules using the pessimistic constraint operator (`~>`) to prevent breaking changes during upgrades.

To get new features during upgrades (without breaking compatibility), use `~> 1.0` and run `terraform init -upgrade`.

For the safest setup, use strict pinning with `version = "1.0.0"`.
All notable changes to this project are documented here.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- `CERTIFICATE_BUNDLE` and `AWS_ACM_PCA` certificate source types

Setup to create a Roles Anywhere IAM role, trust anchor and profile with a custom session policy:
```hcl
# Session policy: an upper bound on what the vended credentials may do,
# independent of the permissions attached to the role itself
data "aws_iam_policy_document" "ra_session" {
  statement {
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "s3:ListAllMyBuckets",
      "s3:GetBucketLocation",
    ]
  }
}

module "roles_anywhere" {
  source  = "solutions.corewide.com/aws/tf-aws-iam-roles-anywhere/aws"
  version = "~> 1.0"

  iam_role_name = "roles-anywhere"

  roles_anywhere_profiles = [
    {
      name           = "developer"
      session_policy = data.aws_iam_policy_document.ra_session.json
    },
  ]

  roles_anywhere_trust_anchor = {
    name = "trust-anchor"
    # The trust anchor takes the CA certificate (PEM), never the CA private key;
    # ca_cert is declared in the certificate bundle example below
    certificate = tls_self_signed_cert.ca_cert.cert_pem
  }
}
```
Generate the certificate bundle for the trust anchor, which is required for the AWS IAM Roles Anywhere Credential Helper tool:

```hcl
# CA key and self-signed CA certificate: the CA certificate becomes the trust anchor
resource "tls_private_key" "ca_key" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "tls_self_signed_cert" "ca_cert" {
  private_key_pem       = tls_private_key.ca_key.private_key_pem
  is_ca_certificate     = true
  validity_period_hours = 87600 # 10 years

  subject {
    common_name  = "RolesAnywhere CA"
    organization = "My Organization"
  }

  allowed_uses = [
    "digital_signature",
    "cert_signing",
    "crl_signing",
  ]
}

# Client key and certificate: presented by the workload to the credential helper
resource "tls_private_key" "client_key" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "tls_cert_request" "client_csr" {
  private_key_pem = tls_private_key.client_key.private_key_pem

  subject {
    common_name  = "RolesAnywhere Client"
    organization = "My Organization"
  }
}

# Client certificate signed by the CA above; Roles Anywhere validates the chain
# back to the trust anchor
resource "tls_locally_signed_cert" "client_cert" {
  cert_request_pem      = tls_cert_request.client_csr.cert_request_pem
  ca_private_key_pem    = tls_private_key.ca_key.private_key_pem
  ca_cert_pem           = tls_self_signed_cert.ca_cert.cert_pem
  validity_period_hours = 87600

  allowed_uses = [
    "digital_signature",
    "key_encipherment",
    "client_auth",
  ]
}
```
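To actually use the bundle above with the credential helper, here is an added example (not part of the module or of this page's own code) that writes the client certificate and key to disk and generates an AWS CLI profile using `credential_process`. It assumes `aws_signing_helper` is installed at `/usr/local/bin/aws_signing_helper`, that the `hashicorp/local` provider is available, that `module.roles_anywhere` is the instance with the `developer` profile declared above, and that the `profile_arns` and `iam_role_arns` outputs are lists ordered like `roles_anywhere_profiles` (check `terraform output` before relying on the `[0]` index).

```hcl
# Added example, not part of the module: wire the client certificate and the
# module outputs into an AWS CLI profile that fetches credentials through
# aws_signing_helper. Assumed: helper path /usr/local/bin/aws_signing_helper,
# hashicorp/local provider present, and profile_arns / iam_role_arns being
# lists in roles_anywhere_profiles order (hypothetical; verify with
# `terraform output`).

# Key material stays on the workstation with owner-only permissions; the
# private key is never uploaded to AWS (only the CA certificate is).
resource "local_sensitive_file" "client_key" {
  content         = tls_private_key.client_key.private_key_pem
  filename        = "${path.module}/certs/client.key"
  file_permission = "0600"
}

resource "local_file" "client_cert" {
  content         = tls_locally_signed_cert.client_cert.cert_pem
  filename        = "${path.module}/certs/client.pem"
  file_permission = "0644"
}

locals {
  # credential_process must be a single line in the AWS config file, so the
  # command is joined here. --session-duration 3600 keeps vended credentials
  # short-lived; it must not exceed the profile's duration_seconds.
  credential_process = join(" ", [
    "/usr/local/bin/aws_signing_helper credential-process",
    "--certificate ${abspath(local_file.client_cert.filename)}",
    "--private-key ${abspath(local_sensitive_file.client_key.filename)}",
    "--trust-anchor-arn ${module.roles_anywhere.trust_anchor_arn}",
    "--profile-arn ${module.roles_anywhere.profile_arns[0]}",
    "--role-arn ${module.roles_anywhere.iam_role_arns[0]}",
    "--session-duration 3600",
  ])
}

# The region below is a constructed default; set it to the region you use.
resource "local_file" "aws_config" {
  filename        = "${path.module}/aws_config"
  file_permission = "0600"
  content         = <<-EOT
    [profile developer]
    region             = us-east-1
    credential_process = ${local.credential_process}
  EOT
}
```

After `terraform apply`, run `AWS_CONFIG_FILE=./aws_config aws sts get-caller-identity --profile developer` and confirm the returned ARN is an assumed-role session of the `roles-anywhere` role; any session-policy limits from the profile apply to that session.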
Minimal setup to create a Roles Anywhere IAM role, trust anchor and profile with an AWS managed policy:

```hcl
module "roles_anywhere" {
  source  = "solutions.corewide.com/aws/tf-aws-iam-roles-anywhere/aws"
  version = "~> 1.0"

  iam_role_name = "roles-anywhere"

  roles_anywhere_trust_anchor = {
    name        = "trust-anchor"
    certificate = file("/path/to/your/certificate.pem")
  }

  roles_anywhere_profiles = [
    {
      name                = "admin"
      managed_policy_arns = ["arn:aws:iam::aws:policy/AdministratorAccess"]
    },
  ]
}
```
| Variable | Description | Type | Default | Required | Sensitive |
|---|---|---|---|---|---|
| `iam_role_name` | Name of the IAM role to be created for Roles Anywhere | `string` | | yes | no |
| `roles_anywhere_profiles` | List of Roles Anywhere profiles to create | `list(object)` | | yes | no |
| `roles_anywhere_trust_anchor` | Configuration for the Roles Anywhere Trust Anchor | `object` | | yes | no |
| `roles_anywhere_profiles[*].duration_seconds` | The number of seconds the vended session credentials are valid for | `number` | | no | no |
| `roles_anywhere_profiles[*].managed_policy_arns` | A list of managed policy ARNs that apply to the vended session credentials | `list(string)` | `[]` | no | no |
| `roles_anywhere_profiles[*].name` | Name of the Roles Anywhere profile | `string` | | yes | no |
| `roles_anywhere_profiles[*].session_policy` | A session policy that applies to the trust boundary of the vended session credentials | `string` | | no | no |
| `roles_anywhere_trust_anchor.acm_pca_arn` | The ARN of an ACM certificate | `string` | | no | no |
| `roles_anywhere_trust_anchor.certificate` | SSL certificate that is signed by a Certificate Authority, to be assigned to the Roles Anywhere Trust Anchor | `string` | | no | no |
| `roles_anywhere_trust_anchor.enabled` | Toggle the Trust Anchor | `bool` | `true` | no | no |
| `roles_anywhere_trust_anchor.name` | Name of the Trust Anchor | `string` | | yes | no |
| Output | Description | Type | Sensitive |
|---|---|---|---|
| `iam_role_arns` | ARNs of the IAM roles created for Roles Anywhere | computed | no |
| `iam_role_names` | Names of the IAM roles created for Roles Anywhere | computed | no |
| `profile_arns` | ARNs of the Roles Anywhere profiles | computed | no |
| `trust_anchor_arn` | ARN of the Roles Anywhere trust anchor | attribute | no |
| Dependency | Version | Kind |
|---|---|---|
| `terraform` | `>= 1.3` | CLI |
| `hashicorp/aws` | `~> 5.72` | provider |
| `tf-aws-iam-role` | `~> 1.1` | module |