Service role module #2

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
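--- a/modules/service_role/CHANGELOG.md
+++ b/modules/service_role/CHANGELOG.md
@@ -0,0 +1,3 @@
+## [1.0] - 2021-11-21
+
+* Creates a service role module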
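--- a/modules/service_role/README.md
+++ b/modules/service_role/README.md
@@ -0,0 +1,31 @@
+# Service Role
+
+This module provisions an IAM role that will be assumed by one or more AWS services.
+
+## Usage
+
+```terraform
+module "service_role" {
+role_name = "ecs-task-execution"
+role_description = "ECS Task Execution Role"
+services = ["ecs-tasks.amazonaws.com"]
+
+policies = {
+pull_ecr_image = aws_iam_policy.pull_ecr_image.arn
+}
+
+policy_documents = {
+read_s3_bucket = data.aws_iam_policy_document.read_s3_bucket.json
+}
+
+tags = {
+environment = "staging"
+}
+}
+
+resource "aws_ecs_task_definition" "task" {
+family = "my-ecs-task"
+container_definitions = jsonencode([...])
+execution_role_arn = module.service_role.role_arn
+}
+```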
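--- a/modules/service_role/VERSION.txt
+++ b/modules/service_role/VERSION.txt
@@ -0,0 +1 @@
+1.0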
36 changes: 36 additions & 0 deletions modules/service_role/main.tf
@@ -0,0 +1,36 @@
resource "aws_iam_role" "main" {
name = var.role_name
description = var.role_description
assume_role_policy = data.aws_iam_policy_document.services_can_assume.json
tags = var.tags
}

data "aws_iam_policy_document" "services_can_assume" {
statement {
sid = "AssumeRole"
actions = ["sts:AssumeRole"]

principals {
type = "service"
identifiers = var.services
}
}
}

resource "aws_iam_role_policy_attachment" "main" {
for_each = merge(
var.policies,
zipmap(var.policy_documents, aws_iam_policy.main[*].arn)
)

role = aws_iam_role.main.id
policy_arn = each.value
}

resource "aws_iam_policy" "main" {
for_each = var.policy_documents

name = each.key
policy = each.value
tags = var.tags
}
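Review bot: The trust policy in `services_can_assume` grants `sts:AssumeRole` to every listed service principal unconditionally, so the service acting on behalf of a resource in any other AWS account can assume this role (the confused-deputy case AWS warns about for service roles); it should take optional `aws:SourceAccount`/`aws:SourceArn` conditions, opt-in because not every service populates those keys, backed by `source_account` (string, default null) and `source_arns` (list(string), default []) declared in variables.tf. Separately, `zipmap(var.policy_documents, aws_iam_policy.main[*].arn)` will not plan: `aws_iam_policy.main` is created with `for_each`, so it is a map and the `[*]` splat does not apply, and `zipmap` needs a list of keys rather than the `policy_documents` map — `{ for k, p in aws_iam_policy.main : k => p.arn }` yields the identifier→ARN mapping directly. `name = each.key` on `aws_iam_policy.main` makes two instances of this module that reuse a key (e.g. `read_s3_bucket`) collide, since managed-policy names are unique per account; `name = "${var.role_name}-${each.key}"` avoids that. The provider documents the principal type as `Service` (capitalised); confirm that `"service"` is accepted before relying on it.
```hcl
data "aws_iam_policy_document" "services_can_assume" {
  statement {
    # … unchanged: sid / actions …

    principals {
      type        = "Service"
      identifiers = var.services
    }

    # Confused-deputy guard: only honour AssumeRole calls the service makes on
    # behalf of resources in this account / matching these ARNs. Opt-in,
    # since not every service sets these keys.
    dynamic "condition" {
      for_each = var.source_account == null ? [] : [var.source_account]
      content {
        test     = "StringEquals"
        variable = "aws:SourceAccount"
        values   = [condition.value]
      }
    }

    dynamic "condition" {
      for_each = length(var.source_arns) == 0 ? [] : [var.source_arns]
      content {
        test     = "ArnLike"
        variable = "aws:SourceArn"
        values   = condition.value
      }
    }
  }
}

resource "aws_iam_role_policy_attachment" "main" {
  for_each = merge(
    var.policies,
    { for k, p in aws_iam_policy.main : k => p.arn },
  )
  # … unchanged: role / policy_arn …
}

resource "aws_iam_policy" "main" {
  for_each = var.policy_documents

  # Prefix with the role name: managed-policy names are account-unique.
  name = "${var.role_name}-${each.key}"
  # … unchanged: policy / tags …
}
```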
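--- a/modules/service_role/outputs.tf
+++ b/modules/service_role/outputs.tf
@@ -0,0 +1,3 @@
+output "role_arn" {
+value = aws_iam_role.main.arn
+}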
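--- a/modules/service_role/variables.tf
+++ b/modules/service_role/variables.tf
@@ -0,0 +1,33 @@
+variable "role_name" {
+type = string
+description = "Name for IAM role"
+}
+
+variable "role_description" {
+type = string
+description = "Description for IAM role"
+default = ""
+}
+
+variable "tags" {
+type = map(string)
+description = "Tags to be applied to IAM role and any IAM policies created"
+default = {}
+}
+
+variable "services" {
+type = list(string)
+description = "AWS services that can assume IAM role"
+}
+
+variable "policies" {
+type = map(string)
+description = "IAM policies with an identifier as key and the policy ARN as value"
+default = {}
+}
+
+variable "policy_documents" {
+type = map(string)
+description = "IAM policy documents with an identifier as key and the policy document JSON as value"
+default = {}
+}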
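Review bot: `services` is an unvalidated `list(string)` that goes straight into the role's trust policy as `Service` principals, so a typo such as `ecs-task.amazonaws.com` or a non-service string is only discovered at apply time, if at all; a `validation` block requiring each entry to look like a service principal catches that at plan time (needs Terraform 0.14+ for `alltrue`). The module also has no way to scope the trust policy to the calling account or to specific resource ARNs, which is what AWS recommends for service roles to avoid the confused-deputy problem; `source_account` (string, default null) and `source_arns` (list(string), default []) variables, documented as optional `aws:SourceAccount`/`aws:SourceArn` conditions, would let callers opt in without changing existing behaviour. The `policy_documents` description should also state that the key is used as the managed-policy name and therefore must be unique within the account.
```hcl
variable "services" {
  type        = list(string)
  description = "AWS service principals (e.g. ecs-tasks.amazonaws.com) that can assume the IAM role"

  validation {
    condition     = alltrue([for s in var.services : can(regex("\\.amazonaws\\.com(\\.cn)?$", s))])
    error_message = "Each entry in services must be a service principal such as ecs-tasks.amazonaws.com."
  }
}

variable "source_account" {
  type        = string
  description = "If set, the role can only be assumed on behalf of resources in this AWS account (aws:SourceAccount condition)"
  default     = null
}

variable "source_arns" {
  type        = list(string)
  description = "If non-empty, the role can only be assumed on behalf of resources matching these ARN patterns (aws:SourceArn condition)"
  default     = []
}

# … unchanged: role_name / role_description / tags / policies / policy_documents …
```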