A Terraform module that bootstraps an IAM role in each new AWS account as it is created in, or invited to, an AWS Organization.

The module creates a new IAM role in the target account, attaches one AWS-managed permission policy to it, and sets the role's trust policy to the JSON-formatted string you provide.

It uses a CloudWatch Events (now EventBridge) rule to detect when accounts are created in or invited to the Organization. The rule triggers a Lambda function, which assumes the role named by `assume_role_name` in the new account and creates the IAM role there.
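A usage example, added here to show how the inputs fit together; it is not code from the module's repository. The module source path, the management-account role `SecurityAuditors` and the target role name `SecurityAudit` are assumptions. Because the trust policy is applied verbatim in every new account, it is the security boundary of the role this module creates, so the example builds it with the aws provider's `aws_iam_policy_document` data source and names a single principal instead of an account-wide `:root` or a wildcard.

```hcl
# Added usage example (not part of the module). The source path, the
# SecurityAuditors role and the SecurityAudit role name are assumptions.

data "aws_caller_identity" "management" {}

# Trust policy for the role that will be created in each new account.
# Only one named role in the management account may assume it. Avoid
# ":root" here: it would let any principal in the management account
# that holds sts:AssumeRole permission use the new role.
data "aws_iam_policy_document" "trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.management.account_id}:role/SecurityAuditors"]
    }
  }
}

module "bootstrap_role" {
  source = "./modules/org-account-iam-role" # assumed path to this module

  # Role the Lambda assumes in the new account. AWS Organizations creates
  # OrganizationAccountAccessRole in accounts it creates; an invited account
  # must already have an equivalent role before the Lambda can act in it.
  assume_role_name = "OrganizationAccountAccessRole"

  role_name              = "SecurityAudit"
  role_permission_policy = "SecurityAudit" # AWS-managed policy name, not an ARN
  trust_policy_json      = data.aws_iam_policy_document.trust.json

  log_level = "warning"

  tags = {
    managed-by = "terraform"
  }
}
```

Review `trust_policy_json` like any other cross-account grant: a wildcard or `:root` principal in it hands the attached AWS-managed policy to every principal in the management account, in every account the Organization ever creates or invites.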
To set up and run tests:
```shell
# Ensure the dependencies are installed on your system.
make python/deps
make pytest/deps

# Start up a mock AWS stack:
make mockstack/up

# Run unit tests:
make docker/run target=pytest/lambda/tests

# Run tests against the Terraform configuration:
make mockstack/pytest/lambda

# Shut down the mock AWS stack and clean up the docker image:
make mockstack/clean
```
Requirements:

| Name | Version |
|---|---|
| terraform | >= 1.3 |
| aws | >= 4.9 |
| external | >= 1.0 |
| local | >= 1.0 |
| null | >= 2.0 |
| random | >= 3.0 |
Providers:

| Name | Version |
|---|---|
| aws | >= 4.9 |
| random | >= 3.0 |
Resources:

| Name | Type |
|---|---|
| aws_iam_policy_document.lambda | data source |
| aws_partition.current | data source |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| assume_role_name | Name of the IAM role to assume in the target account (case sensitive) | string | n/a | yes |
| role_name | Name of the IAM role to create in the target account (case sensitive) | string | n/a | yes |
| role_permission_policy | Name of the AWS-managed permission policy to attach to the role (case sensitive) | string | n/a | yes |
| trust_policy_json | JSON-formatted string containing the role trust policy | string | n/a | yes |
| event_types | Event types that will trigger this Lambda | set(string) | [ | no |
| lambda | Map of any additional arguments for the upstream Lambda module. See https://github.com/terraform-aws-modules/terraform-aws-lambda | object({ | {} | no |
| log_level | Log level of the Lambda output, one of: debug, info, warning, error, critical | string | "info" | no |
| tags | Tags that are passed to resources | map(string) | {} | no |
Outputs:

| Name | Description |
|---|---|
| aws_cloudwatch_event_rule | The CloudWatch event rule object |
| aws_cloudwatch_event_target | The CloudWatch event target object |
| aws_lambda_permission_events | The Lambda permission object for CloudWatch event triggers |
| lambda | The Lambda module object |