|
|
@@ -1,9 +1,22 @@
|
|
|
-This role is created separate from account standards even though it is required in all accounts. The role must be created after the salt master instance or the trust policy can't be applied.
|
|
|
+# s3_bucket_writer_role
|
|
|
|
|
|
-PREREQUISITES:
|
|
|
+A role to enable read/write access to a specific S3 bucket via `sts:AssumeRole`.
|
|
|
+It's primarily intended for cross-account scenarios. This is a little odd perhaps
|
|
|
+compared to S3 bucket policies and things allowing for native cross-account
|
|
|
+access via `Principal` in the bucket policy itself.
|
|
|
|
|
|
-Order gets very important in this module, unfortunately. The following sequence is required:
|
|
|
-* The salt-master instances must be created in C2 test and C2 prod (in govcloud).
|
|
|
-* This module must be run in commercial C2 prod (The user is created, which is trusted by all others)
|
|
|
-* This module must be run in commercial C2 test (The user is created, which is trusted by the rest of test)
|
|
|
-* Then the module can be run in all the other accounts
|
|
|
+I went this way so that scripts running on EC2 nodes with instance roles would
|
|
|
+have the ablility to (when needed) use an AssumeRole in order to gain
|
|
|
+read-write access to a bucket that 99.99% of the time they don't need the
|
|
|
+read-write access.
|
|
|
+
|
|
|
+## inputs
|
|
|
+
|
|
|
+| Argument | type | value / description |
|
|
|
+|---------------|----------------|---------------------|
|
|
|
+| name | string | The name of the role we're making. It will be in the /service/ path in IAM
|
|
|
+| trusted_arns | list(string) | The ARNs that should be able to assume this role |
|
|
|
+| description | string | Description tied to the role |
|
|
|
+| bucket | string | The bucket that this policy should allow write access to |
|
|
|
+| tags | map | (optional) Tags to be applied
|
|
|
+| standard_tags | map | (optional) Other tags to be applied from terragrunt
|
Duane Waddle