Creates "standard" IAM policies and roles in an account that is treated like an AWS Organizations child account.
Picture our collection of AWS accounts with the "common-services" account as the root of an Organizations hierarchy: all users exist in common-services and AssumeRole into the appropriate role in each child account.
- common-services
  - prod-c2
  - test-c2
  - prod-customer-1
  - prod-customer-2
  - ...
This module makes roles that are NOT SAML linked. It is expected that you will AssumeRole into these roles cross-account from common-services.
| Name | Version |
|---|---|
| aws | ~2.0? |
| Name | Description | Type | Required |
|---|---|---|---|
| okta_app | The (friendly) name of the Okta app. In our environment either "AWS - Commercial" or "AWS - GovCloud" | string | Yes |
| account_alias | The account alias that should be set for the AWS account. This is an AWS global value | string | Yes |
| Role Name | Attached Policies | Description |
|---|---|---|
| /user/mdr_engineer_readonly | ReadOnlyAccess, mdr_engineer_readonly_assumerole | Read-only access to the AWS console with the ability to escalate to the Terraformer role |
| /user/mdr_terraformer | mdr_terraformer | Full read/write access to (almost) everything. Has some limitations around PassRole and AssumeRole |
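The cross-account trust and read-only-to-Terraformer escalation path described in the table above, written out in Terraform as an added example (this is not the module's own code). The role names, the `/user/` path and the `ReadOnlyAccess` managed policy come from this README; the `common_services_account_id` variable, its placeholder default, the `mdr_terraformer` role's permissions (left to a separate policy here) and the MFA condition on the cross-account trust are assumptions of the example.

```hcl
# Added example, not the module's own code. Placeholder account ID:
# replace with the real common-services account ID via the variable.
variable "common_services_account_id" {
  description = "Account ID of the common-services (Organizations root) account whose users AssumeRole into this account."
  type        = string
  default     = "111111111111" # placeholder
}

# Cross-account trust: only principals from common-services may assume the
# read-only role, and only from an MFA-authenticated session (the MFA
# condition is an added hardening, not something the README requires).
data "aws_iam_policy_document" "trust_common_services" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.common_services_account_id}:root"]
    }
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

resource "aws_iam_role" "mdr_engineer_readonly" {
  name               = "mdr_engineer_readonly"
  path               = "/user/"
  assume_role_policy = data.aws_iam_policy_document.trust_common_services.json
}

# The Terraformer role trusts common-services directly (MFA required) and
# also the read-only role in this account, which is what makes the
# escalation in the roles table possible. Role chaining never carries the
# MFA flag, so the second statement deliberately has no MFA condition.
data "aws_iam_policy_document" "trust_terraformer" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.common_services_account_id}:root"]
    }
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.mdr_engineer_readonly.arn]
    }
  }
}

resource "aws_iam_role" "mdr_terraformer" {
  name               = "mdr_terraformer"
  path               = "/user/"
  assume_role_policy = data.aws_iam_policy_document.trust_terraformer.json
}

# ReadOnlyAccess is the AWS-managed policy named in the roles table.
resource "aws_iam_role_policy_attachment" "readonly_managed" {
  role       = aws_iam_role.mdr_engineer_readonly.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# mdr_engineer_readonly_assumerole: the only non-read action granted to the
# read-only role is assuming the Terraformer role in this same account.
# Scoping the resource to that one role ARN is what keeps this narrow.
data "aws_iam_policy_document" "engineer_readonly_assumerole" {
  statement {
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = [aws_iam_role.mdr_terraformer.arn]
  }
}

resource "aws_iam_policy" "mdr_engineer_readonly_assumerole" {
  name   = "mdr_engineer_readonly_assumerole"
  path   = "/user/"
  policy = data.aws_iam_policy_document.engineer_readonly_assumerole.json
}

resource "aws_iam_role_policy_attachment" "engineer_readonly_assumerole" {
  role       = aws_iam_role.mdr_engineer_readonly.name
  policy_arn = aws_iam_policy.mdr_engineer_readonly_assumerole.arn
}
```

Two points worth checking when reviewing a module like this: the escalation only works because the Terraformer role's trust policy names the read-only role as a principal (a trust policy that lists only the common-services root would silently block the chain), and CloudTrail `AssumeRole` events in the child account will show the read-only role's session as the source of every Terraformer session reached this way, which is the record to watch for escalation that was not expected.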
| Module name | Purpose |
|---|---|
| standard_iam_policies | Defines the policies used by the roles |