xdr-terraform-modules/base/iam/okta_saml_roles

okta saml roles module

Defines several well-known IAM roles and ties them to matching OKTA groups that are passed over as part of a SAML assertion.

Make sure you have an OKTA_API_TOKEN enviornment variable set with an Okta API token.

Providers

Name	Version
aws	~2.0?
okta	?

Inputs

Name	Description	Type	Required
okta_app	The (friendly) name of the Okta app. In our environment either "AWS - Commercial" or "AWS - GovCloud"	string	Yes
account_alias	The account alias that should be set for the AWS account. This is an AWS global value	string	yes
trusted arns	Any ARNS that should be able to AssumeRole. This is mostly intended for use in "child" AWS accounts.	list(string)	no

Roles created

Role Name	Attached Policies	Description
/user/mdr_engineer	mdr_engineer	"legacy" role.
/user/mdr_engineer_readonly	ReadOnlyAccess mdr_engineer_readonly_assumerole	Read only access to AWS console with ability to escalate to Terraformer role
/user/mdr_iam_admin	IAMFullAccess iam_admin_kms	"legacy" role.
/user/mdr_terraformer	mdr_terraformer	Full read/write access to (almost) everything. Has some limitations around PassRole and AssumeRole

Policies created

Policy Name	Description
mdr_engineer	"legacy" policy. Gives effectively PowerUserAccess but with limitations on iam:PassRole and sts:AssumeRole.
iam_admin_kms	"legacy" policy. Gives several kms:* actions related to creating, destroying, and managing keys. Encrypt and Decrypt are noticeably absent.
mdr_engineer_readonly_assumerole	Read only access to AWS console with ability to escalate to Terraformer role
mdr_terraformer	Full read/write access to (almost) everything. Has some limitations around PassRole and AssumeRole