Fred Damstra ffc81e90b9 Decouples IAM terraform from the `live` repository 5 years ago

modules/
README.md
account_alias.tf
assume_role_policy-okta_saml.tf
datasources.tf
locals.tf
policy-mdr_engineer.tf
policy-mdr_iam_admin.tf
policy-mdr_readonly_assumerole.tf
policy-mdr_terraformer.tf
role-mdr_engineer.tf
role-mdr_engineer_readonly.tf
role-mdr_iam_admin.tf
role-mdr_terraformer.tf
saml_provider.tf
variables.tf
versions.tf

README.md

okta saml roles module

Defines several well-known IAM roles and ties each of them to a matching Okta group that is passed in the SAML assertion.

Make sure you have an OKTA_API_TOKEN environment variable set to an Okta API token.

Providers

| Name | Version |
|------|---------|
| aws  | ~2.0?   |
| okta | ?       |

Inputs

| Name | Description | Type | Required |
|------|-------------|------|----------|
| okta_app | The (friendly) name of the Okta app. In our environment either "AWS - Commercial" or "AWS - GovCloud". | string | yes |
| account_alias | The account alias that should be set for the AWS account. This is an AWS global value. | string | yes |
| trusted arns | Any ARNs that should be able to AssumeRole. This is mostly intended for use in "child" AWS accounts. | list(string) | no |

Roles created

| Role Name | Attached Policies | Description |
|-----------|-------------------|-------------|
| /user/mdr_engineer | mdr_engineer | "legacy" role. |
| /user/mdr_engineer_readonly | ReadOnlyAccess, mdr_engineer_readonly_assumerole | Read-only access to the AWS console with the ability to escalate to the Terraformer role. |
| /user/mdr_iam_admin | IAMFullAccess, iam_admin_kms | "legacy" role. |
| /user/mdr_terraformer | mdr_terraformer | Full read/write access to (almost) everything. Has some limitations around PassRole and AssumeRole. |

Policies created

| Policy Name | Description |
|-------------|-------------|
| mdr_engineer | "legacy" policy. Gives effectively PowerUserAccess but with limitations on iam:PassRole and sts:AssumeRole. |
| iam_admin_kms | "legacy" policy. Gives several kms:* actions related to creating, destroying, and managing keys. Encrypt and Decrypt are noticeably absent. |
| mdr_engineer_readonly_assumerole | Read-only access to the AWS console with the ability to escalate to the Terraformer role. |
| mdr_terraformer | Full read/write access to (almost) everything. Has some limitations around PassRole and AssumeRole. |
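As an added illustration of the pattern the role and policy tables describe (this is not the module's own code), the following Terraform shows the SAML trust policy for the read-only role and the narrow escalation policy that lets it assume only the Terraformer role. It assumes a SAML provider resource named `aws_iam_saml_provider.okta`, the trusted-ARN input declared as `var.trusted_arns`, and uses an inline role policy for brevity where the module lists a managed one.

```hcl
data "aws_caller_identity" "current" {}

# Trust policy: only identities federated through the Okta SAML provider may
# assume the role, and only when the assertion audience is the AWS sign-in
# endpoint (commercial partition shown; GovCloud uses its own endpoint).
data "aws_iam_policy_document" "okta_saml_trust" {
  statement {
    actions = ["sts:AssumeRoleWithSAML"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_saml_provider.okta.arn] # assumed resource name
    }
    condition {
      test     = "StringEquals"
      variable = "SAML:aud"
      values   = ["https://signin.aws.amazon.com/saml"]
    }
  }
  # Child-account pattern: additionally trust explicitly listed ARNs, if any.
  dynamic "statement" {
    for_each = length(var.trusted_arns) > 0 ? [1] : []
    content {
      actions = ["sts:AssumeRole"]
      principals {
        type        = "AWS"
        identifiers = var.trusted_arns
      }
    }
  }
}

resource "aws_iam_role" "mdr_engineer_readonly" {
  name               = "mdr_engineer_readonly"
  path               = "/user/"
  assume_role_policy = data.aws_iam_policy_document.okta_saml_trust.json
}

# Escalation path: the read-only role may assume exactly one role, the
# Terraformer role in this account, and nothing broader.
data "aws_iam_policy_document" "readonly_assumerole" {
  statement {
    actions   = ["sts:AssumeRole"]
    resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/user/mdr_terraformer"]
  }
}

resource "aws_iam_role_policy" "readonly_escalate" {
  name   = "mdr_engineer_readonly_assumerole"
  role   = aws_iam_role.mdr_engineer_readonly.id
  policy = data.aws_iam_policy_document.readonly_assumerole.json
}
```

The escalation only works if the Terraformer role's own trust policy also names the read-only role (or the account) as a principal; granting sts:AssumeRole on one side alone is not sufficient, which is what keeps the escalation path explicit and auditable.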