# child_account_roles module
Creates "standard" IAM policies and roles in an account that is treated as an
AWS Organizations child account.

Picture our collection of AWS accounts with the "common-services" account as the
root of an Organizations hierarchy: all users exist there and AssumeRole into the
appropriate role in each child account.

```
common-services
├── prod-c2
├── test-c2
├── prod-customer-1
├── prod-customer-2
└── ...
```
This module makes roles that are NOT SAML linked. It is expected you will
AssumeRole into these roles cross-account.
## Providers
## Inputs

| Name | Description | Type | Required |
|---|---|---|---|
| okta_app | The (friendly) name of the Okta app. In our environment either "AWS - Commercial" or "AWS - GovCloud" | string | Yes |
| account_alias | The account alias that should be set for the AWS account. This is an AWS global value | string | Yes |
## Roles created

| Role Name | Attached Policies | Description |
|---|---|---|
| /user/mdr_engineer_readonly | ReadOnlyAccess, mdr_engineer_readonly_assumerole | Read-only access to the AWS console with the ability to escalate to the Terraformer role |
| /user/mdr_terraformer | mdr_terraformer | Full read/write access to (almost) everything. Has some limitations around PassRole and AssumeRole |
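As an added illustration (not the module's own code), one way to express the read-only role, its cross-account trust, and its scoped escalation path in Terraform; `var.parent_account_id` and the Terraform resource labels are assumptions, while role and policy names follow the table above.

```hcl
# Added illustration, not the module's own code. Assumes var.parent_account_id
# holds the common-services account ID; role and policy names follow the README.
variable "parent_account_id" {
  type        = string
  description = "Account ID of the common-services (Organizations root) account"
}

data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}   # aws vs aws-us-gov, so ARNs work in GovCloud

# Trust policy: only principals from common-services may assume the role.
# Trusting ":root" delegates who exactly may assume it to that account's IAM policies.
data "aws_iam_policy_document" "cross_account_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:${data.aws_partition.current.partition}:iam::${var.parent_account_id}:root"]
    }
  }
}

resource "aws_iam_role" "mdr_engineer_readonly" {
  name               = "mdr_engineer_readonly"
  path               = "/user/"
  assume_role_policy = data.aws_iam_policy_document.cross_account_trust.json
}

resource "aws_iam_role_policy_attachment" "readonly" {
  role       = aws_iam_role.mdr_engineer_readonly.name
  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/ReadOnlyAccess"
}

# Escalation path: the read-only role may assume only mdr_terraformer in this
# account; the resource ARN is what keeps this from becoming a general AssumeRole grant.
data "aws_iam_policy_document" "readonly_assumerole" {
  statement {
    actions   = ["sts:AssumeRole"]
    resources = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/user/mdr_terraformer"]
  }
}

resource "aws_iam_role_policy" "mdr_engineer_readonly_assumerole" {
  name   = "mdr_engineer_readonly_assumerole"
  role   = aws_iam_role.mdr_engineer_readonly.id
  policy = data.aws_iam_policy_document.readonly_assumerole.json
}
```

The escalation only works if mdr_terraformer's own trust policy also lists the read-only role's ARN as a principal; otherwise STS denies the AssumeRole despite this grant. Because every role here trusts the parent account, the parent's IAM policies are the control that decides which engineers can reach a given child account.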
## Modules referenced

| Module name | Purpose |
|---|---|
| standard_iam_policies | Defines the policies used by the roles |