/terraform-aws-boundary-stack

A wrapper to deploy an IAM boundary via a cloudformation stackset

Primary LanguageHCL

Appvia Banner

Terraform Registry Latest Release Slack Community Contributors

Github Actions

Terraform AWS IAM Boundary Stack



IAM Boundary

Description

The purpose of this module is to provide a convenient method of deploying IAM boundaries to all AWS accounts within an AWS Organization, including the management account. The method effectively wraps a cloudformation stackset, and deploy to the organization root. Note, since stacksets are not deployed to the management account, the same functionality is deployed your a single cloudformation stack.

Usage

module "boundary" {
  source = "../.."

  description               = "Used to deploy the default permissions boundary for the pipelines."
  enable_management_account = true
  name                      = "LZA-IAM-DefaultBoundary"
  region                    = "us-west-2"
  tags                      = {}
  template                  = file("assets/default-boundary.yml")
  parameters                = {}
}

Update Documentation

The terraform-docs utility is used to generate this README. Follow the below steps to update:

  1. Make changes to the .terraform-docs.yml file
  2. Fetch the terraform-docs binary (https://terraform-docs.io/user-guide/installation/)
  3. Run terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .

Requirements

Name Version
terraform >= 1.0
aws ~> 5.0

Providers

Name Version
aws ~> 5.0

Modules

No modules.

Resources

Name Type
aws_cloudformation_stack.management resource
aws_cloudformation_stack_set.boundary resource
aws_cloudformation_stack_set_instance.root resource
aws_organizations_organization.current data source

Inputs

Name Description Type Default Required
description The description of the cloudformation stack string n/a yes
name The name of the cloudformation stack string n/a yes
region The region to deploy the cloudformation template string n/a yes
tags The tags to apply to the cloudformation stack map(string) n/a yes
template The body of the cloudformation template to deploy string n/a yes
capabilities The capabilities required to deploy the cloudformation template list(string) 
[
  "CAPABILITY_NAMED_IAM",
  "CAPABILITY_AUTO_EXPAND",
  "CAPABILITY_IAM"
]
 no
enable_management_account Enable the deployment to the management account bool false no
max_concurrent_count The maximum number of concurrent deployments number 10 no
organization_units A list of organization units to deploy the boundary (defaults to all organization units) list(string) [] no
parameters The parameters to pass to the cloudformation template map(string) {} no

Outputs

Name Description
stack_instance_id The arn for the cloudformation stack instance when deployed to management account
stack_set_arn The arn for the cloudformation stack set