Creates an IAM role for use as a Snow Family service role.
module "snowfamily_iam_role" {
source = "dod-iac/snowfamily-iam-role/aws"
name = format("app-%s-snowfamily-%s", var.application, var.environment)
kms_keys_decrypt = ["*"]
kms_keys_encrypt = ["*"]
s3_buckets_import = ["*"]
s3_buckets_export = ["*"]
sns_topics_publish = ["*"]
tags = {
Application = var.application
Environment = var.environment
Automation = "Terraform"
}
}Terraform 0.13. Pin module version to ~> 1.0.0 . Submit pull-requests to main branch.
Terraform 0.11 and 0.12 are not supported.
This project constitutes a work of the United States Government and is not subject to domestic copyright protection under 17 USC § 105. However, because the project utilizes code licensed from contributors and other third parties, it therefore is licensed under the MIT License. See LICENSE file for more information.
| Name | Version |
|---|---|
| terraform | >= 0.13 |
| aws | >= 3.0, < 5.0 |
| Name | Version |
|---|---|
| aws | >= 3.0, < 5.0 |
No modules.
| Name | Type |
|---|---|
| aws_iam_policy.main | resource |
| aws_iam_role.main | resource |
| aws_iam_role_policy_attachment.main | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.assume_role_policy | data source |
| aws_iam_policy_document.main | data source |
| aws_partition.current | data source |
| aws_region.current | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| assume_role_policy | The assume role policy for the AWS IAM role. If blank, allows Snow Family (fka Import/Export) to assume the role. | string |
"" |
no |
| kms_keys_decrypt | The ARNs of the AWS KMS keys that can be used to decrypt data. Use ["*"] to allow all keys. | list(string) |
[] |
no |
| kms_keys_encrypt | The ARNs of the AWS KMS keys that can be used to encrypt data. Use ["*"] to allow all keys. | list(string) |
[] |
no |
| name | The name of the AWS IAM role. | string |
n/a | yes |
| policy_description | The description of the AWS IAM policy. Defaults to "The policy for [NAME]". | string |
"" |
no |
| policy_name | The name of the AWS IAM policy. Defaults to "[NAME]-policy". | string |
"" |
no |
| s3_buckets_export | The ARNs of the AWS S3 buckets that data can be exported from. Use ["*"] to allow all buckets. | list(string) |
[] |
no |
| s3_buckets_import | The ARNs of the AWS S3 buckets that data can be imported into. Use ["*"] to allow all buckets. | list(string) |
[] |
no |
| sns_topics_publish | The ARNs of the AWS SNS topics that status updates can be published to. Use ["*"] to allow all topics. | list(string) |
[] |
no |
| tags | Tags applied to the AWS IAM role. | map(string) |
{} |
no |
| Name | Description |
|---|---|
| arn | The Amazon Resource Name (ARN) of the AWS IAM Role. |
| name | The name of the AWS IAM Role. |