terraform-aws-org-new-account-iam-role

A Terraform module to bootstrap the creation of an IAM Role in an AWS Account when new accounts are created within AWS Organizations.

This module deploys a Lambda function that creates a new IAM role in the new account, attaches an AWS-managed permission policy to it, and sets the role's trust policy to the provided JSON-formatted string. The trust policy is applied verbatim in every account the module handles, so it decides who can assume the role organization-wide: scope its principals tightly and avoid wildcard principals.

This module uses CloudWatch Events (now Amazon EventBridge) to detect when new accounts are created in or invited to an AWS Organization, and triggers the Lambda function, which assumes the role named by assume_role_name in the new account and creates the IAM role there.
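The following is an added example, not the module's own Lambda code, of the core of such a handler: it derives the AWS-managed policy ARN from the partition (the module reads it from the aws_partition.current data source), validates the trust policy before it is applied, pulls the new account id out of the Organizations event, and creates the role through an injectable IAM client so the logic runs offline. The event field paths, the environment variable names and the use of boto3 in lambda_handler are assumptions made for this example.

```python
"""Added example (not the module's own code): new-account -> IAM role handler core."""
import json
import logging
import os

LOG = logging.getLogger("new_account_iam_role")


def _as_list(value):
    """Normalise a policy element that may be a string or a list."""
    return [value] if isinstance(value, str) else list(value or [])


def managed_policy_arn(partition: str, policy_name: str) -> str:
    """ARN of an AWS-managed policy. The partition (aws, aws-us-gov, aws-cn)
    is what data.aws_partition.current resolves to in the Terraform config."""
    if not policy_name or "/" in policy_name or ":" in policy_name:
        raise ValueError("role_permission_policy must be a bare AWS-managed policy name")
    return f"arn:{partition}:iam::aws:policy/{policy_name}"


def validate_trust_policy(trust_policy_json: str) -> dict:
    """Parse trust_policy_json and reject the obvious footguns before the
    role is created in the child account: any-principal and wildcard actions."""
    doc = json.loads(trust_policy_json)
    statements = _as_list(doc.get("Statement")) if not isinstance(doc.get("Statement"), dict) \
        else [doc["Statement"]]
    if not statements:
        raise ValueError("trust policy has no Statement")
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            raise ValueError("trust policy allows any principal to assume the role")
        if isinstance(principal, dict):
            for members in principal.values():
                if "*" in _as_list(members):
                    raise ValueError("trust policy allows any principal to assume the role")
        actions = _as_list(stmt.get("Action"))
        if "*" in actions or "sts:*" in actions:
            raise ValueError("trust policy must name sts:AssumeRole explicitly, not a wildcard")
    return doc


def account_id_from_event(event: dict) -> str:
    """Extract the new account id from an Organizations event.
    Assumed shapes: CreateAccountResult carries it under
    serviceEventDetails.createAccountStatus.accountId, an invitation under
    requestParameters.target.id."""
    detail = event.get("detail", {})
    name = detail.get("eventName")
    if name == "CreateAccountResult":
        status = detail["serviceEventDetails"]["createAccountStatus"]
        if status.get("state") != "SUCCEEDED":
            raise ValueError(f"account creation did not succeed: {status.get('state')}")
        return status["accountId"]
    if name == "InviteAccountToOrganization":
        return detail["requestParameters"]["target"]["id"]
    raise ValueError(f"unhandled event: {name}")


def create_role_in_account(iam, role_name: str, trust_policy_json: str, policy_arn: str) -> str:
    """iam is any object exposing create_role/attach_role_policy: a boto3 IAM
    client holding the assumed-role credentials for the target account, or a
    stub in tests. Returns the created role name."""
    doc = validate_trust_policy(trust_policy_json)
    iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(doc))
    iam.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
    LOG.info("created role %s with %s", role_name, policy_arn)
    return role_name


def lambda_handler(event, context):
    """Entry point when deployed; wires the pieces above to boto3.
    Environment variable names are assumptions of this example."""
    import boto3  # imported lazily so the functions above run without it

    logging.getLogger().setLevel(os.environ.get("LOG_LEVEL", "info").upper())
    account_id = account_id_from_event(event)
    partition = boto3.client("sts").get_caller_identity()["Arn"].split(":")[1]
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:{partition}:iam::{account_id}:role/{os.environ['ASSUME_ROLE_NAME']}",
        RoleSessionName="new-account-iam-role",
    )["Credentials"]
    iam = boto3.client(
        "iam",
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    return create_role_in_account(
        iam,
        os.environ["ROLE_NAME"],
        os.environ["TRUST_POLICY_JSON"],
        managed_policy_arn(partition, os.environ["PERMISSION_POLICY"]),
    )
```

The validation deliberately runs before any API call: a role that already exists with a permissive trust policy in dozens of child accounts is much harder to clean up than a failed Lambda invocation, and the module inputs give no other place to catch a bad trust_policy_json.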

Testing

To set up and run tests against the Terraform configuration:

# Start up LocalStack, a mock AWS stack:
make localstack/up

# Run the tests:
make terraform/pytest

# Shut down LocalStack and clean up docker images:
make localstack/clean

Requirements

Name       Version
terraform  >= 0.12

Providers

Name    Version
aws     n/a
random  n/a

Resources

Name                            Type
aws_iam_policy_document.lambda  data source
aws_partition.current           data source

Inputs

Name                    Type         Default  Required  Description
assume_role_name        string       n/a      yes       Name of the IAM role to assume in the target account (case sensitive)
role_name               string       n/a      yes       Name of the IAM role to create in the target account (case sensitive)
role_permission_policy  string       n/a      yes       AWS-managed permission policy name to attach to the role (case sensitive)
trust_policy_json       string       n/a      yes       JSON-formatted string containing the role trust policy
log_level               string       "info"   no        Log level of the Lambda output, one of: debug, info, warning, error, critical
tags                    map(string)  {}       no        Tags that are passed to resources

Outputs

Name                          Description
aws_cloudwatch_event_rule     The CloudWatch event rule object
aws_cloudwatch_event_target   The CloudWatch event target object
aws_lambda_permission_events  The Lambda permission object for CloudWatch event triggers
lambda                        The Lambda module object