terraform-aws-org-new-account-iam-role

A Terraform module to bootstrap the creation of an IAM Role in an AWS Account when new accounts are created within AWS Organizations.

This module creates a new IAM role, attaches an AWS-managed permission policy, and sets the trust policy to the provided JSON-formatted string.

This module uses CloudWatch Events to identify when new accounts are created in or invited to an AWS Organization, and triggers a Lambda function that assumes the role named by `assume_role_name` in the new account and creates the IAM role there.
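The two steps that Lambda performs, as an added illustration rather than the module's own code: read the target account ID from the Organizations CloudTrail event (refusing failed creations and non-Organizations events), then create the role and attach the managed policy through an IAM client. The event field paths and the injected `iam` client (a boto3 IAM client scoped to the target account by the caller) are assumptions, and the sample event is constructed.

```python
"""Core steps of the account-bootstrap Lambda, with the AWS client injected so
the logic runs offline. Event paths follow CloudTrail's CreateAccountResult and
InviteAccountToOrganization records (assumption, not taken from the module)."""
import json

# Constructed sample of the event the CloudWatch rule forwards to the Lambda.
SAMPLE_EVENT = {
    "detail": {
        "eventSource": "organizations.amazonaws.com",
        "eventName": "CreateAccountResult",
        "serviceEventDetails": {
            "createAccountStatus": {"state": "SUCCEEDED", "accountId": "111122223333"}
        },
    }
}


def get_account_id(event: dict) -> str:
    """Return the new account's ID, or raise if the event should not be acted on."""
    detail = event["detail"]
    if detail.get("eventSource") != "organizations.amazonaws.com":
        raise ValueError("not an AWS Organizations event")
    name = detail.get("eventName")
    if name == "CreateAccountResult":
        status = detail["serviceEventDetails"]["createAccountStatus"]
        if status["state"] != "SUCCEEDED":  # FAILED/IN_PROGRESS: no account to bootstrap
            raise ValueError(f"account creation {status['state']}: {status.get('failureReason')}")
        return status["accountId"]
    if name == "InviteAccountToOrganization":
        target = detail["requestParameters"]["target"]
        if target["type"] != "ACCOUNT":  # invitations can also target an email address
            raise ValueError("invitation target is not an account ID")
        return target["id"]
    raise ValueError(f"unhandled event type: {name}")


def managed_policy_arn(partition: str, policy_name: str) -> str:
    """AWS-managed policies live in the 'aws' account of the current partition."""
    return f"arn:{partition}:iam::aws:policy/{policy_name}"


def create_role(iam, role_name: str, trust_policy_json: str, policy_name: str,
                partition: str = "aws") -> str:
    """Create the role with the given trust policy and attach the managed policy.
    `iam` is an IAM client already holding credentials for the target account."""
    json.loads(trust_policy_json)  # fail fast on a malformed trust policy
    iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=trust_policy_json)
    arn = managed_policy_arn(partition, policy_name)
    iam.attach_role_policy(RoleName=role_name, PolicyArn=arn)
    return arn
```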

Testing

To set up and run tests:

```shell
# Ensure the dependencies are installed on your system.
make python/deps
make pytest/deps

# Start up a mock AWS stack:
make mockstack/up

# Run unit tests:
make docker/run target=pytest/lambda/tests

# Run tests against the Terraform configuration:
make mockstack/pytest/lambda

# Shut down the mock AWS stack and clean up the docker image:
make mockstack/clean
```

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3 |
| aws | >= 4.9 |
| external | >= 1.0 |
| local | >= 1.0 |
| null | >= 2.0 |
| random | >= 3.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 4.9 |
| random | >= 3.0 |

Resources

| Name | Type |
|------|------|
| aws_iam_policy_document.lambda | data source |
| aws_partition.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| assume_role_name | Name of the IAM role to assume in the target account (case sensitive) | string | n/a | yes |
| role_name | Name of the IAM role to create in the target account (case sensitive) | string | n/a | yes |
| role_permission_policy | AWS-managed permission policy name to attach to the role (case sensitive) | string | n/a | yes |
| trust_policy_json | JSON-formatted string containing the role trust policy | string | n/a | yes |
| event_types | Event types that will trigger this lambda | set(string) | ["CreateAccountResult", "InviteAccountToOrganization"] | no |
| lambda | Map of any additional arguments for the upstream lambda module. See https://github.com/terraform-aws-modules/terraform-aws-lambda | object (see below) | {} | no |
| log_level | Log level of the lambda output, one of: debug, info, warning, error, critical | string | "info" | no |
| tags | Tags that are passed to resources | map(string) | {} | no |

The `lambda` input has the following object type; every attribute is optional, with defaults shown where they are set:

```hcl
object({
  artifacts_dir            = optional(string, "builds")
  create_package           = optional(bool, true)
  ephemeral_storage_size   = optional(number)
  ignore_source_code_hash  = optional(bool, true)
  local_existing_package   = optional(string)
  recreate_missing_package = optional(bool, false)
  runtime                  = optional(string, "python3.11")
  s3_bucket                = optional(string)
  s3_existing_package      = optional(map(string))
  s3_prefix                = optional(string)
  store_on_s3              = optional(bool, false)
})
```

Outputs

| Name | Description |
|------|-------------|
| aws_cloudwatch_event_rule | The CloudWatch event rule object |
| aws_cloudwatch_event_target | The CloudWatch event target object |
| aws_lambda_permission_events | The Lambda permission object for CloudWatch event triggers |
| lambda | The Lambda module object |