### Terragrunt Example: Managing Multiple S3 Buckets Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/wrappers/iam-user/README.md A Terragrunt configuration example demonstrating the management of multiple S3 buckets using the IAM user wrapper. It specifies default bucket policies and individual bucket configurations. Note that apart from the `terraform.source`, the `defaults` and `items` shown here (`bucket`, the `attach_*_policy` flags) are S3 bucket module arguments rather than inputs of the `iam-user` module; the other Terragrunt wrapper sections on this page (`create`, `tags`, "can be any argument supported by the module") show the intended shape, and the same applies to the other "Managing Multiple S3 Buckets" sections below. ```hcl terraform { source = "tfr:///terraform-aws-modules/iam/aws//wrappers/iam-user" # Alternative source: # source = "git::git@github.com:terraform-aws-modules/terraform-aws-iam.git//wrappers/iam-user?ref=master" } inputs = { defaults = { force_destroy = true attach_elb_log_delivery_policy = true attach_lb_log_delivery_policy = true attach_deny_insecure_transport_policy = true attach_require_latest_tls_policy = true } items = { bucket1 = { bucket = "my-random-bucket-1" } bucket2 = { bucket = "my-random-bucket-2" tags = { Secure = "probably" } } } } ``` -------------------------------- ### Terragrunt Example: Managing Multiple S3 Buckets Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/wrappers/iam-account/README.md This example shows a Terragrunt configuration for managing multiple S3 buckets using the IAM account module wrapper. It sets specific default policies and defines two buckets with distinct configurations. 
```hcl terraform { source = "tfr:///terraform-aws-modules/iam/aws//wrappers/iam-account" # Alternative source: # source = "git::git@github.com:terraform-aws-modules/terraform-aws-iam.git//wrappers/iam-account?ref=master" } inputs = { defaults = { force_destroy = true attach_elb_log_delivery_policy = true attach_lb_log_delivery_policy = true attach_deny_insecure_transport_policy = true attach_require_latest_tls_policy = true } items = { bucket1 = { bucket = "my-random-bucket-1" } bucket2 = { bucket = "my-random-bucket-2" tags = { Secure = "probably" } } } } ``` -------------------------------- ### Terragrunt Example: Managing Multiple S3 Buckets Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/wrappers/iam-read-only-policy/README.md An example Terragrunt configuration for managing multiple S3 buckets using the IAM read-only policy wrapper. It sets default bucket configurations and defines two specific buckets with their configurations. ```hcl terraform { source = "tfr:///terraform-aws-modules/iam/aws//wrappers/iam-read-only-policy" # Alternative source: # source = "git::git@github.com:terraform-aws-modules/terraform-aws-iam.git//wrappers/iam-read-only-policy?ref=master" } inputs = { defaults = { force_destroy = true attach_elb_log_delivery_policy = true attach_lb_log_delivery_policy = true attach_deny_insecure_transport_policy = true attach_require_latest_tls_policy = true } items = { bucket1 = { bucket = "my-random-bucket-1" } bucket2 = { bucket = "my-random-bucket-2" tags = { Secure = "probably" } } } } ``` -------------------------------- ### Create Multiple IAM Roles using Wrapper Module Source: https://context7.com/terraform-aws-modules/terraform-aws-iam/llms.txt This example demonstrates using the `iam-role` wrapper module to create multiple IAM roles (e.g., 'admin', 'readonly') with shared defaults and specific trust policies and attached managed policies. Both roles trust `arn:aws:iam::123456789012:root`, which delegates the decision to that account: any principal there whose own IAM policy allows `sts:AssumeRole` on the role can assume it. For the `admin` role (AdministratorAccess) prefer naming the specific role or user ARNs that need it, as the v6.0 migration example on this page does with a `user/` ARN, instead of the account root. 
```hcl module "iam_roles" { source = "terraform-aws-modules/iam/aws//wrappers/iam-role" version = "~> 6.0" defaults = { use_name_prefix = false tags = { ManagedBy = "terraform" } } items = { admin = { name = "admin" trust_policy_permissions = { Trust = { actions = ["sts:AssumeRole"] principals = [{ type = "AWS", identifiers = ["arn:aws:iam::123456789012:root"] }] } } policies = { AdministratorAccess = "arn:aws:iam::aws:policy/AdministratorAccess" } } readonly = { name = "readonly" trust_policy_permissions = { Trust = { actions = ["sts:AssumeRole"] principals = [{ type = "AWS", identifiers = ["arn:aws:iam::123456789012:root"] }] } } policies = { ReadOnlyAccess = "arn:aws:iam::aws:policy/ReadOnlyAccess" } } } } ``` -------------------------------- ### Basic IAM Group Creation Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/modules/iam-group/README.md Example of creating an IAM group named 'superadmins' with specified users, self-management permissions, custom policies, and tags. ```hcl module "iam_group" { source = "terraform-aws-modules/iam/aws//modules/iam-group" name = "superadmins" users = [ "user1", "user2" ] enable_self_management_permissions = true permissions = { AssumeRole = { actions = ["sts:AssumeRole"] resources = ["arn:aws:iam::111111111111:role/admin"] } } policies = { AdministratorAccess = "arn:aws:iam::aws:policy/AdministratorAccess", } tags = { Terraform = "true" Environment = "dev" } } ``` -------------------------------- ### Manage Multiple S3 Buckets with Terragrunt Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/wrappers/iam-group/README.md Example demonstrating how to manage multiple S3 buckets using the IAM Group wrapper module in Terragrunt. This configuration sets specific policies and tags for different buckets. 
```hcl terraform { source = "tfr:///terraform-aws-modules/iam/aws//wrappers/iam-group" # Alternative source: # source = "git::git@github.com:terraform-aws-modules/terraform-aws-iam.git//wrappers/iam-group?ref=master" } inputs = { defaults = { force_destroy = true attach_elb_log_delivery_policy = true attach_lb_log_delivery_policy = true attach_deny_insecure_transport_policy = true attach_require_latest_tls_policy = true } items = { bucket1 = { bucket = "my-random-bucket-1" } bucket2 = { bucket = "my-random-bucket-2" tags = { Secure = "probably" } } } } ``` -------------------------------- ### IAM Role for EBS CSI Driver with EKS Integration Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/modules/iam-role-for-service-accounts/README.md This example demonstrates integrating the IRSA module with the `terraform-aws-eks` module to provision an IAM role for the EBS CSI driver. Ensure the EKS module is configured correctly to provide the `oidc_provider_arn`. ```hcl module "ebs_csi_driver_irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" name = "ebs-csi" attach_ebs_csi_policy = true oidc_providers = { this = { provider_arn = module.eks.oidc_provider_arn namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"] } } tags = { Terraform = "true" Environment = "dev" } } module "eks" { source = "terraform-aws-modules/eks/aws" version = "~> 21.0" name = "my-cluster" kubernetes_version = "1.33" vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.private_subnets addons = { coredns = {} aws-ebs-csi-driver = { service_account_role_arn = module.ebs_csi_driver_irsa.arn } kube-proxy = {} vpc-cni = { before_compute = true } } eks_managed_node_groups = { example = { ami_type = "AL2023_x86_64_STANDARD" instance_types = ["m5.xlarge"] min_size = 1 max_size = 2 desired_size = 1 } } } ``` -------------------------------- ### Terragrunt Example: Managing Multiple S3 Buckets Source: 
https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/wrappers/iam-policy/README.md This Terragrunt configuration manages multiple S3 buckets using the IAM policy wrapper. It sets default policies for buckets and defines specific configurations for `bucket1` and `bucket2`. ```hcl terraform { source = "tfr:///terraform-aws-modules/iam/aws//wrappers/iam-policy" # Alternative source: # source = "git::git@github.com:terraform-aws-modules/terraform-aws-iam.git//wrappers/iam-policy?ref=master" } inputs = { defaults = { force_destroy = true attach_elb_log_delivery_policy = true attach_lb_log_delivery_policy = true attach_deny_insecure_transport_policy = true attach_require_latest_tls_policy = true } items = { bucket1 = { bucket = "my-random-bucket-1" } bucket2 = { bucket = "my-random-bucket-2" tags = { Secure = "probably" } } } } ``` -------------------------------- ### Terragrunt Usage for IAM Role Wrapper Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/wrappers/iam-role/README.md Configure Terragrunt to manage multiple IAM roles using the wrapper module. This example shows how to define default values and specific configurations for each role. ```hcl terraform { source = "tfr:///terraform-aws-modules/iam/aws//wrappers/iam-role" # Alternative source: # source = "git::git@github.com:terraform-aws-modules/terraform-aws-iam.git//wrappers/iam-role?ref=master" } inputs = { defaults = { # Default values create = true tags = { Terraform = "true" Environment = "dev" } } items = { my-item = { # omitted... can be any argument supported by the module } my-second-item = { # omitted... can be any argument supported by the module } # omitted... 
} } ``` -------------------------------- ### Terragrunt Example: Managing Multiple S3 Buckets Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/wrappers/iam-oidc-provider/README.md This Terragrunt configuration manages multiple S3 buckets using the IAM OIDC provider wrapper module. It includes default settings for bucket policies and specific configurations for two buckets, bucket1 and bucket2. ```hcl terraform { source = "tfr:///terraform-aws-modules/iam/aws//wrappers/iam-oidc-provider" # Alternative source: # source = "git::git@github.com:terraform-aws-modules/terraform-aws-iam.git//wrappers/iam-oidc-provider?ref=master" } inputs = { defaults = { force_destroy = true attach_elb_log_delivery_policy = true attach_lb_log_delivery_policy = true attach_deny_insecure_transport_policy = true attach_require_latest_tls_policy = true } items = { bucket1 = { bucket = "my-random-bucket-1" } bucket2 = { bucket = "my-random-bucket-2" tags = { Secure = "probably" } } } } ``` -------------------------------- ### IAM Role - GitHub Enterprise Server OIDC Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/modules/iam-role/README.md Configure an IAM role for GitHub Enterprise Server OIDC. Requires specifying `oidc_audiences` and `oidc_provider_urls` (the input names used in the snippet) to match your GitHub Enterprise Server installation. Update `oidc_wildcard_subjects` for your organization and repository. ```hcl module "iam_role" { source = "terraform-aws-modules/iam/aws//modules/iam-role" enable_github_oidc = true oidc_audiences = ["https://mygithub.com/"] oidc_provider_urls = ["mygithub.com/_services/token"] # This should be updated to suit your organization, repository, references/branches, etc. 
oidc_wildcard_subjects = ["/terraform-aws-iam:*"] policies = { S3ReadOnly = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" } tags = { Environment = "test" } } ``` -------------------------------- ### Terraform Initialization and Application Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/examples/iam-read-only-policy/README.md Run these commands to initialize your Terraform project, preview the changes, and apply them to create the resources. ```bash terraform init terraform plan terraform apply ``` -------------------------------- ### Create Bitbucket OIDC Provider Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/modules/iam-oidc-provider/README.md This configuration creates an IAM OIDC provider for Bitbucket. Replace 'example-workspace' with your actual Bitbucket workspace ID. ```hcl module "iam_oidc_provider" { source = "terraform-aws-modules/iam/aws//modules/iam-oidc-provider" url = "https://api.bitbucket.org/2.0/workspaces/example-workspace/pipelines-config/identity/oidc" tags = { Environment = "test" } } ``` -------------------------------- ### Instantiate IAM Account Module Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/modules/iam-account/README.md Use this snippet to configure the IAM account alias and password policy settings. Ensure all required inputs are provided. 
```hcl module "iam_account" { source = "terraform-aws-modules/iam/aws//modules/iam-account" account_alias = "awesome-company" max_password_age = 90 minimum_password_length = 24 require_uppercase_characters = true require_lowercase_characters = true require_numbers = true require_symbols = true password_reuse_prevention = 3 allow_users_to_change_password = true } ``` -------------------------------- ### Terragrunt Usage for IAM Role for Service Accounts Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/wrappers/iam-role-for-service-accounts/README.md Configure Terragrunt to use the IAM Role for Service Accounts wrapper module. This example shows how to define default input values and specific items. ```hcl terraform { source = "tfr:///terraform-aws-modules/iam/aws//wrappers/iam-role-for-service-accounts" # Alternative source: # source = "git::git@github.com:terraform-aws-modules/terraform-aws-iam.git//wrappers/iam-role-for-service-accounts?ref=master" } inputs = { defaults = { # Default values create = true tags = { Terraform = "true" Environment = "dev" } } items = { my-item = { # omitted... can be any argument supported by the module } my-second-item = { # omitted... can be any argument supported by the module } # omitted... } } ``` -------------------------------- ### Create an IAM Policy Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/modules/iam-policy/README.md Use this snippet to create a new IAM policy with a name prefix, path, description, policy document, and tags. Ensure the policy JSON is correctly formatted. 
```hcl module "iam_policy" { source = "terraform-aws-modules/iam/aws//modules/iam-policy" name_prefix = "example-" path = "/" description = "My example policy" policy = <<-EOF { "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:Describe*" ], "Effect": "Allow", "Resource": "*" } ] } EOF tags = { Environment = "test" } } ``` -------------------------------- ### Create IAM Account Policy and Alias Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/README.md Use this snippet to create an account policy and alias. This module should be instantiated once per account. ```hcl module "iam_account" { source = "terraform-aws-modules/iam/aws//modules/iam-account" account_alias = "awesome-company" max_password_age = 90 minimum_password_length = 24 require_uppercase_characters = true require_lowercase_characters = true require_numbers = true require_symbols = true password_reuse_prevention = 3 allow_users_to_change_password = true } ``` -------------------------------- ### Create Custom OIDC Provider (CircleCI) Source: https://context7.com/terraform-aws-modules/terraform-aws-iam/llms.txt Creates a custom IAM OIDC provider, demonstrated with CircleCI. Requires specifying the URL and client ID list. ```hcl module "circleci_oidc_provider" { source = "terraform-aws-modules/iam/aws//modules/iam-oidc-provider" version = "~> 6.0" url = "https://oidc.circleci.com/org/" client_id_list = [""] tags = { Environment = "shared" } } ``` -------------------------------- ### Set up SAML 2.0 Federated Role Source: https://context7.com/terraform-aws-modules/terraform-aws-iam/llms.txt This snippet demonstrates how to create an IAM role trusted by a SAML 2.0 provider, such as Okta. Ensure the SAML metadata document is correctly referenced. 
```hcl resource "aws_iam_saml_provider" "okta" { name = "okta-saml" saml_metadata_document = file("okta-metadata.xml") } module "iam_role_saml" { source = "terraform-aws-modules/iam/aws//modules/iam-role" version = "~> 6.0" name = "okta-readonly" enable_saml = true saml_provider_ids = [aws_iam_saml_provider.okta.id] policies = { ReadOnlyAccess = "arn:aws:iam::aws:policy/ReadOnlyAccess" } } ``` -------------------------------- ### Create GitHub OIDC Provider Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/modules/iam-oidc-provider/README.md Use this snippet to create an IAM OIDC provider for GitHub Actions. Ensure the URL is correct for your GitHub repository. ```hcl module "iam_oidc_provider" { source = "terraform-aws-modules/iam/aws//modules/iam-oidc-provider" url = "https://token.actions.githubusercontent.com" tags = { Environment = "test" } } ``` -------------------------------- ### Terraform Configuration for IAM Account Wrapper Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/wrappers/iam-account/README.md This Terraform configuration demonstrates how to use the IAM account module wrapper. It specifies default input values and individual resource configurations within the `items` map. ```hcl module "wrapper" { source = "terraform-aws-modules/iam/aws//wrappers/iam-account" defaults = { # Default values create = true tags = { Terraform = "true" Environment = "dev" } } items = { my-item = { # omitted... can be any argument supported by the module } my-second-item = { # omitted... can be any argument supported by the module } # omitted... } } ``` -------------------------------- ### Create IAM User with Login Profile and Keys Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/README.md This snippet creates an IAM user, optionally with the ability to create a login profile, access key, and SSH key. It supports PGP encryption for keys. 
```hcl module "iam_user" { source = "terraform-aws-modules/iam/aws//modules/iam-user" name = "vasya.pupkin" force_destroy = true pgp_key = "keybase:test" password_reset_required = false tags = { Terraform = "true" Environment = "dev" } } ``` -------------------------------- ### Create IAM Service User with Access Key and Inline Policy Source: https://context7.com/terraform-aws-modules/terraform-aws-iam/llms.txt Use this snippet to create an IAM user with programmatic access keys and an inline policy for specific ECR permissions. Ensure the module version is compatible. `ecr:GetAuthorizationToken` does not support resource-level permissions and needs `"*"`, but the repository-level actions in the same statement (`BatchCheckLayerAvailability`, `PutImage`, `InitiateLayerUpload`, `UploadLayerPart`, `CompleteLayerUpload`) accept repository ARNs, so moving them into a second statement scoped to the target repositories limits what a leaked `ci-deploy` key can push to. Where the CI system can federate (see the GitHub, Bitbucket and CircleCI OIDC provider examples on this page), a role created with the `iam-role` module gives short-lived credentials and avoids a long-lived access key altogether. ```hcl module "iam_service_user" { source = "terraform-aws-modules/iam/aws//modules/iam-user" version = "~> 6.0" name = "ci-deploy" create_login_profile = false create_access_key = true create_inline_policy = true inline_policy_permissions = { ECRPush = { effect = "Allow" actions = ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload"] resources = ["*"] } } } ``` -------------------------------- ### Basic IAM Role for Service Account Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/modules/iam-role-for-service-accounts/README.md Use this snippet to create a basic IAM role for a service account. Configure the `name` and `oidc_providers` to match your environment. 
```hcl module "irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" name = "my-app" oidc_providers = { one = { provider_arn = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D" namespace_service_accounts = ["default:my-app-staging", "canary:my-app-staging"] } two = { provider_arn = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.ap-southeast-1.amazonaws.com/id/5C54DDF35ER54476848E7333374FF09G" namespace_service_accounts = ["default:my-app-staging"] } } policies = { policy = "arn:aws:iam::012345678901:policy/myapp" } } ``` -------------------------------- ### Terraform Usage for IAM User Wrapper Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/wrappers/iam-user/README.md Illustrates how to use the IAM user wrapper module in a standard Terraform configuration. It defines default input values and specific items for managing IAM users. ```hcl module "wrapper" { source = "terraform-aws-modules/iam/aws//wrappers/iam-user" defaults = { # Default values create = true tags = { Terraform = "true" Environment = "dev" } } items = { my-item = { # omitted... can be any argument supported by the module } my-second-item = { # omitted... can be any argument supported by the module } # omitted... } } ``` -------------------------------- ### Terraform Configuration for IAM Policy Wrapper Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/wrappers/iam-policy/README.md This Terraform configuration demonstrates how to use the IAM policy module wrapper. It defines default input values and a map of items for creating multiple IAM policies. ```hcl module "wrapper" { source = "terraform-aws-modules/iam/aws//wrappers/iam-policy" defaults = { # Default values create = true tags = { Terraform = "true" Environment = "dev" } } items = { my-item = { # omitted... can be any argument supported by the module } my-second-item = { # omitted... 
can be any argument supported by the module } # omitted... } } ``` -------------------------------- ### Migrate Assumable Roles with SAML to New IAM Role Module (v6.0) Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/docs/UPGRADE-6.0.md Before v5.60, `iam-assumable-roles-with-saml` module was used. After v6.0, use the `iam-role` module with `enable_saml` and `saml_provider_ids`. ```hcl module "iam_assumable_roles" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-roles-with-saml" version = "~> 5.60" create_admin_role = true create_poweruser_role = true poweruser_role_name = "developer" provider_id = aws_iam_saml_provider.idp_saml.id provider_ids = [aws_iam_saml_provider.idp_saml.id, aws_iam_saml_provider.second_idp_saml.id] } resource "aws_iam_saml_provider" "idp_saml" { name = "idp_saml" saml_metadata_document = file("saml-metadata.xml") } resource "aws_iam_saml_provider" "second_idp_saml" { name = "second_idp_saml" saml_metadata_document = file("saml-metadata.xml") } ``` ```hcl module "iam_role_admin" { source = "terraform-aws-modules/iam/aws//modules/iam-role" version = "~> 6.0" name = "admin" enable_saml = true saml_provider_ids = [ aws_iam_saml_provider.idp_saml.id, aws_iam_saml_provider.second_idp_saml.id ] policies = { AdministratorAccess = "arn:aws:iam::aws:policy/AdministratorAccess" } } module "iam_role_poweruser" { source = "terraform-aws-modules/iam/aws//modules/iam-role" version = "~> 6.0" name = "poweruser" enable_saml = true saml_provider_ids = [ aws_iam_saml_provider.idp_saml.id, aws_iam_saml_provider.second_idp_saml.id ] policies = { PowerUserAccess = "arn:aws:iam::aws:policy/PowerUserAccess" } } ``` -------------------------------- ### Terragrunt Usage for IAM User Wrapper Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/wrappers/iam-user/README.md Demonstrates how to configure the IAM user wrapper module within a Terragrunt `terragrunt.hcl` file. 
It shows the structure for defining default input values and specific items. ```hcl terraform { source = "tfr:///terraform-aws-modules/iam/aws//wrappers/iam-user" # Alternative source: # source = "git::git@github.com:terraform-aws-modules/terraform-aws-iam.git//wrappers/iam-user?ref=master" } inputs = { defaults = { # Default values create = true tags = { Terraform = "true" Environment = "dev" } } items = { my-item = { # omitted... can be any argument supported by the module } my-second-item = { # omitted... can be any argument supported by the module } # omitted... } } ``` -------------------------------- ### Create IAM User with PGP-Encrypted Credentials and Access Key Source: https://context7.com/terraform-aws-modules/terraform-aws-iam/llms.txt Creates an IAM user with a console login profile, programmatic access key, and SSH key. Both password and access key are PGP-encrypted. Password reset is enforced. ```hcl # Full-featured user with PGP-encrypted credentials module "iam_user_pgp" { source = "terraform-aws-modules/iam/aws//modules/iam-user" version = "~> 6.0" name = "jane.doe" force_destroy = true # Login profile — password encrypted with PGP create_login_profile = true pgp_key = "keybase:janedoe" password_reset_required = true password_length = 20 # Programmatic access key (also PGP-encrypted) create_access_key = true # SSH key for CodeCommit etc. create_ssh_key = true ssh_public_key = "ssh-rsa AAAA...your-public-key..." policies = { ReadOnlyAccess = "arn:aws:iam::aws:policy/ReadOnlyAccess" } tags = { Department = "engineering" } } ``` -------------------------------- ### Create IAM Policy from JSON Source: https://context7.com/terraform-aws-modules/terraform-aws-iam/llms.txt Creates an IAM managed policy from a raw JSON string using jsonencode. Ensure the policy document is valid JSON. 
```hcl # From a JSON heredoc module "iam_policy" { source = "terraform-aws-modules/iam/aws//modules/iam-policy" version = "~> 6.0" name = "ec2-describe" path = "/" description = "Allow EC2 Describe operations" policy = jsonencode({ Version = "2012-10-17" Statement = [{ Sid = "AllowEC2Describe" Effect = "Allow" Action = ["ec2:Describe*"] Resource = "*" }] }) tags = { Team = "infra" } } ``` -------------------------------- ### Terraform Configuration for IAM OIDC Provider Wrapper Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/wrappers/iam-oidc-provider/README.md This Terraform configuration demonstrates how to use the IAM OIDC provider wrapper module. It defines the module source and input variables, including default values and specific configurations for multiple items. ```hcl module "wrapper" { source = "terraform-aws-modules/iam/aws//wrappers/iam-oidc-provider" defaults = { # Default values create = true tags = { Terraform = "true" Environment = "dev" } } items = { my-item = { # omitted... can be any argument supported by the module } my-second-item = { # omitted... can be any argument supported by the module } # omitted... } } ``` -------------------------------- ### Create IAM Group with Users and Policies Source: https://context7.com/terraform-aws-modules/terraform-aws-iam/llms.txt This module creates an IAM group, adds specified users, and attaches both inline custom policies and managed policies. It supports self-management permissions and MFA enforcement for group members. 
```hcl module "iam_group" { source = "terraform-aws-modules/iam/aws//modules/iam-group" version = "~> 6.0" name = "platform-engineers" users = ["alice", "bob", "carol"] # Built-in self-service and MFA enforcement enable_self_management_permissions = true enable_mfa_enforcement = true # Custom inline policy statements permissions = { AssumeDevRole = { effect = "Allow" actions = ["sts:AssumeRole"] resources = ["arn:aws:iam::111111111111:role/dev-admin"] } ReadSecrets = { effect = "Allow" actions = ["secretsmanager:GetSecretValue"] resources = ["arn:aws:secretsmanager:eu-west-1:111111111111:secret:dev/*"] condition = [{ test = "StringEquals" variable = "aws:RequestedRegion" values = ["eu-west-1"] }] } } # Attach additional managed policies policies = { ReadOnlyAccess = "arn:aws:iam::aws:policy/ReadOnlyAccess" } tags = { Environment = "dev" } } output "group_arn" { value = module.iam_group.arn } output "group_policy" { value = module.iam_group.policy_arn } # module.iam_group.users => ["alice", "bob", "carol"] ``` -------------------------------- ### Terragrunt Configuration for IAM Account Wrapper Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/wrappers/iam-account/README.md Use this configuration in your `terragrunt.hcl` file to manage IAM account resources. It defines default input values and specific items to be configured. ```hcl terraform { source = "tfr:///terraform-aws-modules/iam/aws//wrappers/iam-account" # Alternative source: # source = "git::git@github.com:terraform-aws-modules/terraform-aws-iam.git//wrappers/iam-account?ref=master" } inputs = { defaults = { # Default values create = true tags = { Terraform = "true" Environment = "dev" } } items = { my-item = { # omitted... can be any argument supported by the module } my-second-item = { # omitted... can be any argument supported by the module } # omitted... 
} } ``` -------------------------------- ### Create IAM Role for GitHub OIDC Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/README.md This snippet creates an IAM role that trusts an OpenID connect provider, specifically configured for GitHub OIDC. It allows specifying wildcard subjects for trust and attaching policies like S3ReadOnly. ```hcl module "iam_role_github_oidc" { source = "terraform-aws-modules/iam/aws//modules/iam-role" enable_github_oidc = true # This should be updated to suit your organization, repository, references/branches, etc. oidc_wildcard_subjects = ["terraform-aws-modules/terraform-aws-iam:*"] policies = { S3ReadOnly = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" } tags = { Terraform = "true" Environment = "dev" } } ``` -------------------------------- ### Create IAM Policy Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/README.md This snippet defines and creates a custom IAM policy with specified actions, effects, and resources. It includes a description and tags for organization. ```hcl module "iam_policy" { source = "terraform-aws-modules/iam/aws//modules/iam-policy" name = "example" path = "/" description = "My example policy" policy = <<-EOF { "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:Describe*" ], "Effect": "Allow", "Resource": "*" } ] } EOF tags = { Terraform = "true" Environment = "dev" } } ``` -------------------------------- ### Create IAM Role for EKS Service Accounts with Custom Permissions Source: https://context7.com/terraform-aws-modules/terraform-aws-iam/llms.txt Creates an IAM role with custom permissions defined in the `permissions` block, alongside OIDC provider configuration for service account assumption. 
```hcl module "custom_irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" version = "~> 6.0" name = "my-app" permissions = { S3ReadWrite = { effect = "Allow" actions = ["s3:GetObject", "s3:PutObject"] resources = ["arn:aws:s3:::my-app-data/*"] } } oidc_providers = { main = { provider_arn = module.eks.oidc_provider_arn namespace_service_accounts = ["default:my-app-sa"] } } } ``` -------------------------------- ### Create IAM Policy from Data Source Source: https://context7.com/terraform-aws-modules/terraform-aws-iam/llms.txt Creates an IAM managed policy using an `aws_iam_policy_document` data source. This is useful for more complex policy definitions. ```hcl # From an aws_iam_policy_document data source data "aws_iam_policy_document" "s3" { statement { sid = "AllowS3List" actions = ["s3:ListAllMyBuckets"] resources = ["*"] } } module "s3_list_policy" { source = "terraform-aws-modules/iam/aws//modules/iam-policy" version = "~> 6.0" name = "s3-list" policy = data.aws_iam_policy_document.s3.json } ``` -------------------------------- ### Create IAM OIDC Provider Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/README.md Use this to create an OpenID connect provider, which is useful for trusting external identity providers like GitHub or Bitbucket. An IAM provider is unique per account and URL. ```hcl module "iam_oidc_provider" { source = "terraform-aws-modules/iam/aws//modules/iam-oidc-provider" url = "https://token.actions.githubusercontent.com" tags = { Terraform = "true" Environment = "dev" } } ``` -------------------------------- ### Output IAM Role ARNs Source: https://context7.com/terraform-aws-modules/terraform-aws-iam/llms.txt This output provides a map of the ARNs for all IAM roles created using the wrapper module. 
```hcl output "role_arns" { value = { for k, v in module.iam_roles.wrapper : k => v.arn } } ``` -------------------------------- ### Create GitHub Actions OIDC Provider Source: https://context7.com/terraform-aws-modules/terraform-aws-iam/llms.txt Creates an IAM OIDC provider for GitHub Actions. The URL defaults to the GitHub Actions token endpoint. ```hcl module "github_oidc_provider" { source = "terraform-aws-modules/iam/aws//modules/iam-oidc-provider" version = "~> 6.0" # url defaults to https://token.actions.githubusercontent.com tags = { Environment = "shared" } } ``` -------------------------------- ### Create IAM Role for EKS Service Accounts (VPC CNI) Source: https://context7.com/terraform-aws-modules/terraform-aws-iam/llms.txt Creates an IAM role for the VPC CNI add-on, enabling IPv4 support. Requires an OIDC provider configured for the EKS cluster. ```hcl module "vpc_cni_irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" version = "~> 6.0" name = "vpc-cni" attach_vpc_cni_policy = true vpc_cni_enable_ipv4 = true oidc_providers = { main = { provider_arn = module.eks.oidc_provider_arn namespace_service_accounts = ["kube-system:aws-node"] } } tags = { Addon = "vpc-cni" } } ``` -------------------------------- ### IAM Role - GitHub Free, Pro, & Team OIDC Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/modules/iam-role/README.md Configure an IAM role for GitHub OIDC, suitable for GitHub Free, Pro, & Team. Use with the official AWS GitHub action. Update `oidc_wildcard_subjects` to match your organization and repository. ```hcl module "iam_role" { source = "terraform-aws-modules/iam/aws//modules/iam-role" enable_github_oidc = true # This should be updated to suit your organization, repository, references/branches, etc. 
oidc_wildcard_subjects = ["terraform-aws-modules/terraform-aws-iam:*"] policies = { S3ReadOnly = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" } tags = { Environment = "test" } } ``` -------------------------------- ### Migrate Assumable Roles to New IAM Role Module (v6.0) Source: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/docs/UPGRADE-6.0.md Before v5.60, `iam-assumable-roles` module was used. After v6.0, use the `iam-role` module with updated trust policy configurations. ```hcl module "iam_assumable_roles" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-roles" version = "~> 5.60" trusted_role_arns = [ "arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/anton", ] trusted_role_services = [ "codedeploy.amazonaws.com" ] create_admin_role = true create_poweruser_role = true poweruser_role_name = "Billing-And-Support-Access" poweruser_role_policy_arns = [ "arn:aws:iam::aws:policy/job-function/Billing", "arn:aws:iam::aws:policy/AWSSupportAccess", ] } ``` ```hcl module "iam_role_admin" { source = "terraform-aws-modules/iam/aws//modules/iam-role" version = "~> 6.0" name = "admin" trust_policy_permissions = { TrustRoleAndServiceToAssume = { actions = [ "sts:AssumeRole", "sts:TagSession", ] principals = [ { type = "AWS" identifiers = [ "arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/anton", ] }, { type = "Service" identifiers = ["codedeploy.amazonaws.com"] } ] } } policies = { AdministratorAccess = "arn:aws:iam::aws:policy/AdministratorAccess" } } module "iam_role_poweruser" { source = "terraform-aws-modules/iam/aws//modules/iam-role" version = "~> 6.0" name = "Billing-And-Support-Access" trust_policy_permissions = { TrustRoleAndServiceToAssume = { actions = [ "sts:AssumeRole", "sts:TagSession", ] principals = [ { type = "AWS" identifiers = [ "arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/anton", ] }, { type = "Service" identifiers = ["codedeploy.amazonaws.com"] } ] } } 
policies = { PowerUserAccess = "arn:aws:iam::aws:policy/PowerUserAccess" Billing = "arn:aws:iam::aws:policy/job-function/Billing" AWSSupportAccess = "arn:aws:iam::aws:policy/AWSSupportAccess" } } ``` -------------------------------- ### Configure IAM Account Alias and Password Policy Source: https://context7.com/terraform-aws-modules/terraform-aws-iam/llms.txt Use this module to set the AWS account alias and enforce a global IAM password policy. Ensure this is instantiated only once per AWS account. ```hcl module "iam_account" { source = "terraform-aws-modules/iam/aws//modules/iam-account" version = "~> 6.0" account_alias = "my-company-prod" # Password policy create_account_password_policy = true minimum_password_length = 24 max_password_age = 90 password_reuse_prevention = 5 require_uppercase_characters = true require_lowercase_characters = true require_numbers = true require_symbols = true allow_users_to_change_password = true hard_expiry = false } # Output output "passwords_expire" { value = module.iam_account.iam_account_password_policy_expire_passwords # true when max_password_age > 0 } ```
