The iam-connector module provisions an IAM role that the AWS IAM Strategy can use to escalate or de-escalate users via AWS IAM groups.

This Connector will provision a single IAM role for the Sym Runtime to use with a Strategy. Only the supplied `runtime_role_arns` are trusted to assume this role.

```hcl
module "iam_connector" {
  source  = "symopsio/iam-connector/aws"
  version = ">= 1.0.0"

  environment       = "sandbox"
  runtime_role_arns = [var.runtime_role_arn]
}
```
By default, the IAM connector can only modify groups that are within the `/sym/` path. You can configure the connector to access other groups by changing the `group_config` setting. Both the `path` and `name` of each entry may contain wildcards:

```hcl
group_config = [
  { path = "/", name = "EscalationGroups*" },
  { path = "/other-path/", name = "BreakGlass*" }
]
```
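To see which groups a given `group_config` puts in scope before applying it, the following added Python script (not part of the iam-connector module) builds the IAM group ARN patterns each entry implies and evaluates them with IAM-style wildcards against constructed sample groups. It assumes the module expresses each entry as a resource ARN of the standard form `arn:aws:iam::<account>:group<path><name>`, and that the documented default is the `/sym/` path with a `*` name; the account id and group names are constructed.

```python
"""Audit the group scope of an iam-connector group_config (added example)."""
import re

ACCOUNT = "123456789012"  # constructed sample account id

# Documented default: groups under the /sym/ path. The "*" name is an assumption.
DEFAULT_GROUP_CONFIG = [{"path": "/sym/", "name": "*"}]

# The override shown in the README above.
CUSTOM_GROUP_CONFIG = [
    {"path": "/", "name": "EscalationGroups*"},
    {"path": "/other-path/", "name": "BreakGlass*"},
]

# Constructed sample groups. Note the nested path under /sym/ and the
# /symlink/ group, which shares a prefix with /sym/ but is not under it.
SAMPLE_GROUPS = [
    f"arn:aws:iam::{ACCOUNT}:group/sym/Developers",
    f"arn:aws:iam::{ACCOUNT}:group/sym/prod/Admins",
    f"arn:aws:iam::{ACCOUNT}:group/EscalationGroupsProd",
    f"arn:aws:iam::{ACCOUNT}:group/other-path/BreakGlass-db",
    f"arn:aws:iam::{ACCOUNT}:group/symlink/Developers",
    f"arn:aws:iam::{ACCOUNT}:group/Administrators",
]


def resource_patterns(group_config, account=ACCOUNT):
    """ARN pattern per entry: IAM group ARNs embed the path between 'group' and the name."""
    return [f"arn:aws:iam::{account}:group{g['path']}{g['name']}" for g in group_config]


def _iam_glob_to_regex(pattern):
    """IAM wildcards: '*' is any run of characters (including '/'), '?' is one character."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$")


def in_scope(group_arn, group_config, account=ACCOUNT):
    """True if some entry's pattern matches the group, i.e. the connector could modify it."""
    return any(_iam_glob_to_regex(p).match(group_arn) for p in resource_patterns(group_config, account))


def audit(group_config, group_arns, account=ACCOUNT):
    """Split groups into those the connector could modify and those it could not."""
    allowed = [a for a in group_arns if in_scope(a, group_config, account)]
    return allowed, [a for a in group_arns if a not in allowed]


if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_GROUP_CONFIG), ("custom", CUSTOM_GROUP_CONFIG)):
        allowed, denied = audit(cfg, SAMPLE_GROUPS)
        print(f"{label}: allowed={allowed}\n{label}: denied={denied}")
```

Because `*` also matches `/`, a `/sym/` entry covers nested paths such as `/sym/prod/`, and an entry of `{ path = "/", name = "*" }` covers every group in the account.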
## Requirements

| Name | Version |
|---|---|
| terraform | >= 0.13.7 |
| aws | >= 3.0 |

## Providers

| Name | Version |
|---|---|
| aws | >= 3.0 |

## Modules

No modules.

## Resources

| Name | Type |
|---|---|
| aws_iam_policy.iam | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy_attachment.iam | resource |
| aws_caller_identity.current | data source |
| aws_region.current | data source |

## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| environment | An environment qualifier for the resources this module creates, to support a Terraform SDLC. | string | n/a | yes |
| group_config | List of group resources the connector can modify. Each group resource is an object that contains a path and a name property. Both the path and name can contain wildcards. | list(object({ path = string, name = string })) | groups under the `/sym/` path (see above) | no |
| runtime_role_arns | ARNs of the runtime connector roles that are trusted to assume the IAM role. | list(string) | n/a | yes |
| tags | Additional tags to apply to resources. | map(string) | {} | no |

## Outputs

| Name | Description |
|---|---|
| settings | A map of settings to supply to a Sym Permission Context. |