diff --git a/infrastructure/modules/iam/context.tf b/infrastructure/modules/iam/context.tf new file mode 100644 index 0000000..5eb0bc6 --- /dev/null +++ b/infrastructure/modules/iam/context.tf @@ -0,0 +1,365 @@ +# +# ONLY EDIT THIS FILE IN github.com/NHSDigital/screening-terraform-modules-aws/infrastructure/modules/tags +# All other instances of this file should be a copy of that one +# +# +# Copy this file from https://github.com/NHSDigital/screening-terraform-modules-aws/blob/master/infrastructure/modules/tags/exports/context.tf +# and then place it in your Terraform module to automatically get +# tag module standard configuration inputs suitable for passing +# to other modules. +# +# curl -sL https://raw.githubusercontent.com/NHSDigital/screening-terraform-modules-aws/master/infrastructure/modules/tags/exports/context.tf -o context.tf +# +# Modules should access the whole context as `module.this.context` +# to get the input variables with nulls for defaults, +# for example `context = module.this.context`, +# and access individual variables as `module.this.`, +# with final values filled in. +# +# For example, when using defaults, `module.this.context.delimiter` +# will be null, and `module.this.delimiter` will be `-` (hyphen). +# + +module "this" { + source = "git::https://github.com/NHSDigital/screening-terraform-modules-aws.git//infrastructure/modules/tags?ref=feature/BCSS-23189-add-new-modules-to-suppport-bcss" + + service = var.service + project = var.project + region = var.region + environment = var.environment + stack = var.stack + workspace = var.workspace + name = var.name + delimiter = var.delimiter + attributes = var.attributes + tags = var.tags + additional_tag_map = var.additional_tag_map + label_order = var.label_order + regex_replace_chars = var.regex_replace_chars + id_length_limit = var.id_length_limit + label_key_case = var.label_key_case + label_value_case = var.label_value_case + descriptor_formats = var.descriptor_formats + labels_as_tags = var.labels_as_tags + + context = var.context +} + +# Copy contents of screening-terraform-modules-aws/tags/variables.tf here +# tflint-ignore: terraform_unused_declarations +variable "aws_region" { + type = string + description = "The AWS region" + default = "eu-west-2" + validation { + condition = contains(["eu-west-1", "eu-west-2", "us-east-1"], var.aws_region) + error_message = "AWS Region must be one of eu-west-1, eu-west-2, us-east-1" + } +} + +variable "context" { + type = any + default = { + enabled = true + service = null + project = null + region = null + environment = null + stack = null + workspace = null + delimiter = null + attributes = [] + tags = {} + additional_tag_map = {} + regex_replace_chars = null + label_order = [] + id_length_limit = null + label_key_case = null + label_value_case = null + descriptor_formats = {} + # Note: we have to use [] instead of null for unset lists due to + # https://github.com/hashicorp/terraform/issues/28137 + # which was not fixed until Terraform 1.0.0, + # but we want the default to be all the labels in `label_order` + # and we want users to be able to prevent all tag generation + # by setting `labels_as_tags` to `[]`, so we need + # a different sentinel to indicate "default" + labels_as_tags = ["unset"] + } + description = <<-EOT + Single object for setting entire context at once. + See description of individual variables for details. + Leave string and numeric variables as `null` to use default value. + Individual variable settings (non-null) override settings in context object, + except for attributes, tags, and additional_tag_map, which are merged. + EOT + + validation { + condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"]) + error_message = "Allowed values: `lower`, `title`, `upper`." + } + + validation { + condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"]) + error_message = "Allowed values: `lower`, `title`, `upper`, `none`." + } +} + +variable "enabled" { + type = bool + default = null + description = "Set to false to prevent the module from creating any resources" +} + +variable "service" { + type = string + default = null + description = "ID element. Usually an abbreviation of your service directorate name, e.g. 'bcss' or 'csms', to help ensure generated IDs are globally unique" +} + +variable "region" { + type = string + default = null + description = "ID element _(Rarely used, not included by default)_. Usually an abbreviation of the selected AWS region e.g. 'uw2', 'ew2' or 'gbl' for resources like IAM roles that have no region" +} + +variable "project" { + type = string + default = null + description = "ID element. A project identifier, indicating the name or role of the project the resource is for, such as `website` or `api`" +} +variable "stack" { + type = string + default = null + description = "ID element. The name of the stack/component, e.g. `database`, `web`, `waf`, `eks`" +} +variable "workspace" { + type = string + default = null + description = "ID element. The Terraform workspace, to help ensure generated IDs are unique across workspaces" +} +variable "environment" { + type = string + default = null + description = "ID element. Usually used to indicate role, e.g. 'prd', 'dev', 'test', 'preprod', 'prod', 'uat'" +} + +variable "name" { + type = string + default = null + description = <<-EOT + ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'. + This is the only ID element not also included as a `tag`. + The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. + EOT +} + +variable "delimiter" { + type = string + default = null + description = <<-EOT + Delimiter to be used between ID elements. + Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. + EOT +} + +variable "attributes" { + type = list(string) + default = [] + description = <<-EOT + ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`, + in the order they appear in the list. New attributes are appended to the + end of the list. The elements of the list are joined by the `delimiter` + and treated as a single ID element. + EOT +} + +variable "labels_as_tags" { + type = set(string) + default = ["default"] + description = <<-EOT + Set of labels (ID elements) to include as tags in the `tags` output. + Default is to include all labels. + Tags with empty values will not be included in the `tags` output. + Set to `[]` to suppress all generated tags. + **Notes:** + The value of the `name` tag, if included, will be the `id`, not the `name`. + Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be + changed in later chained modules. Attempts to change it will be silently ignored. + EOT +} + +variable "tags" { + type = map(string) + default = {} + description = <<-EOT + Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`). + Neither the tag keys nor the tag values will be modified by this module. + EOT +} + +variable "additional_tag_map" { + type = map(string) + default = {} + description = <<-EOT + Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`. + This is for some rare cases where resources want additional configuration of tags + and therefore take a list of maps with tag key, value, and additional configuration. + EOT +} + +variable "label_order" { + type = list(string) + default = null + description = <<-EOT + The order in which the labels (ID elements) appear in the `id`. + Defaults to ["namespace", "environment", "stage", "name", "attributes"]. + You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. + EOT +} + +variable "regex_replace_chars" { + type = string + default = null + description = <<-EOT + Terraform regular expression (regex) string. + Characters matching the regex will be removed from the ID elements. + If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. + EOT +} + +variable "id_length_limit" { + type = number + default = null + description = <<-EOT + Limit `id` to this many characters (minimum 6). + Set to `0` for unlimited length. + Set to `null` for keep the existing setting, which defaults to `0`. + Does not affect `id_full`. + EOT + validation { + condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0 + error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length." + } +} + +variable "label_key_case" { + type = string + default = null + description = <<-EOT + Controls the letter case of the `tags` keys (label names) for tags generated by this module. + Does not affect keys of tags passed in via the `tags` input. + Possible values: `lower`, `title`, `upper`. + Default value: `title`. + EOT + + validation { + condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case) + error_message = "Allowed values: `lower`, `title`, `upper`." + } +} + +variable "label_value_case" { + type = string + default = null + description = <<-EOT + Controls the letter case of ID elements (labels) as included in `id`, + set as tag values, and output by this module individually. + Does not affect values of tags passed in via the `tags` input. + Possible values: `lower`, `title`, `upper` and `none` (no transformation). + Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs. + Default value: `lower`. + EOT + + validation { + condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case) + error_message = "Allowed values: `lower`, `title`, `upper`, `none`." + } +} + +variable "descriptor_formats" { + type = any + default = {} + description = <<-EOT + Describe additional descriptors to be output in the `descriptors` output map. + Map of maps. Keys are names of descriptors. Values are maps of the form + `{ + format = string + labels = list(string) + }` + (Type is `any` so the map values can later be enhanced to provide additional options.) + `format` is a Terraform format string to be passed to the `format()` function. + `labels` is a list of labels, in order, to pass to `format()` function. + Label values will be normalized before being passed to `format()` so they will be + identical to how they appear in `id`. + Default is `{}` (`descriptors` output will be empty). + EOT +} + +variable "owner" { + type = string + description = "The name and or NHS.net email address of the service owner" + default = "None" +} + +variable "tag_version" { + type = string + description = "Used to identify the tagging version in use" + default = "1.0" +} + +variable "data_classification" { + type = string + description = "Used to identify the data classification of the resource, e.g 1-5" + default = "n/a" + validation { + condition = contains(["n/a", "1", "2", "3", "4", "5"], var.data_classification) + error_message = "Data Classification must be \"n/a\" or between 1-5" + } +} + +variable "data_type" { + type = string + description = "The tag data_type" + default = "None" + validation { + condition = contains(["None", "PCD", "PID", "Anonymised", "UserAccount", "Audit"], var.data_type) + error_message = "Data Type must be one of None, PCD, PID, Anonymised, UserAccount, Audit" + } +} + + +variable "public_facing" { + type = bool + description = "Whether this resource is public facing" + default = false +} + +variable "service_category" { + type = string + description = "The tag service_category" + default = "n/a" + validation { + condition = contains(["n/a", "Bronze", "Silver", "Gold", "Platinum"], var.service_category) + error_message = "The Service Category must be one of n/a, Bronze, Silver, Gold, Platinum" + } +} +variable "on_off_pattern" { + type = string + description = "Used to turn resources on and off based on a time pattern" + default = "n/a" +} + +variable "application_role" { + type = string + description = "The role the application is performing" + default = "General" +} + +variable "tool" { + type = string + description = "The tool used to deploy the resource" + default = "Terraform" +} + +#### End of copy of screening-terraform-modules-aws/tags/variables.tf diff --git a/infrastructure/modules/iam/main.tf b/infrastructure/modules/iam/main.tf new file mode 100644 index 0000000..eeadc50 --- /dev/null +++ b/infrastructure/modules/iam/main.tf @@ -0,0 +1,106 @@ +################################################################ +# IAM Module +# +# Thin wrapper around the community +# `terraform-aws-modules/iam/aws` submodules: +# - `iam-policy` — one per entry in `var.policies` +# - `iam-role` — one per entry in `var.roles` +# +# The upstream module has no root configuration (only submodules), +# so this wrapper invokes the relevant submodules +################################################################ + +locals { + # Default IAM path falls back to a context-derived value so policies/roles + # are grouped under a predictable namespace, e.g. "/bcss/screening/". + default_iam_path = format( + "/%s/", + join("/", compact([module.this.service, module.this.project])) + ) + iam_path = var.path != null ? var.path : local.default_iam_path +} + +################################################################ +# Per-policy and per-role label modules +# +# Used to derive a stable, context-aware name and tag set for +# every policy/role produced by this wrapper. +################################################################ + +module "policy_label" { + source = "git::https://github.com/NHSDigital/screening-terraform-modules-aws.git//infrastructure/modules/tags?ref=feature/BCSS-23189-add-new-modules-to-suppport-bcss" + for_each = var.policies + + context = module.this.context + attributes = concat(module.this.attributes, ["policy", each.key]) +} + +module "role_label" { + source = "git::https://github.com/NHSDigital/screening-terraform-modules-aws.git//infrastructure/modules/tags?ref=feature/BCSS-23189-add-new-modules-to-suppport-bcss" + for_each = var.roles + + context = module.this.context + attributes = concat(module.this.attributes, ["role", each.key]) +} + +################################################################ +# Customer-managed policies (upstream `iam-policy` submodule) +################################################################ + +module "policies" { + source = "terraform-aws-modules/iam/aws//modules/iam-policy" + version = "6.6.0" + for_each = module.this.enabled ? var.policies : {} + + name = module.policy_label[each.key].id + path = each.value.path != null ? each.value.path : local.iam_path + description = each.value.description + policy = each.value.policy + + tags = module.policy_label[each.key].tags +} + +################################################################ +# IAM roles (upstream `iam-role` submodule) +# +# `policy_arns` (externally-managed) and `policy_keys` (policies +# created above in this same invocation) are merged into the +# single `policies = { name => arn }` map the submodule expects. +# +# `inline_policies` is forwarded via `source_inline_policy_documents` +# so all statements are merged into one inline policy per role. +################################################################ + +locals { + # role_key -> { static_name => policy_arn } for attached policies. + role_policies = { + for role_key, role in var.roles : role_key => merge( + { for idx, arn in role.policy_arns : "external-${idx}" => arn }, + { for k in role.policy_keys : k => module.policies[k].arn } + ) + } +} + +module "roles" { + source = "terraform-aws-modules/iam/aws//modules/iam-role" + version = "6.6.0" + for_each = module.this.enabled ? var.roles : {} + + name = module.role_label[each.key].id + use_name_prefix = false + path = each.value.path != null ? each.value.path : local.iam_path + description = each.value.description + + max_session_duration = each.value.max_session_duration + permissions_boundary = each.value.permissions_boundary + + # Caller-supplied trust policy JSON is merged in as a source document. + source_trust_policy_documents = [each.value.assume_role_policy] + + policies = local.role_policies[each.key] + + create_inline_policy = length(each.value.inline_policies) > 0 + source_inline_policy_documents = values(each.value.inline_policies) + + tags = module.role_label[each.key].tags +} diff --git a/infrastructure/modules/iam/outputs.tf b/infrastructure/modules/iam/outputs.tf new file mode 100644 index 0000000..52c17b2 --- /dev/null +++ b/infrastructure/modules/iam/outputs.tf @@ -0,0 +1,19 @@ +output "policy_arns" { + description = "Map of policy key -> arn for every IAM policy created by this module." + value = { for k, m in module.policies : k => m.arn } +} + +output "policy_names" { + description = "Map of policy key -> name for every IAM policy created by this module." + value = { for k, m in module.policies : k => m.name } +} + +output "role_arns" { + description = "Map of role key -> arn for every IAM role created by this module." + value = { for k, m in module.roles : k => m.arn } +} + +output "role_names" { + description = "Map of role key -> name for every IAM role created by this module." + value = { for k, m in module.roles : k => m.name } +} diff --git a/infrastructure/modules/iam/readme.md b/infrastructure/modules/iam/readme.md new file mode 100644 index 0000000..88e7880 --- /dev/null +++ b/infrastructure/modules/iam/readme.md @@ -0,0 +1,219 @@ +# iam + +Creates iam customer-managed policies and (optionally) iam roles for any +team on the screening platform. Thin wrapper around the community +[`terraform-aws-modules/iam/aws`](https://registry.terraform.io/modules/terraform-aws-modules/iam/aws/latest) +submodules (`iam-policy` and `iam-role`), with naming and tagging supplied +by the central `tags` module via `context.tf` — so every team gets +consistent `///` paths and the standard NHS tag set +automatically. + +## Usage + +The module is map-driven — one invocation can produce many policies and +roles. Three typical consumer patterns: + +### 1. SSO customer-managed policies (no roles) + +Use this when defining the iam policies that AWS Identity Center +permission sets will reference. The SSO wiring itself +(`aws_ssoadmin_permission_set`, `aws_ssoadmin_customer_managed_policy_attachment`, +account assignments) lives in the consumer stack, not in this module. + +```hcl +data "aws_iam_policy_document" "readonly" { + statement { + actions = ["s3:Get*", "s3:List*", "logs:Get*", "logs:Describe*"] + resources = ["*"] + } +} + +module "iam" { + source = "git::https://github.com/NHSDigital/screening-terraform-modules-aws.git//infrastructure/modules/iam?ref=" + context = module.label.context + + policies = { + sso-readonly = { + policy = data.aws_iam_policy_document.readonly.json + description = "Read-only access for the team's SSO permission set" + } + } +} +``` + +Reference the output from the SSO permission set in the consumer stack: + +```hcl +resource "aws_ssoadmin_customer_managed_policy_attachment" "readonly" { + instance_arn = local.sso_instance_arn + permission_set_arn = aws_ssoadmin_permission_set.readonly.arn + + customer_managed_policy_reference { + name = module.iam.policy_names["sso-readonly"] + path = "///" # matches the module's default iam path + } +} +``` + +> **Note:** customer-managed policies must exist in every account a +> permission set is provisioned into. Run this module in every workload +> account; the permission set lives once, in the Identity Center +> delegated admin account. + +### 2. Service roles (no SSO) + +Use this for ECS task roles, Lambda execution roles, EventBridge invoke +roles, etc. + +```hcl +data "aws_iam_policy_document" "ecs_assume" { + statement { + actions = ["sts:AssumeRole"] + principals { + type = "Service" + identifiers = ["ecs-tasks.amazonaws.com"] + } + } +} + +module "iam" { + source = "git::https://github.com/NHSDigital/screening-terraform-modules-aws.git//infrastructure/modules/iam?ref=" + context = module.label.context + + roles = { + ecs-task = { + assume_role_policy = data.aws_iam_policy_document.ecs_assume.json + description = "ECS task role for the screening API" + policy_arns = [ + "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore", + ] + inline_policies = { + secrets = data.aws_iam_policy_document.read_secrets.json + } + } + } +} +``` + +### 3. Role + matching policy in one call + +Use `policy_keys` to wire a role to a policy created by *this same module +invocation* — useful for IRSA/OIDC trust patterns or any service role +whose policy you also want to manage here. + +```hcl +module "iam" { + source = "git::https://github.com/NHSDigital/screening-terraform-modules-aws.git//infrastructure/modules/iam?ref=" + context = module.label.context + + policies = { + s3-data-rw = { + policy = data.aws_iam_policy_document.data_rw.json + description = "Read/write to the screening data bucket" + } + } + + roles = { + data-processor = { + assume_role_policy = data.aws_iam_policy_document.lambda_assume.json + policy_keys = ["s3-data-rw"] + } + } +} +``` + +## Conventions + +- **Naming.** Resource names are derived from `module.this.id` plus an + `attributes` suffix — e.g. `-policy-` and `-role-`. +- **iam path.** Defaults to `///` from context. Override + globally with `var.path` or per-entry with `entry.path`. +- **Enabled switch.** Set `context.enabled = false` to disable the entire + module (e.g. in development tfvars). All resources are gated by it. +- **Descriptions.** Strongly encouraged on every policy and role — + whoever sees them in the iam console later will thank you. +- **Inline policies.** `inline_policies` is a map of name -> JSON document; + the upstream `iam-role` submodule merges all documents into a single + inline policy on the role, so the map keys are used only for caller-side + bookkeeping (they do not become inline-policy names in AWS). Prefer + `policy_keys` + `var.policies` when you need a named, attachable policy. + +## What this module does NOT do + +- SSO permission sets, account assignments, group/user management — lives + in the consumer stack via `aws_ssoadmin_*` and `aws_identitystore_*`. +- iam users, iam groups, SAML/OIDC identity providers +- Account-wide iam settings (password policy, account alias, MFA enforcement). + + + +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [policies](#module_policies) | `terraform-aws-modules/iam/aws//modules/iam-policy` | 6.6.0 | +| [policy_label](#module_policy_label) | `git::https://github.com/NHSDigital/screening-terraform-modules-aws.git//infrastructure/modules/tags` | feature/BCSS-23189-add-new-modules-to-suppport-bcss | +| [role_label](#module_role_label) | `git::https://github.com/NHSDigital/screening-terraform-modules-aws.git//infrastructure/modules/tags` | feature/BCSS-23189-add-new-modules-to-suppport-bcss | +| [roles](#module_roles) | `terraform-aws-modules/iam/aws//modules/iam-role` | 6.6.0 | +| [this](#module_this) | `git::https://github.com/NHSDigital/screening-terraform-modules-aws.git//infrastructure/modules/tags` | feature/BCSS-23189-add-new-modules-to-suppport-bcss | + +## Resources + +No resources. iam resources are created by the wrapped upstream submodules listed above. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`. | `map(string)` | `{}` | no | +| [application_role](#input_application_role) | The role the application is performing | `string` | `"General"` | no | +| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`, in the order they appear in the list. | `list(string)` | `[]` | no | +| [aws_region](#input_aws_region) | The AWS region | `string` | `"eu-west-2"` | no | +| [context](#input_context) | Single object for setting entire context at once. See description of individual variables for details. | `any` | see `context.tf` | no | +| [data_classification](#input_data_classification) | Used to identify the data classification of the resource, e.g 1-5 | `string` | `"n/a"` | no | +| [data_type](#input_data_type) | The tag data_type | `string` | `"None"` | no | +| [delimiter](#input_delimiter) | Delimiter to be used between ID elements. Defaults to `-` (hyphen). | `string` | `null` | no | +| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map. | `any` | `{}` | no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input_environment) | ID element. Usually used to indicate role, e.g. 'prd', 'dev', 'test', 'preprod', 'prod', 'uat' | `string` | `null` | no | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6). | `number` | `null` | no | +| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module. | `string` | `null` | no | +| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`, set as tag values, and output by this module individually. | `string` | `null` | no | +| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output. | `set(string)` | `["default"]` | no | +| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'. | `string` | `null` | no | +| [on_off_pattern](#input_on_off_pattern) | Used to turn resources on and off based on a time pattern | `string` | `"n/a"` | no | +| [owner](#input_owner) | The name and or NHS.net email address of the service owner | `string` | `"None"` | no | +| [path](#input_path) | Default IAM path applied to policies and roles when an entry does not override it. Defaults to `///` derived from context. | `string` | `null` | no | +| [policies](#input_policies) | Map of IAM customer-managed policies to create. See variables.tf for the schema. | 
map(object({
    policy      = string
    description = optional(string)
    path        = optional(string)
  }))
| `{}` | no | +| [project](#input_project) | ID element. A project identifier, indicating the name or role of the project the resource is for. | `string` | `null` | no | +| [public_facing](#input_public_facing) | Whether this resource is public facing | `bool` | `false` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string. Characters matching the regex will be removed from the ID elements. | `string` | `null` | no | +| [region](#input_region) | ID element. Short region abbreviation e.g. 'uw2', 'ew2'. | `string` | `null` | no | +| [roles](#input_roles) | Map of IAM roles to create. See variables.tf for the schema. | 
map(object({
    assume_role_policy   = string
    description          = optional(string)
    path                 = optional(string)
    max_session_duration = optional(number, 3600)
    permissions_boundary = optional(string)
    policy_arns          = optional(list(string), [])
    policy_keys          = optional(list(string), [])
    inline_policies      = optional(map(string), {})
  }))
| `{}` | no | +| [service](#input_service) | ID element. Service directorate abbreviation, e.g. 'bcss'. | `string` | `null` | no | +| [service_category](#input_service_category) | The tag service_category | `string` | `"n/a"` | no | +| [stack](#input_stack) | ID element. The name of the stack/component, e.g. `database`, `web`, `waf`, `eks`. | `string` | `null` | no | +| [tag_version](#input_tag_version) | Used to identify the tagging version in use | `string` | `"1.0"` | no | +| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`). | `map(string)` | `{}` | no | +| [tool](#input_tool) | The tool used to deploy the resource | `string` | `"Terraform"` | no | +| [workspace](#input_workspace) | ID element. The Terraform workspace, to help ensure generated IDs are unique across workspaces. | `string` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [policy_arns](#output_policy_arns) | Map of policy key -> arn for every IAM policy created by this module. | +| [policy_names](#output_policy_names) | Map of policy key -> name for every IAM policy created by this module. | +| [role_arns](#output_role_arns) | Map of role key -> arn for every IAM role created by this module. | +| [role_names](#output_role_names) | Map of role key -> name for every IAM role created by this module. | + + diff --git a/infrastructure/modules/iam/variables.tf b/infrastructure/modules/iam/variables.tf new file mode 100644 index 0000000..6ac99c7 --- /dev/null +++ b/infrastructure/modules/iam/variables.tf @@ -0,0 +1,84 @@ +################################################################ +# IAM-specific inputs. +# +# Naming, tagging and the master `enabled` switch come from +# `context.tf` via `module.this` — see that file for the full +# list of inherited inputs (service, project, environment, +# stack, name, owner, data_classification, tags, etc.). +################################################################ + +variable "path" { + description = "Default IAM path applied to policies and roles when an entry does not override it. Defaults to `///` derived from context." + type = string + default = null + + validation { + condition = var.path == null || can(regex("^/.*/$", coalesce(var.path, "/"))) + error_message = "path must start and end with a forward slash, e.g. \"/bcss/\"." + } +} + +variable "policies" { + description = <<-EOT + Map of IAM customer-managed policies to create. + + Each key is a logical identifier (e.g. "read-only", "ssm-session") used + in the rendered policy name. Each value is an object with: + + policy - (required) IAM policy document JSON + description - (optional) policy description + path - (optional) IAM path; overrides `var.path` / context default + + Example: + policies = { + readonly = { + policy = data.aws_iam_policy_document.readonly.json + description = "Read-only access for SSO permission set" + } + } + EOT + type = map(object({ + policy = string + description = optional(string) + path = optional(string) + })) + default = {} +} + +variable "roles" { + description = <<-EOT + Map of IAM roles to create. + + Each key is a logical identifier used in the rendered role name. Each + value is an object with: + + assume_role_policy - (required) trust policy JSON + description - (optional) role description + path - (optional) IAM path; overrides `var.path` / context default + max_session_duration - (optional) session duration in seconds (3600-43200) + permissions_boundary - (optional) ARN of a permissions boundary policy + policy_arns - (optional) list of existing/managed policy ARNs to attach + policy_keys - (optional) list of keys from `var.policies` to attach + inline_policies - (optional) map of inline policy name -> JSON document + + Example: + roles = { + ec2-bastion = { + assume_role_policy = data.aws_iam_policy_document.ec2_assume.json + policy_arns = ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"] + policy_keys = ["readonly"] + } + } + EOT + type = map(object({ + assume_role_policy = string + description = optional(string) + path = optional(string) + max_session_duration = optional(number, 3600) + permissions_boundary = optional(string) + policy_arns = optional(list(string), []) + policy_keys = optional(list(string), []) + inline_policies = optional(map(string), {}) + })) + default = {} +}