README.yaml
#
# This is the canonical configuration for the `README.md`
# Run `make readme` to rebuild the `README.md`
#
# Name of this project
name: terraform-aws-ssm-iam-role
# Logo for this project
#logo: docs/logo.png
# License of this project
license: "APACHE2"
# Canonical GitHub repo
github_repo: cloudposse/terraform-aws-ssm-iam-role
# Badges to display
badges:
  - name: Latest Release
    image: https://img.shields.io/github/release/cloudposse/terraform-aws-ssm-iam-role.svg?style=for-the-badge
    url: /~https://github.com/cloudposse/terraform-aws-ssm-iam-role/releases/latest
  - name: Last Updated
    image: https://img.shields.io/github/last-commit/cloudposse/terraform-aws-ssm-iam-role.svg?style=for-the-badge
    url: /~https://github.com/cloudposse/terraform-aws-ssm-iam-role/commits
  - name: Slack Community
    image: https://slack.cloudposse.com/for-the-badge.svg
    url: https://slack.cloudposse.com
# List any related terraform modules that this module may be used with or that this module depends on.
related:
  - name: "terraform-aws-ssm-parameter-store"
    description: "Terraform module to populate AWS Systems Manager (SSM) Parameter Store with values from Terraform. Works great with Chamber."
    url: "/~https://github.com/cloudposse/terraform-aws-ssm-parameter-store"
  - name: "terraform-aws-ssm-parameter-store-policy-documents"
    description: "A Terraform module that generates JSON documents for access for common AWS SSM Parameter Store policies"
    url: "/~https://github.com/cloudposse/terraform-aws-ssm-parameter-store-policy-documents"
  - name: "terraform-aws-iam-chamber-user"
    description: "Terraform module to provision a basic IAM chamber user with access to SSM parameters and KMS key to decrypt secrets, suitable for CI/CD systems (e.g. TravisCI, CircleCI, CodeFresh) or systems which are external to AWS that cannot leverage AWS IAM Instance Profiles"
    url: "/~https://github.com/cloudposse/terraform-aws-iam-chamber-user"
# Short description of this project
description: |-
  Terraform module to provision an IAM role with configurable permissions to access [SSM Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-paramstore.html).

introduction: |-
  For more information on how to control access to Systems Manager parameters by using AWS Identity and Access Management, see [Controlling Access to Systems Manager Parameters](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-access.html).

  For more information on how to use parameter hierarchies to help organize and manage parameters, see [Organizing Parameters into Hierarchies](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-su-organize.html).

  __NOTE:__ This module can be used to provision IAM roles with SSM permissions for [chamber](https://docs.cloudposse.com/tools/chamber/).
# How to use this project
usage: |-
  This example creates a role with the name `cp-prod-app-all` with permission to read all SSM parameters,
  and gives permission to the entities specified in `assume_role_arns` to assume the role.

  ```hcl
  module "ssm_iam_role" {
    source           = "git::/~https://github.com/cloudposse/terraform-aws-ssm-iam-role.git?ref=master"
    namespace        = "cp"
    stage            = "prod"
    name             = "app"
    attributes       = ["all"]
    region           = "us-west-2"
    account_id       = "XXXXXXXXXXX"
    assume_role_arns = ["arn:aws:xxxxxxxxxx", "arn:aws:yyyyyyyyyyyy"]
    kms_key_arn      = "arn:aws:kms:us-west-2:123454095951:key/aced568e-3375-4ece-85e5-b35abc46c243"
    ssm_parameters   = ["*"]
    ssm_actions      = ["ssm:GetParametersByPath", "ssm:GetParameters"]
  }
  ```
examples: |-
  ### Example With Permission For Specific Resources

  This example creates a role with the name `cp-prod-app-secrets` with permission to read the SSM parameters that begin with `secret-`,
  and gives permission to the entities specified in `assume_role_arns` to assume the role.

  ```hcl
  module "ssm_iam_role" {
    source           = "git::/~https://github.com/cloudposse/terraform-aws-ssm-iam-role.git?ref=master"
    namespace        = "cp"
    stage            = "prod"
    name             = "app"
    attributes       = ["secrets"]
    region           = "us-west-2"
    account_id       = "XXXXXXXXXXX"
    assume_role_arns = ["arn:aws:xxxxxxxxxx", "arn:aws:yyyyyyyyyyyy"]
    kms_key_arn      = "arn:aws:kms:us-west-2:123454095951:key/aced568e-3375-4ece-85e5-b35abc46c243"
    ssm_parameters   = ["secret-*"]
    ssm_actions      = ["ssm:GetParameters"]
  }
  ```

  ### Complete Example

  This example:

  * Provisions a KMS key to encrypt SSM Parameter Store secrets using the [terraform-aws-kms-key](/~https://github.com/cloudposse/terraform-aws-kms-key) module
  * Performs a `Kops` cluster lookup to find the ARNs of `masters` and `nodes` using the [terraform-aws-kops-metadata](/~https://github.com/cloudposse/terraform-aws-kops-metadata) module
  * Creates a role with the name `cp-prod-chamber-kops` with permission to read all SSM parameters under the path `kops`,
    and gives permission to the Kops `masters` and `nodes` to assume the role

  ```hcl
  module "kms_key" {
    source      = "git::/~https://github.com/cloudposse/terraform-aws-kms-key.git?ref=master"
    namespace   = "cp"
    stage       = "prod"
    name        = "chamber"
    description = "KMS key for SSM"
  }

  module "kops_metadata" {
    source       = "git::/~https://github.com/cloudposse/terraform-aws-kops-metadata.git?ref=master"
    dns_zone     = "us-west-2.prod.cloudposse.co"
    masters_name = "masters"
    nodes_name   = "nodes"
  }

  module "ssm_iam_role" {
    source           = "git::/~https://github.com/cloudposse/terraform-aws-ssm-iam-role.git?ref=master"
    namespace        = "cp"
    stage            = "prod"
    name             = "chamber"
    attributes       = ["kops"]
    region           = "us-west-2"
    account_id       = "XXXXXXXXXXX"
    assume_role_arns = ["${module.kops_metadata.masters_role_arn}", "${module.kops_metadata.nodes_role_arn}"]
    kms_key_arn      = "${module.kms_key.key_arn}"
    ssm_parameters   = ["kops/*"]
    ssm_actions      = ["ssm:GetParametersByPath", "ssm:GetParameters"]
  }
  ```
include:
  - "docs/targets.md"
  - "docs/terraform.md"
# Contributors to this project
contributors: []
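The three examples above differ only in how tightly `ssm_parameters` scopes the role: `["*"]` in the usage example reads every parameter in the account, while `["secret-*"]` and `["kops/*"]` confine the role to one prefix or one hierarchy. The following Python is an added illustration and not the module's own code: it builds the kind of read policy such a module is expected to attach (the statement layout, the `kms:Decrypt` statement and the wildcard matcher are assumptions; the account id and key ARN are placeholders), turns each `ssm_parameters` pattern into the SSM parameter ARN IAM evaluates, and lets you check which parameter names and actions a given configuration would grant before applying it.

```python
"""Scope check for the SSM read policy an ssm_iam_role-style module would attach.
Added illustration only: policy shape and glob matching are assumptions, and
the account id / KMS key ARN below are constructed placeholders."""
import json
import re

# Constructed inputs mirroring the README examples (placeholders, not real values).
REGION = "us-west-2"
ACCOUNT_ID = "123456789012"
KMS_KEY_ARN = "arn:aws:kms:us-west-2:123456789012:key/PLACEHOLDER-KEY-ID"


def ssm_parameter_arn(region: str, account_id: str, name: str) -> str:
    """ARN of one parameter. AWS writes hierarchical names without the leading
    slash, so '/kops/a' and 'kops/a' resolve to the same ARN."""
    return f"arn:aws:ssm:{region}:{account_id}:parameter/{name.lstrip('/')}"


def glob_match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def build_policy(region, account_id, ssm_parameters, ssm_actions, kms_key_arn) -> dict:
    """Assumed shape of the read policy: the requested SSM actions over the
    parameter patterns, plus kms:Decrypt on the CMK so SecureString values are readable."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadParameters",
                "Effect": "Allow",
                "Action": sorted(ssm_actions),
                "Resource": [ssm_parameter_arn(region, account_id, p) for p in ssm_parameters],
            },
            {
                "Sid": "DecryptSecureStrings",
                "Effect": "Allow",
                "Action": ["kms:Decrypt"],
                "Resource": [kms_key_arn],
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows(policy: dict, action: str, parameter_name: str,
           region: str = REGION, account_id: str = ACCOUNT_ID) -> bool:
    """True if some Allow statement covers both the action and the parameter's ARN."""
    arn = ssm_parameter_arn(region, account_id, parameter_name)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_hit = any(glob_match(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(glob_match(r, arn) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            return True
    return False


def account_wide_parameter_statements(policy: dict) -> list:
    """Sids of statements whose resource is 'parameter/*' or a bare '*': the
    ssm_parameters = ["*"] case, which grants read on every parameter in the account."""
    broad = []
    for stmt in policy["Statement"]:
        if any(r == "*" or r.endswith(":parameter/*") for r in _as_list(stmt["Resource"])):
            broad.append(stmt["Sid"])
    return broad


if __name__ == "__main__":
    # The "secrets" example: only names starting with secret- are readable, and only via GetParameters.
    policy = build_policy(REGION, ACCOUNT_ID, ["secret-*"], ["ssm:GetParameters"], KMS_KEY_ARN)
    print(json.dumps(policy, indent=2))
    print(allows(policy, "ssm:GetParameters", "secret-db-password"))      # True
    print(allows(policy, "ssm:GetParameters", "app-config"))              # False
    print(account_wide_parameter_statements(policy))                      # []
```

Run the `["*"]` configuration from the usage example through `account_wide_parameter_statements` and the `ReadParameters` statement is flagged, which is the review question to ask before granting that role to a workload; the `kops/*` configuration passes, and `allows` confirms that `/kops/cluster/token` is covered while `/prod/db/password` is not.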