From f0e65a760bf6ddac1344ead5d1f1aaf409c38d18 Mon Sep 17 00:00:00 2001 From: Christopher Redwine Date: Tue, 1 Oct 2024 15:56:55 -0500 Subject: [PATCH] fix: Add required S3 PutObjectTagging permission to Velero IRSA policy (#517) Co-authored-by: Bryant Biggs --- .github/workflows/pre-commit.yml | 21 ++++++++++++-- .pre-commit-config.yaml | 2 +- examples/iam-account/README.md | 4 +-- .../iam-assumable-role-with-oidc/README.md | 4 +-- .../iam-assumable-role-with-saml/README.md | 4 +-- examples/iam-assumable-role/README.md | 4 +-- .../iam-assumable-roles-with-saml/README.md | 4 +-- examples/iam-assumable-roles/README.md | 4 +-- examples/iam-eks-role/README.md | 4 +-- examples/iam-github-oidc/README.md | 4 +-- examples/iam-group-complete/README.md | 4 +-- .../README.md | 4 +-- examples/iam-group-with-policies/README.md | 4 +-- examples/iam-policy/README.md | 4 +-- examples/iam-read-only-policy/README.md | 4 +-- .../README.md | 4 +-- examples/iam-user/README.md | 4 +-- modules/iam-account/README.md | 4 +-- .../iam-assumable-role-with-oidc/README.md | 4 +-- .../iam-assumable-role-with-saml/README.md | 6 ++-- modules/iam-assumable-role/README.md | 8 +++--- .../iam-assumable-roles-with-saml/README.md | 12 ++++---- modules/iam-assumable-roles/README.md | 12 ++++---- modules/iam-eks-role/README.md | 4 +-- modules/iam-github-oidc-provider/README.md | 6 ++-- modules/iam-github-oidc-role/README.md | 4 +-- .../README.md | 4 +-- modules/iam-group-with-policies/README.md | 4 +-- modules/iam-policy/README.md | 4 +-- modules/iam-read-only-policy/README.md | 6 ++-- .../README.md | 28 +++++++++---------- .../policies.tf | 1 + modules/iam-user/README.md | 4 +-- 33 files changed, 106 insertions(+), 88 deletions(-) diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index c2632d1a..23d64779 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -7,8 +7,8 @@ on: - master env: - TERRAFORM_DOCS_VERSION: v0.16.0 - TFLINT_VERSION: v0.50.3 + TERRAFORM_DOCS_VERSION: v0.19.0 + TFLINT_VERSION: v0.53.0 jobs: collectInputs: @@ -75,10 +75,27 @@ jobs: # https://github.com/orgs/community/discussions/25678#discussioncomment-5242449 - name: Delete huge unnecessary tools folder run: | + df -h rm -rf /opt/hostedtoolcache/CodeQL rm -rf /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk rm -rf /opt/hostedtoolcache/Ruby rm -rf /opt/hostedtoolcache/go + # And a little bit more + sudo apt-get -qq remove -y 'azure-.*' + sudo apt-get -qq remove -y 'cpp-.*' + sudo apt-get -qq remove -y 'dotnet-runtime-.*' + sudo apt-get -qq remove -y 'google-.*' + sudo apt-get -qq remove -y 'libclang-.*' + sudo apt-get -qq remove -y 'libllvm.*' + sudo apt-get -qq remove -y 'llvm-.*' + sudo apt-get -qq remove -y 'mysql-.*' + sudo apt-get -qq remove -y 'postgresql-.*' + sudo apt-get -qq remove -y 'php.*' + sudo apt-get -qq remove -y 'temurin-.*' + sudo apt-get -qq remove -y kubectl firefox powershell mono-devel + sudo apt-get -qq autoremove -y + sudo apt-get -qq clean + df -h - name: Checkout uses: actions/checkout@v4 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index b567c521..66e925cc 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.92.0 + rev: v1.96.1 hooks: - id: terraform_fmt - id: terraform_wrapper_module_for_each diff --git a/examples/iam-account/README.md b/examples/iam-account/README.md index 540651c4..05f3f02d 100644 --- a/examples/iam-account/README.md +++ b/examples/iam-account/README.md @@ -14,7 +14,7 @@ $ terraform apply Run `terraform destroy` when you don't need these resources. - + ## Requirements | Name | Version | @@ -46,4 +46,4 @@ No inputs. |------|-------------| | [caller\_identity\_account\_id](#output\_caller\_identity\_account\_id) | The ID of the AWS account | | [iam\_account\_password\_policy\_expire\_passwords](#output\_iam\_account\_password\_policy\_expire\_passwords) | Indicates whether passwords in the account expire. Returns true if max\_password\_age contains a value greater than 0. Returns false if it is 0 or not present. | - + diff --git a/examples/iam-assumable-role-with-oidc/README.md b/examples/iam-assumable-role-with-oidc/README.md index 01429c10..1b0ac0c6 100644 --- a/examples/iam-assumable-role-with-oidc/README.md +++ b/examples/iam-assumable-role-with-oidc/README.md @@ -14,7 +14,7 @@ $ terraform apply Run `terraform destroy` when you don't need these resources. - + ## Requirements | Name | Version | @@ -51,4 +51,4 @@ No inputs. | [iam\_role\_name](#output\_iam\_role\_name) | Name of IAM role | | [iam\_role\_path](#output\_iam\_role\_path) | Path of IAM role | | [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Unique ID of IAM role | - + diff --git a/examples/iam-assumable-role-with-saml/README.md b/examples/iam-assumable-role-with-saml/README.md index 882aba08..f1d0d2ac 100644 --- a/examples/iam-assumable-role-with-saml/README.md +++ b/examples/iam-assumable-role-with-saml/README.md @@ -14,7 +14,7 @@ $ terraform apply Run `terraform destroy` when you don't need these resources. - + ## Requirements | Name | Version | @@ -54,4 +54,4 @@ No inputs. | [iam\_role\_name](#output\_iam\_role\_name) | Name of IAM role | | [iam\_role\_path](#output\_iam\_role\_path) | Path of IAM role | | [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Unique ID of IAM role | - + diff --git a/examples/iam-assumable-role/README.md b/examples/iam-assumable-role/README.md index 9c63694c..8a3b011e 100644 --- a/examples/iam-assumable-role/README.md +++ b/examples/iam-assumable-role/README.md @@ -16,7 +16,7 @@ $ terraform apply Run `terraform destroy` when you don't need these resources. - + ## Requirements | Name | Version | @@ -61,4 +61,4 @@ No inputs. | [iam\_role\_path](#output\_iam\_role\_path) | Path of IAM role | | [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Unique ID of IAM role | | [role\_requires\_mfa](#output\_role\_requires\_mfa) | Whether admin IAM role requires MFA | - + diff --git a/examples/iam-assumable-roles-with-saml/README.md b/examples/iam-assumable-roles-with-saml/README.md index 78deaa14..c6e571c9 100644 --- a/examples/iam-assumable-roles-with-saml/README.md +++ b/examples/iam-assumable-roles-with-saml/README.md @@ -14,7 +14,7 @@ $ terraform apply Run `terraform destroy` when you don't need these resources. - + ## Requirements | Name | Version | @@ -64,4 +64,4 @@ No inputs. | [readonly\_iam\_role\_name](#output\_readonly\_iam\_role\_name) | Name of readonly IAM role | | [readonly\_iam\_role\_path](#output\_readonly\_iam\_role\_path) | Path of readonly IAM role | | [readonly\_iam\_role\_unique\_id](#output\_readonly\_iam\_role\_unique\_id) | Unique ID of IAM role | - + diff --git a/examples/iam-assumable-roles/README.md b/examples/iam-assumable-roles/README.md index 9e4363fe..15902f75 100644 --- a/examples/iam-assumable-roles/README.md +++ b/examples/iam-assumable-roles/README.md @@ -14,7 +14,7 @@ $ terraform apply Run `terraform destroy` when you don't need these resources. - + ## Requirements | Name | Version | @@ -60,4 +60,4 @@ No inputs. | [readonly\_iam\_role\_path](#output\_readonly\_iam\_role\_path) | Path of readonly IAM role | | [readonly\_iam\_role\_requires\_mfa](#output\_readonly\_iam\_role\_requires\_mfa) | Whether readonly IAM role requires MFA | | [readonly\_iam\_role\_unique\_id](#output\_readonly\_iam\_role\_unique\_id) | Unique ID of IAM role | - + diff --git a/examples/iam-eks-role/README.md b/examples/iam-eks-role/README.md index 0e511196..e5c68149 100644 --- a/examples/iam-eks-role/README.md +++ b/examples/iam-eks-role/README.md @@ -14,7 +14,7 @@ $ terraform apply Run `terraform destroy` when you don't need these resources. - + ## Requirements | Name | Version | @@ -59,4 +59,4 @@ No inputs. | [iam\_role\_name](#output\_iam\_role\_name) | Name of IAM role | | [iam\_role\_path](#output\_iam\_role\_path) | Path of IAM role | | [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Unique ID of IAM role | - + diff --git a/examples/iam-github-oidc/README.md b/examples/iam-github-oidc/README.md index 20f25525..51a7f733 100644 --- a/examples/iam-github-oidc/README.md +++ b/examples/iam-github-oidc/README.md @@ -17,7 +17,7 @@ $ terraform apply Run `terraform destroy` when you don't need these resources. - + ## Requirements | Name | Version | @@ -60,4 +60,4 @@ No inputs. | [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Unique ID of IAM role | | [provider\_arn](#output\_provider\_arn) | The ARN assigned by AWS for this provider | | [provider\_url](#output\_provider\_url) | The URL of the identity provider. Corresponds to the iss claim | - + diff --git a/examples/iam-group-complete/README.md b/examples/iam-group-complete/README.md index 90e6ed97..6c3f35c2 100644 --- a/examples/iam-group-complete/README.md +++ b/examples/iam-group-complete/README.md @@ -16,7 +16,7 @@ $ terraform apply Run `terraform destroy` when you don't need these resources. - + ## Requirements | Name | Version | @@ -51,4 +51,4 @@ No inputs. | [assumable\_roles](#output\_assumable\_roles) | List of ARNs of IAM roles which members of IAM group can assume | | [group\_users](#output\_group\_users) | List of IAM users in IAM group | | [policy\_arn](#output\_policy\_arn) | Assume role policy ARN for IAM group | - + diff --git a/examples/iam-group-with-assumable-roles-policy/README.md b/examples/iam-group-with-assumable-roles-policy/README.md index ebe96657..f6e00280 100644 --- a/examples/iam-group-with-assumable-roles-policy/README.md +++ b/examples/iam-group-with-assumable-roles-policy/README.md @@ -14,7 +14,7 @@ $ terraform apply Run `terraform destroy` when you don't need these resources. - + ## Requirements | Name | Version | @@ -61,4 +61,4 @@ No inputs. | [iam\_account\_id](#output\_iam\_account\_id) | IAM AWS account id (this code is managing resources in this account) | | [policy\_arn](#output\_policy\_arn) | Assume role policy ARN for IAM group | | [production\_account\_id](#output\_production\_account\_id) | Production AWS account id | - + diff --git a/examples/iam-group-with-policies/README.md b/examples/iam-group-with-policies/README.md index a01542d1..ed1341ff 100644 --- a/examples/iam-group-with-policies/README.md +++ b/examples/iam-group-with-policies/README.md @@ -14,7 +14,7 @@ $ terraform apply Run `terraform destroy` when you don't need these resources. - + ## Requirements | Name | Version | @@ -55,4 +55,4 @@ No inputs. | [group\_name](#output\_group\_name) | IAM group name | | [group\_users](#output\_group\_users) | List of IAM users in IAM group | | [iam\_account\_id](#output\_iam\_account\_id) | IAM AWS account id | - + diff --git a/examples/iam-policy/README.md b/examples/iam-policy/README.md index f3584a9a..6e9931ad 100644 --- a/examples/iam-policy/README.md +++ b/examples/iam-policy/README.md @@ -14,7 +14,7 @@ $ terraform apply Run `terraform destroy` when you don't need these resources. - + ## Requirements | Name | Version | @@ -56,4 +56,4 @@ No inputs. | [name](#output\_name) | The name of the policy | | [path](#output\_path) | The path of the policy in IAM | | [policy](#output\_policy) | The policy document | - + diff --git a/examples/iam-read-only-policy/README.md b/examples/iam-read-only-policy/README.md index acd5d611..bae77fb4 100644 --- a/examples/iam-read-only-policy/README.md +++ b/examples/iam-read-only-policy/README.md @@ -14,7 +14,7 @@ $ terraform apply Run `terraform destroy` when you don't need these resources. - + ## Requirements | Name | Version | @@ -56,4 +56,4 @@ No inputs. | [name](#output\_name) | The name of the policy | | [path](#output\_path) | The path of the policy in IAM | | [policy](#output\_policy) | The policy document | - + diff --git a/examples/iam-role-for-service-accounts-eks/README.md b/examples/iam-role-for-service-accounts-eks/README.md index 0224fb43..224389f0 100644 --- a/examples/iam-role-for-service-accounts-eks/README.md +++ b/examples/iam-role-for-service-accounts-eks/README.md @@ -14,7 +14,7 @@ $ terraform apply Run `terraform destroy` when you don't need these resources. - + ## Requirements | Name | Version | @@ -78,4 +78,4 @@ No inputs. | [iam\_role\_name](#output\_iam\_role\_name) | Name of IAM role | | [iam\_role\_path](#output\_iam\_role\_path) | Path of IAM role | | [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Unique ID of IAM role | - + diff --git a/examples/iam-user/README.md b/examples/iam-user/README.md index 6ee8b258..038d1dea 100644 --- a/examples/iam-user/README.md +++ b/examples/iam-user/README.md @@ -15,7 +15,7 @@ $ terraform apply Run `terraform destroy` when you don't need these resources. - + ## Requirements | Name | Version | @@ -70,4 +70,4 @@ No inputs. | [keybase\_secret\_key\_pgp\_message](#output\_keybase\_secret\_key\_pgp\_message) | Encrypted access secret key | | [pgp\_key](#output\_pgp\_key) | PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted) | | [policy\_arns](#output\_policy\_arns) | The list of ARNs of policies directly assigned to the IAM user | - + diff --git a/modules/iam-account/README.md b/modules/iam-account/README.md index 7fb8dbc1..10c0c4b1 100644 --- a/modules/iam-account/README.md +++ b/modules/iam-account/README.md @@ -21,7 +21,7 @@ module.iam_account.aws_iam_account_alias.this: Refreshing state... (ID: this) Import successful! ``` - + ## Requirements | Name | Version | @@ -72,4 +72,4 @@ No modules. | [caller\_identity\_arn](#output\_caller\_identity\_arn) | The AWS ARN associated with the calling entity | | [caller\_identity\_user\_id](#output\_caller\_identity\_user\_id) | The unique identifier of the calling entity | | [iam\_account\_password\_policy\_expire\_passwords](#output\_iam\_account\_password\_policy\_expire\_passwords) | Indicates whether passwords in the account expire. Returns true if max\_password\_age contains a value greater than 0. Returns false if it is 0 or not present. | - + diff --git a/modules/iam-assumable-role-with-oidc/README.md b/modules/iam-assumable-role-with-oidc/README.md index 76ee5a35..f73c086a 100644 --- a/modules/iam-assumable-role-with-oidc/README.md +++ b/modules/iam-assumable-role-with-oidc/README.md @@ -6,7 +6,7 @@ Creates single IAM role which can be assumed by trusted resources using OpenID C This module supports IAM Roles for kubernetes service accounts as described in the [EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - + ## Requirements | Name | Version | @@ -69,4 +69,4 @@ No modules. | [iam\_role\_name](#output\_iam\_role\_name) | Name of IAM role | | [iam\_role\_path](#output\_iam\_role\_path) | Path of IAM role | | [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Unique ID of IAM role | - + diff --git a/modules/iam-assumable-role-with-saml/README.md b/modules/iam-assumable-role-with-saml/README.md index 8b101cf4..62d0fb78 100644 --- a/modules/iam-assumable-role-with-saml/README.md +++ b/modules/iam-assumable-role-with-saml/README.md @@ -5,7 +5,7 @@ Creates single IAM role which can be assumed by trusted resources using SAML Fed [Creating IAM SAML Identity Providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) [Enabling SAML 2.0 Federated Users to Access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html) - + ## Requirements | Name | Version | @@ -52,7 +52,7 @@ No modules. | [role\_permissions\_boundary\_arn](#input\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `""` | no | | [role\_policy\_arns](#input\_role\_policy\_arns) | List of ARNs of IAM policies to attach to IAM role | `list(string)` | `[]` | no | | [tags](#input\_tags) | A map of tags to add to IAM role resources | `map(string)` | `{}` | no | -| [trusted\_role\_actions](#input\_trusted\_role\_actions) | Additional role actions | `list(string)` |
[
"sts:AssumeRoleWithSAML",
"sts:TagSession"
]
| no | +| [trusted\_role\_actions](#input\_trusted\_role\_actions) | Additional role actions | `list(string)` |
[
"sts:AssumeRoleWithSAML",
"sts:TagSession"
]
| no | ## Outputs @@ -62,4 +62,4 @@ No modules. | [iam\_role\_name](#output\_iam\_role\_name) | Name of IAM role | | [iam\_role\_path](#output\_iam\_role\_path) | Path of IAM role | | [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Unique ID of IAM role | - + diff --git a/modules/iam-assumable-role/README.md b/modules/iam-assumable-role/README.md index b35a2250..e2c0828f 100644 --- a/modules/iam-assumable-role/README.md +++ b/modules/iam-assumable-role/README.md @@ -4,7 +4,7 @@ Creates single IAM role which can be assumed by trusted resources. Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns) - typically, AWS accounts and users. - + ## Requirements | Name | Version | @@ -67,10 +67,10 @@ No modules. | [role\_permissions\_boundary\_arn](#input\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `""` | no | | [role\_requires\_mfa](#input\_role\_requires\_mfa) | Whether role requires MFA | `bool` | `true` | no | | [role\_requires\_session\_name](#input\_role\_requires\_session\_name) | Determines if the role-session-name variable is needed when assuming a role(https://aws.amazon.com/blogs/security/easily-control-naming-individual-iam-role-sessions/) | `bool` | `false` | no | -| [role\_session\_name](#input\_role\_session\_name) | role\_session\_name for roles which require this parameter when being assumed. By default, you need to set your own username as role\_session\_name | `list(string)` |
[
"${aws:username}"
]
| no | +| [role\_session\_name](#input\_role\_session\_name) | role\_session\_name for roles which require this parameter when being assumed. By default, you need to set your own username as role\_session\_name | `list(string)` |
[
"${aws:username}"
]
| no | | [role\_sts\_externalid](#input\_role\_sts\_externalid) | STS ExternalId condition values to use with a role (when MFA is not required) | `any` | `[]` | no | | [tags](#input\_tags) | A map of tags to add to IAM role resources | `map(string)` | `{}` | no | -| [trusted\_role\_actions](#input\_trusted\_role\_actions) | Additional trusted role actions | `list(string)` |
[
"sts:AssumeRole",
"sts:TagSession"
]
| no | +| [trusted\_role\_actions](#input\_trusted\_role\_actions) | Additional trusted role actions | `list(string)` |
[
"sts:AssumeRole",
"sts:TagSession"
]
| no | | [trusted\_role\_arns](#input\_trusted\_role\_arns) | ARNs of AWS entities who can assume these roles | `list(string)` | `[]` | no | | [trusted\_role\_services](#input\_trusted\_role\_services) | AWS Services that can assume these roles | `list(string)` | `[]` | no | @@ -88,4 +88,4 @@ No modules. | [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Unique ID of IAM role | | [role\_requires\_mfa](#output\_role\_requires\_mfa) | Whether IAM role requires MFA | | [role\_sts\_externalid](#output\_role\_sts\_externalid) | STS ExternalId condition value to use with a role | - + diff --git a/modules/iam-assumable-roles-with-saml/README.md b/modules/iam-assumable-roles-with-saml/README.md index 4092c896..4cc0e4ea 100644 --- a/modules/iam-assumable-roles-with-saml/README.md +++ b/modules/iam-assumable-roles-with-saml/README.md @@ -6,7 +6,7 @@ Creates predefined IAM roles (admin, poweruser and readonly) which can be assume [Creating IAM SAML Identity Providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) [Enabling SAML 2.0 Federated Users to Access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html) - + ## Requirements | Name | Version | @@ -45,7 +45,7 @@ No modules. | [admin\_role\_name](#input\_admin\_role\_name) | IAM role with admin access | `string` | `"admin"` | no | | [admin\_role\_path](#input\_admin\_role\_path) | Path of admin IAM role | `string` | `"/"` | no | | [admin\_role\_permissions\_boundary\_arn](#input\_admin\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for admin role | `string` | `""` | no | -| [admin\_role\_policy\_arns](#input\_admin\_role\_policy\_arns) | List of policy ARNs to use for admin role | `list(string)` |
[
"arn:aws:iam::aws:policy/AdministratorAccess"
]
| no | +| [admin\_role\_policy\_arns](#input\_admin\_role\_policy\_arns) | List of policy ARNs to use for admin role | `list(string)` |
[
"arn:aws:iam::aws:policy/AdministratorAccess"
]
| no | | [admin\_role\_tags](#input\_admin\_role\_tags) | A map of tags to add to admin role resource. | `map(string)` | `{}` | no | | [allow\_self\_assume\_role](#input\_allow\_self\_assume\_role) | Determines whether to allow the role to be [assume itself](https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/) | `bool` | `false` | no | | [aws\_saml\_endpoint](#input\_aws\_saml\_endpoint) | AWS SAML Endpoint | `string` | `"https://signin.aws.amazon.com/saml"` | no | @@ -57,16 +57,16 @@ No modules. | [poweruser\_role\_name](#input\_poweruser\_role\_name) | IAM role with poweruser access | `string` | `"poweruser"` | no | | [poweruser\_role\_path](#input\_poweruser\_role\_path) | Path of poweruser IAM role | `string` | `"/"` | no | | [poweruser\_role\_permissions\_boundary\_arn](#input\_poweruser\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for poweruser role | `string` | `""` | no | -| [poweruser\_role\_policy\_arns](#input\_poweruser\_role\_policy\_arns) | List of policy ARNs to use for poweruser role | `list(string)` |
[
"arn:aws:iam::aws:policy/PowerUserAccess"
]
| no | +| [poweruser\_role\_policy\_arns](#input\_poweruser\_role\_policy\_arns) | List of policy ARNs to use for poweruser role | `list(string)` |
[
"arn:aws:iam::aws:policy/PowerUserAccess"
]
| no | | [poweruser\_role\_tags](#input\_poweruser\_role\_tags) | A map of tags to add to poweruser role resource. | `map(string)` | `{}` | no | | [provider\_id](#input\_provider\_id) | ID of the SAML Provider. Use provider\_ids to specify several IDs. | `string` | `""` | no | | [provider\_ids](#input\_provider\_ids) | List of SAML Provider IDs | `list(string)` | `[]` | no | | [readonly\_role\_name](#input\_readonly\_role\_name) | IAM role with readonly access | `string` | `"readonly"` | no | | [readonly\_role\_path](#input\_readonly\_role\_path) | Path of readonly IAM role | `string` | `"/"` | no | | [readonly\_role\_permissions\_boundary\_arn](#input\_readonly\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for readonly role | `string` | `""` | no | -| [readonly\_role\_policy\_arns](#input\_readonly\_role\_policy\_arns) | List of policy ARNs to use for readonly role | `list(string)` |
[
"arn:aws:iam::aws:policy/ReadOnlyAccess"
]
| no | +| [readonly\_role\_policy\_arns](#input\_readonly\_role\_policy\_arns) | List of policy ARNs to use for readonly role | `list(string)` |
[
"arn:aws:iam::aws:policy/ReadOnlyAccess"
]
| no | | [readonly\_role\_tags](#input\_readonly\_role\_tags) | A map of tags to add to readonly role resource. | `map(string)` | `{}` | no | -| [trusted\_role\_actions](#input\_trusted\_role\_actions) | Additional role actions | `list(string)` |
[
"sts:AssumeRoleWithSAML",
"sts:TagSession"
]
| no | +| [trusted\_role\_actions](#input\_trusted\_role\_actions) | Additional role actions | `list(string)` |
[
"sts:AssumeRoleWithSAML",
"sts:TagSession"
]
| no | ## Outputs @@ -84,4 +84,4 @@ No modules. | [readonly\_iam\_role\_name](#output\_readonly\_iam\_role\_name) | Name of readonly IAM role | | [readonly\_iam\_role\_path](#output\_readonly\_iam\_role\_path) | Path of readonly IAM role | | [readonly\_iam\_role\_unique\_id](#output\_readonly\_iam\_role\_unique\_id) | Unique ID of IAM role | - + diff --git a/modules/iam-assumable-roles/README.md b/modules/iam-assumable-roles/README.md index e74991af..36af68a1 100644 --- a/modules/iam-assumable-roles/README.md +++ b/modules/iam-assumable-roles/README.md @@ -4,7 +4,7 @@ Creates predefined IAM roles (admin, poweruser and readonly) which can be assume Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns) - typically, AWS accounts and users. - + ## Requirements | Name | Version | @@ -44,7 +44,7 @@ No modules. | [admin\_role\_name](#input\_admin\_role\_name) | IAM role with admin access | `string` | `"admin"` | no | | [admin\_role\_path](#input\_admin\_role\_path) | Path of admin IAM role | `string` | `"/"` | no | | [admin\_role\_permissions\_boundary\_arn](#input\_admin\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for admin role | `string` | `""` | no | -| [admin\_role\_policy\_arns](#input\_admin\_role\_policy\_arns) | List of policy ARNs to use for admin role | `list(string)` |
[
"arn:aws:iam::aws:policy/AdministratorAccess"
]
| no | +| [admin\_role\_policy\_arns](#input\_admin\_role\_policy\_arns) | List of policy ARNs to use for admin role | `list(string)` |
[
"arn:aws:iam::aws:policy/AdministratorAccess"
]
| no | | [admin\_role\_requires\_mfa](#input\_admin\_role\_requires\_mfa) | Whether admin role requires MFA | `bool` | `true` | no | | [admin\_role\_tags](#input\_admin\_role\_tags) | A map of tags to add to admin role resource. | `map(string)` | `{}` | no | | [allow\_self\_assume\_role](#input\_allow\_self\_assume\_role) | Determines whether to allow the role to be [assume itself](https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/) | `bool` | `false` | no | @@ -57,16 +57,16 @@ No modules. | [poweruser\_role\_name](#input\_poweruser\_role\_name) | IAM role with poweruser access | `string` | `"poweruser"` | no | | [poweruser\_role\_path](#input\_poweruser\_role\_path) | Path of poweruser IAM role | `string` | `"/"` | no | | [poweruser\_role\_permissions\_boundary\_arn](#input\_poweruser\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for poweruser role | `string` | `""` | no | -| [poweruser\_role\_policy\_arns](#input\_poweruser\_role\_policy\_arns) | List of policy ARNs to use for poweruser role | `list(string)` |
[
"arn:aws:iam::aws:policy/PowerUserAccess"
]
| no | +| [poweruser\_role\_policy\_arns](#input\_poweruser\_role\_policy\_arns) | List of policy ARNs to use for poweruser role | `list(string)` |
[
"arn:aws:iam::aws:policy/PowerUserAccess"
]
| no | | [poweruser\_role\_requires\_mfa](#input\_poweruser\_role\_requires\_mfa) | Whether poweruser role requires MFA | `bool` | `true` | no | | [poweruser\_role\_tags](#input\_poweruser\_role\_tags) | A map of tags to add to poweruser role resource. | `map(string)` | `{}` | no | | [readonly\_role\_name](#input\_readonly\_role\_name) | IAM role with readonly access | `string` | `"readonly"` | no | | [readonly\_role\_path](#input\_readonly\_role\_path) | Path of readonly IAM role | `string` | `"/"` | no | | [readonly\_role\_permissions\_boundary\_arn](#input\_readonly\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for readonly role | `string` | `""` | no | -| [readonly\_role\_policy\_arns](#input\_readonly\_role\_policy\_arns) | List of policy ARNs to use for readonly role | `list(string)` |
[
"arn:aws:iam::aws:policy/ReadOnlyAccess"
]
| no | +| [readonly\_role\_policy\_arns](#input\_readonly\_role\_policy\_arns) | List of policy ARNs to use for readonly role | `list(string)` |
[
"arn:aws:iam::aws:policy/ReadOnlyAccess"
]
| no | | [readonly\_role\_requires\_mfa](#input\_readonly\_role\_requires\_mfa) | Whether readonly role requires MFA | `bool` | `true` | no | | [readonly\_role\_tags](#input\_readonly\_role\_tags) | A map of tags to add to readonly role resource. | `map(string)` | `{}` | no | -| [trusted\_role\_actions](#input\_trusted\_role\_actions) | Additional trusted role actions | `list(string)` |
[
"sts:AssumeRole",
"sts:TagSession"
]
| no | +| [trusted\_role\_actions](#input\_trusted\_role\_actions) | Additional trusted role actions | `list(string)` |
[
"sts:AssumeRole",
"sts:TagSession"
]
| no | | [trusted\_role\_arns](#input\_trusted\_role\_arns) | ARNs of AWS entities who can assume these roles | `list(string)` | `[]` | no | | [trusted\_role\_services](#input\_trusted\_role\_services) | AWS Services that can assume these roles | `list(string)` | `[]` | no | @@ -89,4 +89,4 @@ No modules. | [readonly\_iam\_role\_path](#output\_readonly\_iam\_role\_path) | Path of readonly IAM role | | [readonly\_iam\_role\_requires\_mfa](#output\_readonly\_iam\_role\_requires\_mfa) | Whether readonly IAM role requires MFA | | [readonly\_iam\_role\_unique\_id](#output\_readonly\_iam\_role\_unique\_id) | Unique ID of IAM role | - + diff --git a/modules/iam-eks-role/README.md b/modules/iam-eks-role/README.md index 691b0d7a..0d46f8f0 100644 --- a/modules/iam-eks-role/README.md +++ b/modules/iam-eks-role/README.md @@ -74,7 +74,7 @@ module "iam_eks_role" { } ``` - + ## Requirements | Name | Version | @@ -129,4 +129,4 @@ No modules. | [iam\_role\_name](#output\_iam\_role\_name) | Name of IAM role | | [iam\_role\_path](#output\_iam\_role\_path) | Path of IAM role | | [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Unique ID of IAM role | - + diff --git a/modules/iam-github-oidc-provider/README.md b/modules/iam-github-oidc-provider/README.md index 1cd7f955..0a2244e6 100644 --- a/modules/iam-github-oidc-provider/README.md +++ b/modules/iam-github-oidc-provider/README.md @@ -16,7 +16,7 @@ module "iam_github_oidc_provider" { } ``` - + ## Requirements | Name | Version | @@ -48,7 +48,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [additional\_thumbprints](#input\_additional\_thumbprints) | List of additional thumbprints to add to the thumbprint list. | `list(string)` |
[
"6938fd4d98bab03faadb97b34396831e3780aea1",
"1c58a3a8518e8759bf075b76b750d4f2df264fcd"
]
| no | +| [additional\_thumbprints](#input\_additional\_thumbprints) | List of additional thumbprints to add to the thumbprint list. | `list(string)` |
[
"6938fd4d98bab03faadb97b34396831e3780aea1",
"1c58a3a8518e8759bf075b76b750d4f2df264fcd"
]
| no | | [client\_id\_list](#input\_client\_id\_list) | List of client IDs (also known as audiences) for the IAM OIDC provider. Defaults to STS service if not values are provided | `list(string)` | `[]` | no | | [create](#input\_create) | Controls if resources should be created (affects all resources) | `bool` | `true` | no | | [tags](#input\_tags) | A map of tags to add to the resources created | `map(any)` | `{}` | no | @@ -60,4 +60,4 @@ No modules. |------|-------------| | [arn](#output\_arn) | The ARN assigned by AWS for this provider | | [url](#output\_url) | The URL of the identity provider. Corresponds to the iss claim | - + diff --git a/modules/iam-github-oidc-role/README.md b/modules/iam-github-oidc-role/README.md index c09a69fd..e024f0b2 100644 --- a/modules/iam-github-oidc-role/README.md +++ b/modules/iam-github-oidc-role/README.md @@ -50,7 +50,7 @@ module "iam_github_oidc_role" { } } ``` - + ## Requirements | Name | Version | @@ -104,4 +104,4 @@ No modules. | [name](#output\_name) | Name of IAM role | | [path](#output\_path) | Path of IAM role | | [unique\_id](#output\_unique\_id) | Unique ID of IAM role | - + diff --git a/modules/iam-group-with-assumable-roles-policy/README.md b/modules/iam-group-with-assumable-roles-policy/README.md index f6f05dfc..a9b0db90 100644 --- a/modules/iam-group-with-assumable-roles-policy/README.md +++ b/modules/iam-group-with-assumable-roles-policy/README.md @@ -2,7 +2,7 @@ Creates IAM group with users who are allowed to assume IAM roles. This is typically done in resource AWS account where IAM users can jump into from IAM AWS account. - + ## Requirements | Name | Version | @@ -50,4 +50,4 @@ No modules. | [group\_name](#output\_group\_name) | IAM group name | | [group\_users](#output\_group\_users) | List of IAM users in IAM group | | [policy\_arn](#output\_policy\_arn) | Assume role policy ARN of IAM group | - + diff --git a/modules/iam-group-with-policies/README.md b/modules/iam-group-with-policies/README.md index 86cbb79c..ea63516c 100644 --- a/modules/iam-group-with-policies/README.md +++ b/modules/iam-group-with-policies/README.md @@ -2,7 +2,7 @@ Creates IAM group with specified IAM policies, and add users into a group. - + ## Requirements | Name | Version | @@ -59,4 +59,4 @@ No modules. | [group\_arn](#output\_group\_arn) | IAM group arn | | [group\_name](#output\_group\_name) | IAM group name | | [group\_users](#output\_group\_users) | List of IAM users in IAM group | - + diff --git a/modules/iam-policy/README.md b/modules/iam-policy/README.md index 6bbbc092..03abb122 100644 --- a/modules/iam-policy/README.md +++ b/modules/iam-policy/README.md @@ -2,7 +2,7 @@ Creates IAM policy. - + ## Requirements | Name | Version | @@ -48,4 +48,4 @@ No modules. | [name](#output\_name) | The name of the policy | | [path](#output\_path) | The path of the policy in IAM | | [policy](#output\_policy) | The policy document | - + diff --git a/modules/iam-read-only-policy/README.md b/modules/iam-read-only-policy/README.md index 11146d18..2faeccce 100644 --- a/modules/iam-read-only-policy/README.md +++ b/modules/iam-read-only-policy/README.md @@ -3,7 +3,7 @@ Creates IAM read-only policy for specified services. Default AWS read-only policies (arn:aws:iam::aws:policy/job-function/ViewOnlyAccess, arn:aws:iam::aws:policy/ReadOnlyAccess), being a one-size-fits-all type of policies, have a lot of things missing as well as something that you might not need. Also, AWS default policies are known for having [security issues](https://securityboulevard.com/2020/12/the-aws-managed-policies-trap/) Thus this module is an attempt to build a better base for a customizable usable read-only policy. - + ## Requirements | Name | Version | @@ -47,7 +47,7 @@ No modules. | [name\_prefix](#input\_name\_prefix) | IAM policy name prefix | `string` | `null` | no | | [path](#input\_path) | The path of the policy in IAM | `string` | `"/"` | no | | [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no | -| [web\_console\_services](#input\_web\_console\_services) | List of web console services to allow | `list(string)` |
[
"resource-groups",
"tag",
"health",
"ce"
]
| no | +| [web\_console\_services](#input\_web\_console\_services) | List of web console services to allow | `list(string)` |
[
"resource-groups",
"tag",
"health",
"ce"
]
| no | ## Outputs @@ -60,4 +60,4 @@ No modules. | [path](#output\_path) | The path of the policy in IAM | | [policy](#output\_policy) | The policy document | | [policy\_json](#output\_policy\_json) | Policy document as json. Useful if you need document but do not want to create IAM policy itself. For example for SSO Permission Set inline policies | - + diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md index b335f311..dd310b09 100644 --- a/modules/iam-role-for-service-accounts-eks/README.md +++ b/modules/iam-role-for-service-accounts-eks/README.md @@ -100,7 +100,7 @@ module "eks" { } ``` - + ## Requirements | Name | Version | @@ -189,7 +189,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [allow\_self\_assume\_role](#input\_allow\_self\_assume\_role) | Determines whether to allow the role to be [assume itself](https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/) | `bool` | `false` | no | -| [amazon\_managed\_service\_prometheus\_workspace\_arns](#input\_amazon\_managed\_service\_prometheus\_workspace\_arns) | List of AMP Workspace ARNs to read and write metrics | `list(string)` |
[
"*"
]
| no | +| [amazon\_managed\_service\_prometheus\_workspace\_arns](#input\_amazon\_managed\_service\_prometheus\_workspace\_arns) | List of AMP Workspace ARNs to read and write metrics | `list(string)` |
[
"*"
]
| no | | [assume\_role\_condition\_test](#input\_assume\_role\_condition\_test) | Name of the [IAM condition operator](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) to evaluate when assuming the role | `string` | `"StringEquals"` | no | | [attach\_amazon\_managed\_service\_prometheus\_policy](#input\_attach\_amazon\_managed\_service\_prometheus\_policy) | Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role | `bool` | `false` | no | | [attach\_appmesh\_controller\_policy](#input\_attach\_appmesh\_controller\_policy) | Determines whether to attach the Appmesh Controller policy to the role | `bool` | `false` | no | @@ -210,32 +210,32 @@ No modules. | [attach\_node\_termination\_handler\_policy](#input\_attach\_node\_termination\_handler\_policy) | Determines whether to attach the Node Termination Handler policy to the role | `bool` | `false` | no | | [attach\_velero\_policy](#input\_attach\_velero\_policy) | Determines whether to attach the Velero IAM policy to the role | `bool` | `false` | no | | [attach\_vpc\_cni\_policy](#input\_attach\_vpc\_cni\_policy) | Determines whether to attach the VPC CNI IAM policy to the role | `bool` | `false` | no | -| [cert\_manager\_hosted\_zone\_arns](#input\_cert\_manager\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow Cert manager to manage records | `list(string)` |
[
"arn:aws:route53:::hostedzone/*"
]
| no | +| [cert\_manager\_hosted\_zone\_arns](#input\_cert\_manager\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow Cert manager to manage records | `list(string)` |
[
"arn:aws:route53:::hostedzone/*"
]
| no | | [cluster\_autoscaler\_cluster\_ids](#input\_cluster\_autoscaler\_cluster\_ids) | [Deprecated - use `cluster_autoscaler_cluster_names`] List of cluster names to appropriately scope permissions within the Cluster Autoscaler IAM policy | `list(string)` | `[]` | no | | [cluster\_autoscaler\_cluster\_names](#input\_cluster\_autoscaler\_cluster\_names) | List of cluster names to appropriately scope permissions within the Cluster Autoscaler IAM policy | `list(string)` | `[]` | no | | [create\_role](#input\_create\_role) | Whether to create a role | `bool` | `true` | no | | [ebs\_csi\_kms\_cmk\_ids](#input\_ebs\_csi\_kms\_cmk\_ids) | KMS CMK IDs to allow EBS CSI to manage encrypted volumes | `list(string)` | `[]` | no | | [enable\_karpenter\_instance\_profile\_creation](#input\_enable\_karpenter\_instance\_profile\_creation) | Determines whether Karpenter will be allowed to create the IAM instance profile (v1beta1/v0.32+) | `bool` | `false` | no | -| [external\_dns\_hosted\_zone\_arns](#input\_external\_dns\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow External DNS to manage records | `list(string)` |
[
"arn:aws:route53:::hostedzone/*"
]
| no | -| [external\_secrets\_kms\_key\_arns](#input\_external\_secrets\_kms\_key\_arns) | List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets | `list(string)` |
[
"arn:aws:kms:*:*:key/*"
]
| no | -| [external\_secrets\_secrets\_manager\_arns](#input\_external\_secrets\_secrets\_manager\_arns) | List of Secrets Manager ARNs that contain secrets to mount using External Secrets | `list(string)` |
[
"arn:aws:secretsmanager:*:*:secret:*"
]
| no | +| [external\_dns\_hosted\_zone\_arns](#input\_external\_dns\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow External DNS to manage records | `list(string)` |
[
"arn:aws:route53:::hostedzone/*"
]
| no | +| [external\_secrets\_kms\_key\_arns](#input\_external\_secrets\_kms\_key\_arns) | List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets | `list(string)` |
[
"arn:aws:kms:*:*:key/*"
]
| no | +| [external\_secrets\_secrets\_manager\_arns](#input\_external\_secrets\_secrets\_manager\_arns) | List of Secrets Manager ARNs that contain secrets to mount using External Secrets | `list(string)` |
[
"arn:aws:secretsmanager:*:*:secret:*"
]
| no | | [external\_secrets\_secrets\_manager\_create\_permission](#input\_external\_secrets\_secrets\_manager\_create\_permission) | Determins whether External Secrets may use secretsmanager:CreateSecret | `bool` | `false` | no | -| [external\_secrets\_ssm\_parameter\_arns](#input\_external\_secrets\_ssm\_parameter\_arns) | List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets | `list(string)` |
[
"arn:aws:ssm:*:*:parameter/*"
]
| no | +| [external\_secrets\_ssm\_parameter\_arns](#input\_external\_secrets\_ssm\_parameter\_arns) | List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets | `list(string)` |
[
"arn:aws:ssm:*:*:parameter/*"
]
| no | | [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `true` | no | -| [fsx\_lustre\_csi\_service\_role\_arns](#input\_fsx\_lustre\_csi\_service\_role\_arns) | Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles | `list(string)` |
[
"arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*"
]
| no | +| [fsx\_lustre\_csi\_service\_role\_arns](#input\_fsx\_lustre\_csi\_service\_role\_arns) | Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles | `list(string)` |
[
"arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*"
]
| no | | [karpenter\_controller\_cluster\_id](#input\_karpenter\_controller\_cluster\_id) | [Deprecated - use `karpenter_controller_cluster_name`] The name of the cluster where the Karpenter controller is provisioned/managing | `string` | `"*"` | no | | [karpenter\_controller\_cluster\_name](#input\_karpenter\_controller\_cluster\_name) | The name of the cluster where the Karpenter controller is provisioned/managing | `string` | `"*"` | no | -| [karpenter\_controller\_node\_iam\_role\_arns](#input\_karpenter\_controller\_node\_iam\_role\_arns) | List of node IAM role ARNs Karpenter can use to launch nodes | `list(string)` |
[
"*"
]
| no | -| [karpenter\_controller\_ssm\_parameter\_arns](#input\_karpenter\_controller\_ssm\_parameter\_arns) | List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter | `list(string)` |
[
"arn:aws:ssm:*:*:parameter/aws/service/*"
]
| no | +| [karpenter\_controller\_node\_iam\_role\_arns](#input\_karpenter\_controller\_node\_iam\_role\_arns) | List of node IAM role ARNs Karpenter can use to launch nodes | `list(string)` |
[
"*"
]
| no | +| [karpenter\_controller\_ssm\_parameter\_arns](#input\_karpenter\_controller\_ssm\_parameter\_arns) | List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter | `list(string)` |
[
"arn:aws:ssm:*:*:parameter/aws/service/*"
]
| no | | [karpenter\_sqs\_queue\_arn](#input\_karpenter\_sqs\_queue\_arn) | (Optional) ARN of SQS used by Karpenter when native node termination handling is enabled | `string` | `null` | no | | [karpenter\_subnet\_account\_id](#input\_karpenter\_subnet\_account\_id) | Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account | `string` | `""` | no | | [karpenter\_tag\_key](#input\_karpenter\_tag\_key) | Tag key (`{key = value}`) applied to resources launched by Karpenter through the Karpenter provisioner | `string` | `"karpenter.sh/discovery"` | no | -| [load\_balancer\_controller\_targetgroup\_arns](#input\_load\_balancer\_controller\_targetgroup\_arns) | List of Target groups ARNs using Load Balancer Controller | `list(string)` |
[
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
]
| no | +| [load\_balancer\_controller\_targetgroup\_arns](#input\_load\_balancer\_controller\_targetgroup\_arns) | List of Target groups ARNs using Load Balancer Controller | `list(string)` |
[
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
]
| no | | [max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `null` | no | | [mountpoint\_s3\_csi\_bucket\_arns](#input\_mountpoint\_s3\_csi\_bucket\_arns) | S3 bucket ARNs to allow Mountpoint S3 CSI to list buckets | `list(string)` | `[]` | no | | [mountpoint\_s3\_csi\_kms\_arns](#input\_mountpoint\_s3\_csi\_kms\_arns) | KMS Key ARNs to allow Mountpoint S3 CSI driver to download and upload Objects of a S3 bucket using `aws:kms` SSE | `list(string)` | `[]` | no | | [mountpoint\_s3\_csi\_path\_arns](#input\_mountpoint\_s3\_csi\_path\_arns) | S3 path ARNs to allow Mountpoint S3 CSI driver to manage items at the provided path(s). This is required if `attach_mountpoint_s3_csi_policy = true` | `list(string)` | `[]` | no | -| [node\_termination\_handler\_sqs\_queue\_arns](#input\_node\_termination\_handler\_sqs\_queue\_arns) | List of SQS ARNs that contain node termination events | `list(string)` |
[
"*"
]
| no | +| [node\_termination\_handler\_sqs\_queue\_arns](#input\_node\_termination\_handler\_sqs\_queue\_arns) | List of SQS ARNs that contain node termination events | `list(string)` |
[
"*"
]
| no | | [oidc\_providers](#input\_oidc\_providers) | Map of OIDC providers where each provider map should contain the `provider_arn` and `namespace_service_accounts` | `any` | `{}` | no | | [policy\_name\_prefix](#input\_policy\_name\_prefix) | IAM policy name prefix | `string` | `"AmazonEKS_"` | no | | [role\_description](#input\_role\_description) | IAM Role description | `string` | `null` | no | @@ -245,7 +245,7 @@ No modules. | [role\_permissions\_boundary\_arn](#input\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `null` | no | | [role\_policy\_arns](#input\_role\_policy\_arns) | ARNs of any policies to attach to the IAM role | `map(string)` | `{}` | no | | [tags](#input\_tags) | A map of tags to add the the IAM role | `map(any)` | `{}` | no | -| [velero\_s3\_bucket\_arns](#input\_velero\_s3\_bucket\_arns) | List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources | `list(string)` |
[
"*"
]
| no | +| [velero\_s3\_bucket\_arns](#input\_velero\_s3\_bucket\_arns) | List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources | `list(string)` |
[
"*"
]
| no | | [vpc\_cni\_enable\_cloudwatch\_logs](#input\_vpc\_cni\_enable\_cloudwatch\_logs) | Determines whether to enable VPC CNI permission to create CloudWatch Log groups and publish network policy events | `bool` | `false` | no | | [vpc\_cni\_enable\_ipv4](#input\_vpc\_cni\_enable\_ipv4) | Determines whether to enable IPv4 permissions for VPC CNI policy | `bool` | `false` | no | | [vpc\_cni\_enable\_ipv6](#input\_vpc\_cni\_enable\_ipv6) | Determines whether to enable IPv6 permissions for VPC CNI policy | `bool` | `false` | no | @@ -258,4 +258,4 @@ No modules. | [iam\_role\_name](#output\_iam\_role\_name) | Name of IAM role | | [iam\_role\_path](#output\_iam\_role\_path) | Path of IAM role | | [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Unique ID of IAM role | - + diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf index a84c8c9e..b710efd2 100644 --- a/modules/iam-role-for-service-accounts-eks/policies.tf +++ b/modules/iam-role-for-service-accounts-eks/policies.tf @@ -1402,6 +1402,7 @@ data "aws_iam_policy_document" "velero" { "s3:GetObject", "s3:DeleteObject", "s3:PutObject", + "s3:PutObjectTagging", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts", ] diff --git a/modules/iam-user/README.md b/modules/iam-user/README.md index f3631573..16931a5f 100644 --- a/modules/iam-user/README.md +++ b/modules/iam-user/README.md @@ -20,7 +20,7 @@ This module outputs commands and PGP messages which can be decrypted either usin - `keybase_secret_key_pgp_message` - `keybase_ses_smtp_password_v4_pgp_message` - + ## Requirements | Name | Version | @@ -97,4 +97,4 @@ No modules. | [keybase\_ses\_smtp\_password\_v4\_pgp\_message](#output\_keybase\_ses\_smtp\_password\_v4\_pgp\_message) | Encrypted SES SMTP password | | [pgp\_key](#output\_pgp\_key) | PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted) | | [policy\_arns](#output\_policy\_arns) | The list of ARNs of policies directly assigned to the IAM user | - +