Terraform module to provision IAM Role and Policy resources across an AWS Organization using CloudFormation StackSets.
Important
The module uses a CloudFormation template to deploy the resources, so other type of resources can be deployed. However, the module is intended for IAM, as it will not include other features needed for other resources, such as the option to select multiple regions.
Create a CloudFormation template with your desired IAM Role and Policies. Define all your variables as template parameters. You can see an example of a template file here.
data "aws_caller_identity" "this" {}
data "aws_organizations_organization" "this" {}
module "organization_iam_role" {
source = "unicrons/organization-iam-role/aws"
stack_set_name = "example"
stack_set_description = "example"
template_path = "${path.root}/example/role.yaml"
template_parameters = {
RoleName = "example-organization-role"
PolicyName = "example-organization-policy"
TrustedAccount = data.aws_caller_identity.this.id
TrustedRole = "arn:aws:iam::012345678912:role/my-source-role"
}
organizational_unit_ids = [ data.aws_organizations_organization.this.roots[0].id ]
}
| Name | Version |
|---|---|
| terraform | >= 1.0 |
| aws | >= 5.67 |
| Name | Version |
|---|---|
| aws | >= 5.67 |
No modules.
| Name | Type |
|---|---|
| aws_cloudformation_stack_instances.this | resource |
| aws_cloudformation_stack_set.this | resource |
| aws_caller_identity.this | data source |
| aws_organizations_organization.this | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| stack_set_description | CloudFormation StackSet description. | string |
n/a | yes |
| stack_set_name | CloudFormation StackSet name. | string |
n/a | yes |
| template_path | String containing the path of the CloudFormation template file. | string |
n/a | yes |
| account_filter_type | Limit deployment targets to individual accounts or include additional accounts with provided OUs. | string |
null |
no |
| accounts | List of accounts to deploy stack set updates. | list(string) |
null |
no |
| auto_deployment | Enable StackSet automatic deployment for new Organization Accounts. | bool |
true |
no |
| concurrency_mode | CloudFormation StackSet concurrency level during operations. | string |
null |
no |
| failure_tolerance_count | Number of accounts, per region, for which this operation can fail before CloudFormation stops the operation in that region. | number |
null |
no |
| failure_tolerance_percentage | Percentage of accounts, per region, for which this stack operation can fail before CloudFormation stops the operation in that region. | number |
null |
no |
| managed_execution | Allow CloudFormation StackSets operations in parallel. | bool |
true |
no |
| max_concurrent_count | Maximum number of accounts in which to perform this operation at one time. | number |
null |
no |
| max_concurrent_percentage | Maximum percentage of accounts in which to perform this operation at one time. | number |
null |
no |
| organizational_unit_ids | Organization root ID or organizational unit (OU) IDs to which StackSets deploys. | list(string) |
[] |
no |
| retain_stacks | Whether or not to retain stacks when the account is removed. | bool |
true |
no |
| template_parameters | Key-value map of input parameters for the StackSet template. | map(string) |
{} |
no |
| Name | Description |
|---|---|
| stack_instance_summaries | List of stack instances created from an organizational unit deployment target. |
| stack_set_arn | CloudFormation StackSet ARN. |
| stack_set_id | CloudFormation StackSet Id. |
| stack_set_name | CloudFormation StackSet name. |