stacklet/terraform-aws-onboarding-account

Terraform module for AWS accounts onboarding into Stacklet

This module creates the IAM roles and other resources that Stacklet needs in order to operate on an AWS account.

To use this module:

```hcl
module "account" {
  source  = "stacklet/onboarding-account/aws"
  version = "0.1.0"

  resource_prefix = "<PREFIX>"
  regions         = ["<REGION-1>", "<REGION-2>"]

  stacklet_external_id        = "<EXTERNAL_ID>"
  stacklet_assetdb_role_arn   = "<ASSETDB_ROLE_ARN>"
  stacklet_execution_role_arn = "<EXECUTION_ROLE_ARN>"
}
```

where the values for the stacklet_-prefixed variables are provided by Stacklet.
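The minimal call above only sets the required inputs. The following is an added example (not from the module's README) that also uses the optional inputs listed under Inputs: a non-root iam_path, the target event bus name, and one execution_extra_roles entry that layers a narrow set of write actions on top of the module's default read-only permissions. It then exposes the module's outputs so the role ARNs can be handed back to Stacklet. The region names, the "acme-stacklet" prefix, the role names and the IAM actions are constructed for illustration; the <...> values are placeholders for what Stacklet provides.

```hcl
# Added example, not the module's own code. All <...> values, the prefix,
# the region list and the extra role names are constructed placeholders.

terraform {
  required_version = ">= 1"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 6.2"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

module "account" {
  source  = "stacklet/onboarding-account/aws"
  version = "0.1.0"

  resource_prefix = "acme-stacklet"
  regions         = ["us-east-1", "us-west-2"]

  # Keep the module's roles under a dedicated IAM path so they are easy to
  # find in audits; the value must carry leading and trailing slashes.
  iam_path = "/stacklet/"

  # Values issued by Stacklet for this deployment (placeholders here).
  stacklet_external_id           = "<EXTERNAL_ID>"
  stacklet_assetdb_role_arn      = "<ASSETDB_ROLE_ARN>"
  stacklet_execution_role_arn    = "<EXECUTION_ROLE_ARN>"
  stacklet_target_event_bus_name = "<TARGET_EVENT_BUS_NAME>"

  # Map of role name (the module prepends resource_prefix) to the IAM actions
  # granted in addition to the default read-only permissions. Keep each list
  # to the minimum the corresponding policies need; these actions are
  # illustrative, not a recommendation for any particular workload.
  execution_extra_roles = {
    "s3-remediation" = [
      "s3:PutBucketPublicAccessBlock",
      "s3:PutEncryptionConfiguration",
    ]
    "tagging" = [
      "ec2:CreateTags",
    ]
  }
}

# Surface the created role ARNs so they can be recorded and shared with Stacklet.
output "stacklet_roles" {
  value = {
    discover        = module.account.discover_role
    execution       = module.account.execution_role
    execution_extra = module.account.execution_extra_roles
    forward         = module.account.forward_role
  }
}
```

Run terraform init followed by terraform plan and review the inline policies attached to the execution_extra roles in the plan output before applying: each extra role should carry only the actions listed for it, on top of the read-only access the module grants by default.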

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1 |
| aws | ~> 6.2 |

Providers

| Name | Version |
|------|---------|
| aws | 6.2.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_event_rule.forward | resource |
| aws_cloudwatch_event_target.forward | resource |
| aws_iam_policy.forward | resource |
| aws_iam_role.discover | resource |
| aws_iam_role.execution | resource |
| aws_iam_role.execution_extra | resource |
| aws_iam_role.forward | resource |
| aws_iam_role_policy.discover_describe_augments | resource |
| aws_iam_role_policy.execution_describe_augments | resource |
| aws_iam_role_policy.execution_extra | resource |
| aws_iam_role_policy.execution_extra_describe_augments | resource |
| aws_iam_role_policy_attachment.forward | resource |
| aws_iam_role_policy_attachments_exclusive.discover | resource |
| aws_iam_role_policy_attachments_exclusive.execution | resource |
| aws_iam_role_policy_attachments_exclusive.execution_extra | resource |
| aws_arn.stacklet_assetdb_role_arn | data source |
| aws_caller_identity.current | data source |
| aws_iam_policy.readonly_access | data source |
| aws_iam_policy_document.describe_augments | data source |
| aws_iam_policy_document.discover_assume | data source |
| aws_iam_policy_document.execution_assume | data source |
| aws_iam_policy_document.execution_extra | data source |
| aws_iam_policy_document.forward | data source |
| aws_iam_policy_document.forward_assume | data source |
| aws_partition.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| execution_extra_roles | Additional roles to grant to Stacklet for policy execution. If provided, this must be a map from the role name (which gets the prefix prepended) to a list of permissions to grant to the role in addition to the default read-only permissions. | map(list(string)) | {} | no |
| iam_path | A path for created IAM roles. If set, it must include leading and trailing slashes. | string | "/" | no |
| regions | Regions in which resources should be created. | list(string) | n/a | yes |
| resource_prefix | An arbitrary prefix prepended to names of created resources. | string | n/a | yes |
| stacklet_assetdb_role_arn | ARN for the role used by AssetDB. Provided by Stacklet. | string | n/a | yes |
| stacklet_execution_role_arn | ARN for the role used by policy Execution. Provided by Stacklet. | string | n/a | yes |
| stacklet_external_id | ID of the Stacklet deployment, used to restrict what can assume the roles. Provided by Stacklet. | string | n/a | yes |
| stacklet_target_event_bus_name | Target event bus for event forwarding. Provided by Stacklet. | string | "default" | no |

Outputs

| Name | Description |
|------|-------------|
| discover_role | ARN for the resource-discovery role assumed by Stacklet AssetDB. |
| execution_extra_roles | ARNs for extra policy-execution roles assumed by Stacklet Execution. |
| execution_role | ARN for the default policy-execution role assumed by Stacklet Execution. |
| forward_role | ARN for the role used to forward cloud events to Stacklet. |
