initial commit

2026-02-13 15:44:24 +08:00
parent 66be8224f4
commit 09ce4c881a
570 changed files with 61807 additions and 0 deletions
@@ -0,0 +1,12 @@
+BSD Zero Clause License
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
@@ -0,0 +1,52 @@
+<!-- This readme file is generated with terraform-docs -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 1.3.0 |
+| aws | ~> 5.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | ~> 5.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_instance_profile.ip](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
+| [aws_iam_policy.p](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.r](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.pa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| create-instance-profile | Determines whether instance profile will be created | `bool` | `false` | no |
+| description | Description of IAM role | `string` | n/a | yes |
+| max-session-duration | Max session duration in seconds | `number` | `3600` | no |
+| path | Path of IAM role. Defaults to /Customer/ | `string` | `"/Customer/"` | no |
+| policies | Map of policies to be created and attached | <pre>map(<br>    object(<br>      {<br>        description = string<br>        policy      = string<br>      }<br>    )<br>  )</pre> | `{}` | no |
+| role-name | Name of IAM role | `string` | n/a | yes |
+| tags | Tags additional to default tags | `map(string)` | `{}` | no |
+| trusted-entity | AWS service allowed to assume this role or a full assume role policy | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| instance-profile-arn | ARN of IAM instance profile |
+| name | Name of IAM role |
+| profile-name | Name of IAM instance profile |
+| role-arn | IAM role ARN |
+ 
+---
+## Authorship
+This module was developed by xpk.
@@ -0,0 +1,50 @@
+# Assume role policy can be provided as-is, or built using the trusted-entity variable
+locals {
+  assume-role-policy = endswith(var.trusted-entity, ".com") ? jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Effect" : "Allow",
+          "Principal" : {
+            "Service" : [
+              var.trusted-entity
+            ]
+          },
+          "Action" : "sts:AssumeRole"
+        }
+      ]
+    }
+  ) : var.trusted-entity
+}
+
+resource "aws_iam_instance_profile" "ip" {
+  count = var.create-instance-profile ? 1 : 0
+  name  = "${var.role-name}-profile"
+  role  = aws_iam_role.r.name
+  path  = var.path
+}
+
+resource "aws_iam_role" "r" {
+  name                  = var.role-name
+  description           = var.description
+  assume_role_policy    = local.assume-role-policy
+  force_detach_policies = true
+  path                  = var.path
+  max_session_duration  = var.max-session-duration
+  tags                  = var.tags
+}
+
+resource "aws_iam_policy" "p" {
+  for_each    = var.policies
+  description = each.value.description
+  name        = each.key
+  policy      = each.value.policy
+  tags        = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "pa" {
+  for_each   = aws_iam_policy.p
+  role       = aws_iam_role.r.name
+  policy_arn = each.value.arn
+}
@@ -0,0 +1,19 @@
+output "profile-name" {
+  description = "Name of IAM instance profile"
+  value       = aws_iam_instance_profile.ip[*].name
+}
+
+output "role-arn" {
+  description = "IAM role ARN"
+  value       = aws_iam_role.r.arn
+}
+
+output "name" {
+  description = "Name of IAM role"
+  value       = aws_iam_role.r.name
+}
+
+output "instance-profile-arn" {
+  description = "ARN of IAM instance profile"
+  value       = aws_iam_instance_profile.ip.*.arn
+}
@@ -0,0 +1,51 @@
+variable "create-instance-profile" {
+  description = "Determines whether instance profile will be created"
+  type        = bool
+  default     = false
+}
+
+variable "description" {
+  description = "Description of IAM role"
+  type        = string
+}
+
+variable "policies" {
+  description = "Map of policies to be created and attached"
+  type = map(
+    object(
+      {
+        description = string
+        policy      = string
+      }
+    )
+  )
+  default = {}
+}
+
+variable "role-name" {
+  description = "Name of IAM role"
+  type        = string
+}
+
+variable "path" {
+  description = "Path of IAM role. Defaults to /Customer/"
+  type        = string
+  default     = "/Customer/"
+}
+
+variable "trusted-entity" {
+  description = "AWS service allowed to assume this role or a full assume role policy"
+  type        = string
+}
+
+variable "max-session-duration" {
+  description = "Max session duration in seconds"
+  type        = number
+  default     = 3600
+}
+
+variable "tags" {
+  description = "Tags additional to default tags"
+  type        = map(string)
+  default     = {}
+}