
Lucid AWS Import Role Module

Deploy this module in every AWS account you want Lucid to import from. It creates the IAM role and policy that Lucid (directly, or via your bastion account) assumes to read the account.

For Non-Org Level Imports

This module creates an IAM role that can be assumed by Lucid's proxy AWS import account, creates the IAM policy required for Lucid AWS imports, and attaches it to the role. The role's trust relationship is scoped to the proxy account and to the Lucid-generated external ID (see the external_id input); the external ID is AWS's standard mitigation for the confused-deputy problem in cross-account access, since without it any other party who knew your role ARN could ask the proxy account to assume it on their behalf. Lucid's proxy account can then assume the role in this member account and run imports.

For Org Level Imports

This module creates an IAM role that can be assumed by the bastion account (the account in your organization that holds the bastion import role), creates the IAM policy required for Lucid AWS imports, and attaches it to the role. The bastion account can then assume the role in this account and run imports. No external ID is set on this role; for org imports it is configured on the bastion import role instead.
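The trust-policy side of the two cases above, as an added example that is not part of this module and not its HCL: the README does not show the policy the module renders, so the shape used here (account-root principal plus an sts:ExternalId StringEquals condition for the non-org case) is the standard AWS cross-account pattern and is an assumption. The proxy account IDs are the ones quoted in the Inputs table; the `aws iam get-role` document at the bottom is constructed to show a badly scoped role. The check function is the post-apply verification a reviewer would run: it flags any AssumeRole grant that trusts a principal other than the expected account or, for a non-org role, lacks an external-ID condition.

```python
"""Construct and check the cross-account trust policy for a Lucid import role.

Added example, not part of the import-role module. The policy shape below is
an assumption (standard AWS pattern), not the module's actual rendered HCL.
"""
import json

# Lucid proxy account IDs as listed in the README's Inputs table.
LUCID_PROXY_ACCOUNT_COMMERCIAL = "799803075172"
LUCID_PROXY_ACCOUNT_GOVCLOUD = "239369393023"


def build_trust_policy(assume_role_account_id, external_id=None, partition="aws"):
    """Return the trust (assume-role) policy document for the import role.

    Non-org import: pass the Lucid-generated external_id so the statement
    carries an sts:ExternalId condition. Org import: pass no external_id; the
    condition lives on the bastion import role instead. GovCloud principals
    use the "aws-us-gov" partition in the ARN.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:{partition}:iam::{assume_role_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _principal_accounts(principal):
    """Normalise a Principal element to a list of account IDs (or "*")."""
    if principal == "*":
        return ["*"]
    values = principal.get("AWS", []) if isinstance(principal, dict) else principal
    if isinstance(values, str):
        values = [values]
    accounts = []
    for value in values:
        if value.startswith("arn:"):
            accounts.append(value.split(":")[4])  # arn:partition:iam::ACCOUNT:root
        else:
            accounts.append(value)  # "*" or a bare 12-digit account ID
    return accounts


def check_trust_policy(policy, expected_account_id, require_external_id=True):
    """Return findings for every sts:AssumeRole grant wider than intended.

    An empty list means every Allow statement trusts only expected_account_id
    and (when require_external_id is set, i.e. non-org) requires an external ID.
    """
    findings = []
    grants = 0
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        grants += 1
        for account in _principal_accounts(st.get("Principal", {})):
            if account != expected_account_id:
                findings.append(
                    f"principal {account!r} is not the expected account {expected_account_id}")
        condition = st.get("Condition", {}).get("StringEquals", {})
        if require_external_id and not condition.get("sts:ExternalId"):
            findings.append(
                "sts:AssumeRole grant has no sts:ExternalId condition (confused-deputy risk)")
    if grants == 0:
        findings.append("no Allow sts:AssumeRole statement found")
    return findings


# Constructed sample shaped like `aws iam get-role --role-name lucid_import`
# output for a badly scoped role: wildcard principal and no external ID.
WEAK_GET_ROLE_JSON = json.dumps({
    "Role": {
        "RoleName": "lucid_import",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                           "Action": "sts:AssumeRole"}],
        },
    }
})
WEAK_TRUST_POLICY = json.loads(WEAK_GET_ROLE_JSON)["Role"]["AssumeRolePolicyDocument"]

if __name__ == "__main__":
    good = build_trust_policy(LUCID_PROXY_ACCOUNT_COMMERCIAL, external_id="example-external-id")
    print(json.dumps(good, indent=2))
    print("good:", check_trust_policy(good, LUCID_PROXY_ACCOUNT_COMMERCIAL))
    print("weak:", check_trust_policy(WEAK_TRUST_POLICY, LUCID_PROXY_ACCOUNT_COMMERCIAL))
```

To check a deployed role, feed the AssumeRolePolicyDocument from `aws iam get-role` to check_trust_policy with the proxy account ID (non-org, require_external_id=True) or the bastion account ID (org, require_external_id=False); any finding means the role is reachable from somewhere the module did not intend.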

Usage

Non-Org Level Imports

module "import_role" {
  source = "../modules/import-role"

  # Lucid's AWS import proxy account (see Inputs for the commercial and GovCloud IDs)
  assume_role_account_id = "your_assume_role_account_id"
  # External ID issued by Lucid; treat it as a secret and pass it in as a sensitive variable rather than hardcoding it
  external_id            = "lucid_generated_external_id"
  non_org_import         = true
  policy_name            = "your_policy_name"
  role_name              = "your_role_name"
}

Org Level Imports

module "import_role" {
  source = "../modules/import-role"

  # The bastion account in your organization; no external_id here, it is set on the bastion import role
  assume_role_account_id = "your_assume_role_account_id"
  policy_name            = "your_policy_name"
  role_name              = "your_role_name"
}

Requirements

Name          Version
terraform     >= 1.4
aws provider  >= 5.0

Inputs

assume_role_account_id (string, required)
    The ID of the account that will assume the role (used to set up the role's trust relationship). For org level imports this is the bastion account ID. For non-org level imports it is Lucid's AWS import proxy account ID: 799803075172 for commercial, 239369393023 for GovCloud.

external_id (string, default null, optional)
    The external ID generated by Lucid that uniquely associates this role with the Lucid AWS proxy account. Only used for non-org imports (for org imports it is set on the bastion import role instead).

non_org_import (bool, default false, optional)
    Whether this role is used for a non-org import. This flag works around a Terraform limitation: sensitive values (such as external_id) cannot be used in a dynamic block's for_each, so the module switches on this boolean rather than on whether external_id is set.

policy_name (string, default "lucid_import", optional)
    The name of the policy that grants Lucid permission to do imports.

role_name (string, default "lucid_import", optional)
    The name of the member account role.

Outputs

import_role
    The IAM role that allows Lucid to do AWS imports.