AWS IAM Connector

The iam-connector module provisions an IAM role that the AWS IAM Strategy can use to escalate or de-escalate users by adding them to, or removing them from, AWS IAM Groups.

Overview

This Connector provisions an IAM role for the Sym Runtime to use with the AWS IAM Strategy. The IAM Strategy allows Sym to add users to and remove users from AWS IAM groups based on workflow status.

module "iam_connector" {
  source  = "terraform.symops.com/symopsio/iam-connector/sym"
  version = ">= 1.0.0"

  environment = "sandbox"
  runtime_role_arns = [ var.runtime_role_arn ]
}

By default, the IAM connector can only modify groups within the /sym/ path. You can configure the connector to access other groups by changing the group_config input:

group_config = [
  { path = "/", name = "EscalationGroups*" },
  { path = "/other-path/", name = "BreakGlass*" }
]
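The following is an added illustration, not part of the Sym module or its documentation. It shows which IAM groups a given group_config puts in scope, using the standard IAM group ARN layout arn:aws:iam::<account-id>:group<path><name>. It assumes (an assumption, not something the module documents) that each { path, name } entry is turned into one resource pattern of that shape, with the same wildcard semantics IAM applies to resource ARNs. The sample group ARNs and account id are constructed. Comparing the default /sym/ scope with the wider configurations makes the least-privilege trade-off of the group_config input concrete.

```python
"""Illustrative scope check for the iam-connector group_config input.

Not the Sym module's own code.  Assumes each {path, name} entry maps to a
resource pattern arn:aws:iam::<account-id>:group<path><name> (assumption).
"""
from fnmatch import fnmatchcase

# Default documented by the module: only groups under the /sym/ path.
DEFAULT_GROUP_CONFIG = [{"path": "/sym/", "name": "*"}]

# Constructed sample group ARNs (fictional account id).
SAMPLE_GROUPS = [
    "arn:aws:iam::111122223333:group/sym/EscalationGroups-prod",
    "arn:aws:iam::111122223333:group/EscalationGroups-admins",
    "arn:aws:iam::111122223333:group/other-path/BreakGlass-db",
    "arn:aws:iam::111122223333:group/Administrators",
]


def resource_patterns(group_config, account_id="*"):
    """Build one group ARN pattern per group_config entry."""
    return [
        f"arn:aws:iam::{account_id}:group{entry['path']}{entry['name']}"
        for entry in group_config
    ]


def in_scope(group_arn, group_config, account_id="*"):
    """True if any pattern derived from group_config matches the group ARN.

    fnmatchcase treats '*' like IAM does for resource ARNs: it matches any
    run of characters, including '/' (so it can span path segments).
    """
    return any(
        fnmatchcase(group_arn, pattern)
        for pattern in resource_patterns(group_config, account_id)
    )


def scoped_groups(group_config, groups=SAMPLE_GROUPS):
    """Return the sample groups the connector role could modify."""
    return [g for g in groups if in_scope(g, group_config)]


if __name__ == "__main__":
    custom = [
        {"path": "/", "name": "EscalationGroups*"},
        {"path": "/other-path/", "name": "BreakGlass*"},
    ]
    overbroad = [{"path": "/", "name": "*"}]  # every group in the account
    for label, cfg in [("default", DEFAULT_GROUP_CONFIG),
                       ("custom", custom), ("overbroad", overbroad)]:
        print(label, resource_patterns(cfg))
        for g in scoped_groups(cfg):
            print("   in scope:", g)
```

Reviewing the output for an "overbroad" entry such as path "/" with name "*" is the check worth doing before applying the module: that configuration lets the runtime role alter membership of every group in the account, including administrative ones, whereas the default keeps it to the /sym/ path.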

Outputs

Name      Type  Description
settings  map   A map of settings to supply to a Sym Permission Context

Inputs

Name               Type          Description                                                                                                                                                                                                            Required
environment        string        An environment qualifier for the resources this module creates, to support a Terraform SDLC.                                                                                                                          yes
runtime_role_arns  list(string)  ARNs of the runtime connector roles that are trusted to assume the SSO role.                                                                                                                                           yes
group_config       list(object)  List of group resources the connector can modify. Each group resource is an object that contains a path and a name property. Both the path and name can contain wildcards. Defaults to: [{ "name": "*", "path": "/sym/" }]  yes
