IAM Connector

The iam-connector module provisions an IAM role that the AWS IAM Strategy can use to escalate or de-escalate users via AWS IAM Groups.

This connector provisions an IAM role for the Sym Runtime to assume when it runs the AWS IAM Strategy. The IAM Strategy lets Sym add users to, and remove users from, AWS IAM groups based on workflow status, so the role only needs group-membership permissions on the groups it is allowed to manage.

module "iam_connector" {
  source  = "terraform.symops.com/symopsio/iam-connector/sym"
  version = ">= 1.0.0"

  environment       = "sandbox"
  runtime_role_arns = [var.runtime_role_arn]
}

By default, the IAM connector can only modify groups in the /sym/ path (groups whose ARN begins with arn:aws:iam::<account>:group/sym/). You can allow the connector to manage other groups by setting the group_config variable, for example:

  group_config = [
    { path = "/", name = "EscalationGroups*" },
    { path = "/other-path/", name = "BreakGlass*" }
  ]
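To make the scoping concrete, here is an added example (not code from the iam-connector module or from Sym) that turns a group_config list into the group ARN patterns a least-privilege policy would grant iam:AddUserToGroup and iam:RemoveUserFromGroup on, and then checks which of a constructed set of group ARNs each configuration can reach. The account ID, the sample group ARNs, the policy shape and the helper names are assumptions for illustration; the module's real policy may be structured differently.

```python
"""Added example, not part of the Sym iam-connector module: derive the IAM
resource patterns a group_config implies and check which groups they reach."""
import json
import re

# The two IAM actions a group-membership role needs on the target groups.
GROUP_ACTIONS = ["iam:AddUserToGroup", "iam:RemoveUserFromGroup"]

# Module default (from the page) and the page's custom example.
DEFAULT_GROUP_CONFIG = [{"path": "/sym/", "name": "*"}]
PAGE_GROUP_CONFIG = [
    {"path": "/", "name": "EscalationGroups*"},
    {"path": "/other-path/", "name": "BreakGlass*"},
]

# Constructed sample account ID and group ARNs for the demonstration.
ACCOUNT_ID = "123456789012"
SAMPLE_GROUP_ARNS = [
    f"arn:aws:iam::{ACCOUNT_ID}:group/sym/AdminEscalation",
    f"arn:aws:iam::{ACCOUNT_ID}:group/EscalationGroupsProd",
    f"arn:aws:iam::{ACCOUNT_ID}:group/other-path/BreakGlassDB",
    f"arn:aws:iam::{ACCOUNT_ID}:group/team/EscalationGroupsProd",
    f"arn:aws:iam::{ACCOUNT_ID}:group/Developers",
]


def group_arn_pattern(account_id, path, name, partition="aws"):
    """IAM group ARNs look like arn:aws:iam::ACCOUNT:group/PATH/NAME, where the
    path always starts and ends with "/". Reject "/sym" style typos early: a
    malformed path silently matches nothing and the connector would fail."""
    if not (path.startswith("/") and path.endswith("/")):
        raise ValueError(f"path must start and end with '/': {path!r}")
    return f"arn:{partition}:iam::{account_id}:group{path}{name}"


def policy_document(account_id, group_config):
    """Least-privilege policy: the two membership actions, only on the groups
    the configuration names (hypothetical shape, not the module's own)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ManageScopedGroupMembership",
                "Effect": "Allow",
                "Action": GROUP_ACTIONS,
                "Resource": [
                    group_arn_pattern(account_id, g["path"], g["name"])
                    for g in group_config
                ],
            }
        ],
    }


def arn_matches(pattern, arn):
    """IAM resource-element matching: "*" matches any run of characters
    (including "/"), "?" matches exactly one character, all else is literal."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, arn) is not None


def groups_in_scope(account_id, group_config, group_arns):
    """Return the subset of group_arns the policy for group_config would reach."""
    patterns = policy_document(account_id, group_config)["Statement"][0]["Resource"]
    return sorted(arn for arn in group_arns if any(arn_matches(p, arn) for p in patterns))


if __name__ == "__main__":
    for label, cfg in [
        ("default", DEFAULT_GROUP_CONFIG),
        ("page example", PAGE_GROUP_CONFIG),
        ("over-broad", [{"path": "/", "name": "*"}]),
    ]:
        print(f"== {label} ==")
        print(json.dumps(policy_document(ACCOUNT_ID, cfg), indent=2))
        for arn in groups_in_scope(ACCOUNT_ID, cfg, SAMPLE_GROUP_ARNS):
            print("  reachable:", arn)
```

Two things the run makes visible: IAM's "*" matches across "/", so path = "/" with name = "*" reaches every group in the account, and the default /sym/ pattern also reaches groups in nested paths such as /sym/nested/. Keep the name pattern as narrow as the escalation groups actually need.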

Outputs

Name      Description
settings  A map of settings to supply to a Sym Permission Context.

Inputs

Name               Type          Default                              Required
environment        string        n/a                                  yes
runtime_role_arns  list(string)  n/a                                  yes
group_config       list(object)  [{ "name": "*", "path": "/sym/" }]   no (has a default)

Input Details

The following input variables are accepted. environment and runtime_role_arns have no default and must be set; group_config may be omitted to keep the default /sym/ scope:

environment

Description: An environment qualifier for the resources this module creates, to support a Terraform SDLC.

Type: string

group_config

Description: List of IAM groups the connector's role may modify. Each entry is an object with a path and a name property; both can contain wildcards, which are matched against the group ARN (arn:aws:iam::<account>:group<path><name>). Note that path = "/" with name = "*" would permit membership changes on every group in the account, so keep the patterns as narrow as the escalation groups require.

Type:

list(object({
  path = string
  name = string
}))

Default:

[
  {
    "name": "*",
    "path": "/sym/"
  }
]

runtime_role_arns

Description: ARNs of the Sym Runtime roles that are trusted to assume the IAM role this module creates.

Type: list(string)
