These step-by-step demonstrations walk you through complete workflows using the iam-role module. Each demonstration includes prerequisites, detailed instructions, and verification steps.

Getting Started

To follow any demonstration:

  1. Meet the prerequisites: Terraform >= 1.0 and an AWS CLI profile whose credentials can create IAM roles and policies
  2. Authenticate with the registry: terraform login registry.patterneddesigns.ca
  3. Clone the demonstration repository: git clone <demo-repo-url>
  4. Follow the step-by-step instructions below

Step-by-Step Guides

Lambda Execution Role

Create an IAM role for Lambda functions

Step 1: Define Trust Policy

data "aws_iam_policy_document" "lambda_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    # Only the Lambda service may assume this role; no IAM user or
    # role in any account matches this principal.
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

Step 2: Create the Role

module "lambda_role" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/iam-role/aws"
  version = "2.0.0"

  name               = "lambda-execution-role"
  assume_role_policy = data.aws_iam_policy_document.lambda_assume.json
  managed_policy_arns = [
    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
  ]
}

Step 3: Verify the Role

Confirm the role exists with the expected trust policy and permissions rather than eyeballing it in the AWS Console: aws iam get-role --role-name lambda-execution-role should show an AssumeRolePolicyDocument whose only principal is lambda.amazonaws.com, and aws iam list-attached-role-policies --role-name lambda-execution-role should list only AWSLambdaBasicExecutionRole. A second terraform plan should report no changes.
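A hardened version of the whole procedure above, added here as an example and not part of the module's documentation or the demonstration repository. Two things change relative to the steps above: the trust policy carries aws:SourceAccount and aws:SourceArn conditions, so only the Lambda service acting for one named function in one account can assume the role (the confused-deputy protection AWS recommends for service roles), and the broad AWSLambdaBasicExecutionRole (logs permissions on every log group) is replaced by a customer-managed policy scoped to that function's own log group. The account ID, region and function name are placeholders, and only the module inputs shown on this page (name, assume_role_policy, managed_policy_arns) are used.

```hcl
# Added example (not the module's own code). The account ID, region and
# function name below are placeholders for a single function.
locals {
  account_id    = "111122223333"
  region        = "us-east-1"
  function_name = "orders-processor"
  log_group     = "/aws/lambda/${local.function_name}"
}

# Trust policy: the Lambda service may assume the role only when it is
# acting for this function in this account. Without the two conditions,
# "Service: lambda.amazonaws.com" is satisfied by the service acting for
# any function, which is the confused-deputy exposure.
data "aws_iam_policy_document" "lambda_assume_scoped" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [local.account_id]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:lambda:${local.region}:${local.account_id}:function:${local.function_name}"]
    }
  }
}

# Create the log group in Terraform so the role never needs
# logs:CreateLogGroup, which AWSLambdaBasicExecutionRole grants on "*".
resource "aws_cloudwatch_log_group" "lambda" {
  name              = local.log_group
  retention_in_days = 30
}

# Permissions policy limited to the streams of that one log group.
data "aws_iam_policy_document" "lambda_logs" {
  statement {
    actions = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = [
      "arn:aws:logs:${local.region}:${local.account_id}:log-group:${local.log_group}:*"
    ]
  }
}

resource "aws_iam_policy" "lambda_logs" {
  name   = "${local.function_name}-logs"
  policy = data.aws_iam_policy_document.lambda_logs.json
}

module "lambda_role_scoped" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/iam-role/aws"
  version = "2.0.0"

  name                = "${local.function_name}-role"
  assume_role_policy  = data.aws_iam_policy_document.lambda_assume_scoped.json
  managed_policy_arns = [aws_iam_policy.lambda_logs.arn]
}
```

Each additional AWS service the function talks to (a queue, a table, a bucket) gets its own statement in lambda_logs or its own customer-managed policy, scoped to the resource ARN, rather than an AWS-managed FullAccess policy. If the function is later deleted and recreated under a different name, update function_name so the aws:SourceArn condition keeps matching; a mismatch fails at invocation time with an AssumeRole error, not at terraform apply.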

Cross-Account Role

Create an IAM role for cross-account access

Prerequisites

  • Two AWS accounts (source and target)
  • Terraform >= 1.0
  • Credentials in the target account that can create IAM roles and attach policies, and an identity (user or role) in the source account that will assume the role

Step 1: Define Trust Policy

data "aws_iam_policy_document" "cross_account_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    # 123456789012 is the SOURCE account. Trusting ":root" delegates to
    # the whole account: any principal there whose own identity policy
    # allows sts:AssumeRole on this role can assume it.
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::123456789012:root"]
    }
    # The caller must pass exactly this value as --external-id. It is
    # not a secret; it stops a third party that assumes roles for many
    # customers from being tricked into using this one (confused deputy).
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = ["unique-external-id"]
    }
  }
}

Step 2: Create the Role

module "cross_account_role" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/iam-role/aws"
  version = "2.0.0"

  name               = "cross-account-admin"
  assume_role_policy = data.aws_iam_policy_document.cross_account_assume.json

  managed_policy_arns = [
    "arn:aws:iam::aws:policy/ReadOnlyAccess"
  ]

  max_session_duration = 3600 # one hour, the minimum AWS allows
}

Step 3: Assume the Role

From the source account (123456789012 in the trust policy above), using an identity whose own IAM policy allows sts:AssumeRole on the target role ARN (the trust policy alone is not sufficient for cross-account access), assume the role. Replace TARGET_ACCOUNT with the target account ID:

aws sts assume-role \
  --role-arn "arn:aws:iam::TARGET_ACCOUNT:role/cross-account-admin" \
  --role-session-name "admin-session" \
  --external-id "unique-external-id"

Step 4: Verify Access

The assume-role call returns temporary credentials (AccessKeyId, SecretAccessKey, SessionToken). Export them as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN, then confirm with aws sts get-caller-identity that the returned Arn is the assumed-role session in the target account, that a read call such as aws iam list-roles succeeds, and that a write call (for example aws iam tag-role against this role) fails with AccessDenied, which shows the role really is read-only. The session expires after one hour because of max_session_duration = 3600.
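The same procedure with both halves of the delegation in one configuration, added here as an example that is not the module's own code or part of the demonstration repository. The target-account trust policy names one specific role in the source account instead of the account root, keeps the sts:ExternalId condition, and the source account is given the sts:AssumeRole identity permission that the trust policy alone does not provide. Both account IDs, the source role name, the external ID and the "source-account" CLI profile are placeholders; only module inputs shown on this page are used.

```hcl
# Added example (not the module's own code). Both account IDs, the role
# names, the external ID and the CLI profile name are placeholders.
locals {
  source_account_id = "111122223333" # account whose role will assume ours
  target_account_id = "444455556666" # account this configuration is applied to
  source_role_name  = "ci-deployer"
  target_role_name  = "cross-account-readonly"
  external_id       = "example-external-id-change-me"
}

# Default provider: the target account, where the role is created.
provider "aws" {
  region = "us-east-1"
}

# Second provider for the source account, used only to grant the caller
# permission to call AssumeRole.
provider "aws" {
  alias   = "source"
  region  = "us-east-1"
  profile = "source-account"
}

# Trust policy (target side). A specific role ARN rather than ":root",
# so only that role can assume this one. Caveat: if the source role is
# deleted and recreated, AWS rewrites this principal to the old role's
# unique ID and the trust silently stops matching; terraform apply
# restores the ARN.
data "aws_iam_policy_document" "cross_account_assume_scoped" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.source_account_id}:role/${local.source_role_name}"]
    }
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [local.external_id]
    }
  }
}

module "cross_account_readonly" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/iam-role/aws"
  version = "2.0.0"

  name                 = local.target_role_name
  assume_role_policy   = data.aws_iam_policy_document.cross_account_assume_scoped.json
  managed_policy_arns  = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
  max_session_duration = 3600 # one hour, the minimum AWS allows
}

# Identity policy (source side). Cross-account AssumeRole must be allowed
# by the caller's own policy as well as by the target's trust policy;
# without this, the aws sts assume-role call is denied.
data "aws_iam_policy_document" "allow_assume_target" {
  statement {
    actions   = ["sts:AssumeRole"]
    resources = ["arn:aws:iam::${local.target_account_id}:role/${local.target_role_name}"]
  }
}

resource "aws_iam_role_policy" "allow_assume_target" {
  provider = aws.source
  name     = "assume-${local.target_role_name}"
  role     = local.source_role_name
  policy   = data.aws_iam_policy_document.allow_assume_target.json
}
```

Apply it with target-account credentials as the default profile and the source-account profile available for the aliased provider. Afterwards the ci-deployer role can run the aws sts assume-role command from Step 3 with --role-arn pointing at cross-account-readonly and --external-id set to the same value as local.external_id; any other principal in the source account, even an administrator, is refused at the trust policy.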