rvn-aws-iam-role · Latest version: 0.2.1
Readme
AWS IAM role with configurable trust relationships, managed policies, inline policies, permission boundaries, and optional instance profiles.Overview
Use this module to create an IAM role for AWS services, cross-account access, OIDC workloads, SAML federation, or EC2 instance profiles. The module builds the trust policy from structured inputs by default, attaches managed policies, and can add inline policy documents or structured inline statements. IAM roles are security-sensitive resources. Start with the narrowest trust relationship and policy permissions that work, then expand only when a workload needs additional access.Use cases
Trust relationships
Trusted AWS services accepts service principals such as ecs-tasks.amazonaws.com, lambda.amazonaws.com, or ec2.amazonaws.com. Trusted AWS principals accepts 12-digit AWS account IDs or IAM ARNs for cross-account and delegated access. Trusted OIDC providers accepts provider ARNs and condition blocks. Use conditions to restrict subjects, audiences, repositories, service accounts, or other identity claims. Without specific conditions, an OIDC trust relationship can be broader than intended. Trusted SAML providers accepts IAM SAML provider ARNs for federated access. Custom assume role policy JSON is an escape hatch. When set, it replaces the generated trust policy from the structured trust inputs.Permission policies
Managed policy ARNs attaches existing AWS managed or customer managed policies to the role. Inline JSON policies accepts a map where each key is the inline policy name and each value is a JSON IAM policy document. Inline policy statements builds one inline policy from structured statement entries. Each statement includes an effect, actions, resources, and optional conditions. Permission boundary ARN sets a maximum permissions boundary for the role. Use this when an organization requires roles to stay within a managed boundary policy.Instance profiles
Enable Create instance profile when EC2 instances need to use this role. The instance profile name and path default to the role settings unless you provide specific values.Configuration
Design decisions
The module definition asks for an explicit role name instead of exposing name prefixes. Stable names make downstream references and audits easier to understand. Trust relationships are structured by default so common service, cross-account, OIDC, and SAML roles can be configured without hand-writing full IAM JSON. Custom assume role policy JSON remains available for uncommon trust policies. Ravion adds standard tags for ownership and traceability. User-provided Tags are merged on top for team, cost, or environment metadata.Learn more
Inputs reference
All inputs forrvn-aws-iam-role version 0.2.1. Use the name shown for each field as the input key in module config.
AWS account & region
AWS account.
- Immutable after creation
Region.
- Immutable after creation
IAM role
Role name. Name of the IAM role. AWS IAM role names must be unique in the account.
- Default:
<<project.given_id>>-<<environment.given_id>>-<<module.given_id>> - Immutable after creation
- Pattern:
^[A-Za-z0-9+=,.@_-]{1,64}$— Use 1-64 characters: letters, numbers, plus, equals, comma, period, at, underscore, or hyphen.
Description. Description stored on the IAM role.
Path. IAM path for the role. Most roles should use the root path.
- Default:
/ - Immutable after creation
- Pattern:
^/$|^/.*/$— Start and end with a slash, for example / or /service-roles/.
Maximum session duration seconds. Maximum STS session duration in seconds for this role.
- Default:
3600 - Min:
3600 - Max:
43200
Force detach policies on destroy. Detach managed policies before destroying the role.
- Default:
true
Trust relationships
Trusted AWS services. AWS service principals that can assume this role.
- Default:
[] - Pattern:
.+\.(amazonaws\.com|amazonaws\.com\.cn)$— Use an AWS service principal ending in .amazonaws.com or .amazonaws.com.cn.
Trusted AWS principals. AWS account IDs or IAM ARNs that can assume this role.
- Default:
[] - Pattern:
^(\d{12}|arn:aws(-cn|-us-gov)?:iam::.+)$— Use a 12-digit account ID or IAM ARN.
Trusted OIDC providers. OIDC identity providers that can assume this role, with STS condition checks.
- Default:
[]
Trusted SAML providers. SAML provider ARNs that can assume this role.
- Default:
[] - Pattern:
^arn:aws(-cn|-us-gov)?:iam::\d{12}:saml-provider/.+$— Use a valid IAM SAML provider ARN.
Shared trust conditions. STS condition checks added to every generated trust policy statement.
- Default:
[]
Custom assume role policy JSON. Optional complete assume role policy JSON. When set, this overrides all trust relationship inputs above.
Permission policies
Managed policy ARNs. AWS managed or customer managed policy ARNs to attach to the role.
- Default:
[] - Pattern:
^arn:aws(-cn|-us-gov)?:iam::(aws|\d{12}):policy/.+$— Use a valid IAM managed policy ARN.
Inline JSON policies. Map of inline policy names to JSON policy documents.
- Default:
{}
Inline policy statements. Structured IAM statements combined into one inline policy.
- Default:
[]
Permission boundary ARN. Optional permissions boundary policy ARN for the role.
- Pattern:
^arn:aws(-cn|-us-gov)?:iam::(aws|\d{12}):policy/.+$— Use a valid IAM managed policy ARN.
Instance profile
Create instance profile. Create an IAM instance profile for EC2 instances to use this role.
- Default:
false - Immutable after creation
Instance profile name. Instance profile name. Defaults to the role name when empty.
- Immutable after creation
- Pattern:
^[A-Za-z0-9+=,.@_-]{1,128}$— Use 1-128 characters: letters, numbers, plus, equals, comma, period, at, underscore, or hyphen. - Shown when:
{"instance_profile_creation_enabled":true}
Instance profile path. IAM path for the instance profile. Defaults to the role path when empty.
- Immutable after creation
- Pattern:
^/$|^/.*/$— Start and end with a slash, for example / or /service-roles/. - Shown when:
{"instance_profile_creation_enabled":true}
Misc
Tags. A map of tags to assign to all resources. Default tags are
Owner, ProjectGivenId, EnvironmentGivenId, ModuleGivenId, ModuleIdTerraform settings
OpenTofu version override. Override the environment’s default version for this module
Ravion Terraform workspace name. Override Terraform state backend workspace name. Defaults to project + environment + module given ids.
- Immutable after creation
Advanced Terraform variables. Optional raw Terraform variable overrides for advanced module inputs or one-off overrides. Values here override the generated variables above.
- Default:
{}
Terraform execution environment. Override the execution environment for Terraform runners. Must use the same AWS account as selected above.