Skip to main content
Type: rvn-aws-iam-role · Latest version: 0.2.1

Readme

AWS IAM role with configurable trust relationships, managed policies, inline policies, permission boundaries, and optional instance profiles.

Overview

Use this module to create an IAM role for AWS services, cross-account access, OIDC workloads, SAML federation, or EC2 instance profiles. The module builds the trust policy from structured inputs by default, attaches managed policies, and can add inline policy documents or structured inline statements. IAM roles are security-sensitive resources. Start with the narrowest trust relationship and policy permissions that work, then expand only when a workload needs additional access.

Use cases

Trust relationships

Trusted AWS services accepts service principals such as ecs-tasks.amazonaws.com, lambda.amazonaws.com, or ec2.amazonaws.com. Trusted AWS principals accepts 12-digit AWS account IDs or IAM ARNs for cross-account and delegated access. Trusted OIDC providers accepts provider ARNs and condition blocks. Use conditions to restrict subjects, audiences, repositories, service accounts, or other identity claims. Without specific conditions, an OIDC trust relationship can be broader than intended. Trusted SAML providers accepts IAM SAML provider ARNs for federated access. Custom assume role policy JSON is an escape hatch. When set, it replaces the generated trust policy from the structured trust inputs.

Permission policies

Managed policy ARNs attaches existing AWS managed or customer managed policies to the role. Inline JSON policies accepts a map where each key is the inline policy name and each value is a JSON IAM policy document. Inline policy statements builds one inline policy from structured statement entries. Each statement includes an effect, actions, resources, and optional conditions. Permission boundary ARN sets a maximum permissions boundary for the role. Use this when an organization requires roles to stay within a managed boundary policy.

Instance profiles

Enable Create instance profile when EC2 instances need to use this role. The instance profile name and path default to the role settings unless you provide specific values.

Configuration

Design decisions

The module definition asks for an explicit role name instead of exposing name prefixes. Stable names make downstream references and audits easier to understand. Trust relationships are structured by default so common service, cross-account, OIDC, and SAML roles can be configured without hand-writing full IAM JSON. Custom assume role policy JSON remains available for uncommon trust policies. Ravion adds standard tags for ownership and traceability. User-provided Tags are merged on top for team, cost, or environment metadata.

Learn more

Inputs reference

All inputs for rvn-aws-iam-role version 0.2.1. Use the name shown for each field as the input key in module config.

AWS account & region

aws_account_id
string
required
AWS account.
  • Immutable after creation
aws_region
string
required
Region.
  • Immutable after creation

IAM role

name
string
required
Role name. Name of the IAM role. AWS IAM role names must be unique in the account.
  • Default: <<project.given_id>>-<<environment.given_id>>-<<module.given_id>>
  • Immutable after creation
  • Pattern: ^[A-Za-z0-9+=,.@_-]{1,64}$ — Use 1-64 characters: letters, numbers, plus, equals, comma, period, at, underscore, or hyphen.
description
string
Description. Description stored on the IAM role.
path
string
required
Path. IAM path for the role. Most roles should use the root path.
  • Default: /
  • Immutable after creation
  • Pattern: ^/$|^/.*/$ — Start and end with a slash, for example / or /service-roles/.
max_session_duration
number
Maximum session duration seconds. Maximum STS session duration in seconds for this role.
  • Default: 3600
  • Min: 3600
  • Max: 43200
policy_force_detach_enabled
boolean
Force detach policies on destroy. Detach managed policies before destroying the role.
  • Default: true

Trust relationships

trusted_services
string_array
Trusted AWS services. AWS service principals that can assume this role.
  • Default: []
  • Pattern: .+\.(amazonaws\.com|amazonaws\.com\.cn)$ — Use an AWS service principal ending in .amazonaws.com or .amazonaws.com.cn.
trusted_aws_principals
string_array
Trusted AWS principals. AWS account IDs or IAM ARNs that can assume this role.
  • Default: []
  • Pattern: ^(\d{12}|arn:aws(-cn|-us-gov)?:iam::.+)$ — Use a 12-digit account ID or IAM ARN.
trusted_oidc_providers
object_array
Trusted OIDC providers. OIDC identity providers that can assume this role, with STS condition checks.
  • Default: []
trusted_saml_providers
string_array
Trusted SAML providers. SAML provider ARNs that can assume this role.
  • Default: []
  • Pattern: ^arn:aws(-cn|-us-gov)?:iam::\d{12}:saml-provider/.+$ — Use a valid IAM SAML provider ARN.
assume_role_conditions
object_array
Shared trust conditions. STS condition checks added to every generated trust policy statement.
  • Default: []
custom_assume_role_policy
text
Custom assume role policy JSON. Optional complete assume role policy JSON. When set, this overrides all trust relationship inputs above.

Permission policies

managed_policy_arns
string_array
Managed policy ARNs. AWS managed or customer managed policy ARNs to attach to the role.
  • Default: []
  • Pattern: ^arn:aws(-cn|-us-gov)?:iam::(aws|\d{12}):policy/.+$ — Use a valid IAM managed policy ARN.
inline_policies
object
Inline JSON policies. Map of inline policy names to JSON policy documents.
  • Default: {}
inline_policy_statements
object_array
Inline policy statements. Structured IAM statements combined into one inline policy.
  • Default: []
permission_boundary_arn
string
Permission boundary ARN. Optional permissions boundary policy ARN for the role.
  • Pattern: ^arn:aws(-cn|-us-gov)?:iam::(aws|\d{12}):policy/.+$ — Use a valid IAM managed policy ARN.

Instance profile

instance_profile_creation_enabled
boolean
Create instance profile. Create an IAM instance profile for EC2 instances to use this role.
  • Default: false
  • Immutable after creation
instance_profile_name
string
Instance profile name. Instance profile name. Defaults to the role name when empty.
  • Immutable after creation
  • Pattern: ^[A-Za-z0-9+=,.@_-]{1,128}$ — Use 1-128 characters: letters, numbers, plus, equals, comma, period, at, underscore, or hyphen.
  • Shown when: {"instance_profile_creation_enabled":true}
instance_profile_path
string
Instance profile path. IAM path for the instance profile. Defaults to the role path when empty.
  • Immutable after creation
  • Pattern: ^/$|^/.*/$ — Start and end with a slash, for example / or /service-roles/.
  • Shown when: {"instance_profile_creation_enabled":true}

Misc

tags
keyvalue
Tags. A map of tags to assign to all resources. Default tags are Owner, ProjectGivenId, EnvironmentGivenId, ModuleGivenId, ModuleId

Terraform settings

opentofu_version
string
OpenTofu version override. Override the environment’s default version for this module
ravion_state_backend_workspace
string
Ravion Terraform workspace name. Override Terraform state backend workspace name. Defaults to project + environment + module given ids.
  • Immutable after creation
advanced_terraform_variables
object
Advanced Terraform variables. Optional raw Terraform variable overrides for advanced module inputs or one-off overrides. Values here override the generated variables above.
  • Default: {}
execution_environment_id
string
Terraform execution environment. Override the execution environment for Terraform runners. Must use the same AWS account as selected above.