IamConfig | Landing Zone Accelerator on AWS

IAM configuration

Hierarchy

IamConfig

Implements

TypeOf<typeof iamConfig>

Index

Constructors

constructor

Properties

Methods

Constructors

constructor

new IamConfig(values?: { groupSets: undefined | { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; groups: { ...; }[]; }[]; policySets: undefined | { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; policies: { ...; }[]; }[]; providers: undefined | { name: string; metadataDocument: string; }[]; roleSets: undefined | { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; roles: { ...; }[]; }[]; userSets: undefined | { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; users: { ...; }[]; }[] }, configDir?: string): IamConfig

Parameters
- Optional values: { groupSets: undefined | { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; groups: { ...; }[]; }[]; policySets: undefined | { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; policies: { ...; }[]; }[]; providers: undefined | { name: string; metadataDocument: string; }[]; roleSets: undefined | { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; roles: { ...; }[]; }[]; userSets: undefined | { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; users: { ...; }[]; }[] }
  - groupSets: undefined | { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; groups: { ...; }[]; }[]
  - policySets: undefined | { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; policies: { ...; }[]; }[]
  - providers: undefined | { name: string; metadataDocument: string; }[]
  - roleSets: undefined | { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; roles: { ...; }[]; }[]
  - userSets: undefined | { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; users: { ...; }[]; }[]
- Optional configDir: string
Returns IamConfig

Properties

Readonly groupSets

groupSets: GroupSetConfig[] = []

Group set configuration

To configure IAM group named Administrators into Root and Infrastructure organizational units, you need to provide following values for this parameter.

example

groupSets:
  - deploymentTargets:
      organizationalUnits:
        - Root
    groups:
      - name: Administrators
        policies:
          awsManaged:
            - AdministratorAccess

Readonly policySets

policySets: PolicySetConfig[] = []

Policy set configuration.

To configure IAM policy named Default-Boundary-Policy with permission boundary defined in iam-policies/boundary-policy.json file, you need to provide following values for this parameter.

example

policySets:
  - deploymentTargets:
      organizationalUnits:
        - Root
    policies:
      - name: Default-Boundary-Policy
        policy: iam-policies/boundary-policy.json

Readonly providers

providers: SamlProviderConfig[] = []

SAML provider configuration To configure SAML configuration, you need to provide the following values for this parameter. Replace provider name and metadata document file. Document file must be in config repository

example

providers:
 name: <PROVIDER_NAME>,
 metadataDocument: <METADATA_DOCUMENT_FILE>,

Readonly roleSets

roleSets: RoleSetConfig[] = []

Role sets configuration

To configure EC2-Default-SSM-AD-Role role to be assumed by ec2 service into Root and Infrastructure organizational units, you need to provide following values for this parameter. This role will have AmazonSSMManagedInstanceCore, AmazonSSMDirectoryServiceAccess and CloudWatchAgentServerPolicy policy with permission boundary defined by Default-Boundary-Policy

example

roleSets:
  - deploymentTargets:
      organizationalUnits:
        - Root
    roles:
      - name: EC2-Default-SSM-AD-Role
        assumedBy:
          - type: service
            principal: ec2.amazonaws.com
        policies:
          awsManaged:
            - AmazonSSMManagedInstanceCore
            - AmazonSSMDirectoryServiceAccess
            - CloudWatchAgentServerPolicy
        boundaryPolicy: Default-Boundary-Policy

Readonly userSets

userSets: UserSetConfig[] = []

User set configuration

To configure breakGlassUser01 user into Administrators in Management account, you need to provide following values for this parameter.

example

userSets:
  - deploymentTargets:
      accounts:
        - Management
    users:
      - username: breakGlassUser01
        group: Administrators
        boundaryPolicy: Default-Boundary-Policy

Static Readonly FILENAME

FILENAME: "iam-config.yaml" = 'iam-config.yaml'

A name for the iam config file in config repository

default: iam-config.yaml

Methods

Static load

load(dir: string): IamConfig

Load from config file content

Parameters
- dir: string
Returns IamConfig

Static loadFromString

loadFromString(content: string): undefined | IamConfig

Load from string content

Parameters
- content: string
Returns undefined | IamConfig

Hierarchy

Implements

Index

Constructors

Properties

Methods

Constructors

constructor

Parameters

groupSets: undefined | { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; groups: { ...; }[]; }[]

policySets: undefined | { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; policies: { ...; }[]; }[]

providers: undefined | { name: string; metadataDocument: string; }[]

roleSets: undefined | { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; roles: { ...; }[]; }[]

userSets: undefined | { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; users: { ...; }[]; }[]

Optional configDir: string

Returns IamConfig

Properties

Readonly groupSets

Readonly policySets

Readonly providers

Readonly roleSets

Readonly userSets

Static Readonly FILENAME

Methods

Static load

Parameters

dir: string

Returns IamConfig

Static loadFromString

Parameters

content: string

Returns undefined | IamConfig