Control Tower Execution Role
Creates an IAM Role that allows Control Tower to manage the AWS account in which you deploy this role. If you create an AWS account using Control Tower, Control Tower will create this IAM role itself, but if you are importing an existing account into Control Tower, you have to create this IAM role yourself, which is where this module comes in handy.
https://docs.aws.amazon.com/controltower/latest/userguide/enroll-account.html
Sample Usage
Terraform:
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S CONTROL-TOWER-EXECUTION-ROLE MODULE
# ------------------------------------------------------------------------------------------------------
module "control_tower_execution_role" {
source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-execution-role?ref=v2.0.2"
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# The ID of your management (root) AWS account where Control Tower is
# enabled. This is the AWS account that will get access to the IAM role
# created by this module.
control_tower_management_account_id = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# The description to set on the Control Tower Execution IAM role. When
# importing an existing role that already has a description, set this to match
# the existing value. If Control Tower has been enabled, an SCP may prevent
# modifying this role, so a mismatch here will cause apply to fail. Set to
# null to leave the description unset.
description = null
}
Terragrunt:
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S CONTROL-TOWER-EXECUTION-ROLE MODULE
# ------------------------------------------------------------------------------------------------------
terraform {
source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-execution-role?ref=v2.0.2"
}
inputs = {
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# The ID of your management (root) AWS account where Control Tower is
# enabled. This is the AWS account that will get access to the IAM role
# created by this module.
control_tower_management_account_id = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# The description to set on the Control Tower Execution IAM role. When
# importing an existing role that already has a description, set this to match
# the existing value. If Control Tower has been enabled, an SCP may prevent
# modifying this role, so a mismatch here will cause apply to fail. Set to
# null to leave the description unset.
description = null
}
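The role this module creates is what lets the management account administer the enrolled account, so its trust policy is the security boundary worth checking after an import. The following is an added example, not code from the Gruntwork module: it parses an IAM trust policy document and reports any principal other than the management account that is allowed `sts:AssumeRole`. The role name `AWSControlTowerExecution` is taken from the AWS enrollment documentation linked above and is an assumption about what this module creates; the account IDs and policy documents below are constructed sample data.

```python
"""Validate the trust policy of the Control Tower execution role.

Added example (not part of the Gruntwork module). Assumes the role is named
AWSControlTowerExecution, as in the AWS enrollment docs, and that only the
management account's root principal should be allowed to assume it.
"""
import json


def allowed_assume_role_accounts(trust_policy):
    """Return the set of account IDs granted sts:AssumeRole by Allow statements.

    A literal "*" in the result means the policy trusts any principal.
    Condition blocks are ignored on purpose: a conditioned grant is still
    reported so a human reviews it rather than the check silently passing.
    """
    accounts = set()
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):          # IAM allows a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":                      # anonymous trust
            accounts.add("*")
            continue
        aws_principals = principal.get("AWS", [])  # Service/Federated entries are not accounts
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        for p in aws_principals:
            if p == "*":
                accounts.add("*")
            elif p.isdigit():                     # bare account ID form
                accounts.add(p)
            elif p.startswith("arn:aws:iam::"):   # arn:aws:iam::<account>:root|user/...|role/...
                accounts.add(p.split(":")[4])
    return accounts


def check_execution_role_trust(trust_policy, management_account_id):
    """Return a list of findings; an empty list means the trust policy is as expected."""
    findings = []
    accounts = allowed_assume_role_accounts(trust_policy)
    if "*" in accounts:
        findings.append("trust policy allows any principal to assume the role")
    for acct in sorted(accounts - {"*", management_account_id}):
        findings.append(f"unexpected account {acct} may assume the role")
    if management_account_id not in accounts:
        findings.append(f"management account {management_account_id} cannot assume the role")
    return findings


def fetch_trust_policy(role_name="AWSControlTowerExecution"):
    """Read the live trust policy with boto3 (imported lazily so the checks run offline)."""
    import boto3  # requires AWS credentials for the enrolled account
    role = boto3.client("iam").get_role(RoleName=role_name)["Role"]
    return role["AssumeRolePolicyDocument"]  # boto3 returns the document already decoded


# Constructed sample data: a well-formed trust policy and one that has drifted.
MANAGEMENT_ACCOUNT_ID = "111111111111"
EXPECTED_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
                 "Action": "sts:AssumeRole"}]
}""")
DRIFTED_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                                       "arn:aws:iam::222222222222:user/contractor"]},
                 "Action": "sts:AssumeRole"}]
}""")

if __name__ == "__main__":
    for label, policy in (("expected", EXPECTED_TRUST_POLICY), ("drifted", DRIFTED_TRUST_POLICY)):
        print(label, check_execution_role_trust(policy, MANAGEMENT_ACCOUNT_ID) or "OK")
```

Run it against the live role with `check_execution_role_trust(fetch_trust_policy(), "<your management account ID>")`; the account ID you pass should be the same value you give the module's `control_tower_management_account_id` input.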
Reference
Inputs
Required
- control_tower_management_account_id (string): The ID of your management (root) AWS account where Control Tower is enabled. This is the AWS account that will get access to the IAM role created by this module.
Optional
- description (string, default: null): The description to set on the Control Tower Execution IAM role. When importing an existing role that already has a description, set this to match the existing value. If Control Tower has been enabled, an SCP may prevent modifying this role, so a mismatch here will cause apply to fail. Set to null to leave the description unset.
Outputs
- The ARN of the Control Tower Execution Role