Using External IAM Roles to Install Turbot

Organizations with strict role requirements will be unable to use the pre-defined roles in the TEF, TED, and TE stacks. This guide provides instructions for creating roles using AWS CloudFormation templates.

Create Turbot Parameters Custom Resource IAM Role

Start by creating the role required for Turbot Parameters. The link below contains the necessary CloudFormation template:

• Turbot Parameters Custom IAM Roles YAML

Refer to

AWS Documentation for how to create a new CloudFormation stack.

Once the template is downloaded, create a new CloudFormation stack in the AWS account designated as the install account. Label the stack to make it recognizable, such as Turbot Parameter IAM Role.

Create Turbot Guardrails Enterprise Foundation (TEF) Customer IAM Roles

Again, Turbot provides a CloudFormation template that can be used to deploy roles required for a successful installation. Both the above Turbot Guardrails Parameters Custom Resource IAM role and the TEF customer IAM role MUST BE CREATED PRIOR TO BEGINNING THE TURBOT INSTALL! Follow the below link for the TEF Custom IAM Roles CloudFormation template:

• TEF Custom IAM Roles YAML

Refer to

AWS Documentation for how to create a new CloudFormation stack.

Once the template is downloaded, create a new CloudFormation stack in the AWS account designated as the install account. Label the stack to make it recognizable, such as TEF IAM Role.

Install TEF Stack with Custom Options

Install TEF using the Turbot Guardrails Enterprise Foundation Installation Guide with the following custom options:

• Turbot Parameter Role: The ARN of the Turbot Parameters Custom Resource IAM Roles
• Role Creation Scheme: None

Install Turbot Guardrails Enterprise Database (TED) Stack

No custom options are necessary for the TED stack. Follow the Turbot Guardrails Enterprise Database Installation Guide to complete this step.

Create IAM Roles and Policies For Turbot Guardrails Enterprise (TE) Stack

Use the below provided CloudFormation template to create the required roles and policies for the TE stack. This step is REQUIRED to successfully install the TE stack:

• TE IAM Roles and Policies YAML

Refer to

AWS Documentation for how to create a new CloudFormation stack.

Once the template is downloaded, create a new CloudFormation stack in the AWS account designated as the install account. Label the stack to make it recognizable, such as TE Custom Roles and Policies.

Install the Turbot Guardrails Enterprise (TE) Stack

After the TEF and TED stack, along with all IAM roles and policies, are created, it is time to move onto installing the TE stack. Refer to our Turbot Guardrails Enterprise Installation Guide, setting the following custom option:

• Role Creation Scheme: None

Completing the Turbot Install

Once the TEF, TED, and TE stacks are successful and in the OK state, the Workspace stack can be configured and subsequent post installation steps taken care of. Post installation steps can include updating internal DNS records, installing and updating mods and creating a new directory for authentication.

• Guide to install the Workspace Manager
• Post Installation

Additional Resources

• Guardrails Samples Repo - Public repository with Terraform and GraphQL examples.
• 7-Minute Labs - Labs to help further the understanding of Turbot and its features.
• Turbot Guides - Multitude of guides covering a wide range of topics, from policy examples, Turbot files, and folders.