UPD: update iam-role module to support assume role policy

2024-09-27 10:45:20 +08:00 · 2024-09-27 10:45:20 +08:00 · 0d9b7d704b
commit 0d9b7d704b
parent 8052a71995
4 changed files with 52 additions and 56 deletions
--- a/modules/security_identity_compliance/iam-role/README.md
+++ b/modules/security_identity_compliance/iam-role/README.md
@ -1,35 +1,23 @@
 <!-- This readme file is generated with terraform-docs -->
+Inline policy for IAM role is not supported by this module. Use managed policies instead.
+
 ## Requirements

-No requirements.
+| Name | Version |
+|------|---------|
+| terraform | >= 1.3.0 |
+| aws | >= 5.4.0 |

 ## Providers

 | Name | Version |
 |------|---------|
-| aws | n/a |
+| aws | >= 5.4.0 |

 ## Modules

 No modules.

-## Example
-
-```hcl
-module "role1" {
-  source = ".../SecurityIdentityCompliance/iam-role"
-
-  role-name               = "${local.resource_prefix}-${var.application}-role1"
-  description             = "IAM role for ${var.application}"
-  trusted-entity          = "ec2.amazonaws.com"
-  create-instance-profile = true
-
-  managed-policy-arns = [
-    "arn:aws:iam::aws:policy/ReadOnlyAccess"
-  ]
-}
-```
-
 ## Resources

 | Name | Type |
@ -41,14 +29,13 @@ module "role1" {

 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| assume-role-policy | The actual assume role policy if trusted-entity is not provided. | `string` | `null` | no |
 | create-instance-profile | Determines whether instance profile will be created | `bool` | `false` | no |
 | description | Description of IAM role | `string` | n/a | yes |
-| inline-policy | Inline policy content | `string` | `null` | no |
-| inline-policy-name | Inline policy name | `string` | `null` | no |
 | managed-policy-arns | List of managed policies to be attached to role | `list(string)` | `null` | no |
 | path | Path of IAM role. Defaults to /Customer/ | `string` | `"/Customer/"` | no |
 | role-name | Name of IAM role | `string` | n/a | yes |
-| trusted-entity | AWS service allowed to assume this role | `string` | n/a | yes |
+| trusted-entity | AWS service allowed to assume this role. Either this or assume-role-policy must be provided. | `string` | n/a | yes |

 ## Outputs

--- a/modules/security_identity_compliance/iam-role/main.tf
+++ b/modules/security_identity_compliance/iam-role/main.tf
@ -1,14 +1,6 @@
-resource "aws_iam_instance_profile" "this" {
-  count = var.create-instance-profile ? 1 : 0
-  name  = "${var.role-name}-profile"
-  role  = aws_iam_role.this.name
-  path  = var.path
-}
-
-resource "aws_iam_role" "this" {
-  name                  = var.role-name
-  description           = var.description
-  assume_role_policy    = jsonencode(
+# Assume role policy can be provided as-is, or built using the trusted-entity variable
+locals {
+  assume-role-policy = var.assume-role-policy != null ? var.assume-role-policy : jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
@ -24,11 +16,25 @@ resource "aws_iam_role" "this" {
      ]
    }
  )
+}
+
+resource "aws_iam_instance_profile" "this" {
+  count = var.create-instance-profile ? 1 : 0
+  name  = "${var.role-name}-profile"
+  role  = aws_iam_role.this.name
+  path  = var.path
+}
+
+resource "aws_iam_role" "this" {
+  name                  = var.role-name
+  description           = var.description
+  assume_role_policy    = local.assume-role-policy
  managed_policy_arns   = var.managed-policy-arns
  force_detach_policies = true
  path                  = var.path
-  inline_policy {
-    name   = var.inline-policy-name
-    policy = var.inline-policy
-  }
+  # disable use of inline policy
+  #   inline_policy {
+  #     name   = var.inline-policy-name
+  #     policy = var.inline-policy
+  #   }
 }
--- a/modules/security_identity_compliance/iam-role/provider.tf
+++ b/modules/security_identity_compliance/iam-role/provider.tf
@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.3.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.4.0"
+    }
+  }
+}
--- a/modules/security_identity_compliance/iam-role/variables.tf
+++ b/modules/security_identity_compliance/iam-role/variables.tf
@ -15,30 +15,24 @@ variable "managed-policy-arns" {
  default     = null
 }

-variable role-name {
+variable "role-name" {
  description = "Name of IAM role"
  type        = string
 }

-variable path {
+variable "path" {
  description = "Path of IAM role. Defaults to /Customer/"
  type        = string
  default     = "/Customer/"
 }

-variable inline-policy-name {
-  description = "Inline policy name"
+variable "trusted-entity" {
+  description = "AWS service allowed to assume this role. Either this or assume-role-policy must be provided."
+  type        = string
+}
+
+variable "assume-role-policy" {
+  description = "The actual assume role policy if trusted-entity is not provided."
  type        = string
  default     = null
 }
-
-variable inline-policy {
-  description = "Inline policy content"
-  type = string
-  default = null
-}
-
-variable trusted-entity {
-  description = "AWS service allowed to assume this role"
-  type = string
-}