UPD: update iam-role module to support assume role policy

This commit is contained in:
xpk 2024-09-27 10:45:20 +08:00
parent 8052a71995
commit 0d9b7d704b
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86
4 changed files with 52 additions and 56 deletions

View File

@ -1,35 +1,23 @@
<!-- This readme file is generated with terraform-docs -->
Inline policy for IAM role is not supported by this module. Use managed policies instead.
## Requirements
No requirements.
| Name | Version |
|------|---------|
| terraform | >= 1.3.0 |
| aws | >= 5.4.0 |
## Providers
| Name | Version |
|------|---------|
| aws | n/a |
| aws | >= 5.4.0 |
## Modules
No modules.
## Example
```hcl
module "role1" {
source = ".../SecurityIdentityCompliance/iam-role"
role-name = "${local.resource_prefix}-${var.application}-role1"
description = "IAM role for ${var.application}"
trusted-entity = "ec2.amazonaws.com"
create-instance-profile = true
managed-policy-arns = [
"arn:aws:iam::aws:policy/ReadOnlyAccess"
]
}
```
## Resources
| Name | Type |
@ -41,14 +29,13 @@ module "role1" {
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| assume-role-policy | The actual assume role policy if trusted-entity is not provided. | `string` | `null` | no |
| create-instance-profile | Determines whether instance profile will be created | `bool` | `false` | no |
| description | Description of IAM role | `string` | n/a | yes |
| inline-policy | Inline policy content | `string` | `null` | no |
| inline-policy-name | Inline policy name | `string` | `null` | no |
| managed-policy-arns | List of managed policies to be attached to role | `list(string)` | `null` | no |
| path | Path of IAM role. Defaults to /Customer/ | `string` | `"/Customer/"` | no |
| role-name | Name of IAM role | `string` | n/a | yes |
| trusted-entity | AWS service allowed to assume this role | `string` | n/a | yes |
| trusted-entity | AWS service allowed to assume this role. Either this or assume-role-policy must be provided. | `string` | n/a | yes |
## Outputs

View File

@ -1,14 +1,6 @@
resource "aws_iam_instance_profile" "this" {
count = var.create-instance-profile ? 1 : 0
name = "${var.role-name}-profile"
role = aws_iam_role.this.name
path = var.path
}
resource "aws_iam_role" "this" {
name = var.role-name
description = var.description
assume_role_policy = jsonencode(
# Assume role policy can be provided as-is, or built using the trusted-entity variable
locals {
assume-role-policy = var.assume-role-policy != null ? var.assume-role-policy : jsonencode(
{
"Version" : "2012-10-17",
"Statement" : [
@ -24,11 +16,25 @@ resource "aws_iam_role" "this" {
]
}
)
}
resource "aws_iam_instance_profile" "this" {
count = var.create-instance-profile ? 1 : 0
name = "${var.role-name}-profile"
role = aws_iam_role.this.name
path = var.path
}
resource "aws_iam_role" "this" {
name = var.role-name
description = var.description
assume_role_policy = local.assume-role-policy
managed_policy_arns = var.managed-policy-arns
force_detach_policies = true
path = var.path
inline_policy {
name = var.inline-policy-name
policy = var.inline-policy
}
# disable use of inline policy
# inline_policy {
# name = var.inline-policy-name
# policy = var.inline-policy
# }
}

View File

@ -0,0 +1,9 @@
terraform {
required_version = ">= 1.3.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.4.0"
}
}
}

View File

@ -15,30 +15,24 @@ variable "managed-policy-arns" {
default = null
}
variable role-name {
variable "role-name" {
description = "Name of IAM role"
type = string
type = string
}
variable path {
variable "path" {
description = "Path of IAM role. Defaults to /Customer/"
type = string
default = "/Customer/"
type = string
default = "/Customer/"
}
variable inline-policy-name {
description = "Inline policy name"
type = string
default = null
variable "trusted-entity" {
description = "AWS service allowed to assume this role. Either this or assume-role-policy must be provided."
type = string
}
variable inline-policy {
description = "Inline policy content"
type = string
default = null
}
variable trusted-entity {
description = "AWS service allowed to assume this role"
type = string
variable "assume-role-policy" {
description = "The actual assume role policy if trusted-entity is not provided."
type = string
default = null
}