feat: Fixed number of policies everywhere (#121)

afc9ffa0 · Anton Babenko · GitHub · 70e7898c · afc9ffa0 · afc9ffa0
Commit afc9ffa0 authored Dec 04, 2020 by Anton Babenko Committed by GitHub Dec 04, 2020
Showing with 31 additions and 4 deletions

main.tf examples/iam-assumable-role/main.tf +28 -1

README.md modules/iam-assumable-role/README.md +1 -1

main.tf modules/iam-assumable-role/main.tf +1 -1

variables.tf modules/iam-assumable-role/variables.tf +1 -1

No files found.
--- a/examples/iam-assumable-role/main.tf
+++ b/examples/iam-assumable-role/main.tf
@@ -53,6 +53,33 @@ module "iam_assumable_role_custom" {
  custom_role_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonCognitoReadOnly",
    "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess",
+    module.iam_policy.arn
  ]
-  number_of_custom_role_policy_arns = 2
+  #  number_of_custom_role_policy_arns = 3
+}
+#########################################
+# IAM policy
+#########################################
+module "iam_policy" {
+  source = "../../modules/iam-policy"
+  name        = "example"
+  path        = "/"
+  description = "My example policy"
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "ec2:Describe*"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    }
+  ]
+}
+EOF
 }
--- a/modules/iam-assumable-role/README.md
+++ b/modules/iam-assumable-role/README.md
@@ -32,7 +32,7 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
 | force\_detach\_policies | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
 | max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
 | mfa\_age | Max age of valid MFA (in seconds) for roles which require MFA | `number` | `86400` | no |
-| number\_of\_custom\_role\_policy\_arns | Number of IAM policies to attach to IAM role | `number` | `0` | no |
+| number\_of\_custom\_role\_policy\_arns | Number of IAM policies to attach to IAM role | `number` | `null` | no |
 | poweruser\_role\_policy\_arn | Policy ARN to use for poweruser role | `string` | `"arn:aws:iam::aws:policy/PowerUserAccess"` | no |
 | readonly\_role\_policy\_arn | Policy ARN to use for readonly role | `string` | `"arn:aws:iam::aws:policy/ReadOnlyAccess"` | no |
 | role\_description | IAM Role description | `string` | `""` | no |

--- a/modules/iam-assumable-role/main.tf
+++ b/modules/iam-assumable-role/main.tf
@@ -72,7 +72,7 @@ resource "aws_iam_role" "this" {
 }
 resource "aws_iam_role_policy_attachment" "custom" {
-  count = var.create_role ? var.number_of_custom_role_policy_arns : 0
+  count = var.create_role ? coalesce(var.number_of_custom_role_policy_arns, length(var.custom_role_policy_arns)) : 0
  role       = aws_iam_role.this[0].name
  policy_arn = element(var.custom_role_policy_arns, count.index)

--- a/modules/iam-assumable-role/variables.tf
+++ b/modules/iam-assumable-role/variables.tf
@@ -79,7 +79,7 @@ variable "custom_role_policy_arns" {
 variable "number_of_custom_role_policy_arns" {
  description = "Number of IAM policies to attach to IAM role"
  type        = number
-  default     = 0
+  default     = null
 }
 # Pre-defined policies