Added support for list of policies to attach to roles (#25)

* Additional Policies

* minor fixes

* Added support for list of policies to attach to roles

examples/iam-assumable-roles-with-saml/README.md

 # IAM assumable roles with SAML Identity Provider example
 
-Configuration in this directory creates several IAM roles which can be assumed from Users with a SAML Identity Provider
+Configuration in this directory creates several IAM roles which can be assumed by users with a SAML Identity Provider.
 
 # Usage
 

examples/iam-assumable-roles-with-saml/main.tf

@@ -12,7 +12,7 @@ resource "aws_iam_saml_provider" "idp_saml" {
 ###############################
 
 module "iam_assumable_roles_with_saml" {
-  source = "../../../terraform-aws-iam/modules/iam-assumable-roles-with-saml"
+  source = "../../modules/iam-assumable-roles-with-saml"
 
   create_admin_role = true
 
@@ -24,3 +24,17 @@ module "iam_assumable_roles_with_saml" {
   provider_name = "${aws_iam_saml_provider.idp_saml.name}"
   provider_id   = "${aws_iam_saml_provider.idp_saml.id}"
 }
+
+#################################################################
+# Create custom role with SAML idp trust and additional policies
+#################################################################
+module "iam_assumable_roles_with_saml_custom" {
+  source = "../../modules/iam-assumable-roles-with-saml"
+
+  create_poweruser_role      = true
+  poweruser_role_name        = "Billing-And-Support-Access"
+  poweruser_role_policy_arns = ["arn:aws:iam::aws:policy/job-function/Billing", "arn:aws:iam::aws:policy/AWSSupportAccess"]
+
+  provider_name = "${aws_iam_saml_provider.idp_saml.name}"
+  provider_id   = "${aws_iam_saml_provider.idp_saml.id}"
+}

examples/iam-assumable-roles/main.tf

@@ -15,8 +15,9 @@ module "iam_assumable_roles" {
 
   create_admin_role = true
 
-  create_poweruser_role = true
-  poweruser_role_name   = "developer"
+  create_poweruser_role      = true
+  poweruser_role_name        = "Billing-And-Support-Access"
+  poweruser_role_policy_arns = ["arn:aws:iam::aws:policy/job-function/Billing", "arn:aws:iam::aws:policy/AWSSupportAccess"]
 
   create_readonly_role       = true
   readonly_role_requires_mfa = false

modules/iam-assumable-roles-with-saml/README.md

@@ -14,7 +14,7 @@ Creates single IAM role which can be assumed by trusted resources using SAML Fed
 | admin\_role\_name | IAM role with admin access | string | `"admin"` | no |
 | admin\_role\_path | Path of admin IAM role | string | `"/"` | no |
 | admin\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for admin role | string | `""` | no |
-| admin\_role\_policy\_arn | Policy ARN to use for admin role | string | `"arn:aws:iam::aws:policy/AdministratorAccess"` | no |
+| admin\_role\_policy\_arns | List of policy ARNs to use for admin role | list | `[ "arn:aws:iam::aws:policy/AdministratorAccess" ]` | no |
 | aws\_saml\_endpoint | AWS SAML Endpoint | list | `[ "https://signin.aws.amazon.com/saml" ]` | no |
 | create\_admin\_role | Whether to create admin role | string | `"false"` | no |
 | create\_poweruser\_role | Whether to create poweruser role | string | `"false"` | no |
@@ -23,13 +23,13 @@ Creates single IAM role which can be assumed by trusted resources using SAML Fed
 | poweruser\_role\_name | IAM role with poweruser access | string | `"poweruser"` | no |
 | poweruser\_role\_path | Path of poweruser IAM role | string | `"/"` | no |
 | poweruser\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for poweruser role | string | `""` | no |
-| poweruser\_role\_policy\_arn | Policy ARN to use for poweruser role | string | `"arn:aws:iam::aws:policy/PowerUserAccess"` | no |
+| poweruser\_role\_policy\_arns | List of policy ARNs to use for poweruser role | list | `[ "arn:aws:iam::aws:policy/PowerUserAccess" ]` | no |
 | provider\_id | ID of the SAML Provider | string | n/a | yes |
 | provider\_name | Name of the SAML Provider | string | n/a | yes |
 | readonly\_role\_name | IAM role with readonly access | string | `"readonly"` | no |
 | readonly\_role\_path | Path of readonly IAM role | string | `"/"` | no |
 | readonly\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for readonly role | string | `""` | no |
-| readonly\_role\_policy\_arn | Policy ARN to use for readonly role | string | `"arn:aws:iam::aws:policy/ReadOnlyAccess"` | no |
+| readonly\_role\_policy\_arns | List of policy ARNs to use for readonly role | list | `[ "arn:aws:iam::aws:policy/ReadOnlyAccess" ]` | no |
 
 ## Outputs
 

modules/iam-assumable-roles-with-saml/main.tf

@@ -31,20 +31,13 @@ resource "aws_iam_role" "admin" {
 }
 
 resource "aws_iam_role_policy_attachment" "admin" {
-  count = "${var.create_admin_role ? 1 : 0}"
+  count = "${var.create_admin_role ? length(var.admin_role_policy_arns) : 0}"
 
   role       = "${aws_iam_role.admin.name}"
-  policy_arn = "${var.admin_role_policy_arn}"
+  policy_arn = "${element(var.admin_role_policy_arns, count.index)}"
 }
 
 # Poweruser
-resource "aws_iam_role_policy_attachment" "poweruser" {
-  count = "${var.create_poweruser_role ? 1 : 0}"
-
-  role       = "${aws_iam_role.poweruser.name}"
-  policy_arn = "${var.poweruser_role_policy_arn}"
-}
-
 resource "aws_iam_role" "poweruser" {
   count = "${var.create_poweruser_role ? 1 : 0}"
 
@@ -57,14 +50,14 @@ resource "aws_iam_role" "poweruser" {
   assume_role_policy = "${data.aws_iam_policy_document.assume_role_with_saml.json}"
 }
 
-# Readonly
-resource "aws_iam_role_policy_attachment" "readonly" {
-  count = "${var.create_readonly_role ? 1 : 0}"
+resource "aws_iam_role_policy_attachment" "poweruser" {
+  count = "${var.create_poweruser_role ? length(var.poweruser_role_policy_arns) : 0}"
 
-  role       = "${aws_iam_role.readonly.name}"
-  policy_arn = "${var.readonly_role_policy_arn}"
+  role       = "${aws_iam_role.poweruser.name}"
+  policy_arn = "${element(var.poweruser_role_policy_arns, count.index)}"
 }
 
+# Readonly
 resource "aws_iam_role" "readonly" {
   count = "${var.create_readonly_role ? 1 : 0}"
 
@@ -76,3 +69,10 @@ resource "aws_iam_role" "readonly" {
 
   assume_role_policy = "${data.aws_iam_policy_document.assume_role_with_saml.json}"
 }
+
+resource "aws_iam_role_policy_attachment" "readonly" {
+  count = "${var.create_readonly_role ? length(var.readonly_role_policy_arns) : 0}"
+
+  role       = "${aws_iam_role.readonly.name}"
+  policy_arn = "${element(var.readonly_role_policy_arns, count.index)}"
+}

modules/iam-assumable-roles-with-saml/variables.tf

@@ -28,9 +28,10 @@ variable "admin_role_path" {
   default     = "/"
 }
 
-variable "admin_role_policy_arn" {
-  description = "Policy ARN to use for admin role"
-  default     = "arn:aws:iam::aws:policy/AdministratorAccess"
+variable "admin_role_policy_arns" {
+  description = "List of policy ARNs to use for admin role"
+  type        = "list"
+  default     = ["arn:aws:iam::aws:policy/AdministratorAccess"]
 }
 
 variable "admin_role_permissions_boundary_arn" {
@@ -54,9 +55,10 @@ variable "poweruser_role_path" {
   default     = "/"
 }
 
-variable "poweruser_role_policy_arn" {
-  description = "Policy ARN to use for poweruser role"
-  default     = "arn:aws:iam::aws:policy/PowerUserAccess"
+variable "poweruser_role_policy_arns" {
+  description = "List of policy ARNs to use for poweruser role"
+  type        = "list"
+  default     = ["arn:aws:iam::aws:policy/PowerUserAccess"]
 }
 
 variable "poweruser_role_permissions_boundary_arn" {
@@ -80,9 +82,10 @@ variable "readonly_role_path" {
   default     = "/"
 }
 
-variable "readonly_role_policy_arn" {
-  description = "Policy ARN to use for readonly role"
-  default     = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+variable "readonly_role_policy_arns" {
+  description = "List of policy ARNs to use for readonly role"
+  type        = "list"
+  default     = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
 }
 
 variable "readonly_role_permissions_boundary_arn" {

modules/iam-assumable-roles/README.md

@@ -12,7 +12,7 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
 | admin\_role\_name | IAM role with admin access | string | `"admin"` | no |
 | admin\_role\_path | Path of admin IAM role | string | `"/"` | no |
 | admin\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for admin role | string | `""` | no |
-| admin\_role\_policy\_arn | Policy ARN to use for admin role | string | `"arn:aws:iam::aws:policy/AdministratorAccess"` | no |
+| admin\_role\_policy\_arns | List of policy ARNs to use for admin role | list | `[ "arn:aws:iam::aws:policy/AdministratorAccess" ]` | no |
 | admin\_role\_requires\_mfa | Whether admin role requires MFA | string | `"true"` | no |
 | create\_admin\_role | Whether to create admin role | string | `"false"` | no |
 | create\_poweruser\_role | Whether to create poweruser role | string | `"false"` | no |
@@ -22,12 +22,12 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
 | poweruser\_role\_name | IAM role with poweruser access | string | `"poweruser"` | no |
 | poweruser\_role\_path | Path of poweruser IAM role | string | `"/"` | no |
 | poweruser\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for poweruser role | string | `""` | no |
-| poweruser\_role\_policy\_arn | Policy ARN to use for poweruser role | string | `"arn:aws:iam::aws:policy/PowerUserAccess"` | no |
+| poweruser\_role\_policy\_arns | List of policy ARNs to use for poweruser role | list | `[ "arn:aws:iam::aws:policy/PowerUserAccess" ]` | no |
 | poweruser\_role\_requires\_mfa | Whether poweruser role requires MFA | string | `"true"` | no |
 | readonly\_role\_name | IAM role with readonly access | string | `"readonly"` | no |
 | readonly\_role\_path | Path of readonly IAM role | string | `"/"` | no |
 | readonly\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for readonly role | string | `""` | no |
-| readonly\_role\_policy\_arn | Policy ARN to use for readonly role | string | `"arn:aws:iam::aws:policy/ReadOnlyAccess"` | no |
+| readonly\_role\_policy\_arns | List of policy ARNs to use for readonly role | list | `[ "arn:aws:iam::aws:policy/ReadOnlyAccess" ]` | no |
 | readonly\_role\_requires\_mfa | Whether readonly role requires MFA | string | `"true"` | no |
 | trusted\_role\_arns | ARNs of AWS entities who can assume these roles | list | `[]` | no |
 

modules/iam-assumable-roles/main.tf

@@ -50,20 +50,13 @@ resource "aws_iam_role" "admin" {
 }
 
 resource "aws_iam_role_policy_attachment" "admin" {
-  count = "${var.create_admin_role ? 1 : 0}"
+  count = "${var.create_admin_role ? length(var.admin_role_policy_arns) : 0}"
 
   role       = "${aws_iam_role.admin.name}"
-  policy_arn = "${var.admin_role_policy_arn}"
+  policy_arn = "${element(var.admin_role_policy_arns, count.index)}"
 }
 
 # Poweruser
-resource "aws_iam_role_policy_attachment" "poweruser" {
-  count = "${var.create_poweruser_role ? 1 : 0}"
-
-  role       = "${aws_iam_role.poweruser.name}"
-  policy_arn = "${var.poweruser_role_policy_arn}"
-}
-
 resource "aws_iam_role" "poweruser" {
   count = "${var.create_poweruser_role ? 1 : 0}"
 
@@ -76,14 +69,14 @@ resource "aws_iam_role" "poweruser" {
   assume_role_policy = "${var.poweruser_role_requires_mfa ? data.aws_iam_policy_document.assume_role_with_mfa.json : data.aws_iam_policy_document.assume_role.json}"
 }
 
-# Readonly
-resource "aws_iam_role_policy_attachment" "readonly" {
-  count = "${var.create_readonly_role ? 1 : 0}"
+resource "aws_iam_role_policy_attachment" "poweruser" {
+  count = "${var.create_poweruser_role ? length(var.poweruser_role_policy_arns) : 0}"
 
-  role       = "${aws_iam_role.readonly.name}"
-  policy_arn = "${var.readonly_role_policy_arn}"
+  role       = "${aws_iam_role.poweruser.name}"
+  policy_arn = "${element(var.poweruser_role_policy_arns, count.index)}"
 }
 
+# Readonly
 resource "aws_iam_role" "readonly" {
   count = "${var.create_readonly_role ? 1 : 0}"
 
@@ -95,3 +88,10 @@ resource "aws_iam_role" "readonly" {
 
   assume_role_policy = "${var.readonly_role_requires_mfa ?  data.aws_iam_policy_document.assume_role_with_mfa.json : data.aws_iam_policy_document.assume_role.json}"
 }
+
+resource "aws_iam_role_policy_attachment" "readonly" {
+  count = "${var.create_readonly_role ? length(var.readonly_role_policy_arns) : 0}"
+
+  role       = "${aws_iam_role.readonly.name}"
+  policy_arn = "${element(var.readonly_role_policy_arns, count.index)}"
+}

modules/iam-assumable-roles/variables.tf

@@ -29,9 +29,10 @@ variable "admin_role_requires_mfa" {
   default     = true
 }
 
-variable "admin_role_policy_arn" {
-  description = "Policy ARN to use for admin role"
-  default     = "arn:aws:iam::aws:policy/AdministratorAccess"
+variable "admin_role_policy_arns" {
+  description = "List of policy ARNs to use for admin role"
+  type        = "list"
+  default     = ["arn:aws:iam::aws:policy/AdministratorAccess"]
 }
 
 variable "admin_role_permissions_boundary_arn" {
@@ -60,9 +61,10 @@ variable "poweruser_role_requires_mfa" {
   default     = true
 }
 
-variable "poweruser_role_policy_arn" {
-  description = "Policy ARN to use for poweruser role"
-  default     = "arn:aws:iam::aws:policy/PowerUserAccess"
+variable "poweruser_role_policy_arns" {
+  description = "List of policy ARNs to use for poweruser role"
+  type        = "list"
+  default     = ["arn:aws:iam::aws:policy/PowerUserAccess"]
 }
 
 variable "poweruser_role_permissions_boundary_arn" {
@@ -91,9 +93,10 @@ variable "readonly_role_requires_mfa" {
   default     = true
 }
 
-variable "readonly_role_policy_arn" {
-  description = "Policy ARN to use for readonly role"
-  default     = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+variable "readonly_role_policy_arns" {
+  description = "List of policy ARNs to use for readonly role"
+  type        = "list"
+  default     = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
 }
 
 variable "readonly_role_permissions_boundary_arn" {