feat: Added number_of_ variables for iam-assumable-role submodules (#96)

f34e1035 · Zyntogz · GitHub · cf8f3cce · f34e1035 · f34e1035
Commit f34e1035 authored Oct 30, 2020 by Zyntogz Committed by GitHub Oct 30, 2020
8 changed files
--- a/examples/iam-assumable-role-with-oidc/main.tf
+++ b/examples/iam-assumable-role-with-oidc/main.tf
@@ -22,6 +22,7 @@ module "iam_assumable_role_admin" {
  role_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
  ]
+  number_of_role_policy_arns = 1

  oidc_fully_qualified_subjects = ["system:serviceaccount:default:sa1", "system:serviceaccount:default:sa2"]
 }
--- a/examples/iam-assumable-role/main.tf
+++ b/examples/iam-assumable-role/main.tf
@@ -54,4 +54,5 @@ module "iam_assumable_role_custom" {
    "arn:aws:iam::aws:policy/AmazonCognitoReadOnly",
    "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess",
  ]
+  number_of_custom_role_policy_arns = 2
 }
--- a/modules/iam-assumable-role-with-oidc/README.md
+++ b/modules/iam-assumable-role-with-oidc/README.md
@@ -28,6 +28,7 @@ This module supports IAM Roles for kubernetes service accounts as described in t
 | create\_role | Whether to create a role | `bool` | `false` | no |
 | force\_detach\_policies | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
 | max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
+| number\_of\_role\_policy\_arns | Number of custom policies passed to variable role\_policy\_arns | `number` | `0` | no |
 | oidc\_fully\_qualified\_subjects | The fully qualified OIDC subjects to be added to the role policy | `set(string)` | `[]` | no |
 | oidc\_subjects\_with\_wildcards | The OIDC subject using wildcards to be added to the role policy | `set(string)` | `[]` | no |
 | provider\_url | URL of the OIDC Provider. Use provider\_urls to specify several URLs. | `string` | `""` | no |

--- a/modules/iam-assumable-role-with-oidc/main.tf
+++ b/modules/iam-assumable-role-with-oidc/main.tf
@@ -68,7 +68,7 @@ resource "aws_iam_role" "this" {
 }

 resource "aws_iam_role_policy_attachment" "custom" {
-  count = var.create_role ? length(var.role_policy_arns) : 0
+  count = var.create_role ? var.number_of_role_policy_arns : 0

  role       = join("", aws_iam_role.this.*.name)
  policy_arn = var.role_policy_arns[count.index]

--- a/modules/iam-assumable-role-with-oidc/variables.tf
+++ b/modules/iam-assumable-role-with-oidc/variables.tf
@@ -70,6 +70,13 @@ variable "role_policy_arns" {
  default     = []
 }

+variable "number_of_role_policy_arns" {
+  description = "Number of IAM policies to attach to IAM role"
+  type        = number
+  default     = 0
+}
+
+
 variable "oidc_fully_qualified_subjects" {
  description = "The fully qualified OIDC subjects to be added to the role policy"
  type        = set(string)

--- a/modules/iam-assumable-role/README.md
+++ b/modules/iam-assumable-role/README.md
@@ -32,6 +32,7 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
 | force\_detach\_policies | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
 | max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
 | mfa\_age | Max age of valid MFA (in seconds) for roles which require MFA | `number` | `86400` | no |
+| number\_of\_custom\_role\_policy\_arns | Number of custom policies passed to variable custom\_role\_policy\_arns | `number` | `0` | no |
 | poweruser\_role\_policy\_arn | Policy ARN to use for poweruser role | `string` | `"arn:aws:iam::aws:policy/PowerUserAccess"` | no |
 | readonly\_role\_policy\_arn | Policy ARN to use for readonly role | `string` | `"arn:aws:iam::aws:policy/ReadOnlyAccess"` | no |
 | role\_description | IAM Role description | `string` | `""` | no |

--- a/modules/iam-assumable-role/main.tf
+++ b/modules/iam-assumable-role/main.tf
@@ -72,7 +72,7 @@ resource "aws_iam_role" "this" {
 }

 resource "aws_iam_role_policy_attachment" "custom" {
-  count = var.create_role ? length(var.custom_role_policy_arns) : 0
+  count = var.create_role ? var.number_of_custom_role_policy_arns : 0

  role       = aws_iam_role.this[0].name
  policy_arn = element(var.custom_role_policy_arns, count.index)

--- a/modules/iam-assumable-role/variables.tf
+++ b/modules/iam-assumable-role/variables.tf
@@ -76,6 +76,12 @@ variable "custom_role_policy_arns" {
  default     = []
 }

+variable "number_of_custom_role_policy_arns" {
+  description = "Number of IAM policies to attach to IAM role"
+  type        = number
+  default     = 0
+}
+
 # Pre-defined policies
 variable "admin_role_policy_arn" {
  description = "Policy ARN to use for admin role"