Allow operator to pass in a list of managed IAM policy ARNs for the runner role (#361)

* Allow a user to pass in a list of managed IAM policy ARNs, to be attached to the instance role

* Update root module to allow passing in managed policies for runner role

Author: jpalomaki

main.tf

@@ -102,6 +102,8 @@ module "runners" {
   userdata_post_install = var.userdata_post_install
 
   create_service_linked_role_spot = var.create_service_linked_role_spot
+
+  runner_iam_role_managed_policy_arns = var.runner_iam_role_managed_policy_arns
 }
 
 module "runner_binaries" {

modules/runners/policies-runner.tf

@@ -39,3 +39,9 @@ resource "aws_iam_role_policy" "dist_bucket" {
     }
   )
 }
+
+resource "aws_iam_role_policy_attachment" "managed_policies" {
+  count      = length(var.runner_iam_role_managed_policy_arns)
+  role       = aws_iam_role.runner.name
+  policy_arn = element(var.runner_iam_role_managed_policy_arns, count.index)
+}

modules/runners/variables.tf

@@ -238,3 +238,9 @@ variable "create_service_linked_role_spot" {
   type        = bool
   default     = false
 }
+
+variable "runner_iam_role_managed_policy_arns" {
+  description = "Attach AWS or customer-managed IAM policies (by ARN) to the runner IAM role"
+  type        = list(string)
+  default     = []
+}

variables.tf

@@ -256,3 +256,9 @@ variable "create_service_linked_role_spot" {
   type        = bool
   default     = false
 }
+
+variable "runner_iam_role_managed_policy_arns" {
+  description = "Attach AWS or customer-managed IAM policies (by ARN) to the runner IAM role"
+  type        = list(string)
+  default     = []
+}