feat: allow additional custom IAM policy to attached EC2 role (#52)

oycyc · web-flow · commit 93a77571a32d · 2025-08-27T21:27:27.000-04:00
## what

- Add `resource "aws_iam_role_policy" "custom"` to allow for a custom
policy document to be attached to the role that is associated with the
EC2 instance.

## why

- There are times where commands will be ran in the EC2 instance as the
`ec2-user`, either manually or via the `user_data`. This additional IAM
policy document will allow that.

&lt;!-- This is an auto-generated comment: release notes by coderabbit.ai
--&gt;

## Summary by CodeRabbit

- New Features
- Optional custom permissions: You can now attach a custom inline policy
to the default role by supplying a JSON policy.
- Configurable policy name: Provide a custom name for the attached
policy when using a custom policy.
- Non-intrusive default: If no custom policy is provided, nothing
changes for existing setups.
- Flexible integration: Enables tailoring role permissions to specific
organizational or workload needs without altering core configuration.

&lt;!-- end of auto-generated comment: release notes by coderabbit.ai --&gt;
diff --git a/.trunk/.gitignore b/.trunk/.gitignore
@@ -6,4 +6,4 @@
 plugins
 user_trunk.yaml
 user.yaml
-tmp
+tmp
diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml
@@ -2,12 +2,12 @@
 # To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
 version: 0.1
 cli:
-  version: 1.24.0
+  version: 1.25.0
 # Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins)
 plugins:
   sources:
     - id: trunk
-      ref: v1.7.1
+      ref: v1.7.2
       uri: https://github.com/trunk-io/plugins
 # Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
 runtimes:
@@ -20,16 +20,16 @@ lint:
     # Incompatible with some Terraform features: https://github.com/tenable/terrascan/issues/1331
     - terrascan
   enabled:
-    - renovate@41.46.8
-    - tofu@1.10.4
+    - renovate@41.87.0
+    - tofu@1.10.5
     - actionlint@1.7.7
-    - checkov@3.2.447
+    - checkov@3.2.467
     - git-diff-check
     - markdownlint@0.45.0
     - prettier@3.6.2
-    - tflint@0.58.0
-    - trivy@0.63.0
-    - trufflehog@3.89.2
+    - tflint@0.58.1
+    - trivy@0.65.0
+    - trufflehog@3.90.5
     - yamllint@1.37.1
   ignore:
     - linters: [tofu]
diff --git a/README.md b/README.md
@@ -111,6 +111,7 @@ Use [the awesome `gossm` project](https://github.com/gjbae1212/gossm).
 | [aws_cloudwatch_log_group.session_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_iam_instance_profile.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
 | [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.session_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_launch_template.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource |
@@ -141,6 +142,8 @@ Use [the awesome `gossm` project](https://github.com/gjbae1212/gossm).
 | <a name="input_cloudwatch_retention_in_days"></a> [cloudwatch\_retention\_in\_days](#input\_cloudwatch\_retention\_in\_days) | The number of days to retain session logs in CloudWatch. This is only relevant if the session\_logging\_enabled variable is `true`. | `number` | `365` | no |
 | <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br/>See description of individual variables for details.<br/>Leave string and numeric variables as `null` to use default value.<br/>Individual variable settings (non-null) override settings in context object,<br/>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br/>  "additional_tag_map": {},<br/>  "attributes": [],<br/>  "delimiter": null,<br/>  "descriptor_formats": {},<br/>  "enabled": true,<br/>  "environment": null,<br/>  "id_length_limit": null,<br/>  "label_key_case": null,<br/>  "label_order": [],<br/>  "label_value_case": null,<br/>  "labels_as_tags": [<br/>    "unset"<br/>  ],<br/>  "name": null,<br/>  "namespace": null,<br/>  "regex_replace_chars": null,<br/>  "stage": null,<br/>  "tags": {},<br/>  "tenant": null<br/>}</pre> | no |
 | <a name="input_create_run_shell_document"></a> [create\_run\_shell\_document](#input\_create\_run\_shell\_document) | Whether or not to create the SSM-SessionManagerRunShell SSM Document. | `bool` | `true` | no |
+| <a name="input_custom_policy_document"></a> [custom\_policy\_document](#input\_custom\_policy\_document) | JSON policy document for custom permissions to attach to the SSM Agent role. If not provided, no custom policy will be attached. | `string` | `""` | no |
+| <a name="input_custom_policy_name"></a> [custom\_policy\_name](#input\_custom\_policy\_name) | Name for the custom policy. Only used if custom\_policy\_document is provided. | `string` | `"custom-policy"` | no |
 | <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.<br/>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
 | <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br/>Map of maps. Keys are names of descriptors. Values are maps of the form<br/>`{<br/>   format = string<br/>   labels = list(string)<br/>}`<br/>(Type is `any` so the map values can later be enhanced to provide additional options.)<br/>`format` is a Terraform format string to be passed to the `format()` function.<br/>`labels` is a list of labels, in order, to pass to `format()` function.<br/>Label values will be normalized before being passed to `format()` so they will be<br/>identical to how they appear in `id`.<br/>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
 | <a name="input_desired_capacity"></a> [desired\_capacity](#input\_desired\_capacity) | Desired number of instances in the Auto Scaling Group | `number` | `1` | no |
diff --git a/main.tf b/main.tf
@@ -139,6 +139,14 @@ resource "aws_iam_role_policy" "session_logging" {
   policy = join("", data.aws_iam_policy_document.session_logging.*.json)
 }
 
+resource "aws_iam_role_policy" "custom" {
+  count = length(var.custom_policy_document) > 0 ? 1 : 0
+
+  name   = "${module.role_label.id}-${var.custom_policy_name}"
+  role   = aws_iam_role.default.name
+  policy = var.custom_policy_document
+}
+
 resource "aws_iam_instance_profile" "default" {
   name = module.role_label.id
   role = aws_iam_role.default.name
diff --git a/variables.tf b/variables.tf
@@ -212,3 +212,15 @@ variable "scale_in_protected_instances" {
     error_message = "scale_in_protected_instances must be one of Refresh, Ignore, or Wait"
   }
 }
+
+variable "custom_policy_document" {
+  description = "JSON policy document for custom permissions to attach to the SSM Agent role. If not provided, no custom policy will be attached."
+  type        = string
+  default     = ""
+}
+
+variable "custom_policy_name" {
+  description = "Name for the custom policy. Only used if custom_policy_document is provided."
+  type        = string
+  default     = "custom-policy"
+}
