feat: allow additional custom IAM policy to attached EC2 role

main.tf

@@ -139,6 +139,14 @@ resource "aws_iam_role_policy" "session_logging" {
   policy = join("", data.aws_iam_policy_document.session_logging.*.json)
 }
 
+resource "aws_iam_role_policy" "custom" {
+  count = length(var.custom_policy_document) > 0 ? 1 : 0
+
+  name   = "${module.role_label.id}-${var.custom_policy_name}"
+  role   = aws_iam_role.default.name
+  policy = var.custom_policy_document
+}
+
 resource "aws_iam_instance_profile" "default" {
   name = module.role_label.id
   role = aws_iam_role.default.name

variables.tf

@@ -212,3 +212,15 @@ variable "scale_in_protected_instances" {
     error_message = "scale_in_protected_instances must be one of Refresh, Ignore, or Wait"
   }
 }
+
+variable "custom_policy_document" {
+  description = "JSON policy document for custom permissions to attach to the SSM Agent role. If not provided, no custom policy will be attached."
+  type        = string
+  default     = ""
+}
+
+variable "custom_policy_name" {
+  description = "Name for the custom policy. Only used if custom_policy_document is provided."
+  type        = string
+  default     = "custom-policy"
+}