externalized IAM #91

@drernie

Description

Background

Some customers need to deploy IAM resources separately from application resources due to organizational security policies that restrict IAM management to dedicated security teams.

Current State

The Terraform module currently expects a single CloudFormation template with inline IAM resources:

  • One CloudFormation stack containing everything
  • IAM roles/policies defined within the template
  • No mechanism to reference pre-existing IAM resources

Requested Feature

Support a two-stack architecture:

  1. IAM Stack (deployed separately, managed by security team)

    • Contains ~20 IAM roles and ~4 managed policies
    • Exports ARNs via CloudFormation outputs
  2. Application Stack (deployed via Terraform module)

    • References IAM resources via parameters
    • Receives IAM ARNs from the IAM stack outputs

Required Changes

  1. Add new modules/iam/ module to deploy IAM stack
  2. Update modules/quilt/ to:
    • Accept optional iam_stack_name variable
    • Query IAM stack outputs via data source when provided
    • Pass IAM ARNs as parameters to application stack
    • Maintain backward compatibility (inline IAM still works)
  3. Update examples to demonstrate both patterns

IAM Resources Needed

Roles: SearchHandlerRole, EsIngestRole, ManifestIndexerRole, AccessCountsRole, PkgEventsRole, DuckDBSelectLambdaRole, PkgPushRole, PackagerRole, AmazonECSTaskExecutionRole, ManagedUserRole, MigrationLambdaRole, TrackingCronRole, ApiRole, TimestampResourceHandlerRole, TabulatorRole, TabulatorOpenQueryRole, IcebergLambdaRole, T4BucketReadRole, T4BucketWriteRole, S3ProxyRole, S3SNSToEventBridgeRole, S3HashLambdaRole, S3CopyLambdaRole, S3LambdaRole

Policies: BucketReadPolicy, BucketWritePolicy, RegistryAssumeRolePolicy, ManagedUserRoleBasePolicy, UserAthenaNonManagedRolePolicy, UserAthenaManagedRolePolicy, TabulatorOpenQueryPolicy, T4DefaultBucketReadPolicy

Benefit

Enables enterprise customers with strict IAM governance to adopt Quilt while maintaining their security compliance requirements.
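An added example (not the Quilt module's own code) of the backward-compatible wiring requested under Required Changes: an optional `iam_stack_name`, a conditional data source that reads the IAM stack's outputs, and a merge that passes the ARNs as parameters only when the variable is set. It assumes the IAM stack exports outputs named like `SearchHandlerRoleArn` and that the application template accepts parameters with the same names; the stack name, template path and existing parameter are placeholders.

```hcl
variable "iam_stack_name" {
  description = "Name of a separately deployed IAM CloudFormation stack; null keeps inline IAM"
  type        = string
  default     = null
}

# Read the IAM stack's outputs only when a stack name was supplied.
data "aws_cloudformation_stack" "iam" {
  count = var.iam_stack_name != null ? 1 : 0
  name  = var.iam_stack_name
}

locals {
  externalized_iam = var.iam_stack_name != null

  # Output names assumed to be exported by the IAM stack (placeholder subset).
  iam_output_keys = ["SearchHandlerRoleArn", "EsIngestRoleArn", "ApiRoleArn"]

  # Empty map when IAM stays inline, so the zero-count data source is never indexed.
  iam_outputs = try(data.aws_cloudformation_stack.iam[0].outputs, {})

  # Parameters handed to the application stack: {OutputName = ARN}.
  iam_parameters = { for k in local.iam_output_keys : k => local.iam_outputs[k] if contains(keys(local.iam_outputs), k) }

  # Outputs the IAM stack did not export; used to fail the plan early rather
  # than create an application stack with some roles unset.
  missing_iam_outputs = [for k in local.iam_output_keys : k if !contains(keys(local.iam_outputs), k)]
}

resource "aws_cloudformation_stack" "quilt" {
  name          = "quilt-app"                        # placeholder
  template_body = file("${path.module}/quilt.yaml")  # placeholder path
  capabilities  = ["CAPABILITY_NAMED_IAM"]

  # Existing parameters plus the IAM ARNs when externalized; with no
  # iam_stack_name the merge adds nothing and inline IAM keeps working.
  parameters = merge(
    { DeploymentName = "quilt" },                    # placeholder parameter
    local.iam_parameters,
  )

  lifecycle {
    precondition {
      condition     = !local.externalized_iam || length(local.missing_iam_outputs) == 0
      error_message = "IAM stack is missing outputs: ${join(", ", local.missing_iam_outputs)}"
    }
  }
}
```

The precondition only fires in the externalized case, so a deployment that never sets `iam_stack_name` is unaffected by the extra outputs check.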

Labels: enhancement (New feature or request)