feat: Fixed number of policies everywhere (#121)

antonbabenko · web-flow · commit afc9ffa08ad4 · 2020-12-04T12:52:40.000+01:00
diff --git a/examples/iam-assumable-role/main.tf b/examples/iam-assumable-role/main.tf
@@ -53,6 +53,33 @@ module "iam_assumable_role_custom" {
   custom_role_policy_arns = [
     "arn:aws:iam::aws:policy/AmazonCognitoReadOnly",
     "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess",
+    module.iam_policy.arn
   ]
-  number_of_custom_role_policy_arns = 2
+  #  number_of_custom_role_policy_arns = 3
+}
+
+#########################################
+# IAM policy
+#########################################
+module "iam_policy" {
+  source = "../../modules/iam-policy"
+
+  name        = "example"
+  path        = "/"
+  description = "My example policy"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "ec2:Describe*"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    }
+  ]
+}
+EOF
 }
diff --git a/modules/iam-assumable-role/README.md b/modules/iam-assumable-role/README.md
@@ -32,7 +32,7 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
 | force\_detach\_policies | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
 | max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
 | mfa\_age | Max age of valid MFA (in seconds) for roles which require MFA | `number` | `86400` | no |
-| number\_of\_custom\_role\_policy\_arns | Number of IAM policies to attach to IAM role | `number` | `0` | no |
+| number\_of\_custom\_role\_policy\_arns | Number of IAM policies to attach to IAM role | `number` | `null` | no |
 | poweruser\_role\_policy\_arn | Policy ARN to use for poweruser role | `string` | `"arn:aws:iam::aws:policy/PowerUserAccess"` | no |
 | readonly\_role\_policy\_arn | Policy ARN to use for readonly role | `string` | `"arn:aws:iam::aws:policy/ReadOnlyAccess"` | no |
 | role\_description | IAM Role description | `string` | `""` | no |
diff --git a/modules/iam-assumable-role/main.tf b/modules/iam-assumable-role/main.tf
@@ -72,7 +72,7 @@ resource "aws_iam_role" "this" {
 }
 
 resource "aws_iam_role_policy_attachment" "custom" {
-  count = var.create_role ? var.number_of_custom_role_policy_arns : 0
+  count = var.create_role ? coalesce(var.number_of_custom_role_policy_arns, length(var.custom_role_policy_arns)) : 0
 
   role       = aws_iam_role.this[0].name
   policy_arn = element(var.custom_role_policy_arns, count.index)
diff --git a/modules/iam-assumable-role/variables.tf b/modules/iam-assumable-role/variables.tf
@@ -79,7 +79,7 @@ variable "custom_role_policy_arns" {
 variable "number_of_custom_role_policy_arns" {
   description = "Number of IAM policies to attach to IAM role"
   type        = number
-  default     = 0
+  default     = null
 }
 
 # Pre-defined policies

Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,7 @@ resource "aws_iam_role" "this" {`
`72`	`72`	`}`
`73`	`73`
`74`	`74`	`resource "aws_iam_role_policy_attachment" "custom" {`
`75`		`- count = var.create_role ? var.number_of_custom_role_policy_arns : 0`
	`75`	`+ count = var.create_role ? coalesce(var.number_of_custom_role_policy_arns, length(var.custom_role_policy_arns)) : 0`
`76`	`76`
`77`	`77`	`role = aws_iam_role.this[0].name`
`78`	`78`	`policy_arn = element(var.custom_role_policy_arns, count.index)`
Original file line number	Diff line number	Diff line change
`@@ -79,7 +79,7 @@ variable "custom_role_policy_arns" {`
`79`	`79`	`variable "number_of_custom_role_policy_arns" {`
`80`	`80`	`description = "Number of IAM policies to attach to IAM role"`
`81`	`81`	`type = number`
`82`		`- default = 0`
	`82`	`+ default = null`
`83`	`83`	`}`
`84`	`84`
`85`	`85`	`# Pre-defined policies`