feat: Enable override policy name iam-group-with-assumable-roles-policy (#468)

Co-authored-by: Oliver Schoenborn <[email protected]>

Author: schollii

examples/iam-group-with-assumable-roles-policy/main.tf

@@ -107,7 +107,8 @@ module "iam_group_with_assumable_roles_policy_production_readonly" {
 module "iam_group_with_assumable_roles_policy_production_admin" {
   source = "../../modules/iam-group-with-assumable-roles-policy"
 
-  name = "production-admin"
+  name                               = "production-admin"
+  assumable_roles_policy_name_suffix = "-assumable-roles"
 
   assumable_roles = [module.iam_assumable_roles_in_prod.admin_iam_role_arn]
 

modules/iam-group-with-assumable-roles-policy/README.md

@@ -35,6 +35,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_assumable_roles"></a> [assumable\_roles](#input\_assumable\_roles) | List of IAM roles ARNs which can be assumed by the group | `list(string)` | `[]` | no |
+| <a name="input_assumable_roles_policy_name_suffix"></a> [assumable\_roles\_policy\_name\_suffix](#input\_assumable\_roles\_policy\_name\_suffix) | Append this name to the policy name that will be created for assuming the given roles (default: null -- the policy name will be group name) | `string` | `""` | no |
 | <a name="input_group_users"></a> [group\_users](#input\_group\_users) | List of IAM users to have in an IAM group which can assume the role | `list(string)` | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name of IAM policy and IAM group | `string` | n/a | yes |
 | <a name="input_path"></a> [path](#input\_path) | Path of IAM policy and IAM group | `string` | `"/"` | no |

modules/iam-group-with-assumable-roles-policy/main.tf

@@ -7,7 +7,7 @@ data "aws_iam_policy_document" "assume_role" {
 }
 
 resource "aws_iam_policy" "this" {
-  name        = var.name
+  name        = "${var.name}${var.assumable_roles_policy_name_suffix}"
   path        = var.path
   description = "Allows to assume role in another AWS account"
   policy      = data.aws_iam_policy_document.assume_role.json

modules/iam-group-with-assumable-roles-policy/variables.tf

@@ -15,6 +15,12 @@ variable "assumable_roles" {
   default     = []
 }
 
+variable "assumable_roles_policy_name_suffix" {
+  description = "Append this name to the policy name that will be created for assuming the given roles (default: null -- the policy name will be group name)"
+  type        = string
+  default     = ""
+}
+
 variable "group_users" {
   description = "List of IAM users to have in an IAM group which can assume the role"
   type        = list(string)

wrappers/iam-group-with-assumable-roles-policy/main.tf

@@ -3,9 +3,10 @@ module "wrapper" {
 
   for_each = var.items
 
-  assumable_roles = try(each.value.assumable_roles, var.defaults.assumable_roles, [])
-  group_users     = try(each.value.group_users, var.defaults.group_users, [])
-  name            = try(each.value.name, var.defaults.name)
-  path            = try(each.value.path, var.defaults.path, "/")
-  tags            = try(each.value.tags, var.defaults.tags, {})
+  assumable_roles                    = try(each.value.assumable_roles, var.defaults.assumable_roles, [])
+  assumable_roles_policy_name_suffix = try(each.value.assumable_roles_policy_name_suffix, var.defaults.assumable_roles_policy_name_suffix, "")
+  group_users                        = try(each.value.group_users, var.defaults.group_users, [])
+  name                               = try(each.value.name, var.defaults.name)
+  path                               = try(each.value.path, var.defaults.path, "/")
+  tags                               = try(each.value.tags, var.defaults.tags, {})
 }