feat: Added number_of_ variables for iam-assumable-role submodules (#96)

Author: Zyntogz

examples/iam-assumable-role-with-oidc/main.tf

@@ -22,6 +22,7 @@ module "iam_assumable_role_admin" {
   role_policy_arns = [
     "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
   ]
+  number_of_role_policy_arns = 1
 
   oidc_fully_qualified_subjects = ["system:serviceaccount:default:sa1", "system:serviceaccount:default:sa2"]
 }

examples/iam-assumable-role/main.tf

@@ -54,4 +54,5 @@ module "iam_assumable_role_custom" {
     "arn:aws:iam::aws:policy/AmazonCognitoReadOnly",
     "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess",
   ]
+  number_of_custom_role_policy_arns = 2
 }

modules/iam-assumable-role-with-oidc/README.md

@@ -28,6 +28,7 @@ This module supports IAM Roles for kubernetes service accounts as described in t
 | create\_role | Whether to create a role | `bool` | `false` | no |
 | force\_detach\_policies | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
 | max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
+| number\_of\_role\_policy\_arns | Number of custom policies passed to variable role\_policy\_arns | `number` | `0` | no |
 | oidc\_fully\_qualified\_subjects | The fully qualified OIDC subjects to be added to the role policy | `set(string)` | `[]` | no |
 | oidc\_subjects\_with\_wildcards | The OIDC subject using wildcards to be added to the role policy | `set(string)` | `[]` | no |
 | provider\_url | URL of the OIDC Provider. Use provider\_urls to specify several URLs. | `string` | `""` | no |

modules/iam-assumable-role-with-oidc/main.tf

@@ -68,7 +68,7 @@ resource "aws_iam_role" "this" {
 }
 
 resource "aws_iam_role_policy_attachment" "custom" {
-  count = var.create_role ? length(var.role_policy_arns) : 0
+  count = var.create_role ? var.number_of_role_policy_arns : 0
 
   role       = join("", aws_iam_role.this.*.name)
   policy_arn = var.role_policy_arns[count.index]

modules/iam-assumable-role-with-oidc/variables.tf

@@ -70,6 +70,13 @@ variable "role_policy_arns" {
   default     = []
 }
 
+variable "number_of_role_policy_arns" {
+  description = "Number of IAM policies to attach to IAM role"
+  type        = number
+  default     = 0
+}
+
+
 variable "oidc_fully_qualified_subjects" {
   description = "The fully qualified OIDC subjects to be added to the role policy"
   type        = set(string)

modules/iam-assumable-role/README.md

@@ -32,6 +32,7 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
 | force\_detach\_policies | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
 | max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
 | mfa\_age | Max age of valid MFA (in seconds) for roles which require MFA | `number` | `86400` | no |
+| number\_of\_custom\_role\_policy\_arns | Number of custom policies passed to variable custom\_role\_policy\_arns | `number` | `0` | no |
 | poweruser\_role\_policy\_arn | Policy ARN to use for poweruser role | `string` | `"arn:aws:iam::aws:policy/PowerUserAccess"` | no |
 | readonly\_role\_policy\_arn | Policy ARN to use for readonly role | `string` | `"arn:aws:iam::aws:policy/ReadOnlyAccess"` | no |
 | role\_description | IAM Role description | `string` | `""` | no |

modules/iam-assumable-role/main.tf

@@ -72,7 +72,7 @@ resource "aws_iam_role" "this" {
 }
 
 resource "aws_iam_role_policy_attachment" "custom" {
-  count = var.create_role ? length(var.custom_role_policy_arns) : 0
+  count = var.create_role ? var.number_of_custom_role_policy_arns : 0
 
   role       = aws_iam_role.this[0].name
   policy_arn = element(var.custom_role_policy_arns, count.index)

modules/iam-assumable-role/variables.tf

@@ -76,6 +76,12 @@ variable "custom_role_policy_arns" {
   default     = []
 }
 
+variable "number_of_custom_role_policy_arns" {
+  description = "Number of IAM policies to attach to IAM role"
+  type        = number
+  default     = 0
+}
+
 # Pre-defined policies
 variable "admin_role_policy_arn" {
   description = "Policy ARN to use for admin role"