From 82581fde574bba99ee8cb12109e97149ecc17dc6 Mon Sep 17 00:00:00 2001
From: kevinwochan
Date: Thu, 28 Aug 2025 01:50:23 +1000
Subject: [PATCH 1/3] docs: added iam role inline policy
---
 examples/iam-role/main.tf | 42 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
diff --git a/examples/iam-role/main.tf b/examples/iam-role/main.tf
index ba0fed97..fa27bef4 100644
--- a/examples/iam-role/main.tf
+++ b/examples/iam-role/main.tf
@@ -187,6 +187,48 @@ module "iam_role_saml" {
 tags = local.tags
 }

+################################################################################
+# IAM Role - Inline Policy
+################################################################################
+
+module "iam_role_inline_policy" {
+ source = "../../modules/iam-role"
+
+ name = "${local.name}-inline-policy"
+
+ create = true
+ create_inline_policy = true
+
+ trust_policy_permissions = {
+ ec2 = {
+ effect = "Allow"
+ actions = [
+ "sts:AssumeRole"
+ ]
+ principals = [{
+ type = "Service"
+ identifiers = ["ec2.amazonaws.com"]
+ }]
+ }
+ }
+
+ inline_policy_permissions = {
+ S3ReadAccess = {
+ effect = "Allow"
+ actions = [
+ "s3:GetObject",
+ "s3:ListBucket"
+ ]
+ resources = [
+ "arn:aws:s3:::example-bucket",
+ "arn:aws:s3:::example-bucket/*"
+ ]
+ }
+ }
+
+ tags = local.tags
+}
+
 ################################################################################
 # Supporting resources
 ################################################################################
From 2c002dfd63e4b76ebfaca3823347b80c16705852 Mon Sep 17 00:00:00 2001
From: kevinwochan
Date: Thu, 28 Aug 2025 02:01:36 +1000
Subject: [PATCH 2/3] docs: added iam inline policy references to README
---
 examples/iam-role/README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/examples/iam-role/README.md b/examples/iam-role/README.md
index 28a0c076..edd0215b 100644
--- a/examples/iam-role/README.md
+++ b/examples/iam-role/README.md
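Review bot: The `S3ReadAccess` statement in `inline_policy_permissions` lists both the bucket ARN and the `/*` object ARN without saying why, and an example is exactly what readers copy. `s3:ListBucket` is evaluated against the bucket ARN while `s3:GetObject` is evaluated against object ARNs, so both entries are needed for this pair of actions; a comment such as `# s3:ListBucket needs the bucket ARN, s3:GetObject the object ARN` above `resources` would make that explicit. A one-line comment above `create_inline_policy = true` noting that an inline policy is embedded in the role and is deleted together with it would also state the trade-off a reader is choosing versus a managed policy.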
@@ -35,6 +35,7 @@ Run `terraform destroy` when you don't need these resources.
 | [iam\_role\_circleci\_oidc](#module\_iam\_role\_circleci\_oidc) | ../../modules/iam-role | n/a |
 | [iam\_role\_disabled](#module\_iam\_role\_disabled) | ../../modules/iam-role | n/a |
 | [iam\_role\_github\_oidc](#module\_iam\_role\_github\_oidc) | ../../modules/iam-role | n/a |
+| [iam\_role\_inline\_policy](#module\_iam\_role\_inline\_policy) | ../../modules/iam-role | n/a |
 | [iam\_role\_instance\_profile](#module\_iam\_role\_instance\_profile) | ../../modules/iam-role | n/a |
 | [iam\_role\_saml](#module\_iam\_role\_saml) | ../../modules/iam-role | n/a |
 | [iam\_roles](#module\_iam\_roles) | ../../modules/iam-role | n/a |
From f739f61cd5bcf46c42dc0cae553e23d352240819 Mon Sep 17 00:00:00 2001
From: Bryant Biggs
Date: Wed, 27 Aug 2025 11:09:40 -0500
Subject: [PATCH 3/3] fix: Update example, add outputs
---
 examples/iam-role/README.md | 7 +++++++
 examples/iam-role/main.tf | 4 ++--
 examples/iam-role/outputs.tf | 39 ++++++++++++++++++++++++++++++++++++
 3 files changed, 48 insertions(+), 2 deletions(-)
diff --git a/examples/iam-role/README.md b/examples/iam-role/README.md
index edd0215b..f41018b4 100644
--- a/examples/iam-role/README.md
+++ b/examples/iam-role/README.md
@@ -70,6 +70,13 @@ No inputs.
 | [github\_oidc\_iam\_role\_arn](#output\_github\_oidc\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
 | [github\_oidc\_iam\_role\_name](#output\_github\_oidc\_iam\_role\_name) | The name of the IAM role |
 | [github\_oidc\_iam\_role\_unique\_id](#output\_github\_oidc\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
+| [inline\_policy\_iam\_instance\_profile\_arn](#output\_inline\_policy\_iam\_instance\_profile\_arn) | ARN assigned by AWS to the instance profile |
+| [inline\_policy\_iam\_instance\_profile\_id](#output\_inline\_policy\_iam\_instance\_profile\_id) | Instance profile's ID |
+| [inline\_policy\_iam\_instance\_profile\_name](#output\_inline\_policy\_iam\_instance\_profile\_name) | Name of IAM instance profile |
+| [inline\_policy\_iam\_instance\_profile\_unique\_id](#output\_inline\_policy\_iam\_instance\_profile\_unique\_id) | Stable and unique string identifying the IAM instance profile |
+| [inline\_policy\_iam\_role\_arn](#output\_inline\_policy\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| [inline\_policy\_iam\_role\_name](#output\_inline\_policy\_iam\_role\_name) | The name of the IAM role |
+| [inline\_policy\_iam\_role\_unique\_id](#output\_inline\_policy\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
 | [instance\_profile\_iam\_instance\_profile\_arn](#output\_instance\_profile\_iam\_instance\_profile\_arn) | ARN assigned by AWS to the instance profile |
 | [instance\_profile\_iam\_instance\_profile\_id](#output\_instance\_profile\_iam\_instance\_profile\_id) | Instance profile's ID |
 | [instance\_profile\_iam\_instance\_profile\_name](#output\_instance\_profile\_iam\_instance\_profile\_name) | Name of IAM instance profile |
diff --git a/examples/iam-role/main.tf b/examples/iam-role/main.tf
index fa27bef4..e30c8a45 100644
--- a/examples/iam-role/main.tf
+++ b/examples/iam-role/main.tf
@@ -196,8 +196,7 @@ module "iam_role_inline_policy" {

 name = "${local.name}-inline-policy"

- create = true
- create_inline_policy = true
+ create_instance_profile = true

 trust_policy_permissions = {
 ec2 = {
@@ -212,6 +211,7 @@ module "iam_role_inline_policy" {
 }
 }

+ create_inline_policy = true
 inline_policy_permissions = {
 S3ReadAccess = {
 effect = "Allow"
diff --git a/examples/iam-role/outputs.tf b/examples/iam-role/outputs.tf
index db078f54..94d8adec 100644
--- a/examples/iam-role/outputs.tf
+++ b/examples/iam-role/outputs.tf
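Review bot: In the second hunk `create_inline_policy = true` is placed directly above `inline_policy_permissions = {` with no blank line between them, whereas every other attribute group in this module block (`name`, `create_instance_profile`, `trust_policy_permissions`) is set off by a blank line. Either keep a blank line after `create_inline_policy = true` or move the flag up next to `create_instance_profile = true` in the first hunk so the two `create_*` toggles read as one group. The `iam_role_inline_policy` module block starts before the first hunk and ends after the second.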
@@ -153,3 +153,42 @@ output "saml_iam_instance_profile_unique_id" {
 description = "Stable and unique string identifying the IAM instance profile"
 value = module.iam_role_saml.instance_profile_unique_id
 }
+
+################################################################################
+# IAM Role - Inline Policy
+################################################################################
+
+output "inline_policy_iam_role_name" {
+ description = "The name of the IAM role"
+ value = module.iam_role_inline_policy.name
+}
+
+output "inline_policy_iam_role_arn" {
+ description = "The Amazon Resource Name (ARN) specifying the IAM role"
+ value = module.iam_role_inline_policy.arn
+}
+
+output "inline_policy_iam_role_unique_id" {
+ description = "Stable and unique string identifying the IAM role"
+ value = module.iam_role_inline_policy.unique_id
+}
+
+output "inline_policy_iam_instance_profile_arn" {
+ description = "ARN assigned by AWS to the instance profile"
+ value = module.iam_role_inline_policy.instance_profile_arn
+}
+
+output "inline_policy_iam_instance_profile_id" {
+ description = "Instance profile's ID"
+ value = module.iam_role_inline_policy.instance_profile_id
+}
+
+output "inline_policy_iam_instance_profile_name" {
+ description = "Name of IAM instance profile"
+ value = module.iam_role_inline_policy.instance_profile_name
+}
+
+output "inline_policy_iam_instance_profile_unique_id" {
+ description = "Stable and unique string identifying the IAM instance profile"
+ value = module.iam_role_inline_policy.instance_profile_unique_id
+}