
Commit f3ef57c

feat: Allow more managed policies to be attached
1 parent 1f606d6 commit f3ef57c


3 files changed

+101
-41
lines changed


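--- a/README.md
+++ b/README.md
@@ -66,53 +66,61 @@ applied, the JWT will contain an updated `iss` claim.
 
 ## Resources
 
-| Name | Type |
-| ---------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
-| [aws_iam_openid_connect_provider.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |
-| [aws_iam_role.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy.inline_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
-| [aws_iam_role_policy_attachment.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.read_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_openid_connect_provider.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source |
-| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
-| [tls_certificate.github](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate) | data source |
+| Name | Type |
+| ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
+| [aws_iam_openid_connect_provider.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |
+| [aws_iam_role.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.inline_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy_attachment.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.ec2_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.lambda_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.rds_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.read_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.s3_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_openid_connect_provider.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source |
+| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+| [tls_certificate.github](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate) | data source |
 
 ## Inputs
 
-| Name | Description | Type | Default | Required |
-| ------------------------------- | ---------------------------------------------------------------------------- | -------------- | ---------------------------------------- | :------: |
-| additional_audiences | Additional OIDC audiences allowed to assume the role. | `list(string)` | `null` | no |
-| additional_thumbprints | Additional thumbprints for the OIDC provider. | `list(string)` | `[]` | no |
-| attach_read_only_policy | Enable/disable the attachment of the ReadOnly policy. | `bool` | `false` | no |
-| create | Enable/disable the creation of all resources. | `bool` | `true` | no |
-| create_iam_role | Enable/disable creation of the IAM role. | `bool` | `true` | no |
-| create_oidc_provider | Enable/disable the creation of the GitHub OIDC provider. | `bool` | `true` | no |
-| dangerously_attach_admin_policy | Enable/disable the attachment of the AdministratorAccess policy. | `bool` | `false` | no |
-| enterprise_slug | Enterprise slug for GitHub Enterprise Cloud customers. | `string` | `""` | no |
-| github_repositories | GitHub organization/repository names authorized to assume the role. | `list(string)` | n/a | yes |
-| iam_role_description | Description of the IAM role to be created. | `string` | `"Assumed by the GitHub OIDC provider."` | no |
-| iam_role_force_detach_policies | Force detachment of policies attached to the IAM role. | `bool` | `false` | no |
-| iam_role_inline_policies | Inline policies map with policy name as key and json as value. | `map(string)` | `{}` | no |
-| iam_role_max_session_duration | The maximum session duration in seconds. | `number` | `3600` | no |
-| iam_role_name | The name of the IAM role to be created and made assumable by GitHub Actions. | `string` | `"GitHubActions"` | no |
-| iam_role_path | The path under which to create IAM role. | `string` | `"/"` | no |
-| iam_role_permissions_boundary | The ARN of the permissions boundary to be used by the IAM role. | `string` | `""` | no |
-| iam_role_policy_arns | IAM policy ARNs to attach to the IAM role. | `list(string)` | `[]` | no |
-| iam_role_tags | Additional tags to be applied to the IAM role. | `map(string)` | `{}` | no |
-| oidc_provider_tags | Tags to be applied to the OIDC provider. | `map(string)` | `{}` | no |
-| tags | Tags to be applied to all applicable resources. | `map(string)` | `{}` | no |
+| Name | Description | Type | Default | Required |
+| -------------------------------- | ---------------------------------------------------------------------------- | -------------- | ---------------------------------------- | :------: |
+| additional_audiences | Additional OIDC audiences allowed to assume the role. | `list(string)` | `null` | no |
+| additional_thumbprints | Additional thumbprints for the OIDC provider. | `list(string)` | `[]` | no |
+| attach_ec2_full_access_policy | Enable/disable the attachment of the AmazonEC2FullAccess policy. | `bool` | `false` | no |
+| attach_lambda_full_access_policy | Enable/disable the attachment of the AWSLambda_FullAccess policy. | `bool` | `false` | no |
+| attach_rds_full_access_policy | Enable/disable the attachment of the AmazonRDSFullAccess policy. | `bool` | `false` | no |
+| attach_read_only_policy | Enable/disable the attachment of the ReadOnly policy. | `bool` | `false` | no |
+| attach_s3_full_access_policy | Enable/disable the attachment of the AmazonS3FullAccess policy. | `bool` | `false` | no |
+| create | Enable/disable the creation of all resources. | `bool` | `true` | no |
+| create_iam_role | Enable/disable creation of the IAM role. | `bool` | `true` | no |
+| create_oidc_provider | Enable/disable the creation of the GitHub OIDC provider. | `bool` | `true` | no |
+| dangerously_attach_admin_policy | Enable/disable the attachment of the AdministratorAccess policy. | `bool` | `false` | no |
+| enterprise_slug | Enterprise slug for GitHub Enterprise Cloud customers. | `string` | `""` | no |
+| github_repositories | GitHub organization/repository names authorized to assume the role. | `list(string)` | `[]` | no |
+| iam_role_description | Description of the IAM role to be created. | `string` | `"Assumed by the GitHub OIDC provider."` | no |
+| iam_role_force_detach_policies | Force detachment of policies attached to the IAM role. | `bool` | `false` | no |
+| iam_role_inline_policies | Inline policies map with policy name as key and json as value. | `map(string)` | `{}` | no |
+| iam_role_max_session_duration | The maximum session duration in seconds. | `number` | `3600` | no |
+| iam_role_name | The name of the IAM role to be created and made assumable by GitHub Actions. | `string` | `"GitHubActions"` | no |
+| iam_role_path | The path under which to create IAM role. | `string` | `"/"` | no |
+| iam_role_permissions_boundary | The ARN of the permissions boundary to be used by the IAM role. | `string` | `""` | no |
+| iam_role_policy_arns | IAM policy ARNs to attach to the IAM role. | `list(string)` | `[]` | no |
+| iam_role_tags | Additional tags to be applied to the IAM role. | `map(string)` | `{}` | no |
+| oidc_provider_tags | Tags to be applied to the OIDC provider. | `map(string)` | `{}` | no |
+| tags | Tags to be applied to all applicable resources. | `map(string)` | `{}` | no |
 
 ## Outputs
 
-| Name | Description |
-| --------------------------- | ----------------------------------------------------------------------- |
-| assume_role_policy_document | The assume role policy document that can be attached to your IAM roles. |
-| iam_role_arn | The ARN of the IAM role. |
-| iam_role_name | The name of the IAM role. |
-| oidc_provider_arn | The ARN of the OIDC provider. |
-| oidc_provider_url | The URL of the OIDC provider. |
+| Name | Description |
+| -------------------------------- | ---------------------------------------------------------------------------- |
+| assume_role_policy_document_json | The assume role policy JSON document that can be attached to your IAM roles. |
+| iam_role_arn | The ARN of the IAM role. |
+| iam_role_name | The name of the IAM role. |
+| oidc_provider_arn | The ARN of the OIDC provider. |
+| oidc_provider_url | The URL of the OIDC provider. |
 
 <!-- END_TF_DOCS -->
 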
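--- a/main.tf
+++ b/main.tf
@@ -47,13 +47,41 @@ resource "aws_iam_role_policy_attachment" "admin" {
 role = aws_iam_role.github[0].id
 }
 
+resource "aws_iam_role_policy_attachment" "ec2_full_access" {
+count = local.create_iam_role && var.attach_ec2_full_access_policy ? 1 : 0
+
+policy_arn = "arn:${data.aws_partition.this[0].partition}:iam::aws:policy/AmazonEC2FullAccess"
+role = aws_iam_role.github[0].id
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_full_access" {
+count = local.create_iam_role && var.attach_lambda_full_access_policy ? 1 : 0
+
+policy_arn = "arn:${data.aws_partition.this[0].partition}:iam::aws:policy/AWSLambda_FullAccess"
+role = aws_iam_role.github[0].id
+}
+
+resource "aws_iam_role_policy_attachment" "rds_full_access" {
+count = local.create_iam_role && var.attach_rds_full_access_policy ? 1 : 0
+
+policy_arn = "arn:${data.aws_partition.this[0].partition}:iam::aws:policy/AmazonRDSFullAccess"
+role = aws_iam_role.github[0].id
+}
+
 resource "aws_iam_role_policy_attachment" "read_only" {
 count = local.create_iam_role && var.attach_read_only_policy ? 1 : 0
 
 policy_arn = "arn:${data.aws_partition.this[0].partition}:iam::aws:policy/ReadOnlyAccess"
 role = aws_iam_role.github[0].id
 }
 
+resource "aws_iam_role_policy_attachment" "s3_full_access" {
+count = local.create_iam_role && var.attach_s3_full_access_policy ? 1 : 0
+
+policy_arn = "arn:${data.aws_partition.this[0].partition}:iam::aws:policy/AmazonS3FullAccess"
+role = aws_iam_role.github[0].id
+}
+
 resource "aws_iam_role_policy_attachment" "custom" {
 count = local.create_iam_role ? length(var.iam_role_policy_arns) : 0
 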
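Review bot: The four new `aws_iam_role_policy_attachment` resources (`ec2_full_access` through `s3_full_access`) are the existing `read_only` block copied four times with only the resource label, the gating variable and the policy name changed, so every further managed policy adds another block whose `count` guard and ARN template must be kept in sync by hand. One `for_each` attachment driven by a local map of the booleans keeps a single copy of the `local.create_iam_role` gate and the partition-aware ARN, and makes the set of attached AWS-managed policies readable in one place. This would rename the resource addresses that README.md now lists, so it is best done before anyone has these attachments in state; `read_only` and `admin` can stay as they are to avoid a state move. The `custom` resource at the bottom of the hunk continues outside it.
```hcl
locals {
  # AWS-managed policy name per switch; null entries are filtered out below.
  managed_full_access_policies = {
    ec2_full_access    = var.attach_ec2_full_access_policy ? "AmazonEC2FullAccess" : null
    lambda_full_access = var.attach_lambda_full_access_policy ? "AWSLambda_FullAccess" : null
    rds_full_access    = var.attach_rds_full_access_policy ? "AmazonRDSFullAccess" : null
    s3_full_access     = var.attach_s3_full_access_policy ? "AmazonS3FullAccess" : null
  }
}

resource "aws_iam_role_policy_attachment" "full_access" {
  for_each = local.create_iam_role ? { for k, v in local.managed_full_access_policies : k => v if v != null } : {}

  policy_arn = "arn:${data.aws_partition.this[0].partition}:iam::aws:policy/${each.value}"
  role       = aws_iam_role.github[0].id
}

# … unchanged: read_only and custom attachments …
```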
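--- a/variables.tf
+++ b/variables.tf
@@ -18,12 +18,36 @@ variable "additional_thumbprints" {
 }
 }
 
+variable "attach_ec2_full_access_policy" {
+default = false
+description = "Enable/disable the attachment of the AmazonEC2FullAccess policy."
+type = bool
+}
+
+variable "attach_lambda_full_access_policy" {
+default = false
+description = "Enable/disable the attachment of the AWSLambda_FullAccess policy."
+type = bool
+}
+
+variable "attach_rds_full_access_policy" {
+default = false
+description = "Enable/disable the attachment of the AmazonRDSFullAccess policy."
+type = bool
+}
+
 variable "attach_read_only_policy" {
 default = false
 description = "Enable/disable the attachment of the ReadOnly policy."
 type = bool
 }
 
+variable "attach_s3_full_access_policy" {
+default = false
+description = "Enable/disable the attachment of the AmazonS3FullAccess policy."
+type = bool
+}
+
 variable "create" {
 default = true
 description = "Enable/disable the creation of all resources."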
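Review bot: The descriptions of the four new `attach_*_full_access_policy` variables name the managed policy but say nothing about its reach, while the existing admin switch communicates its risk through the `dangerously_` prefix and a module user scanning the generated input table sees the two on equal footing. Each of these policies grants unrestricted create, modify and delete rights over an entire service for any workflow in `github_repositories`, so the description is the right place to say so and to point at the existing `iam_role_permissions_boundary` input as the way to cap it. Since the README table is produced from these descriptions (the `END_TF_DOCS` marker in README.md), the wording reaches the docs without a separate edit; for example `description = "Enable/disable the attachment of the AmazonS3FullAccess policy (full control over all S3 resources in the account; consider pairing with iam_role_permissions_boundary)."`. The same applies to the ec2, lambda and rds variables in this hunk.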
