Update "inline" policy support with additional fields

Based on changes in terraform-aws-modules/terraform-aws-eks#3087
MoloFinance · Jul 2, 2024 · e374309 · e374309
1 parent ae6789b
commit e374309
Show file tree

Hide file tree

Showing 4 changed files with 105 additions and 37 deletions.
diff --git a/modules/iam-assumable-role-with-oidc/main.tf b/modules/iam-assumable-role-with-oidc/main.tf
@@ -108,22 +108,61 @@ resource "aws_iam_role_policy_attachment" "custom" {
   policy_arn = var.role_policy_arns[count.index]
 }
 
+###############################
+# IAM Role Inline policy
+###############################
+
+locals {
+  create_iam_role_inline_policy = var.create_role && length(var.inline_policy_statements) > 0
+}
+
 data "aws_iam_policy_document" "inline" {
-  count = var.create_role && length(var.inline_policy_statements) > 0 ? 1 : 0
+  count = local.create_iam_role_inline_policy ? 1 : 0
 
   dynamic "statement" {
     for_each = var.inline_policy_statements
+
     content {
-      sid       = statement.value.sid
-      actions   = statement.value.actions
-      effect    = statement.value.effect
-      resources = statement.value.resources
+      sid           = try(statement.value.sid, null)
+      actions       = try(statement.value.actions, null)
+      not_actions   = try(statement.value.not_actions, null)
+      effect        = try(statement.value.effect, null)
+      resources     = try(statement.value.resources, null)
+      not_resources = try(statement.value.not_resources, null)
+
+      dynamic "principals" {
+        for_each = try(statement.value.principals, [])
+
+        content {
+          type        = principals.value.type
+          identifiers = principals.value.identifiers
+        }
+      }
+
+      dynamic "not_principals" {
+        for_each = try(statement.value.not_principals, [])
+
+        content {
+          type        = not_principals.value.type
+          identifiers = not_principals.value.identifiers
+        }
+      }
+
+      dynamic "condition" {
+        for_each = try(statement.value.conditions, [])
+
+        content {
+          test     = condition.value.test
+          values   = condition.value.values
+          variable = condition.value.variable
+        }
+      }
     }
   }
 }
 
 resource "aws_iam_role_policy" "inline" {
-  count = var.create_role && length(var.inline_policy_statements) > 0 ? 1 : 0
+  count = local.create_iam_role_inline_policy ? 1 : 0
 
   role        = aws_iam_role.this[0].name
   name_prefix = "${var.role_name}_inline_"

diff --git a/modules/iam-assumable-role-with-oidc/variables.tf b/modules/iam-assumable-role-with-oidc/variables.tf
@@ -77,14 +77,9 @@ variable "number_of_role_policy_arns" {
 }
 
 variable "inline_policy_statements" {
-  description = "List of inline policy statements to attach to IAM role as an inline policy"
-  type = list(object({
-    sid       = string
-    actions   = list(string)
-    effect    = string
-    resources = list(string)
-  }))
-  default = []
+  description = "List of inline policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) to attach to IAM role as an inline policy"
+  type        = any
+  default     = []
 }
 
 variable "oidc_fully_qualified_subjects" {

diff --git a/modules/iam-assumable-role/main.tf b/modules/iam-assumable-role/main.tf
@@ -189,33 +189,72 @@ resource "aws_iam_role_policy_attachment" "readonly" {
   policy_arn = var.readonly_role_policy_arn
 }
 
+resource "aws_iam_instance_profile" "this" {
+  count = var.create_role && var.create_instance_profile ? 1 : 0
+  name  = var.role_name
+  path  = var.role_path
+  role  = aws_iam_role.this[0].name
+
+  tags = var.tags
+}
+
+###############################
+# IAM Role Inline policy
+###############################
+
+locals {
+  create_iam_role_inline_policy = var.create_role && length(var.inline_policy_statements) > 0
+}
+
 data "aws_iam_policy_document" "inline" {
-  count = var.create_role && length(var.inline_policy_statements) > 0 ? 1 : 0
+  count = local.create_iam_role_inline_policy ? 1 : 0
 
   dynamic "statement" {
     for_each = var.inline_policy_statements
+
     content {
-      sid       = statement.value.sid
-      actions   = statement.value.actions
-      effect    = statement.value.effect
-      resources = statement.value.resources
+      sid           = try(statement.value.sid, null)
+      actions       = try(statement.value.actions, null)
+      not_actions   = try(statement.value.not_actions, null)
+      effect        = try(statement.value.effect, null)
+      resources     = try(statement.value.resources, null)
+      not_resources = try(statement.value.not_resources, null)
+
+      dynamic "principals" {
+        for_each = try(statement.value.principals, [])
+
+        content {
+          type        = principals.value.type
+          identifiers = principals.value.identifiers
+        }
+      }
+
+      dynamic "not_principals" {
+        for_each = try(statement.value.not_principals, [])
+
+        content {
+          type        = not_principals.value.type
+          identifiers = not_principals.value.identifiers
+        }
+      }
+
+      dynamic "condition" {
+        for_each = try(statement.value.conditions, [])
+
+        content {
+          test     = condition.value.test
+          values   = condition.value.values
+          variable = condition.value.variable
+        }
+      }
     }
   }
 }
 
 resource "aws_iam_role_policy" "inline" {
-  count = var.create_role && length(var.inline_policy_statements) > 0 ? 1 : 0
+  count = local.create_iam_role_inline_policy ? 1 : 0
 
   role        = aws_iam_role.this[0].name
   name_prefix = "${var.role_name}_inline_"
   policy      = data.aws_iam_policy_document.inline[0].json
 }
-
-resource "aws_iam_instance_profile" "this" {
-  count = var.create_role && var.create_instance_profile ? 1 : 0
-  name  = var.role_name
-  path  = var.role_path
-  role  = aws_iam_role.this[0].name
-
-  tags = var.tags
-}
diff --git a/modules/iam-assumable-role/variables.tf b/modules/iam-assumable-role/variables.tf
@@ -101,14 +101,9 @@ variable "number_of_custom_role_policy_arns" {
 }
 
 variable "inline_policy_statements" {
-  description = "List of inline policy statements to attach to IAM role as an inline policy"
-  type = list(object({
-    sid       = string
-    actions   = list(string)
-    effect    = string
-    resources = list(string)
-  }))
-  default = []
+  description = "List of inline policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) to attach to IAM role as an inline policy"
+  type        = any
+  default     = []
 }
 
 # Pre-defined policies