
feat: Add iam_policy_enabled to allow IAM roles without policies #47

Merged (2 commits) Aug 9, 2023

Conversation

dennislapchenko (Contributor) commented Jun 29, 2023

what

  • New variable iam_policy_enabled, which allows creating an IAM EKS role without a policy.
  • Also changed ["{}"] to [] in module "eks_iam_role".aws_iam_policy_document when iam_policy_enabled is true, as "{}" is still an item and the module was still attempting to create a policy (because it's based on length(var.aws_iam_policy_document)).

why

  • When utilizing resource-based policies, access is granted on that specific resource; the role that is granted access can have no policies at all, which is often a desired case.
  • On this issue it was suggested that a deny * policy can always be used when no policy is desired. But this does not work when using resource-based policies, as the role is denied all access, including the one in the resource's policy.
  • In my particular case I had a KMS key that allowed a role to decrypt using this key. The role needed no policies, so following the suggestion mentioned above I added a deny-all policy, which prevented my role from using the key. Removing the policy made things work, so this feature clearly has a valid use case.

references

Identity-based policies and resource-based policies grant permissions to the identities or resources to which they are attached. When an IAM entity (user or role) requests access to a resource within the same account, AWS evaluates all the permissions granted by the identity-based and resource-based policies. The resulting permissions are the total permissions of the two types. If an action is allowed by an identity-based policy, a resource-based policy, or both, then AWS allows the action. An explicit deny in either of these policies overrides the allow.
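An added illustration of the two points in this PR (not the PR's own diff or the module's code): why a ["{}"] placeholder still produced a policy under a length()-based count, and a KMS key whose resource policy alone grants a role decrypt access. The variable names come from the PR; the count logic is a hypothetical reconstruction, and the account id and role ARN are constructed placeholders.

```hcl
# Added illustration, not the module's own code; count logic is a reconstruction.
variable "iam_policy_enabled" {
  type    = bool
  default = false
}
variable "aws_iam_policy_document" {
  type    = list(string)
  default = []
}

locals {
  # Pre-PR: a lone "{}" is still one list item, so a length()-based
  # count creates an (empty) policy even when none is wanted.
  docs_before = var.iam_policy_enabled ? var.aws_iam_policy_document : ["{}"]
  # Post-PR: an empty list has length 0, so no policy resource is created.
  docs_after  = var.iam_policy_enabled ? var.aws_iam_policy_document : []
  # Constructed placeholders for the account and the policy-less role.
  account_id = "111111111111"
  role_arn   = "arn:aws:iam::${local.account_id}:role/example-irsa-role"
}

output "policy_count_before" { value = length(local.docs_before) }
output "policy_count_after"  { value = length(local.docs_after) }

# Resource-based grant: the role gets kms:Decrypt from the key policy alone,
# so it must carry no identity policy at all, not a deny-all one.
data "aws_iam_policy_document" "kms_key" {
  statement {
    sid       = "EnableKeyAdministration"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.account_id}:root"]
    }
  }
  statement {
    sid       = "AllowRoleDecryptOnly"
    actions   = ["kms:Decrypt"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [local.role_arn]
    }
  }
}

resource "aws_kms_key" "example" {
  description = "Key usable by a role with no identity-based policy"
  policy      = data.aws_iam_policy_document.kms_key.json
}
```

Evaluating length(local.docs_before) and length(local.docs_after) in terraform console shows the 1-versus-0 difference without applying anything to AWS.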

Nuru added and then removed the labels do not merge (Do not merge this PR, doing so would cause problems), invalid (This doesn't seem right), wontfix (This will not be worked on) and auto-update (This PR was automatically generated), Aug 9, 2023

Nuru (Contributor) commented Aug 9, 2023

/terratest

@Nuru Nuru added the patch A minor, backward compatible change label Aug 9, 2023
Nuru (Contributor) left a comment

This is an unusual use case. Thank you for providing a concrete example of how this could be useful, and thank you for the PR.

@Nuru Nuru enabled auto-merge (squash) August 9, 2023 08:20
@Nuru Nuru merged commit e12cf7d into cloudposse:main Aug 9, 2023
16 checks passed
@Nuru Nuru mentioned this pull request Aug 9, 2023
Development

Successfully merging this pull request may close these issues.

Create an IRSA without an IAM policy