initial commit

modules/security_identity_compliance/iam-role-v2/main.tf

@@ -0,0 +1,50 @@
+# Assume role policy can be provided as-is, or built using the trusted-entity variable
+locals {
+  assume-role-policy = endswith(var.trusted-entity, ".com") ? jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Effect" : "Allow",
+          "Principal" : {
+            "Service" : [
+              var.trusted-entity
+            ]
+          },
+          "Action" : "sts:AssumeRole"
+        }
+      ]
+    }
+  ) : var.trusted-entity
+}
+
+resource "aws_iam_instance_profile" "ip" {
+  count = var.create-instance-profile ? 1 : 0
+  name  = "${var.role-name}-profile"
+  role  = aws_iam_role.r.name
+  path  = var.path
+}
+
+resource "aws_iam_role" "r" {
+  name                  = var.role-name
+  description           = var.description
+  assume_role_policy    = local.assume-role-policy
+  force_detach_policies = true
+  path                  = var.path
+  max_session_duration  = var.max-session-duration
+  tags                  = var.tags
+}
+
+resource "aws_iam_policy" "p" {
+  for_each    = var.policies
+  description = each.value.description
+  name        = each.key
+  policy      = each.value.policy
+  tags        = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "pa" {
+  for_each   = aws_iam_policy.p
+  role       = aws_iam_role.r.name
+  policy_arn = each.value.arn
+}