From 36036bb6f5cecf8d00d08b1bd614d580168312c938baa26e0838f0f2765f1b50 Mon Sep 17 00:00:00 2001
From: xpk
Date: Tue, 31 Mar 2026 08:13:10 +0800
Subject: [PATCH] feat: added policy attachment to iam role module

---
 EksIp6Nginxpod/pod_identities.tf | 11 +++--------
 .../iam-role-v2/README.md | 11 +++++------
 .../security_identity_compliance/iam-role-v2/main.tf | 6 ++++++
 .../iam-role-v2/variables.tf | 6 ++++++
 4 files changed, 20 insertions(+), 14 deletions(-)

diff --git a/EksIp6Nginxpod/pod_identities.tf b/EksIp6Nginxpod/pod_identities.tf
index 001a9b3..41757b1 100644
--- a/EksIp6Nginxpod/pod_identities.tf
+++ b/EksIp6Nginxpod/pod_identities.tf
@@ -40,14 +40,9 @@ module "CsiPodIdentity" {
 ]
 }
 )
-}
-
-# 2 policies are required for the ebs csi to work
-resource "aws_iam_role_policy_attachment" "CsiPodIdentity" {
- for_each = toset([
+ # 2 policies are required for the ebs csi to work
+ attach-managed-policies = [
 "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
 "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
- ])
- role = module.CsiPodIdentity.name
- policy_arn = each.value
+ ]
 }
\ No newline at end of file
diff --git a/modules/security_identity_compliance/iam-role-v2/README.md b/modules/security_identity_compliance/iam-role-v2/README.md
index 9ea156a..78e62c2 100644
--- a/modules/security_identity_compliance/iam-role-v2/README.md
+++ b/modules/security_identity_compliance/iam-role-v2/README.md
@@ -1,16 +1,13 @@ ## Requirements -| Name | Version | -|------|---------| -| terraform | >= 1.3.0 | -| aws | ~> 5.0 | +No requirements. ## Providers | Name | Version | |------|---------| -| aws | ~> 5.0 | +| aws | n/a | ## Modules 
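Review bot: Replacing the root-level `aws_iam_role_policy_attachment.CsiPodIdentity` with the module input changes the state address of both attachments, so without a `moved` block Terraform will plan a destroy of the old instances and a create of `module.CsiPodIdentity.aws_iam_role_policy_attachment.CsiPodIdentity[...]`, which detaches AmazonEBSCSIDriverPolicy and AmazonEC2ReadOnlyAccess from the role for the duration of the apply (assuming the removed resource is currently in state, which the deleted lines suggest). Both the old and the new resource key on the same two ARNs via `toset`, so a single `moved` block in the root module, on the resource address rather than per instance, carries both instances across; it can be deleted once every workspace has applied it. The enclosing `module "CsiPodIdentity"` block starts above this hunk, and the file still ends without a trailing newline.

```hcl
// … unchanged: module "CsiPodIdentity" { … } …

moved {
  from = aws_iam_role_policy_attachment.CsiPodIdentity
  to   = module.CsiPodIdentity.aws_iam_role_policy_attachment.CsiPodIdentity
}
```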
@@ -23,17 +20,19 @@ No modules. | [aws_iam_instance_profile.ip](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource | | [aws_iam_policy.p](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_role.r](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.CsiPodIdentity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.pa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| attach-managed-policies | List of managed policy arns to attach to the role | `list(string)` | `[]` | no | | create-instance-profile | Determines whether instance profile will be created | `bool` | `false` | no | | description | Description of IAM role | `string` | n/a | yes | | max-session-duration | Max session duration in seconds | `number` | `3600` | no | | path | Path of IAM role. Defaults to /Customer/ | `string` | `"/Customer/"` | no | -| policies | Map of policies to be created and attached |
map(
object(
{
description = string
policy = string
}
)
)
| `{}` | no | +| policies | Map of policies to be created and attached |
map(
object(
{
description = string
policy = string
}
)
)
| `{}` | no | | role-name | Name of IAM role | `string` | n/a | yes | | tags | Tags additional to default tags | `map(string)` | `{}` | no | | trusted-entity | AWS service allowed to assume this role or a full assume role policy | `string` | n/a | yes |
diff --git a/modules/security_identity_compliance/iam-role-v2/main.tf b/modules/security_identity_compliance/iam-role-v2/main.tf
index bd51f89..3a3fac2 100644
--- a/modules/security_identity_compliance/iam-role-v2/main.tf
+++ b/modules/security_identity_compliance/iam-role-v2/main.tf
@@ -47,4 +47,10 @@ resource "aws_iam_role_policy_attachment" "pa" {
 for_each = aws_iam_policy.p
 role = aws_iam_role.r.name
 policy_arn = each.value.arn
+}
+
+resource "aws_iam_role_policy_attachment" "CsiPodIdentity" {
+ for_each = toset(var.attach-managed-policies)
+ role = aws_iam_role.r.name
+ policy_arn = each.value
 }
\ No newline at end of file
diff --git a/modules/security_identity_compliance/iam-role-v2/variables.tf b/modules/security_identity_compliance/iam-role-v2/variables.tf
index 1d65fe0..74df900 100644
--- a/modules/security_identity_compliance/iam-role-v2/variables.tf
+++ b/modules/security_identity_compliance/iam-role-v2/variables.tf
@@ -22,6 +22,12 @@ variable "policies" {
 default = {}
 }
 
+variable "attach-managed-policies" {
+ type = list(string)
+ description = "List of managed policy arns to attach to the role"
+ default = []
+}
+
 variable "role-name" {
 description = "Name of IAM role"
 type = string
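Review bot: The new resource in the shared iam-role-v2 module is named after one consumer, `CsiPodIdentity`, while its sibling is the generic `pa`; a consumer-neutral name such as `resource "aws_iam_role_policy_attachment" "managed" {` keeps module state addresses meaningful for every caller, and since the resource address becomes part of each attachment's state key, the name is much cheaper to settle now than after the first apply. A one-line comment would also help the next reader tell the two attachment resources apart, e.g. `# attaches caller-supplied managed policy ARNs (var.attach-managed-policies), alongside the inline policies created from var.policies`. One caveat worth noting in that comment: `for_each = toset(var.attach-managed-policies)` needs every element known at plan time, so callers must pass literal or data-sourced ARNs rather than ARNs of policies created in the same plan; this matches the README's "managed policy arns" wording but is not enforced anywhere.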
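Review bot: `attach-managed-policies` accepts any string, so a typo or a non-IAM ARN is only rejected by the AWS API at apply time, from inside the module's attachment resource, after the role has already been created; a `validation` block on the variable moves that failure to `terraform plan` with a message that names the input. The pattern below accepts AWS-managed (`aws`) and customer-managed (12-digit account) policy ARNs in any `aws*` partition; it is a constructed example and should be adjusted if the module has to accept other forms. The description could also read "policy ARNs", and the README row in the other hunk is generated from it, so regenerate the docs after changing it.

```hcl
variable "attach-managed-policies" {
  type        = list(string)
  description = "List of managed policy ARNs to attach to the role"
  default     = []

  validation {
    condition     = alltrue([for a in var.attach-managed-policies : can(regex("^arn:aws[a-z-]*:iam::(aws|[0-9]{12}):policy/", a))])
    error_message = "Each element of attach-managed-policies must be an IAM managed policy ARN."
  }
}
```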