feat: added policy attachment to iam role module

EksIp6Nginxpod/pod_identities.tf

@@ -40,14 +40,9 @@ module "CsiPodIdentity" {
       ]
     }
   )
-}
-
   # 2 policies are required for the ebs csi to work
-resource "aws_iam_role_policy_attachment" "CsiPodIdentity" {
-  for_each = toset([
+  attach-managed-policies = [
     "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
     "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
-  ])
-  role       = module.CsiPodIdentity.name
-  policy_arn = each.value
+  ]
 }

modules/security_identity_compliance/iam-role-v2/README.md

@@ -1,16 +1,13 @@
 <!-- This readme file is generated with terraform-docs -->
 ## Requirements
 
-| Name | Version |
-|------|---------|
-| terraform | >= 1.3.0 |
-| aws | ~> 5.0 |
+No requirements.
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | ~> 5.0 |
+| aws | n/a |
 
 ## Modules
 
@@ -23,17 +20,19 @@ No modules.
 | [aws_iam_instance_profile.ip](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
 | [aws_iam_policy.p](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.r](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.CsiPodIdentity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.pa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| attach-managed-policies | List of managed policy arns to attach to the role | `list(string)` | `[]` | no |
 | create-instance-profile | Determines whether instance profile will be created | `bool` | `false` | no |
 | description | Description of IAM role | `string` | n/a | yes |
 | max-session-duration | Max session duration in seconds | `number` | `3600` | no |
 | path | Path of IAM role. Defaults to /Customer/ | `string` | `"/Customer/"` | no |
-| policies | Map of policies to be created and attached | <pre>map(<br>    object(<br>      {<br>        description = string<br>        policy      = string<br>      }<br>    )<br>  )</pre> | `{}` | no |
+| policies | Map of policies to be created and attached | <pre>map(<br/>    object(<br/>      {<br/>        description = string<br/>        policy      = string<br/>      }<br/>    )<br/>  )</pre> | `{}` | no |
 | role-name | Name of IAM role | `string` | n/a | yes |
 | tags | Tags additional to default tags | `map(string)` | `{}` | no |
 | trusted-entity | AWS service allowed to assume this role or a full assume role policy | `string` | n/a | yes |

modules/security_identity_compliance/iam-role-v2/main.tf

@@ -48,3 +48,9 @@ resource "aws_iam_role_policy_attachment" "pa" {
   role       = aws_iam_role.r.name
   policy_arn = each.value.arn
 }
+
+resource "aws_iam_role_policy_attachment" "CsiPodIdentity" {
+  for_each   = toset(var.attach-managed-policies)
+  role       = aws_iam_role.r.name
+  policy_arn = each.value
+}

modules/security_identity_compliance/iam-role-v2/variables.tf

@@ -22,6 +22,12 @@ variable "policies" {
   default = {}
 }
 
+variable "attach-managed-policies" {
+  type        = list(string)
+  description = "List of managed policy arns to attach to the role"
+  default     = []
+}
+
 variable "role-name" {
   description = "Name of IAM role"
   type        = string