40 lines
1.0 KiB
Terraform
40 lines
1.0 KiB
Terraform
# Assume role policy can be provided as-is, or built using the trusted-entity variable
|
|
locals {
|
|
assume-role-policy = var.assume-role-policy != null ? var.assume-role-policy : jsonencode(
|
|
{
|
|
"Version" : "2012-10-17",
|
|
"Statement" : [
|
|
{
|
|
"Effect" : "Allow",
|
|
"Principal" : {
|
|
"Service" : [
|
|
var.trusted-entity
|
|
]
|
|
},
|
|
"Action" : "sts:AssumeRole"
|
|
}
|
|
]
|
|
}
|
|
)
|
|
}
|
|
|
|
resource "aws_iam_instance_profile" "this" {
|
|
count = var.create-instance-profile ? 1 : 0
|
|
name = "${var.role-name}-profile"
|
|
role = aws_iam_role.this.name
|
|
path = var.path
|
|
}
|
|
|
|
resource "aws_iam_role" "this" {
|
|
name = var.role-name
|
|
description = var.description
|
|
assume_role_policy = local.assume-role-policy
|
|
managed_policy_arns = var.managed-policy-arns
|
|
force_detach_policies = true
|
|
path = var.path
|
|
# disable use of inline policy
|
|
# inline_policy {
|
|
# name = var.inline-policy-name
|
|
# policy = var.inline-policy
|
|
# }
|
|
} |