Custom IAM roles (#125)

Stretch96 · web-flow · commit c0df3d60f69e · 2024-10-11T15:25:44.000+01:00
* Allows creating custom IAM roles within the account
diff --git a/README.md b/README.md
@@ -45,15 +45,18 @@ for dxw's Dalmatian hosting platform.
 | [aws_glue_catalog_table.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/glue_catalog_table) | resource |
 | [aws_iam_policy.cloudtrail_cloudwatch_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.cloudwatch_slack_alerts_logs_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.delete_default_resources_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.delete_default_resources_vpc_delete_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ssm_dhmc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.cloudtrail_cloudwatch_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.cloudwatch_slack_alerts_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.delete_default_resources_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.ssm_dhmc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.cloudtrail_cloudwatch_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.cloudwatch_slack_alerts_logs_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.delete_default_resources_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.delete_default_resources_vpc_delete_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.ssm_dhmc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -126,6 +129,7 @@ for dxw's Dalmatian hosting platform.
 | <a name="input_cloudwatch_slack_alerts_kms_encryption"></a> [cloudwatch\_slack\_alerts\_kms\_encryption](#input\_cloudwatch\_slack\_alerts\_kms\_encryption) | Use KMS encryption with the Slack Alerts SNS topic and logs | `bool` | n/a | yes |
 | <a name="input_cloudwatch_slack_alerts_log_retention"></a> [cloudwatch\_slack\_alerts\_log\_retention](#input\_cloudwatch\_slack\_alerts\_log\_retention) | Cloudwatch Slack Alerts log retention. Set to 0 to keep all logs | `number` | n/a | yes |
 | <a name="input_codestar_connections"></a> [codestar\_connections](#input\_codestar\_connections) | CodeStar connections to create | <pre>map(<br/>    object({<br/>      provider_type = string,<br/>    })<br/>  )</pre> | n/a | yes |
+| <a name="input_custom_iam_roles"></a> [custom\_iam\_roles](#input\_custom\_iam\_roles) | Configure custom IAM roles/policies | <pre>map(object({<br/>    description = string<br/>    policies = map(object({<br/>      description = string<br/>      Version     = string<br/>      Statement = list(object({<br/>        Action   = list(string)<br/>        Effect   = string<br/>        Resource = string<br/>      }))<br/>    }))<br/>    assume_role_policy = object({<br/>      Version = string<br/>      Statement = list(object({<br/>        Action    = list(string)<br/>        Effect    = string<br/>        Principal = map(string)<br/>      }))<br/>    })<br/>  }))</pre> | n/a | yes |
 | <a name="input_delete_default_resources_lambda_kms_encryption"></a> [delete\_default\_resources\_lambda\_kms\_encryption](#input\_delete\_default\_resources\_lambda\_kms\_encryption) | Conditionally encrypt the Delete Default Resources Lambda logs with KMS | `bool` | n/a | yes |
 | <a name="input_delete_default_resources_log_retention"></a> [delete\_default\_resources\_log\_retention](#input\_delete\_default\_resources\_log\_retention) | Log retention for the Delete Default Resources Lambda | `number` | n/a | yes |
 | <a name="input_enable_cloudtrail"></a> [enable\_cloudtrail](#input\_enable\_cloudtrail) | Enable Cloudtrail | `bool` | n/a | yes |
diff --git a/iam-custom-roles.tf b/iam-custom-roles.tf
@@ -0,0 +1,34 @@
+resource "aws_iam_role" "custom" {
+  for_each = local.custom_iam_roles
+
+  name               = each.key
+  description        = each.value["description"]
+  assume_role_policy = jsonencode(each.value["assume_role_policy"])
+}
+
+resource "aws_iam_policy" "custom" {
+  for_each = merge(flatten([
+    for role_name, role in local.custom_iam_roles : {
+      for policy_name, policy in role.policies :
+      "${role_name}_${policy_name}" => {
+        role_name   = role_name
+        policy_name = policy_name
+        policy      = policy
+      }
+    }
+  ])...)
+
+  name        = each.value["policy_name"]
+  description = each.value["policy"]["description"]
+  policy = jsonencode({
+    Version   = each.value["policy"]["Version"],
+    Statement = each.value["policy"]["Statement"]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "custom" {
+  for_each = aws_iam_policy.custom
+
+  role       = aws_iam_role.custom[split("_", each.key)[0]].name
+  policy_arn = each.value.arn
+}
diff --git a/locals.tf b/locals.tf
@@ -66,6 +66,8 @@ locals {
 
   enable_ssm_dhmc = var.enable_ssm_dhmc
 
+  custom_iam_roles = var.custom_iam_roles
+
   enable_logs_bucket       = local.cloudtrail_s3_access_logs || local.cloudtrail_athena_glue_tables
   logging_bucket_retention = var.logging_bucket_retention
   logs_bucket_source_arns = concat(
diff --git a/variables.tf b/variables.tf
@@ -166,3 +166,27 @@ variable "logging_bucket_retention" {
   description = "Logging bucket retention in days. Set to 0 to keep all logs."
   type        = number
 }
+
+variable "custom_iam_roles" {
+  type = map(object({
+    description = string
+    policies = map(object({
+      description = string
+      Version     = string
+      Statement = list(object({
+        Action   = list(string)
+        Effect   = string
+        Resource = string
+      }))
+    }))
+    assume_role_policy = object({
+      Version = string
+      Statement = list(object({
+        Action    = list(string)
+        Effect    = string
+        Principal = map(string)
+      }))
+    })
+  }))
+  description = "Configure custom IAM roles/policies"
+}
