Fix ccustom IAM roles (#133)

Stretch96 · web-flow · commit cbf304c22178 · 2024-11-14T15:55:15.000Z
* We're now using strings rather than objects for the policies - This changes the
  resources to reflect that
diff --git a/README.md b/README.md
@@ -139,7 +139,7 @@ for dxw's Dalmatian hosting platform.
 | <a name="input_cloudwatch_slack_alerts_kms_encryption"></a> [cloudwatch\_slack\_alerts\_kms\_encryption](#input\_cloudwatch\_slack\_alerts\_kms\_encryption) | Use KMS encryption with the Slack Alerts SNS topic and logs | `bool` | n/a | yes |
 | <a name="input_cloudwatch_slack_alerts_log_retention"></a> [cloudwatch\_slack\_alerts\_log\_retention](#input\_cloudwatch\_slack\_alerts\_log\_retention) | Cloudwatch Slack Alerts log retention. Set to 0 to keep all logs | `number` | n/a | yes |
 | <a name="input_codestar_connections"></a> [codestar\_connections](#input\_codestar\_connections) | CodeStar connections to create | <pre>map(<br/>    object({<br/>      provider_type = string,<br/>    })<br/>  )</pre> | n/a | yes |
-| <a name="input_custom_iam_roles"></a> [custom\_iam\_roles](#input\_custom\_iam\_roles) | Configure custom IAM roles/policies | <pre>map(object({<br/>    description        = string<br/>    policies           = map(string)<br/>    assume_role_policy = string<br/>  }))</pre> | n/a | yes |
+| <a name="input_custom_iam_roles"></a> [custom\_iam\_roles](#input\_custom\_iam\_roles) | Configure custom IAM roles/policies | <pre>map(object({<br/>    description = string<br/>    policies = map(object({<br/>      description = string<br/>      policy      = string<br/>    }))<br/>    assume_role_policy = string<br/>  }))</pre> | n/a | yes |
 | <a name="input_datadog_api_key"></a> [datadog\_api\_key](#input\_datadog\_api\_key) | Datadog API key | `string` | n/a | yes |
 | <a name="input_datadog_app_key"></a> [datadog\_app\_key](#input\_datadog\_app\_key) | Datadog App key | `string` | n/a | yes |
 | <a name="input_datadog_region"></a> [datadog\_region](#input\_datadog\_region) | Datadog region | `string` | n/a | yes |
diff --git a/iam-custom-roles.tf b/iam-custom-roles.tf
@@ -3,7 +3,7 @@ resource "aws_iam_role" "custom" {
 
   name               = each.key
   description        = each.value["description"]
-  assume_role_policy = jsonencode(each.value["assume_role_policy"])
+  assume_role_policy = each.value["assume_role_policy"]
 }
 
 resource "aws_iam_policy" "custom" {
@@ -20,10 +20,7 @@ resource "aws_iam_policy" "custom" {
 
   name        = each.value["policy_name"]
   description = each.value["policy"]["description"]
-  policy = jsonencode({
-    Version   = each.value["policy"]["Version"],
-    Statement = each.value["policy"]["Statement"]
-  })
+  policy      = each.value["policy"]["policy"]
 }
 
 resource "aws_iam_role_policy_attachment" "custom" {
diff --git a/variables.tf b/variables.tf
@@ -191,8 +191,11 @@ variable "enable_datadog_aws_integration" {
 
 variable "custom_iam_roles" {
   type = map(object({
-    description        = string
-    policies           = map(string)
+    description = string
+    policies = map(object({
+      description = string
+      policy      = string
+    }))
     assume_role_policy = string
   }))
   description = "Configure custom IAM roles/policies"
