feat: Add path option to IAM roles created under this module (#311)
Co-authored-by: [Sean Walsh] <[sf.walsh@gmail.com]>
Co-authored-by: Sean Walsh <sf.walsh@gmail.com>
Co-authored-by: Anton Babenko <anton@antonbabenko.com>
4 people committed Oct 13, 2022
1 parent 65bff86 commit fe833a0
Showing 5 changed files with 15 additions and 3 deletions.
4 changes: 2 additions & 2 deletions .pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.62.3
rev: v1.76.0
hooks:
- id: terraform_fmt
- id: terraform_validate
Expand All @@ -23,6 +23,6 @@ repos:
- '--args=--only=terraform_standard_module_structure'
- '--args=--only=terraform_workspace_remote'
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.1.0
rev: v4.3.0
hooks:
- id: check-merge-conflict
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -377,6 +377,7 @@ allow_github_webhooks = true
| <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum session duration (in seconds) for ecs task execution role. Default is 3600. | `number` | `null` | no |
| <a name="input_mount_points"></a> [mount\_points](#input\_mount\_points) | Container mount points. This is a list of maps, where each map should contain a `containerPath` and `sourceVolume`. The `readOnly` key is optional. | `list(any)` | `[]` | no |
| <a name="input_name"></a> [name](#input\_name) | Name to use on all resources created (VPC, ALB, etc) | `string` | `"atlantis"` | no |
| <a name="input_path"></a> [path](#input\_path) | If provided, all IAM roles will be created with this path. | `string` | `"/"` | no |
| <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | If provided, all IAM roles will be created with this permissions boundary attached. | `string` | `null` | no |
| <a name="input_policies_arn"></a> [policies\_arn](#input\_policies\_arn) | A list of the ARN of the policies you want to apply | `list(string)` | `null` | no |
| <a name="input_private_subnet_ids"></a> [private\_subnet\_ids](#input\_private\_subnet\_ids) | A list of IDs of existing private subnets inside the VPC | `list(string)` | `[]` | no |
4 changes: 4 additions & 0 deletions examples/github-complete/main.tf
Expand Up @@ -78,6 +78,10 @@ module "atlantis" {
# Trusted roles
trusted_principals = ["ssm.amazonaws.com"]

# IAM role options
permissions_boundary = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/cloud/developer-boundary-policy"
path = "/delegatedadmin/developer/"

# Atlantis
atlantis_github_user = var.github_user
atlantis_github_user_token = var.github_token
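Review bot: The new `# IAM role options` block hardcodes an account-specific boundary policy name and a `/delegatedadmin/developer/` path with no explanation, so a reader copying the example into another account gets an apply-time failure on the boundary ARN without knowing that the two values are meant to be adjusted together. A one-line comment would make the intent explicit, e.g. `# Example values for a delegated-admin account: the boundary policy must already exist, and the path must match whatever iam:CreateRole constraints that policy or an SCP imposes`. The enclosing `module "atlantis"` block begins outside the hunk.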
3 changes: 2 additions & 1 deletion main.tf
Expand Up @@ -454,7 +454,7 @@ resource "aws_efs_file_system" "this" {
resource "aws_efs_mount_target" "this" {
# we coalescelist in order to specify the resource keys when we create the subnets using the VPC or they're specified for us. This works around the for_each value depends on attributes which can't be determined until apply error
for_each = {
for k, v in zipmap(coalescelist(var.private_subnets, var.private_subnet_ids), local.private_subnet_ids) : k => v
for k, v in zipmap(coalescelist(var.private_subnets, var.private_subnet_ids, [""]), local.private_subnet_ids) : k => v
if var.enable_ephemeral_storage == false
}

Expand Down Expand Up @@ -534,6 +534,7 @@ resource "aws_iam_role" "ecs_task_execution" {
assume_role_policy = data.aws_iam_policy_document.ecs_tasks.json
max_session_duration = var.max_session_duration
permissions_boundary = var.permissions_boundary
path = var.path

tags = local.tags
}
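Review bot: Only `aws_iam_role.ecs_task_execution` receives `path = var.path` in the second hunk, while the new variable's description and the README row promise that all IAM roles created by the module get the path; if main.tf declares other `aws_iam_role` resources outside this hunk they need the same line, otherwise the description should be narrowed to the task execution role. This is more than cosmetic: delegated-admin setups commonly restrict `iam:CreateRole` and `iam:PassRole` to a role path, so a role left at the default `/` would not satisfy that scoping. The first hunk's `[""]` fallback in `coalescelist` is unrelated to the stated change and the existing comment does not mention it; a note such as `# [""] keeps coalescelist from erroring when both subnet lists are empty — TODO confirm zipmap still receives equal-length lists in that case` would help the next reader. Both resource blocks begin outside the hunk.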
6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -305,6 +305,12 @@ variable "permissions_boundary" {
default = null
}

variable "path" {
description = "If provided, all IAM roles will be created with this path."
type = string
default = "/"
}

variable "policies_arn" {
description = "A list of the ARN of the policies you want to apply"
type = list(string)
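Review bot: `variable "path"` accepts any string, but IAM only accepts a path that is either `/` alone or begins and ends with `/`, and a malformed value is only reported at apply time after the plan has been approved. Because the path is also what permission-boundary and SCP conditions on `iam:CreateRole` usually key on, validating it up front gives a clear error instead of a confusing access-denied or malformed-input failure. A `validation` block on the variable would cover this (it needs Terraform 0.13 or later, which the module's other constructs appear to assume — worth confirming against the declared `required_version`). The description's "If provided" also reads oddly given the non-null default of `"/"`; `"Path under which all IAM roles are created. Must begin and end with a forward slash."` would be more accurate.
```terraform
variable "path" {
  description = "If provided, all IAM roles will be created with this path."
  type        = string
  default     = "/"

  validation {
    condition     = can(regex("^/(.*/)?$", var.path))
    error_message = "The path must be \"/\" or begin and end with a forward slash (/)."
  }
}
```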

0 comments on commit fe833a0
