conversion of the set of policy_arns to a map (#49)

* conversion of the set of policy_arns to a map * Continuous Integration - terraform fmt and terraform-docs * updated policy example * corrected mapping * resolved for_each issue by transforming to a map * updated comment to transforms * Continuous Integration - terraform fmt and terraform-docs * corrected each.value.policy_arn --------- Co-authored-by: zachreborn <zachreborn@users.noreply.github.com>
zachreborn · Mar 20, 2024 · 6cd9566 · 6cd9566
1 parent fa836dd
commit 6cd9566
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 5 deletions.
diff --git a/modules/aws/iam/policy/README.md b/modules/aws/iam/policy/README.md
@@ -68,7 +68,7 @@ module "backup_policy" {
     source = "github.com/zachreborn/terraform-modules//modules/aws/iam/policy"
     
     description = "Backup to s3 permissions"
-    name        = "backup_policy"
+    name_prefix = "backup_policy"
     policy      = file("global/iam/iam_policies/backup_policy/backup-policy.json")
 }
 ```

diff --git a/modules/aws/iam/role/README.md b/modules/aws/iam/role/README.md
@@ -119,7 +119,7 @@ No modules.
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | (Required) The prefix used to generate a unique role name. | `string` | n/a | yes |
 | <a name="input_path"></a> [path](#input\_path) | (Optional) The path to the role. | `string` | `"/"` | no |
 | <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | (Optional) The ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no |
-| <a name="input_policy_arns"></a> [policy\_arns](#input\_policy\_arns) | (Required) - A list of ARNs of the policies which you want attached to the role. | `set(string)` | n/a | yes |
+| <a name="input_policy_arns"></a> [policy\_arns](#input\_policy\_arns) | (Required) - A list of ARNs of the policies which you want attached to the role. | `list(string)` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A map of tags to assign to the IAM role. | `map(string)` | <pre>{<br>  "terraform": "true"<br>}</pre> | no |
 
 ## Outputs

diff --git a/modules/aws/iam/role/main.tf b/modules/aws/iam/role/main.tf
@@ -12,6 +12,30 @@ terraform {
   }
 }
 
+##############################
+# Locals
+##############################
+
+locals {
+  # This transforms the policy_arns list into a map of objects that can be used by the aws_iam_role_policy_attachment resource. This is needed
+  # in order to utilize `for_each` when using policies which have not yet been created within modules.
+  # Example Output:
+  # {
+  #   "policy-0" = {
+  #     name       = "policy-0"
+  #     policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+  #   },
+  #   "policy-1" = {
+  #     name       = "policy-1"
+  #     policy_arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
+  #   }
+  # }
+  policy_map = { for idx, policy_arn in var.policy_arns : "policy-${idx}" => {
+    name       = "policy-${idx}"
+    policy_arn = policy_arn
+  } }
+}
+
 ##############################
 # Role Configuration
 ##############################
@@ -32,7 +56,7 @@ resource "aws_iam_role" "this" {
 ##############################
 
 resource "aws_iam_role_policy_attachment" "this" {
-  for_each   = var.policy_arns
-  policy_arn = each.key
+  for_each   = local.policy_map
+  policy_arn = each.value.policy_arn
   role       = aws_iam_role.this.name
 }
diff --git a/modules/aws/iam/role/variables.tf b/modules/aws/iam/role/variables.tf
@@ -59,6 +59,6 @@ variable "tags" {
 ##############################
 
 variable "policy_arns" {
-  type        = set(string)
+  type        = list(string)
   description = "(Required) - A list of ARNs of the policies which you want attached to the role."
 }