diff --git a/terraform-aws-sns/example/example.tf b/terraform-aws-sns/example/example.tf
index 96c8f77..f58b3db 100644
--- a/terraform-aws-sns/example/example.tf
+++ b/terraform-aws-sns/example/example.tf
@@ -11,3 +11,69 @@ module "sns_cloudwatch" {
   lambda_function_name = "S3cloudHub_Test_Lambda_Function"
   lambda_function_runtime = "python3.8"
 }
+
+#IAM Role Module
+
+locals {
+  enabled = true
+}
+
+data "aws_iam_policy_document" "resource_full_access" {
+  count = local.enabled ? 1 : 0
+
+  statement {
+    sid       = "FullAccess"
+    effect    = "Allow"
+    # resources = ["arn:aws:s3:::iammodule"]
+    resources = ["*"]
+
+    actions = [
+      "s3:*",
+      "s3-object-lambda:*",
+      "sns:*",
+      "autoscaling:Describe*",
+      "cloudwatch:*",
+      "logs:*",
+      "iam:GetPolicy",
+      "iam:GetPolicyVersion",
+      "iam:GetRole"
+    ]
+  }
+}
+
+data "aws_iam_policy_document" "base" {
+  count = local.enabled ? 1 : 0
+
+  statement {
+    sid    = "BaseAccess"
+    effect = "Allow"
+
+    actions = [
+      "s3:ListBucket",
+      "s3:ListBucketVersions"
+    ]
+
+    resources = [
+      "arn:aws:s3:::iammodule"
+    ]
+  }
+}
+
+module "role" {
+  source = "../"
+
+#   principals    = var.principals
+#   iam_role_name = "mydemorole"
+
+  policy_documents = [
+    join("", data.aws_iam_policy_document.resource_full_access.*.json),
+    join("", data.aws_iam_policy_document.base.*.json),
+  ]
+
+  policy_document_count    = 2
+  policy_description       = "Test IAM policy"
+  role_description         = "Test IAM role"
+  instance_profile_enabled = true
+
+  #   context = module.this.context
+}
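Review bot: The `FullAccess` statement grants `s3:*`, `sns:*`, `cloudwatch:*` and `logs:*` on `resources = ["*"]`, and the `role` module call then sets `instance_profile_enabled = true`, so any EC2 instance given this profile would presumably hold account-wide access to those services. The scoped ARN is already present but commented out. Because examples tend to be copied as-is, I would restore it for the S3 actions, e.g. `resources = ["arn:aws:s3:::iammodule", "arn:aws:s3:::iammodule/*"]`, and move the SNS, CloudWatch and Logs actions into their own statements limited to the resources the example actually creates. `principals` is also commented out in the module call, so the example passes no trusted principal and falls back on the module default of `{}`.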
diff --git a/terraform-aws-sns/main.tf b/terraform-aws-sns/main.tf
index a94ca7b..b30dfc1 100644
--- a/terraform-aws-sns/main.tf
+++ b/terraform-aws-sns/main.tf
@@ -129,4 +129,81 @@ resource "aws_lambda_function" "terraform_lambda_func" {
   handler       = "index.lambda_handler"
   runtime       = var.lambda_function_runtime
   depends_on    = [aws_iam_role_policy_attachment.attach_iam_policy_to_iam_role]
+}
+
+# IAM Role Module
+
+
+
+data "aws_iam_policy_document" "assume_role" {
+  count = var.enabled ? length(keys(var.principals)) : 0
+
+  statement {
+    effect  = "Allow"
+    actions = var.assume_role_actions
+
+    principals {
+        type        = element(keys(var.principals), count.index)
+        identifiers = var.principals[element(keys(var.principals), count.index)]
+    #   type        = "AWS"
+    #   identifiers = ["293328213636"]
+    }
+
+    dynamic "condition" {
+      for_each = var.assume_role_conditions
+      content {
+        test     = condition.value.test
+        variable = condition.value.variable
+        values   = condition.value.values
+      }
+    }
+  }
+}
+
+data "aws_iam_policy_document" "assume_role_aggregated" {
+  count                     = var.enabled ? 1 : 0
+  override_policy_documents = data.aws_iam_policy_document.assume_role.*.json
+}
+
+resource "aws_iam_role" "default" {
+  count                = var.enabled ? 1 : 0
+  name                 = var.iam_role_name
+  assume_role_policy   = join("", data.aws_iam_policy_document.assume_role_aggregated.*.json)
+  description          = var.role_description
+  max_session_duration = var.max_session_duration
+  permissions_boundary = var.permissions_boundary
+  path                 = var.path
+  tags                 = var.tags_enabled ? var.module_tags : null
+}
+
+data "aws_iam_policy_document" "default" {
+  count                     = var.enabled && var.policy_document_count > 0 ? 1 : 0
+  override_policy_documents = var.policy_documents
+}
+
+resource "aws_iam_policy" "default" {
+  count       = var.enabled && var.policy_document_count > 0 ? 1 : 0
+  name        = var.iam_policy_name
+  description = var.policy_description
+  policy      = join("", data.aws_iam_policy_document.default.*.json)
+  path        = var.path
+  tags        = var.tags_enabled ? var.module_tags : null
+}
+
+resource "aws_iam_role_policy_attachment" "default" {
+  count      = var.enabled && var.policy_document_count > 0 ? 1 : 0
+  role       = join("", aws_iam_role.default.*.name)
+  policy_arn = join("", aws_iam_policy.default.*.arn)
+}
+
+resource "aws_iam_role_policy_attachment" "managed" {
+  for_each   = var.enabled ? var.managed_policy_arns : []
+  role       = join("", aws_iam_role.default.*.name)
+  policy_arn = each.key
+}
+
+resource "aws_iam_instance_profile" "default" {
+  count = var.enabled && var.instance_profile_enabled ? 1 : 0
+  name  = var.instance_profile_name
+  role  = join("", aws_iam_role.default.*.name)
 }
\ No newline at end of file
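Review bot: `aws_iam_role.default` is created whenever `var.enabled` is true, but its trust policy comes only from `var.principals`. With the default `{}` the `assume_role` data source has count 0, so `assume_role_aggregated` renders a document with no statements, which IAM will most likely reject at apply time rather than at plan time. I would fail early with a `lifecycle` precondition on the role whose condition is `length(var.principals) > 0` and whose error message names the variable, or gate the role and its attachments on the same expression. The trust statement is also taken entirely from caller input with no conditions by default, so a comment above `data "aws_iam_policy_document" "assume_role"` saying that cross-account principals should be paired with `assume_role_conditions` would help. `var.enabled` is not among the variables this commit adds, so it has to be declared already elsewhere in variable.tf.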
diff --git a/terraform-aws-sns/variable.tf b/terraform-aws-sns/variable.tf
index 4c70d19..48bdf54 100644
--- a/terraform-aws-sns/variable.tf
+++ b/terraform-aws-sns/variable.tf
@@ -198,4 +198,112 @@ variable "redrive_policy" {
   type        = string
   description = "The SNS redrive policy as JSON. This overrides `var.redrive_policy_max_receiver_count` and the `deadLetterTargetArn` (supplied by `var.fifo_queue = true`) passed in by the module."
   default     = null
+}
+
+
+#IAM Role Modules Variable
+
+variable "principals" {
+  type        = map(list(string))
+  description = "Map of service name as key and a list of ARNs to allow assuming the role as value (e.g. map(`AWS`, list(`arn:aws:iam:::role/admin`)))"
+  default     = {}
+}
+
+variable "policy_documents" {
+  type        = list(string)
+  description = "List of JSON IAM policy documents"
+  default     = []
+}
+
+variable "policy_document_count" {
+  type        = number
+  description = "Number of policy documents (length of policy_documents list)"
+  default     = 1
+}
+
+variable "managed_policy_arns" {
+  type        = set(string)
+  description = "List of managed policies to attach to created role"
+  default     = []
+}
+
+variable "max_session_duration" {
+  type        = number
+  default     = 3600
+  description = "The maximum session duration (in seconds) for the role. Can have a value from 1 hour to 12 hours"
+}
+
+variable "permissions_boundary" {
+  type        = string
+  default     = ""
+  description = "ARN of the policy that is used to set the permissions boundary for the role"
+}
+
+variable "role_description" {
+  type        = string
+  description = "The description of the IAM role that is visible in the IAM role manager"
+}
+
+variable "policy_description" {
+  type        = string
+  default     = ""
+  description = "The description of the IAM policy that is visible in the IAM policy manager"
+}
+
+variable "assume_role_actions" {
+  type        = list(string)
+  default     = ["sts:AssumeRole", "sts:TagSession"]
+  description = "The IAM action to be granted by the AssumeRole policy"
+}
+
+variable "assume_role_conditions" {
+  type = list(object({
+    test     = string
+    variable = string
+    values   = list(string)
+  }))
+  description = "List of conditions for the assume role policy"
+  default     = []
+}
+
+variable "instance_profile_enabled" {
+  type        = bool
+  default     = false
+  description = "Create EC2 Instance Profile for the role"
+}
+
+variable "path" {
+  type        = string
+  description = "Path to the role and policy. See [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) for more information."
+  default     = "/"
+}
+
+variable "tags_enabled" {
+  type        = string
+  description = "Enable/disable tags on IAM roles and policies"
+  default     = true
+}
+
+variable "iam_role_name" {
+  type    = string
+  default = "s3cloudhub_role"
+}
+
+variable "module_tags" {
+  type        = map(string)
+  default     = {}
+  description = <<-EOT
+    Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
+    Neither the tag keys nor the tag values will be modified by this module.
+    EOT
+}
+
+variable "iam_policy_name" {
+  type    = string
+  default = "s3cloudhub_policy"
+}
+
+variable "instance_profile_name" {
+  type    = string
+  default = "s3cloudhub_instance_profile"
 }
\ No newline at end of file
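Review bot: `principals` is declared as `map(list(string))` with no validation, so a value such as `{ AWS = ["*"] }` is accepted, and with `assume_role_conditions` defaulting to `[]` that would give a role assumable by any AWS principal. A `validation` block on `principals` with `condition = !contains(flatten(values(var.principals)), "*")` would stop that at plan time. Separately, `tags_enabled` is declared `type = string` with `default = true` and used as a conditional in main.tf; it only works through implicit conversion and should be `type = bool`. `role_description` has no default, so it becomes a required input for every caller of this module, including ones that only want the SNS resources. `iam_role_name`, `iam_policy_name` and `instance_profile_name` have no `description`, and their fixed defaults would presumably collide if the module is instantiated twice in one account.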