Merge pull request #8 from SPHTech-Platform/fix/custom-assumable-role

disable the iam-assuable-role and used resource to create it

Author: uchinda-sph

Diff for: README.md

@@ -16,7 +16,6 @@
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_aqua_cspm_role"></a> [aqua\_cspm\_role](#module\_aqua\_cspm\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | ~> 5.9.0 |
 | <a name="module_kms"></a> [kms](#module\_kms) | terraform-aws-modules/kms/aws | ~> 1.5.0 |
 | <a name="module_lambda"></a> [lambda](#module\_lambda) | terraform-aws-modules/lambda/aws | ~> 4.10.1 |
 | <a name="module_lambda_role"></a> [lambda\_role](#module\_lambda\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | ~> 5.9.0 |
@@ -27,6 +26,8 @@
 |------|------|
 | [aws_iam_policy.aqua_cspm_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.aqua_cspm_supplemental](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.aqua_cspm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.aqua_cspm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_lambda_invocation.external_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_invocation) | resource |
 | [aws_lambda_invocation.onboarding](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_invocation) | resource |
 | [aws_secretsmanager_secret.aqua_cspm_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |

Diff for: iam.tf

@@ -32,23 +32,23 @@ resource "aws_iam_policy" "aqua_cspm_supplemental" {
   policy      = data.aws_iam_policy_document.aqua_cspm_supplemental.json
 }
 
-module "aqua_cspm_role" {
-  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
-  version = "~> 5.9.0"
-
-  create_role = true
-
-  role_name        = "${local.name_prefix}-role"
-  role_description = "Assumable Role of Aqua SaaS"
+resource "aws_iam_role" "aqua_cspm" {
+  name        = "${local.name_prefix}-role"
+  description = "Assumable Role of Aqua SaaS"
 
-  custom_role_trust_policy = data.aws_iam_policy_document.aqua_cspm_custom_trust.json
+  path                 = "/"
+  max_session_duration = "3600"
 
-  custom_role_policy_arns = [
-    "arn:aws:iam::aws:policy/SecurityAudit",
-    aws_iam_policy.aqua_cspm_supplemental.arn,
-  ]
+  assume_role_policy = data.aws_iam_policy_document.aqua_cspm_custom_trust.json
 
   depends_on = [
     aws_lambda_invocation.external_id,
   ]
 }
+
+resource "aws_iam_role_policy_attachment" "aqua_cspm" {
+  count = length(local.aqua_cspm_role_policy_arns)
+
+  policy_arn = element(local.aqua_cspm_role_policy_arns, count.index)
+  role       = aws_iam_role.aqua_cspm.name
+}

Diff for: lambda.tf

@@ -36,7 +36,7 @@ resource "aws_lambda_invocation" "onboarding" {
       Secret  = aws_secretsmanager_secret.aqua_cspm_secret.id,
       ExtId   = local.external_id,
       Group   = var.aqua_group_name,
-      RoleArn = module.aqua_cspm_role.iam_role_arn,
+      RoleArn = aws_iam_role.aqua_cspm.arn,
       AccId   = data.aws_caller_identity.current.account_id
     },
     LogicalResourceId = "OnboardingInvoke"

Diff for: locals.tf

@@ -5,4 +5,9 @@ locals {
 
   external_id = jsondecode(aws_lambda_invocation.external_id.result)["data"]
   public_ip   = "3.231.74.65/32"
+
+  aqua_cspm_role_policy_arns = [
+    "arn:aws:iam::aws:policy/SecurityAudit",
+    aws_iam_policy.aqua_cspm_supplemental.arn,
+  ]
 }