Merge pull request #5 from appvia/custom-roles

Support for custom managed policies

Author: gambol99

README.md

@@ -77,6 +77,7 @@ No modules.
 | <a name="input_external_id"></a> [external\_id](#input\_external\_id) | External ID should be a string of cryptographically safe random characters | `string` | n/a | yes |
 | <a name="input_appvia_role_arn"></a> [appvia\_role\_arn](#input\_appvia\_role\_arn) | Allows specifying a non-standard IAM role. Only set this if asked to do so by Appvia | `string` | `"arn:aws:iam::730335310409:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_WAFSupport_19c9bc61106389c3"` | no |
 | <a name="input_expiry_days"></a> [expiry\_days](#input\_expiry\_days) | The number of days the role is available before access will be denied | `number` | `14` | no |
+| <a name="input_managed_policy_arns"></a> [managed\_policy\_arns](#input\_managed\_policy\_arns) | List of managed AWS policy ARNs to apply to the role | `list(string)` | <pre>[<br>  "arn:aws:iam::aws:policy/SecurityAudit",<br>  "arn:aws:iam::aws:policy/ReadOnlyAccess"<br>]</pre> | no |
 
 ## Outputs
 

cloud_formation/role.yaml

@@ -5,6 +5,10 @@ Parameters:
     Type: String
     Description: Fully-qualified ARN of the remote role
     Default: arn:aws:iam::730335310409:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_WAFSupport_19c9bc61106389c3
+  ManagedPolicyArns:
+    Type: CommaDelimitedList
+    Description: List of AWS managed policy ARNs to apply to the role
+    Default: 'arn:aws:iam::aws:policy/SecurityAudit, arn:aws:iam::aws:policy/ReadOnlyAccess'
   ExternalID:
     Type: String
     Description: External ID shared between consumer and Appvia
@@ -29,9 +33,7 @@ Resources:
             Condition:
               StringEquals:
                 "sts:ExternalId": !Ref ExternalID
-      ManagedPolicyArns:
-        - arn:aws:iam::aws:policy/SecurityAudit
-        - arn:aws:iam::aws:policy/ReadOnlyAccess
+      ManagedPolicyArns: !Ref ManagedPolicyArns
       Policies:
         - PolicyName: PermissionDeadline
           PolicyDocument:

main.tf

@@ -16,9 +16,10 @@ resource "aws_cloudformation_stack" "management" {
   ]
 
   parameters = {
-    AppviaRoleARN = var.appvia_role_arn
-    ExternalID    = var.external_id
-    ExpiryDate    = time_offset.expiry.rfc3339
+    AppviaRoleARN     = var.appvia_role_arn
+    ExternalID        = var.external_id
+    ExpiryDate        = time_offset.expiry.rfc3339
+    ManagedPolicyArns = join(",", var.managed_policy_arns)
   }
 
   lifecycle {
@@ -41,9 +42,10 @@ resource "aws_cloudformation_stack_set" "member_accounts" {
   ]
 
   parameters = {
-    AppviaRoleARN = var.appvia_role_arn
-    ExternalID    = var.external_id
-    ExpiryDate    = time_offset.expiry.rfc3339
+    AppviaRoleARN     = var.appvia_role_arn
+    ExternalID        = var.external_id
+    ExpiryDate        = time_offset.expiry.rfc3339
+    ManagedPolicyArns = join(",", var.managed_policy_arns)
   }
 
   auto_deployment {

variables.tf

@@ -19,3 +19,13 @@ variable "expiry_days" {
   default     = 14
   description = "The number of days the role is available before access will be denied"
 }
+
+variable "managed_policy_arns" {
+  type        = list(string)
+  description = "List of managed AWS policy ARNs to apply to the role"
+
+  default = [
+    "arn:aws:iam::aws:policy/SecurityAudit",
+    "arn:aws:iam::aws:policy/ReadOnlyAccess",
+  ]
+}