feat: Add a flag to enable/disable role creation

The module previously created a role automatically, and allowed managed policies and inline policies to be attached to the role, this works well for simple setups but makes it difficult to do multiple account/multiple role OIDC configurations.
unfunco · Jan 11, 2025 · ac9062f · ac9062f
1 parent 7cbbdbd
commit ac9062f
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 11 deletions.
diff --git a/main.tf b/main.tf
@@ -23,7 +23,7 @@ locals {
 }
 
 resource "aws_iam_role" "github" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.create_iam_role ? 1 : 0
 
   assume_role_policy    = data.aws_iam_policy_document.assume_role[0].json
   description           = "Role assumed by the GitHub OIDC provider."
@@ -33,7 +33,6 @@ resource "aws_iam_role" "github" {
   path                  = var.iam_role_path
   permissions_boundary  = var.iam_role_permissions_boundary
   tags                  = var.tags
-
 }
 
 resource "aws_iam_role_policy" "inline_policies" {
@@ -44,21 +43,27 @@ resource "aws_iam_role_policy" "inline_policies" {
 }
 
 resource "aws_iam_role_policy_attachment" "admin" {
-  count = var.enabled && var.attach_admin_policy ? 1 : 0
+  count = var.enabled && var.create_iam_role && var.attach_admin_policy ? 1 : 0
 
-  policy_arn = "arn:${local.partition}:iam::aws:policy/AdministratorAccess"
-  role       = aws_iam_role.github[0].id
+  policy_arn = format(
+    "arn:%v:iam::aws:policy/AdministratorAccess",
+    local.partition,
+  )
+  role = aws_iam_role.github[0].id
 }
 
 resource "aws_iam_role_policy_attachment" "read_only" {
-  count = var.enabled && var.attach_read_only_policy ? 1 : 0
+  count = var.enabled && var.create_iam_role && var.attach_read_only_policy ? 1 : 0
 
-  policy_arn = "arn:${local.partition}:iam::aws:policy/ReadOnlyAccess"
-  role       = aws_iam_role.github[0].id
+  policy_arn = format(
+    "arn:${local.partition}:iam::aws:policy/ReadOnlyAccess",
+    local.partition,
+  )
+  role = aws_iam_role.github[0].id
 }
 
 resource "aws_iam_role_policy_attachment" "custom" {
-  count = var.enabled ? length(var.iam_role_policy_arns) : 0
+  count = var.enabled && var.create_iam_role ? length(var.iam_role_policy_arns) : 0
 
   policy_arn = var.iam_role_policy_arns[count.index]
   role       = aws_iam_role.github[0].id

diff --git a/outputs.tf b/outputs.tf
@@ -15,13 +15,13 @@
 output "iam_role_arn" {
   depends_on  = [aws_iam_role.github]
   description = "ARN of the IAM role."
-  value       = var.enabled ? aws_iam_role.github[0].arn : ""
+  value       = var.enabled && var.create_iam_role ? aws_iam_role.github[0].arn : ""
 }
 
 output "iam_role_name" {
   depends_on  = [aws_iam_role.github]
   description = "Name of the IAM role."
-  value       = var.enabled ? aws_iam_role.github[0].name : ""
+  value       = var.enabled && var.create_iam_role ? aws_iam_role.github[0].name : ""
 }
 
 output "oidc_provider_arn" {

diff --git a/variables.tf b/variables.tf
@@ -47,6 +47,12 @@ variable "create_oidc_provider" {
   type        = bool
 }
 
+variable "create_iam_role" {
+  default     = true
+  description = ""
+  type        = bool
+}
+
 variable "enabled" {
   default     = true
   description = "Flag to enable/disable the creation of resources."