terraform-aws-modules / terraform-aws-iam

Terraform module to create AWS IAM resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/iam/aws
Apache License 2.0

Customizable policy name for the role assumption #466

Closed olivers-xaxis closed 4 months ago

olivers-xaxis commented 6 months ago

Is your request related to a problem? Please describe.

Currently the policy that shows which roles a group can assume via the submodule iam-group-with-assumable-roles-policy is hardcoded to match the group name. E.g. given the following:

module "iam_group" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-group-with-assumable-roles-policy"
  version = "5.30.0"

  name            = "group_name"
  assumable_roles = ["ARN_1", "ARN_2"]
}

a group named group_name will be created, and it will have a policy called group_name which will have only one statement:

        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::952256534162:role/ROLE_NAME_1",
                "arn:aws:iam::952256534162:role/ROLE_NAME_2"
            ]
        }

That policy should have a customizable name. E.g. I would want to call it "group_name_assume_roles", and someone else might want a different name. Plus it is confusing in the Policy console: you see a policy called "group_name" and think it is the main policy for that group, but it is only the one for assuming roles; additional policies may end up attached to that group.

Describe the solution you'd like.

An extra optional var for the policy name, defaulting to the current name so it is fully backwards compatible:

module "iam_group" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-group-with-assumable-roles-policy"
  version = "5.30.0"

  name            = "group_name"
  assumable_roles = ["ARN_1", "ARN_2"]

  assume_roles_policy_name = "my_own_choice_of_policy_name"
}

Describe alternatives you've considered.

Cloning your code into our own git repo

Additional context

A PR should be straightforward but I wanted to raise this before working on it.
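As an added illustration (not the module's own code, and not part of the original issue), here is a minimal sketch of how a submodule like iam-group-with-assumable-roles-policy could expose the optional policy-name variable proposed above while keeping today's default. The variable `assume_roles_policy_name`, the local of the same name and the resource labels are hypothetical; the resource types are the standard Terraform AWS provider ones.

```hcl
# Added example, not the module's code: optional assume-role policy name
# with a backwards-compatible default. Variable/local names are hypothetical.

variable "name" {
  description = "Name of the IAM group (also the policy name unless overridden)"
  type        = string
}

variable "assumable_roles" {
  description = "IAM role ARNs the group is allowed to assume"
  type        = list(string)
  default     = []
}

variable "assume_roles_policy_name" {
  description = "Optional name for the assume-role policy; null keeps the current behaviour (group name)"
  type        = string
  default     = null
}

locals {
  # coalesce() returns the first non-null argument, so leaving the new
  # variable unset keeps naming the policy after the group.
  assume_roles_policy_name = coalesce(var.assume_roles_policy_name, var.name)
}

resource "aws_iam_group" "this" {
  name = var.name
}

data "aws_iam_policy_document" "assume_role" {
  # The single statement from the issue: sts:AssumeRole scoped to the
  # listed role ARNs only, nothing broader.
  statement {
    sid       = "AllowAssumeRoles"
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = var.assumable_roles
  }
}

resource "aws_iam_policy" "assume_role" {
  # Only the name changes; the statement it carries is unchanged.
  name   = local.assume_roles_policy_name
  policy = data.aws_iam_policy_document.assume_role.json
}

resource "aws_iam_group_policy_attachment" "assume_role" {
  group      = aws_iam_group.this.name
  policy_arn = aws_iam_policy.assume_role.arn
}
```

One caveat for anyone adopting such a variable on an existing deployment: `name` on `aws_iam_policy` forces replacement, so setting a new policy name makes Terraform destroy and recreate the policy and its group attachment. Review the plan for that replacement before applying, since the group is briefly without the assume-role policy during the apply.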

github-actions[bot] commented 5 months ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove the stale label or comment, or this issue will be closed in 10 days.

github-actions[bot] commented 4 months ago

This issue was automatically closed because of stale in 10 days

github-actions[bot] commented 3 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.