🧑‍🔬 Add support for additional IAM polices (#34)

Signed-off-by: GitHub <noreply@github.com>
ministryofjustice · May 21, 2024 · fbbe5c8 · fbbe5c8
1 parent 4018569
commit fbbe5c8
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 2 deletions.
diff --git a/.devcontainer/post-create.sh b/.devcontainer/post-create.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
 # Upgrade Pip
-pip install --upgrade pip
+pip install --break-system-packages --upgrade pip
 
 # Install dependencies
-pip install --requirement requirements-dev.txt
+pip install --break-system-package --requirement requirements-dev.txt
diff --git a/main.tf b/main.tf
@@ -21,9 +21,23 @@ resource "aws_iam_role_policy_attachment" "cloudwatch_readonly_access" {
   policy_arn = "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess"
 }
 
+resource "aws_iam_role_policy_attachment" "amazon_prometheus_query_access" {
+  count = var.enable_prometheus ? 1 : 0
+
+  role       = aws_iam_role.this.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonPrometheusQueryAccess"
+}
+
 resource "aws_iam_role_policy_attachment" "xray_readonly_access" {
   count = var.enable_xray ? 1 : 0
 
   role       = aws_iam_role.this.name
   policy_arn = "arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess"
 }
+
+resource "aws_iam_role_policy_attachment" "additional_policies" {
+  for_each = { for k, v in var.additional_policies : k => v }
+
+  role       = aws_iam_role.this.name
+  policy_arn = each.value
+}
diff --git a/tests/main.tftest.hcl b/tests/main.tftest.hcl
@@ -41,3 +41,13 @@ run "invalid_role_name" {
 
   expect_failures = [var.role_name]
 }
+
+run "additional_polcies" {
+  command = plan
+
+  variables {
+    additional_polcies = {
+      AmazonDevOpsGuruReadOnlyAccess = "arn:aws:iam::aws:policy/AmazonDevOpsGuruReadOnlyAccess"
+    }
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -17,12 +17,24 @@ variable "observability_platform_account_id" {
   }
 }
 
+variable "enable_prometheus" {
+  type        = bool
+  description = "Enable AWS Managed Prometheus' query access managed policy"
+  default     = false
+}
+
 variable "enable_xray" {
   type        = bool
   description = "Enable AWS X-Ray's read only managed policy"
   default     = false
 }
 
+variable "additional_policies" {
+  type        = map(string)
+  description = "ARNs of any policies to attach to the IAM role"
+  default     = {}
+}
+
 variable "tags" {
   type        = map(string)
   description = "Tags to apply to resources"