Add support for inline IAM policy (#68)

cloudposse · Jun 29, 2024 · c139343 · c139343
1 parent d97dbac
commit c139343
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 0 deletions.
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -90,6 +90,19 @@ module "lambda" {
     # aws_iam_policy.inside[0].id, # This will result in an error message and is why we use local.policy_name_inside
   ]
 
+  inline_iam_policy = <<-JSON
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Deny",
+          "Action": "ec2:DescribeInstanceTypes",
+          "Resource": "*"
+        }
+      ]
+    }
+  JSON
+
   context = module.this.context
 
   depends_on = [aws_iam_policy.inside]

diff --git a/iam-role.tf b/iam-role.tf
@@ -91,3 +91,10 @@ resource "aws_iam_role_policy_attachment" "custom" {
   role       = aws_iam_role.this[0].name
   policy_arn = each.value
 }
+
+resource "aws_iam_role_policy" "inline" {
+  count = try((local.enabled && var.inline_iam_policy != null), false) ? 1 : 0
+
+  role   = aws_iam_role.this[0].name
+  policy = var.inline_iam_policy
+}
diff --git a/variables.tf b/variables.tf
@@ -233,3 +233,9 @@ variable "iam_policy_description" {
   description = "Description of the IAM policy for the Lambda IAM role"
   default     = "Provides minimum SSM read permissions."
 }
+
+variable "inline_iam_policy" {
+  type        = string
+  description = "Inline policy document (JSON) to attach to the lambda role"
+  default     = null
+}