diff --git a/README.md b/README.md
index df1afac..c60b807 100644
--- a/README.md
+++ b/README.md
@@ -104,61 +104,61 @@ and gives permission to the entities specified in `principals_arns` to assume th
```hcl
- data "aws_iam_policy_document" "resource_full_access" {
- statement {
- sid = "FullAccess"
- effect = "Allow"
- resources = ["arn:aws:s3:::bucketname/path/*"]
-
- actions = [
- "s3:PutObject",
- "s3:PutObjectAcl",
- "s3:GetObject",
- "s3:DeleteObject",
- "s3:ListBucket",
- "s3:ListBucketMultipartUploads",
- "s3:GetBucketLocation",
- "s3:AbortMultipartUpload"
- ]
- }
+data "aws_iam_policy_document" "resource_full_access" {
+ statement {
+ sid = "FullAccess"
+ effect = "Allow"
+ resources = ["arn:aws:s3:::bucketname/path/*"]
+
+ actions = [
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:GetObject",
+ "s3:DeleteObject",
+ "s3:ListBucket",
+ "s3:ListBucketMultipartUploads",
+ "s3:GetBucketLocation",
+ "s3:AbortMultipartUpload"
+ ]
}
+}
- data "aws_iam_policy_document" "base" {
- statement {
- sid = "BaseAccess"
+data "aws_iam_policy_document" "base" {
+ statement {
+ sid = "BaseAccess"
- actions = [
- "s3:ListBucket",
- "s3:ListBucketVersions"
- ]
+ actions = [
+ "s3:ListBucket",
+ "s3:ListBucketVersions"
+ ]
- resources = ["arn:aws:s3:::bucketname"]
- effect = "Allow"
- }
+ resources = ["arn:aws:s3:::bucketname"]
+ effect = "Allow"
}
+}
- module "role" {
- source = "cloudposse/iam-role/aws"
- # Cloud Posse recommends pinning every module to a specific version
- # version = "x.x.x"
-
- enabled = true
- namespace = "eg"
- stage = "prod"
- name = "app"
+module "role" {
+ source = "cloudposse/iam-role/aws"
+ # Cloud Posse recommends pinning every module to a specific version
+ # version = "x.x.x"
- policy_description = "Allow S3 FullAccess"
- role_description = "IAM role with permissions to perform actions on S3 resources"
+ enabled = true
+ namespace = "eg"
+ stage = "prod"
+ name = "app"
- principals = {
- AWS = ["arn:aws:iam::123456789012:role/workers"]
- }
+ policy_description = "Allow S3 FullAccess"
+ role_description = "IAM role with permissions to perform actions on S3 resources"
- policy_documents = [
- data.aws_iam_policy_document.resource_full_access.json,
- data.aws_iam_policy_document.base.json
- ]
+ principals = {
+ AWS = ["arn:aws:iam::123456789012:role/workers"]
}
+
+ policy_documents = [
+ data.aws_iam_policy_document.resource_full_access.json,
+ data.aws_iam_policy_document.base.json
+ ]
+}
```
@@ -339,7 +339,7 @@ In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.
## Copyright
-Copyright © 2017-2021 [Cloud Posse, LLC](https://cpco.io/copyright)
+Copyright © 2017-2022 [Cloud Posse, LLC](https://cpco.io/copyright)
@@ -397,8 +397,8 @@ Check out [our other projects][github], [follow us on twitter][twitter], [apply
### Contributors
-| [![Igor Rodionov][goruha_avatar]][goruha_homepage]
[Igor Rodionov][goruha_homepage] | [![Oscar Sullivan][osulli_avatar]][osulli_homepage]
[Oscar Sullivan][osulli_homepage] | [![Erik Osterman][osterman_avatar]][osterman_homepage]
[Erik Osterman][osterman_homepage] | [![Andriy Knysh][aknysh_avatar]][aknysh_homepage]
[Andriy Knysh][aknysh_homepage] |
-|---|---|---|---|
+| [![Igor Rodionov][goruha_avatar]][goruha_homepage]
[Igor Rodionov][goruha_homepage] | [![Oscar Sullivan][osulli_avatar]][osulli_homepage]
[Oscar Sullivan][osulli_homepage] | [![Erik Osterman][osterman_avatar]][osterman_homepage]
[Erik Osterman][osterman_homepage] | [![Andriy Knysh][aknysh_avatar]][aknysh_homepage]
[Andriy Knysh][aknysh_homepage] | [![RB][nitrocode_avatar]][nitrocode_homepage]
[RB][nitrocode_homepage] |
+|---|---|---|---|---|
[goruha_homepage]: https://github.com/goruha
@@ -409,6 +409,8 @@ Check out [our other projects][github], [follow us on twitter][twitter], [apply
[osterman_avatar]: https://img.cloudposse.com/150x150/https://github.com/osterman.png
[aknysh_homepage]: https://github.com/aknysh
[aknysh_avatar]: https://img.cloudposse.com/150x150/https://github.com/aknysh.png
+ [nitrocode_homepage]: https://github.com/nitrocode
+ [nitrocode_avatar]: https://img.cloudposse.com/150x150/https://github.com/nitrocode.png
[![README Footer][readme_footer_img]][readme_footer_link]
[![Beacon][beacon]][website]
diff --git a/README.yaml b/README.yaml
index 7d77e06..1bf3d6b 100644
--- a/README.yaml
+++ b/README.yaml
@@ -50,61 +50,61 @@ usage: |-
```hcl
- data "aws_iam_policy_document" "resource_full_access" {
- statement {
- sid = "FullAccess"
- effect = "Allow"
- resources = ["arn:aws:s3:::bucketname/path/*"]
-
- actions = [
- "s3:PutObject",
- "s3:PutObjectAcl",
- "s3:GetObject",
- "s3:DeleteObject",
- "s3:ListBucket",
- "s3:ListBucketMultipartUploads",
- "s3:GetBucketLocation",
- "s3:AbortMultipartUpload"
- ]
- }
+ data "aws_iam_policy_document" "resource_full_access" {
+ statement {
+ sid = "FullAccess"
+ effect = "Allow"
+ resources = ["arn:aws:s3:::bucketname/path/*"]
+
+ actions = [
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:GetObject",
+ "s3:DeleteObject",
+ "s3:ListBucket",
+ "s3:ListBucketMultipartUploads",
+ "s3:GetBucketLocation",
+ "s3:AbortMultipartUpload"
+ ]
}
+ }
- data "aws_iam_policy_document" "base" {
- statement {
- sid = "BaseAccess"
+ data "aws_iam_policy_document" "base" {
+ statement {
+ sid = "BaseAccess"
- actions = [
- "s3:ListBucket",
- "s3:ListBucketVersions"
- ]
+ actions = [
+ "s3:ListBucket",
+ "s3:ListBucketVersions"
+ ]
- resources = ["arn:aws:s3:::bucketname"]
- effect = "Allow"
- }
+ resources = ["arn:aws:s3:::bucketname"]
+ effect = "Allow"
}
+ }
- module "role" {
- source = "cloudposse/iam-role/aws"
- # Cloud Posse recommends pinning every module to a specific version
- # version = "x.x.x"
-
- enabled = true
- namespace = "eg"
- stage = "prod"
- name = "app"
+ module "role" {
+ source = "cloudposse/iam-role/aws"
+ # Cloud Posse recommends pinning every module to a specific version
+ # version = "x.x.x"
- policy_description = "Allow S3 FullAccess"
- role_description = "IAM role with permissions to perform actions on S3 resources"
+ enabled = true
+ namespace = "eg"
+ stage = "prod"
+ name = "app"
- principals = {
- AWS = ["arn:aws:iam::123456789012:role/workers"]
- }
+ policy_description = "Allow S3 FullAccess"
+ role_description = "IAM role with permissions to perform actions on S3 resources"
- policy_documents = [
- data.aws_iam_policy_document.resource_full_access.json,
- data.aws_iam_policy_document.base.json
- ]
+ principals = {
+ AWS = ["arn:aws:iam::123456789012:role/workers"]
}
+
+ policy_documents = [
+ data.aws_iam_policy_document.resource_full_access.json,
+ data.aws_iam_policy_document.base.json
+ ]
+ }
```
examples: |-
@@ -125,3 +125,5 @@ contributors:
github: "osterman"
- name: "Andriy Knysh"
github: "aknysh"
+ - name: "RB"
+ github: "nitrocode"
diff --git a/main.tf b/main.tf
index 01af759..ff8f679 100644
--- a/main.tf
+++ b/main.tf
@@ -26,7 +26,6 @@ data "aws_iam_policy_document" "assume_role_aggregated" {
override_policy_documents = data.aws_iam_policy_document.assume_role.*.json
}
-
resource "aws_iam_role" "default" {
count = module.this.enabled ? 1 : 0
name = var.use_fullname ? module.this.id : module.this.name
@@ -42,12 +41,12 @@ data "aws_iam_policy_document" "default" {
override_policy_documents = var.policy_documents
}
-
resource "aws_iam_policy" "default" {
count = module.this.enabled && var.policy_document_count > 0 ? 1 : 0
name = module.this.id
description = var.policy_description
policy = join("", data.aws_iam_policy_document.default.*.json)
+ tags = module.this.tags
}
resource "aws_iam_role_policy_attachment" "default" {
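Review bot: The `tags = module.this.tags` added to `aws_iam_policy.default` (the block at the hunk's middle) should be applied consistently: `aws_iam_role.default` in the previous hunk is cut off before its body, and `aws_iam_instance_profile.default` in the following hunk likewise, so it is not visible here whether those resources also carry `tags = module.this.tags`; if they do not, the policy is the only tagged object, which matters when tags drive ABAC conditions or cost allocation across the role, its policy and its profile. The `tags` argument on `aws_iam_policy` also requires an AWS provider version that supports IAM policy tagging, and the provider version constraint is not part of this diff, so confirm the module's minimum provider version is high enough or a `terraform init`/`plan` on the old pin will reject the argument. The `aws_iam_role_policy_attachment.default` block opened on the hunk's last line continues outside the hunk.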
@@ -62,7 +61,6 @@ resource "aws_iam_role_policy_attachment" "managed" {
policy_arn = each.key
}
-
resource "aws_iam_instance_profile" "default" {
count = module.this.enabled && var.instance_profile_enabled ? 1 : 0
name = module.this.id