feat: Add a way to define IAM policy name prefix (#354)

Co-authored-by: Anton Babenko <[email protected]>
terraform-aws-modules · Oct 31, 2022 · 7df6bbf · 7df6bbf
1 parent b36268c
commit 7df6bbf
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -752,6 +752,7 @@ No modules.
 | <a name="input_policy"></a> [policy](#input\_policy) | An additional policy document ARN to attach to the Lambda Function role | `string` | `null` | no |
 | <a name="input_policy_json"></a> [policy\_json](#input\_policy\_json) | An additional policy document as JSON to attach to the Lambda Function role | `string` | `null` | no |
 | <a name="input_policy_jsons"></a> [policy\_jsons](#input\_policy\_jsons) | List of additional policy documents as JSON to attach to Lambda Function role | `list(string)` | `[]` | no |
+| <a name="input_policy_name"></a> [policy\_name](#input\_policy\_name) | IAM policy name. It override the default value, which is the same as role\_name | `string` | `null` | no |
 | <a name="input_policy_path"></a> [policy\_path](#input\_policy\_path) | Path of policies to that should be added to IAM role for Lambda Function | `string` | `null` | no |
 | <a name="input_policy_statements"></a> [policy\_statements](#input\_policy\_statements) | Map of dynamic policy statements to attach to Lambda Function role | `any` | `{}` | no |
 | <a name="input_provisioned_concurrent_executions"></a> [provisioned\_concurrent\_executions](#input\_provisioned\_concurrent\_executions) | Amount of capacity to allocate. Set to 1 or greater to enable, or set to 0 to disable provisioned concurrency. | `number` | `-1` | no |

diff --git a/iam.tf b/iam.tf
@@ -11,7 +11,8 @@ locals {
   #   attempting to plan if the role_name and function_name are not set.  This is a workaround
   #   for #83 that will allow one to import resources without receiving an error from coalesce.
   # @see https://github.com/terraform-aws-modules/terraform-aws-lambda/issues/83
-  role_name = local.create_role ? coalesce(var.role_name, var.function_name, "*") : null
+  role_name   = local.create_role ? coalesce(var.role_name, var.function_name, "*") : null
+  policy_name = coalesce(var.policy_name, local.role_name)
 
   # IAM Role trusted entities is a list of any (allow strings (services) and maps (type+identifiers))
   trusted_entities_services = distinct(compact(concat(
@@ -132,7 +133,7 @@ data "aws_iam_policy_document" "logs" {
 resource "aws_iam_policy" "logs" {
   count = local.create_role && var.attach_cloudwatch_logs_policy ? 1 : 0
 
-  name   = "${local.role_name}-logs"
+  name   = "${local.policy_name}-logs"
   path   = var.policy_path
   policy = data.aws_iam_policy_document.logs[0].json
   tags   = var.tags
@@ -169,7 +170,7 @@ data "aws_iam_policy_document" "dead_letter" {
 resource "aws_iam_policy" "dead_letter" {
   count = local.create_role && var.attach_dead_letter_policy ? 1 : 0
 
-  name   = "${local.role_name}-dl"
+  name   = "${local.policy_name}-dl"
   path   = var.policy_path
   policy = data.aws_iam_policy_document.dead_letter[0].json
   tags   = var.tags
@@ -196,7 +197,7 @@ data "aws_iam_policy" "vpc" {
 resource "aws_iam_policy" "vpc" {
   count = local.create_role && var.attach_network_policy ? 1 : 0
 
-  name   = "${local.role_name}-vpc"
+  name   = "${local.policy_name}-vpc"
   path   = var.policy_path
   policy = data.aws_iam_policy.vpc[0].policy
   tags   = var.tags
@@ -223,7 +224,7 @@ data "aws_iam_policy" "tracing" {
 resource "aws_iam_policy" "tracing" {
   count = local.create_role && var.attach_tracing_policy ? 1 : 0
 
-  name   = "${local.role_name}-tracing"
+  name   = "${local.policy_name}-tracing"
   path   = var.policy_path
   policy = data.aws_iam_policy.tracing[0].policy
   tags   = var.tags
@@ -260,7 +261,7 @@ data "aws_iam_policy_document" "async" {
 resource "aws_iam_policy" "async" {
   count = local.create_role && var.attach_async_event_policy ? 1 : 0
 
-  name   = "${local.role_name}-async"
+  name   = "${local.policy_name}-async"
   path   = var.policy_path
   policy = data.aws_iam_policy_document.async[0].json
   tags   = var.tags
@@ -280,7 +281,7 @@ resource "aws_iam_role_policy_attachment" "async" {
 resource "aws_iam_policy" "additional_json" {
   count = local.create_role && var.attach_policy_json ? 1 : 0
 
-  name   = local.role_name
+  name   = local.policy_name
   path   = var.policy_path
   policy = var.policy_json
   tags   = var.tags
@@ -300,7 +301,7 @@ resource "aws_iam_role_policy_attachment" "additional_json" {
 resource "aws_iam_policy" "additional_jsons" {
   count = local.create_role && var.attach_policy_jsons ? var.number_of_policy_jsons : 0
 
-  name   = "${local.role_name}-${count.index}"
+  name   = "${local.policy_name}-${count.index}"
   path   = var.policy_path
   policy = var.policy_jsons[count.index]
   tags   = var.tags
@@ -384,7 +385,7 @@ data "aws_iam_policy_document" "additional_inline" {
 resource "aws_iam_policy" "additional_inline" {
   count = local.create_role && var.attach_policy_statements ? 1 : 0
 
-  name   = "${local.role_name}-inline"
+  name   = "${local.policy_name}-inline"
   path   = var.policy_path
   policy = data.aws_iam_policy_document.additional_inline[0].json
   tags   = var.tags

diff --git a/variables.tf b/variables.tf
@@ -433,6 +433,12 @@ variable "role_tags" {
 # Policies
 ###########
 
+variable "policy_name" {
+  description = "IAM policy name. It override the default value, which is the same as role_name"
+  type        = string
+  default     = null
+}
+
 variable "attach_cloudwatch_logs_policy" {
   description = "Controls whether CloudWatch Logs policy should be added to IAM role for Lambda Function"
   type        = bool