Add support for inline IAM policy (#68)

jpalomaki · web-flow · commit c13934353eb7 · 2024-06-29T09:22:10.000+02:00
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -90,6 +90,19 @@ module "lambda" {
     # aws_iam_policy.inside[0].id, # This will result in an error message and is why we use local.policy_name_inside
   ]
 
+  inline_iam_policy = <<-JSON
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Deny",
+          "Action": "ec2:DescribeInstanceTypes",
+          "Resource": "*"
+        }
+      ]
+    }
+  JSON
+
   context = module.this.context
 
   depends_on = [aws_iam_policy.inside]
diff --git a/iam-role.tf b/iam-role.tf
@@ -91,3 +91,10 @@ resource "aws_iam_role_policy_attachment" "custom" {
   role       = aws_iam_role.this[0].name
   policy_arn = each.value
 }
+
+resource "aws_iam_role_policy" "inline" {
+  count = try((local.enabled && var.inline_iam_policy != null), false) ? 1 : 0
+
+  role   = aws_iam_role.this[0].name
+  policy = var.inline_iam_policy
+}
diff --git a/variables.tf b/variables.tf
@@ -233,3 +233,9 @@ variable "iam_policy_description" {
   description = "Description of the IAM policy for the Lambda IAM role"
   default     = "Provides minimum SSM read permissions."
 }
+
+variable "inline_iam_policy" {
+  type        = string
+  description = "Inline policy document (JSON) to attach to the lambda role"
+  default     = null
+}
