diff --git a/README.md b/README.md
index 8921191..a486a36 100644
--- a/README.md
+++ b/README.md
@@ -78,12 +78,15 @@ module "amplify" {
| [aws_amplify_domain_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/amplify_domain_association) | resource |
| [aws_amplify_webhook.develop](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/amplify_webhook) | resource |
| [aws_amplify_webhook.master](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/amplify_webhook) | resource |
+| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no |
+| [amplify\_service\_role\_enabled](#input\_amplify\_service\_role\_enabled) | Whether to enable the IAM Service Role for Amplify or not. See https://docs.aws.amazon.com/amplify/latest/userguide/how-to-service-role-amplify-console.html for full details. | `bool` | `false` | no |
| [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no |
| [basic\_auth\_password](#input\_basic\_auth\_password) | The password to use for the basic auth configuration. | `string` | n/a | yes |
| [basic\_auth\_username](#input\_basic\_auth\_username) | The username to use for the basic auth configuration. | `string` | n/a | yes |
diff --git a/main.tf b/main.tf
index c84ec51..57463cd 100644
--- a/main.tf
+++ b/main.tf
@@ -20,6 +20,29 @@ module "develop_branch_label" {
context = module.this.context
}
+data "aws_iam_policy_document" "assume_role" {
+ count = module.this.enabled && var.amplify_service_role_enabled ? 1 : 0
+
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["amplify.amazonaws.com"]
+ }
+ }
+}
+
+resource "aws_iam_role" "default" {
+ count = module.this.enabled && var.amplify_service_role_enabled ? 1 : 0
+
+ name = module.this.id
+ assume_role_policy = join("", data.aws_iam_policy_document.assume_role.*.json)
+ managed_policy_arns = ["arn:aws:iam::aws:policy/AdministratorAccess"]
+ tags = module.this.tags
+}
+
resource "aws_amplify_app" "this" {
name = module.this.id
description = var.description != null ? var.description : "Amplify App for the github.com/${var.organization}/${var.repo} project."
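Review bot: The new `aws_iam_role.default` attaches `arn:aws:iam::aws:policy/AdministratorAccess` as its only managed policy, so the Amplify service principal receives unrestricted permissions over the whole account rather than the backend-deployment scope the linked service-role documentation describes. Consider the AWS-managed `arn:aws:iam::aws:policy/AdministratorAccess-Amplify` as the default, and let callers narrow it further, e.g. `managed_policy_arns = [var.amplify_service_role_policy_arn]` (constructed variable name). A short comment above the attachment explaining why this policy was chosen, such as `# Scoped to what Amplify needs for backend deploys; tighten further per project`, would make the trust boundary explicit to reviewers. Also note the trust policy on `data.aws_iam_policy_document.assume_role` has no `condition` block; adding `aws:SourceArn` / `aws:SourceAccount` conditions is a common mitigation against confused-deputy use of service roles, though whether Amplify supports them should be confirmed against the AWS docs.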
@@ -28,6 +51,7 @@ resource "aws_amplify_app" "this" {
enable_branch_auto_build = true
build_spec = var.build_spec_content != "" ? var.build_spec_content : null
environment_variables = var.global_environment_variables
+ iam_service_role_arn = var.amplify_service_role_enabled ? aws_iam_role.default[0].arn : null
tags = module.this.tags
enable_basic_auth = var.enable_basic_auth_globally
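Review bot: `aws_iam_role.default[0].arn` is evaluated whenever `var.amplify_service_role_enabled` is true, but the role's `count` also depends on `module.this.enabled`, so a disabled module with the variable set produces an empty list and the `[0]` index fails at plan time. Guarding on the same condition, or using `iam_service_role_arn = try(aws_iam_role.default[0].arn, null)`, keeps the null fallback and avoids the index error. The enclosing `aws_amplify_app.this` resource starts and ends outside this hunk.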
diff --git a/variables.tf b/variables.tf
index 813e7c2..58651dc 100644
--- a/variables.tf
+++ b/variables.tf
@@ -8,6 +8,12 @@ variable "repo" {
description = "The name of the repo that the Amplify App will be created around."
}
+variable "amplify_service_role_enabled" {
+ default = false
+ type = bool
+ description = "Whether to enable the IAM Service Role for Amplify or not. See https://docs.aws.amazon.com/amplify/latest/userguide/how-to-service-role-amplify-console.html for full details."
+}
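Review bot: The description for `amplify_service_role_enabled` tells the caller only that a service role is enabled, not what permissions that role carries; since the same commit attaches an administrator-level managed policy to it in main.tf, a caller flipping this flag cannot tell from the variable alone what they are granting. Extend the description with the effective scope, e.g. `"... When enabled, the module creates an IAM role trusted by amplify.amazonaws.com and attaches the managed policy configured in main.tf; review that policy before enabling."`.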
+
variable "global_environment_variables" {
default = {}
type = map(string)