feat: add module for iam

Author: rohit-ng

README.md

@@ -14,8 +14,10 @@
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_ecs_exec_role"></a> [ecs\_exec\_role](#module\_ecs\_exec\_role) | ./modules/iam | n/a |
 | <a name="module_ecs_kong"></a> [ecs\_kong](#module\_ecs\_kong) | github.com/infraspecdev/terraform-aws-ecs-deployment | v1.1.1 |
 | <a name="module_ecs_node_security_group"></a> [ecs\_node\_security\_group](#module\_ecs\_node\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.1.2 |
+| <a name="module_ecs_task_role"></a> [ecs\_task\_role](#module\_ecs\_task\_role) | ./modules/iam | n/a |
 | <a name="module_ecs_task_security_group"></a> [ecs\_task\_security\_group](#module\_ecs\_task\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.1.2 |
 | <a name="module_internal_alb_kong"></a> [internal\_alb\_kong](#module\_internal\_alb\_kong) | github.com/infraspecdev/terraform-aws-ecs-deployment//modules/alb | v1.1.1 |
 | <a name="module_internal_alb_security_group"></a> [internal\_alb\_security\_group](#module\_internal\_alb\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.1.2 |
@@ -29,12 +31,6 @@
 
 | Name | Type |
 |------|------|
-| [aws_iam_role.ecs_exec_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role.ecs_node_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role.ecs_task_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy_attachment.ecs_exec_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_policy_document.ecs_node_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.ecs_task_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_ssm_parameter.ecs_node_ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
 

iam.tf

@@ -1,44 +1,15 @@
-
-data "aws_iam_policy_document" "ecs_node_doc" {
-  statement {
-    actions = ["sts:AssumeRole"]
-    effect  = "Allow"
-
-    principals {
-      type        = "Service"
-      identifiers = ["ec2.amazonaws.com"]
-    }
-  }
-}
-
-resource "aws_iam_role" "ecs_node_role" {
-  name_prefix        = "ecs-node-role"
-  assume_role_policy = data.aws_iam_policy_document.ecs_node_doc.json
-}
-
-data "aws_iam_policy_document" "ecs_task_doc" {
-  statement {
-    actions = ["sts:AssumeRole"]
-    effect  = "Allow"
-
-    principals {
-      type        = "Service"
-      identifiers = ["ecs-tasks.amazonaws.com"]
-    }
-  }
-}
-
-resource "aws_iam_role" "ecs_task_role" {
-  name_prefix        = "ecs-task-role"
-  assume_role_policy = data.aws_iam_policy_document.ecs_task_doc.json
-}
-
-resource "aws_iam_role" "ecs_exec_role" {
-  name_prefix        = "demo-ecs-exec-role"
-  assume_role_policy = data.aws_iam_policy_document.ecs_task_doc.json
-}
-
-resource "aws_iam_role_policy_attachment" "ecs_exec_role" {
-  role       = aws_iam_role.ecs_exec_role.name
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+module "ecs_task_role" {
+  source                = "./modules/iam"
+  name_prefix           = "ecs-task-role"
+  principal_type        = "Service"
+  principal_identifiers = ["ecs-tasks.amazonaws.com"]
+  policy_arns           = ["arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"]
+}
+
+module "ecs_exec_role" {
+  source                = "./modules/iam"
+  name_prefix           = "ecs-exec-role"
+  principal_type        = "Service"
+  principal_identifiers = ["ecs-tasks.amazonaws.com"]
+  policy_arns           = ["arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"]
 }

main.tf

@@ -185,8 +185,8 @@ module "ecs_kong" {
     network_mode       = local.kong.network_mode
     cpu                = var.cpu_for_kong_task
     memory             = var.memory_for_kong_task
-    task_role_arn      = aws_iam_role.ecs_task_role.arn
-    execution_role_arn = aws_iam_role.ecs_exec_role.arn
+    task_role_arn      = module.ecs_task_role.role_arn
+    execution_role_arn = module.ecs_exec_role.role_arn
 
     container_definitions = [
       {

modules/iam/.header.md

@@ -0,0 +1,37 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | Prefix for IAM role name | `string` | n/a | yes |
+| <a name="input_policy_arns"></a> [policy\_arns](#input\_policy\_arns) | List of IAM policy ARNs to attach to the role | `list(string)` | `[]` | no |
+| <a name="input_principal_identifiers"></a> [principal\_identifiers](#input\_principal\_identifiers) | List of principal identifiers (e.g., ec2.amazonaws.com, ecs-tasks.amazonaws.com) | `list(string)` | n/a | yes |
+| <a name="input_principal_type"></a> [principal\_type](#input\_principal\_type) | Type of the principal (e.g., Service, User, etc.) | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | The ARN of the IAM role |
+| <a name="output_role_name"></a> [role\_name](#output\_role\_name) | The name of the IAM role |

modules/iam/README.md

@@ -0,0 +1,11 @@
+data "aws_iam_policy_document" "assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    effect  = "Allow"
+
+    principals {
+      type        = var.principal_type
+      identifiers = var.principal_identifiers
+    }
+  }
+}

modules/iam/data.tf

@@ -0,0 +1,10 @@
+resource "aws_iam_role" "this" {
+  name_prefix        = var.name_prefix
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
+}
+
+resource "aws_iam_role_policy_attachment" "this" {
+  count      = length(var.policy_arns)
+  role       = aws_iam_role.this.name
+  policy_arn = element(var.policy_arns, count.index)
+}

modules/iam/main.tf

@@ -0,0 +1,9 @@
+output "role_name" {
+  description = "The name of the IAM role"
+  value       = aws_iam_role.this.name
+}
+
+output "role_arn" {
+  description = "The ARN of the IAM role"
+  value       = aws_iam_role.this.arn
+}

modules/iam/outputs.tf

@@ -0,0 +1,20 @@
+variable "name_prefix" {
+  description = "Prefix for IAM role name"
+  type        = string
+}
+
+variable "principal_type" {
+  description = "Type of the principal (e.g., Service, User, etc.)"
+  type        = string
+}
+
+variable "principal_identifiers" {
+  description = "List of principal identifiers (e.g., ec2.amazonaws.com, ecs-tasks.amazonaws.com)"
+  type        = list(string)
+}
+
+variable "policy_arns" {
+  description = "List of IAM policy ARNs to attach to the role"
+  type        = list(string)
+  default     = []
+}

modules/iam/variables.tf

@@ -1 +0,0 @@
-# Main