How to add a managed policy to a created role?

[joaocc]

• ✋ I have searched the open/closed issues and my issue is not listed.

I'm trying to use this module to extend https://github.com/aws-ia/terraform-aws-eks-blueprints-addons to install xFS for OpenZFS CSI (as per aws-ia/terraform-aws-eks-blueprints-addons#352).

Looking at the documentation, I would initially try to install as per documentation, where they recommend the use of a managed permission (arn:aws:iam::aws:policy/AmazonFSxFullAccess) as per https://github.com/kubernetes-sigs/aws-fsx-openzfs-csi-driver/blob/main/docs/install.md

However, looking at this module, I wasn't able to find how to implement this scenario without copying the managed permission JSON into a custom permission. This approach, while possibly working, would be harder to maintain over time.

Is there any way to have this module associate the created role to a managed policy?
In https://github.com/aws-ia/terraform-aws-eks-blueprints-addons, the way karpenter was implemented seems to point that the answer is no, but I would like to confirm that before spending time reinventing the wheel.

If the answer is indeed no, maybe it would be useful to provide a mechanism to mention managed permissions, which as I understand are one of the recommended ways to manage permissions (no pun intended).

Thanks

[askulkarni2]

You can specify managed policies. See this for an example..

role_policies = lookup(var.aws_cloudwatch_metrics, "role_policies",
    { CloudWatchAgentServerPolicy = "arn:${local.partition}:iam::aws:policy/CloudWatchAgentServerPolicy" }
  )

ref: https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/blob/main/main.tf#L369-L371