// AWS IAM role for cross-account access
// Trust policy for the cross-account role. The rendered text is consumed
// by aws_iam_role.role as its assume_role_policy; the template file
// (aws_iam_assume_role_policy.tpl) lives next to this module and is not
// visible here.
data "template_file" "aws_iam_assume_role_policy" {
  template = file("${path.module}/aws_iam_assume_role_policy.tpl")

  vars = {
    # The third-party account allowed to assume the role, and the external
    # ID it must present (presumably an sts:ExternalId condition in the
    # template — confirm against the .tpl).
    threatstack_external_id = var.threatstack.external_id
    threatstack_account_id  = var.threatstack.account_id
  }
}
// Permissions policy for the role. The rendered text is attached inline by
// aws_iam_role_policy.role. The template (aws_iam_role_policy.tpl) is not
// visible here, so what each var ends up granting cannot be confirmed from
// this file alone.
data "template_file" "aws_iam_role_policy" {
  template = file("${path.module}/aws_iam_role_policy.tpl")
  vars = {
    sqs_queue_arn = aws_sqs_queue.sqs.arn
    # Pick the CloudTrail bucket ARN: a bucket created by this module takes
    # precedence, otherwise the caller-supplied existing bucket. Each branch
    # yields "" when its source is absent; coalesce treats "" like null and
    # skips it. If both are empty, coalesce fails at plan time rather than
    # rendering a policy with an empty Resource — expect that error when
    # neither a new bucket nor var.existing_cloudtrail is configured.
    s3_resource = coalesce((length(aws_s3_bucket.bucket) > 0 ? aws_s3_bucket.bucket[0].arn : ""), (var.existing_cloudtrail != null ? var.existing_cloudtrail.s3_bucket_arn : ""))
  }
}
// The role itself. Only the trust policy is set here; permissions are
// attached separately by aws_iam_role_policy.role. Name and tags come
// straight from the caller's optional configuration.
resource "aws_iam_role" "role" {
  assume_role_policy = data.template_file.aws_iam_assume_role_policy.rendered
  name               = var.aws_optional_conf.iam_role_name
  tags               = var.aws_optional_conf.tags
}
// Inline permissions policy, deliberately given the same name as the role
// it is attached to.
resource "aws_iam_role_policy" "role" {
  role   = aws_iam_role.role.id
  policy = data.template_file.aws_iam_role_policy.rendered
  name   = var.aws_optional_conf.iam_role_name
}