Commit da272de

fix: use maps for IAM additional policies used in for_each
1 parent 0ec188f commit da272de

3 files changed

+33
-18
lines changed


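--- a/README.md
+++ b/README.md
@@ -207,7 +207,7 @@ No modules.
 | <a name="input_create_job_queues"></a> [create\_job\_queues](#input\_create\_job\_queues) | Determines whether to create job queues | `bool` | `true` | no |
 | <a name="input_create_service_iam_role"></a> [create\_service\_iam\_role](#input\_create\_service\_iam\_role) | Determines whether a an IAM role is created or to use an existing IAM role | `bool` | `true` | no |
 | <a name="input_create_spot_fleet_iam_role"></a> [create\_spot\_fleet\_iam\_role](#input\_create\_spot\_fleet\_iam\_role) | Determines whether a an IAM role is created or to use an existing IAM role | `bool` | `false` | no |
-| <a name="input_instance_iam_role_additional_policies"></a> [instance\_iam\_role\_additional\_policies](#input\_instance\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `list(string)` | `[]` | no |
+| <a name="input_instance_iam_role_additional_policies"></a> [instance\_iam\_role\_additional\_policies](#input\_instance\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `map(string)` | `{}` | no |
 | <a name="input_instance_iam_role_description"></a> [instance\_iam\_role\_description](#input\_instance\_iam\_role\_description) | Cluster instance IAM role description | `string` | `null` | no |
 | <a name="input_instance_iam_role_name"></a> [instance\_iam\_role\_name](#input\_instance\_iam\_role\_name) | Cluster instance IAM role name | `string` | `null` | no |
 | <a name="input_instance_iam_role_path"></a> [instance\_iam\_role\_path](#input\_instance\_iam\_role\_path) | Cluster instance IAM role path | `string` | `null` | no |
@@ -216,14 +216,14 @@ No modules.
 | <a name="input_instance_iam_role_use_name_prefix"></a> [instance\_iam\_role\_use\_name\_prefix](#input\_instance\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`instance_iam_role_name`) is used as a prefix | `string` | `true` | no |
 | <a name="input_job_definitions"></a> [job\_definitions](#input\_job\_definitions) | Map of job definitions to create | `any` | `{}` | no |
 | <a name="input_job_queues"></a> [job\_queues](#input\_job\_queues) | Map of job queue and scheduling policy defintions to create | `any` | `{}` | no |
-| <a name="input_service_iam_role_additional_policies"></a> [service\_iam\_role\_additional\_policies](#input\_service\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `list(string)` | `[]` | no |
+| <a name="input_service_iam_role_additional_policies"></a> [service\_iam\_role\_additional\_policies](#input\_service\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `map(string)` | `{}` | no |
 | <a name="input_service_iam_role_description"></a> [service\_iam\_role\_description](#input\_service\_iam\_role\_description) | Batch service IAM role description | `string` | `null` | no |
 | <a name="input_service_iam_role_name"></a> [service\_iam\_role\_name](#input\_service\_iam\_role\_name) | Batch service IAM role name | `string` | `null` | no |
 | <a name="input_service_iam_role_path"></a> [service\_iam\_role\_path](#input\_service\_iam\_role\_path) | Batch service IAM role path | `string` | `null` | no |
 | <a name="input_service_iam_role_permissions_boundary"></a> [service\_iam\_role\_permissions\_boundary](#input\_service\_iam\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
 | <a name="input_service_iam_role_tags"></a> [service\_iam\_role\_tags](#input\_service\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
 | <a name="input_service_iam_role_use_name_prefix"></a> [service\_iam\_role\_use\_name\_prefix](#input\_service\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`service_iam_role_name`) is used as a prefix | `bool` | `true` | no |
-| <a name="input_spot_fleet_iam_role_additional_policies"></a> [spot\_fleet\_iam\_role\_additional\_policies](#input\_spot\_fleet\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `list(string)` | `[]` | no |
+| <a name="input_spot_fleet_iam_role_additional_policies"></a> [spot\_fleet\_iam\_role\_additional\_policies](#input\_spot\_fleet\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `map(string)` | `{}` | no |
 | <a name="input_spot_fleet_iam_role_description"></a> [spot\_fleet\_iam\_role\_description](#input\_spot\_fleet\_iam\_role\_description) | Spot fleet IAM role description | `string` | `null` | no |
 | <a name="input_spot_fleet_iam_role_name"></a> [spot\_fleet\_iam\_role\_name](#input\_spot\_fleet\_iam\_role\_name) | Spot fleet IAM role name | `string` | `null` | no |
 | <a name="input_spot_fleet_iam_role_path"></a> [spot\_fleet\_iam\_role\_path](#input\_spot\_fleet\_iam\_role\_path) | Spot fleet IAM role path | `string` | `null` | no |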

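--- a/main.tf
+++ b/main.tf
@@ -101,10 +101,29 @@ resource "aws_iam_role" "instance" {
 tags = merge(var.tags, var.instance_iam_role_tags)
 }
 
+locals {
+instance_role_policy_map = merge(
+{
+AmazonEC2ContainerServiceforEC2Role = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
+},
+var.instance_iam_role_additional_policies
+)
+service_role_policy_map = merge(
+{
+AWSBatchServiceRole = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSBatchServiceRole"
+},
+var.service_iam_role_additional_policies
+)
+spot_fleet_policy_map = merge(
+{
+AmazonEC2SpotFleetTaggingRole = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole"
+},
+var.spot_fleet_iam_role_additional_policies
+)
+}
+
 resource "aws_iam_role_policy_attachment" "instance" {
-for_each = var.create && var.create_instance_iam_role ? toset(compact(distinct(concat([
-"arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
-], var.instance_iam_role_additional_policies)))) : toset([])
+for_each = var.create && var.create_instance_iam_role ? local.instance_role_policy_map : {}
 
 policy_arn = each.value
 role = aws_iam_role.instance[0].name
@@ -163,9 +182,7 @@ resource "aws_iam_role" "service" {
 }
 
 resource "aws_iam_role_policy_attachment" "service" {
-for_each = var.create && var.create_service_iam_role ? toset(compact(distinct(concat([
-"arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSBatchServiceRole"
-], var.service_iam_role_additional_policies)))) : toset([])
+for_each = var.create && var.create_service_iam_role ? local.service_role_policy_map : {}
 
 policy_arn = each.value
 role = aws_iam_role.service[0].name
@@ -209,9 +226,7 @@ resource "aws_iam_role" "spot_fleet" {
 }
 
 resource "aws_iam_role_policy_attachment" "spot_fleet" {
-for_each = var.create && var.create_spot_fleet_iam_role ? toset(compact(distinct(concat([
-"arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole"
-], var.spot_fleet_iam_role_additional_policies)))) : toset([])
+for_each = var.create && var.create_spot_fleet_iam_role ? local.spot_fleet_policy_map : {}
 
 policy_arn = each.value
 role = aws_iam_role.spot_fleet[0].name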
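Review bot: In the new `locals` block the caller's map is the last argument of `merge(...)`, so a caller who passes an entry whose key is `AmazonEC2ContainerServiceforEC2Role` (or `AWSBatchServiceRole` / `AmazonEC2SpotFleetTaggingRole` for the other two locals) silently replaces the ARN of the required service-role managed policy, whereas the replaced `concat`/`distinct` form could only add ARNs and never drop the default. Putting the defaults last keeps the required attachment from being overridden, e.g. `instance_role_policy_map = merge(var.instance_iam_role_additional_policies, { AmazonEC2ContainerServiceforEC2Role = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role" })`, or a `validation` block on each variable can reject the reserved key with a clear error. Note also that the `for_each` key moves from the policy ARN to the map key, so as far as I can tell from these lines existing state entries such as `aws_iam_role_policy_attachment.instance["arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"]` will be planned as destroy-then-create on upgrade, briefly leaving the role without the managed policy unless a `moved` block or a documented `terraform state mv` is provided. Finally, dropping `compact()` means an empty-string value in the caller's map now reaches `policy_arn` instead of being filtered out.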

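--- a/variables.tf
+++ b/variables.tf
@@ -62,8 +62,8 @@ variable "instance_iam_role_permissions_boundary" {
 
 variable "instance_iam_role_additional_policies" {
 description = "Additional policies to be added to the IAM role"
-type = list(string)
-default = []
+type = map(string)
+default = {}
 }
 
 variable "instance_iam_role_tags" {
@@ -114,8 +114,8 @@ variable "service_iam_role_permissions_boundary" {
 
 variable "service_iam_role_additional_policies" {
 description = "Additional policies to be added to the IAM role"
-type = list(string)
-default = []
+type = map(string)
+default = {}
 }
 
 variable "service_iam_role_tags" {
@@ -166,8 +166,8 @@ variable "spot_fleet_iam_role_permissions_boundary" {
 
 variable "spot_fleet_iam_role_additional_policies" {
 description = "Additional policies to be added to the IAM role"
-type = list(string)
-default = []
+type = map(string)
+default = {}
 }
 
 variable "spot_fleet_iam_role_tags" {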
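Review bot: The three `description` strings still read `Additional policies to be added to the IAM role` after the type changed from `list(string)` to `map(string)`, so nothing tells a caller what the keys mean or that existing `[...]` inputs will now fail type-checking. Since the key becomes the `for_each` key and the value becomes `policy_arn`, the description should say so, e.g. `description = "Map of additional IAM policy ARNs to attach to the role. Keys are static names used as for_each keys, values are policy ARNs, e.g. { s3_read = \"arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess\" }"`. Because `for_each` keys must be known at plan time, the wording should steer callers toward literal key names rather than values derived from other resources.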
