feat: Add optional policy_path variable used for policy definitions (#60)

rgrund-inform · antonbabenko · web-flow · commit cddcf9386e33 · 2023-12-04T21:04:57.000+01:00
Co-authored-by: Anton Babenko &lt;anton@antonbabenko.com&gt;
diff --git a/README.md b/README.md
@@ -200,6 +200,7 @@ No modules.
 | <a name="input_policy"></a> [policy](#input\_policy) | An additional policy document ARN to attach to IAM role | `string` | `null` | no |
 | <a name="input_policy_json"></a> [policy\_json](#input\_policy\_json) | An additional policy document as JSON to attach to IAM role | `string` | `null` | no |
 | <a name="input_policy_jsons"></a> [policy\_jsons](#input\_policy\_jsons) | List of additional policy documents as JSON to attach to IAM role | `list(string)` | `[]` | no |
+| <a name="input_policy_path"></a> [policy\_path](#input\_policy\_path) | Path of IAM policies to use for Step Function | `string` | `null` | no |
 | <a name="input_policy_statements"></a> [policy\_statements](#input\_policy\_statements) | Map of dynamic policy statements to attach to IAM role | `any` | `{}` | no |
 | <a name="input_publish"></a> [publish](#input\_publish) | Determines whether to set a version of the state machine when it is created. | `bool` | `false` | no |
 | <a name="input_role_arn"></a> [role\_arn](#input\_role\_arn) | The Amazon Resource Name (ARN) of the IAM role to use for this Step Function | `string` | `""` | no |
diff --git a/main.tf b/main.tf
@@ -116,6 +116,7 @@ resource "aws_iam_policy" "service" {
   for_each = { for k, v in var.service_integrations : k => v if local.create_role && var.attach_policies_for_integrations }
 
   name   = "${local.role_name}-${each.key}"
+  path   = var.policy_path
   policy = data.aws_iam_policy_document.service[each.key].json
   tags   = var.tags
 }
@@ -137,6 +138,7 @@ resource "aws_iam_policy" "additional_json" {
   count = local.create_role && var.attach_policy_json ? 1 : 0
 
   name   = local.role_name
+  path   = var.policy_path
   policy = var.policy_json
   tags   = var.tags
 }
@@ -157,6 +159,7 @@ resource "aws_iam_policy" "additional_jsons" {
   count = local.create_role && var.attach_policy_jsons ? var.number_of_policy_jsons : 0
 
   name   = "${local.role_name}-${count.index}"
+  path   = var.policy_path
   policy = var.policy_jsons[count.index]
   tags   = var.tags
 }
@@ -241,6 +244,7 @@ resource "aws_iam_policy" "additional_inline" {
   count = local.create_role && var.attach_policy_statements ? 1 : 0
 
   name   = "${local.role_name}-inline"
+  path   = var.policy_path
   policy = data.aws_iam_policy_document.additional_inline[0].json
   tags   = var.tags
 }
@@ -283,6 +287,7 @@ resource "aws_iam_policy" "logs" {
   count = local.create_role && local.enable_logging && var.attach_cloudwatch_logs_policy ? 1 : 0
 
   name   = "${local.role_name}-logs"
+  path   = var.policy_path
   policy = data.aws_iam_policy_document.logs[0].json
   tags   = var.tags
 }
diff --git a/variables.tf b/variables.tf
@@ -246,6 +246,12 @@ variable "policy" {
   default     = null
 }
 
+variable "policy_path" {
+  description = "Path of IAM policies to use for Step Function"
+  type        = string
+  default     = null
+}
+
 variable "policies" {
   description = "List of policy statements ARN to attach to IAM role"
   type        = list(string)
