Merge pull request #55 from transcend-io/dmattia/add_policy_for_assum…

…e_role Default roles_to_assume to be the empty list
transcend-io · Oct 13, 2022 · 33f2aab · 33f2aab
2 parents 2101e0a + 9fa7487
commit 33f2aab
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 5 deletions.
diff --git a/main.tf b/main.tf
@@ -158,9 +158,9 @@ module "service" {
     module.container_definition.secrets_policy_arns,
     [aws_iam_policy.kms_policy.arn],
     var.extra_task_policy_arns,
-    [aws_iam_policy.aws_policy.arn],
+    length(var.roles_to_assume) > 0 ? [aws_iam_policy.aws_policy[0].arn] : [],
   )
-  additional_task_policy_arns_count = 3 + length(var.extra_task_policy_arns)
+  additional_task_policy_arns_count = 2 + length(var.extra_task_policy_arns) + (length(var.roles_to_assume) > 0 ? 1 : 0)
 
   load_balancers = [
     # Internal target group manager
@@ -238,14 +238,15 @@ resource "aws_iam_policy" "kms_policy" {
 
 data "aws_iam_policy_document" "aws_policy_doc" {
   statement {
-    sid    = "AllowAwsIntegrationAccess"
-    effect = "Allow"
+    sid       = "AllowAwsIntegrationAccess"
+    effect    = "Allow"
     actions   = ["sts:AssumeRole"]
     resources = var.roles_to_assume
   }
 }
 
 resource "aws_iam_policy" "aws_policy" {
+  count       = length(var.roles_to_assume) > 0 ? 1 : 0
   name        = "${var.deploy_env}-${var.project_id}-sombra-aws-policy"
   description = "Allows Sombra instances to assume AWS IAM Roles"
   policy      = data.aws_iam_policy_document.aws_policy_doc.json

diff --git a/variables.tf b/variables.tf
@@ -452,6 +452,6 @@ variable "health_check_protocol" {
 variable "roles_to_assume" {
   type        = list(string)
   description = "AWS IAM Roles that sombra can assume, used in AWS integrations"
-  default     = ["*"]
+  default     = []
 }