feat: Allow overriding the whole assume policy

README.md

@@ -176,6 +176,7 @@ For automated tests of the complete example using [bats](https://github.com/bats
 | <a name="input_additional_tag_map"></a> [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.<br/>This is for some rare cases where resources want additional configuration of tags<br/>and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
 | <a name="input_assume_role_actions"></a> [assume\_role\_actions](#input\_assume\_role\_actions) | The IAM action to be granted by the AssumeRole policy | `list(string)` | <pre>[<br/>  "sts:AssumeRole",<br/>  "sts:TagSession"<br/>]</pre> | no |
 | <a name="input_assume_role_conditions"></a> [assume\_role\_conditions](#input\_assume\_role\_conditions) | List of conditions for the assume role policy | <pre>list(object({<br/>    test     = string<br/>    variable = string<br/>    values   = list(string)<br/>  }))</pre> | `[]` | no |
+| <a name="input_assume_role_policy"></a> [assume\_role\_policy](#input\_assume\_role\_policy) | A JSON assume role policy document. If set, this will be used as the assume role policy and the principals, assume\_role\_conditions, and assume\_role\_actions variables will be ignored. | `string` | `""` | no |
 | <a name="input_attributes"></a> [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br/>in the order they appear in the list. New attributes are appended to the<br/>end of the list. The elements of the list are joined by the `delimiter`<br/>and treated as a single ID element. | `list(string)` | `[]` | no |
 | <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br/>See description of individual variables for details.<br/>Leave string and numeric variables as `null` to use default value.<br/>Individual variable settings (non-null) override settings in context object,<br/>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br/>  "additional_tag_map": {},<br/>  "attributes": [],<br/>  "delimiter": null,<br/>  "descriptor_formats": {},<br/>  "enabled": true,<br/>  "environment": null,<br/>  "id_length_limit": null,<br/>  "label_key_case": null,<br/>  "label_order": [],<br/>  "label_value_case": null,<br/>  "labels_as_tags": [<br/>    "unset"<br/>  ],<br/>  "name": null,<br/>  "namespace": null,<br/>  "regex_replace_chars": null,<br/>  "stage": null,<br/>  "tags": {},<br/>  "tenant": null<br/>}</pre> | no |
 | <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.<br/>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |

examples/complete/main.tf

@@ -87,5 +87,7 @@ module "role" {
   role_description      = "Test IAM role"
   inline_policy_enabled = var.inline_policy_enabled
 
+  assume_role_policy = var.assume_role_policy
+
   context = module.this.context
 }

examples/complete/variables.tf

@@ -18,3 +18,9 @@ variable "inline_policy_enabled" {
   description = "Whether or not to enable an inline policy instead of a reusable managed policy"
   default     = false
 }
+
+variable "assume_role_policy" {
+  type        = string
+  description = "A JSON assume role policy document. If set, this will be used as the assume role policy and the principals, assume_role_conditions, and assume_role_actions variables will be ignored."
+  default     = null
+}

main.tf

@@ -1,5 +1,6 @@
 data "aws_iam_policy_document" "assume_role" {
-  count = module.this.enabled ? length(keys(var.principals)) : 0
+  # if the module is enabled and we don't use a `assume_role_policy` then enable the aws_iam_policy_document datasource
+  count = module.this.enabled && var.assume_role_policy == null ? length(keys(var.principals)) : 0
 
   statement {
     effect  = "Allow"
@@ -23,7 +24,7 @@ data "aws_iam_policy_document" "assume_role" {
 
 data "aws_iam_policy_document" "assume_role_aggregated" {
   count                     = module.this.enabled ? 1 : 0
-  override_policy_documents = data.aws_iam_policy_document.assume_role[*].json
+  override_policy_documents = var.assume_role_policy != null ? [var.assume_role_policy] : data.aws_iam_policy_document.assume_role[*].json
 }
 
 module "role_name" {

test/src/examples_complete_test.go

@@ -12,8 +12,6 @@ import (
 
 // Test the Terraform module in examples/complete using Terratest.
 func TestExamplesComplete(t *testing.T) {
-	t.Parallel()
-
 	rand.Seed(time.Now().UnixNano())
 
 	randId := strconv.Itoa(rand.Intn(100000))
@@ -64,3 +62,40 @@ func TestExamplesComplete(t *testing.T) {
 func TestExamplesCompleteDisabled(t *testing.T) {
 	testNoChanges(t, "../../examples/complete")
 }
+
+// Test the module with a custom assume_role_policy
+func TestExamplesAssumeRolePolicyDocument(t *testing.T) {
+
+	rand.Seed(time.Now().UnixNano())
+	randId := strconv.Itoa(rand.Intn(100000))
+	attributes := []string{randId}
+
+	// Minimal valid trust policy
+	trustPolicy := `{
+	  "Version": "2012-10-17",
+	  "Statement": [
+	    {
+	      "Effect": "Allow",
+	      "Principal": {"Service": "ec2.amazonaws.com"},
+	      "Action": "sts:AssumeRole"
+	    }
+	  ]
+	}`
+
+	terraformOptions := &terraform.Options{
+		TerraformDir: "../../examples/complete",
+		Upgrade:      true,
+		VarFiles:     []string{"fixtures.us-east-2.tfvars"},
+		Vars: map[string]interface{}{
+			"attributes":         attributes,
+			"assume_role_policy": trustPolicy,
+		},
+	}
+
+	defer terraform.Destroy(t, terraformOptions)
+	terraform.InitAndApply(t, terraformOptions)
+
+	roleName := terraform.Output(t, terraformOptions, "role_name")
+	expectedRoleName := "eg-test-iam-role-test-" + randId
+	assert.Equal(t, expectedRoleName, roleName)
+}

variables.tf

@@ -94,3 +94,9 @@ variable "inline_policy_enabled" {
   description = "Whether or not to enable an inline policy instead of a reusable managed policy"
   default     = false
 }
+
+variable "assume_role_policy" {
+  type        = string
+  description = "A JSON assume role policy document. If set, this will be used as the assume role policy and the principals, assume_role_conditions, and assume_role_actions variables will be ignored."
+  default     = null
+}