From c13934353eb767b624d398cbd496fa2642868acb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jukka=20Palom=C3=A4ki?=
Date: Sat, 29 Jun 2024 10:22:10 +0300
Subject: [PATCH] Add support for inline IAM policy (#68)
---
 examples/complete/main.tf | 13 +++++++++++++
 iam-role.tf | 7 +++++++
 variables.tf | 6 ++++++
 3 files changed, 26 insertions(+)
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index d74db94..79188d4 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -90,6 +90,19 @@ module "lambda" {
 # aws_iam_policy.inside[0].id, # This will result in an error message and is why we use local.policy_name_inside
 ]
 
+ inline_iam_policy = <<-JSON
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Deny",
+ "Action": "ec2:DescribeInstanceTypes",
+ "Resource": "*"
+ }
+ ]
+ }
+ JSON
+
 context = module.this.context
 
 depends_on = [aws_iam_policy.inside]
diff --git a/iam-role.tf b/iam-role.tf
index 397ab7d..d851f52 100644
--- a/iam-role.tf
+++ b/iam-role.tf
@@ -91,3 +91,10 @@ resource "aws_iam_role_policy_attachment" "custom" {
 role = aws_iam_role.this[0].name
 policy_arn = each.value
 }
+
+resource "aws_iam_role_policy" "inline" {
+ count = try((local.enabled && var.inline_iam_policy != null), false) ? 1 : 0
+
+ role = aws_iam_role.this[0].name
+ policy = var.inline_iam_policy
+}
diff --git a/variables.tf b/variables.tf
index 8303da5..6051326 100644
--- a/variables.tf
+++ b/variables.tf
@@ -233,3 +233,9 @@ variable "iam_policy_description" {
 description = "Description of the IAM policy for the Lambda IAM role"
 default = "Provides minimum SSM read permissions."
 }
+
+variable "inline_iam_policy" {
+ type = string
+ description = "Inline policy document (JSON) to attach to the lambda role"
+ default = null
+}
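Review bot: The example hands the policy over as a `<<-JSON` heredoc, so a structural mistake in the document is only reported when the provider submits it to IAM at apply time; building it with `jsonencode({ Version = "2012-10-17", Statement = [ { Effect = "Deny", Action = "ec2:DescribeInstanceTypes", Resource = "*" } ] })` lets `terraform validate` catch malformed structure at plan time and avoids whitespace-only changes surfacing as diffs. Either form is fine for an example, but the jsonencode form is the one users are more likely to copy correctly. The enclosing `module "lambda"` block starts and ends outside the hunk.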
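Review bot: The new `aws_iam_role_policy.inline` sets no `name`, so the provider assigns a generated name to the inline policy, which makes it hard to recognise in the console or when reviewing IAM changes and differs from the explicitly named resources elsewhere in the module; if the other IAM resources take their names from the label module, `name = module.this.id` (or a `name_prefix`) keeps the inline policy consistent with them. The `try()` around `local.enabled && var.inline_iam_policy != null` is also unnecessary, since both operands are always defined; `count = local.enabled && var.inline_iam_policy != null ? 1 : 0` says the same thing more directly. Because `policy = var.inline_iam_policy` is applied verbatim, it is worth validating the document as JSON at the variable so a malformed policy is rejected at plan time rather than mid-apply.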
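Review bot: `inline_iam_policy` has no `validation` block, so a document that is not valid JSON is accepted by `terraform plan` and only fails when `aws_iam_role_policy.inline` is created, after other resources in the same apply may already have changed; a `can(jsondecode(...))` check moves that failure to plan time. The description could also say when the policy takes effect, e.g. `description = "Inline policy document (JSON) to attach to the lambda role. Attached only when the module is enabled and this value is not null."`. The variable's `type = string` and `default = null` remain as written.
```hcl
variable "inline_iam_policy" {
  # … unchanged: type, description, default …

  validation {
    condition     = var.inline_iam_policy == null || can(jsondecode(var.inline_iam_policy))
    error_message = "inline_iam_policy must be null or a valid JSON policy document."
  }
}
```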