diff --git a/README.md b/README.md
index 2e6defa..d8f4e95 100644
--- a/README.md
+++ b/README.md
@@ -207,7 +207,7 @@ No modules.
| [create\_job\_queues](#input\_create\_job\_queues) | Determines whether to create job queues | `bool` | `true` | no |
| [create\_service\_iam\_role](#input\_create\_service\_iam\_role) | Determines whether a an IAM role is created or to use an existing IAM role | `bool` | `true` | no |
| [create\_spot\_fleet\_iam\_role](#input\_create\_spot\_fleet\_iam\_role) | Determines whether a an IAM role is created or to use an existing IAM role | `bool` | `false` | no |
-| [instance\_iam\_role\_additional\_policies](#input\_instance\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `list(string)` | `[]` | no |
+| [instance\_iam\_role\_additional\_policies](#input\_instance\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `map(string)` | `{}` | no |
| [instance\_iam\_role\_description](#input\_instance\_iam\_role\_description) | Cluster instance IAM role description | `string` | `null` | no |
| [instance\_iam\_role\_name](#input\_instance\_iam\_role\_name) | Cluster instance IAM role name | `string` | `null` | no |
| [instance\_iam\_role\_path](#input\_instance\_iam\_role\_path) | Cluster instance IAM role path | `string` | `null` | no |
@@ -216,14 +216,14 @@ No modules.
| [instance\_iam\_role\_use\_name\_prefix](#input\_instance\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`instance_iam_role_name`) is used as a prefix | `string` | `true` | no |
| [job\_definitions](#input\_job\_definitions) | Map of job definitions to create | `any` | `{}` | no |
| [job\_queues](#input\_job\_queues) | Map of job queue and scheduling policy defintions to create | `any` | `{}` | no |
-| [service\_iam\_role\_additional\_policies](#input\_service\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `list(string)` | `[]` | no |
+| [service\_iam\_role\_additional\_policies](#input\_service\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `map(string)` | `{}` | no |
| [service\_iam\_role\_description](#input\_service\_iam\_role\_description) | Batch service IAM role description | `string` | `null` | no |
| [service\_iam\_role\_name](#input\_service\_iam\_role\_name) | Batch service IAM role name | `string` | `null` | no |
| [service\_iam\_role\_path](#input\_service\_iam\_role\_path) | Batch service IAM role path | `string` | `null` | no |
| [service\_iam\_role\_permissions\_boundary](#input\_service\_iam\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
| [service\_iam\_role\_tags](#input\_service\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
| [service\_iam\_role\_use\_name\_prefix](#input\_service\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`service_iam_role_name`) is used as a prefix | `bool` | `true` | no |
-| [spot\_fleet\_iam\_role\_additional\_policies](#input\_spot\_fleet\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `list(string)` | `[]` | no |
+| [spot\_fleet\_iam\_role\_additional\_policies](#input\_spot\_fleet\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `map(string)` | `{}` | no |
| [spot\_fleet\_iam\_role\_description](#input\_spot\_fleet\_iam\_role\_description) | Spot fleet IAM role description | `string` | `null` | no |
| [spot\_fleet\_iam\_role\_name](#input\_spot\_fleet\_iam\_role\_name) | Spot fleet IAM role name | `string` | `null` | no |
| [spot\_fleet\_iam\_role\_path](#input\_spot\_fleet\_iam\_role\_path) | Spot fleet IAM role path | `string` | `null` | no |
diff --git a/examples/ec2/main.tf b/examples/ec2/main.tf
index fc328d7..e824d2b 100644
--- a/examples/ec2/main.tf
+++ b/examples/ec2/main.tf
@@ -31,9 +31,9 @@ module "batch" {
instance_iam_role_name = "${local.name}-ecs-instance"
instance_iam_role_path = "/batch/"
instance_iam_role_description = "IAM instance role/profile for AWS Batch ECS instance(s)"
- instance_iam_role_additional_policies = [
- "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
- ]
+ instance_iam_role_additional_policies = {
+ AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+ }
instance_iam_role_tags = {
ModuleCreatedRole = "Yes"
}
diff --git a/main.tf b/main.tf
index 4902d5f..d44a6f4 100644
--- a/main.tf
+++ b/main.tf
@@ -101,10 +101,29 @@ resource "aws_iam_role" "instance" {
tags = merge(var.tags, var.instance_iam_role_tags)
}
+locals {
+ instance_role_policy_map = merge(
+ {
+ AmazonEC2ContainerServiceforEC2Role = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
+ },
+ var.instance_iam_role_additional_policies
+ )
+ service_role_policy_map = merge(
+ {
+ AWSBatchServiceRole = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSBatchServiceRole"
+ },
+ var.service_iam_role_additional_policies
+ )
+ spot_fleet_policy_map = merge(
+ {
+ AmazonEC2SpotFleetTaggingRole = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole"
+ },
+ var.spot_fleet_iam_role_additional_policies
+ )
+}
+
resource "aws_iam_role_policy_attachment" "instance" {
- for_each = var.create && var.create_instance_iam_role ? toset(compact(distinct(concat([
- "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
- ], var.instance_iam_role_additional_policies)))) : toset([])
+ for_each = var.create && var.create_instance_iam_role ? local.instance_role_policy_map : {}
policy_arn = each.value
role = aws_iam_role.instance[0].name
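Review bot: In the new `locals`, the caller-supplied map is the last argument to `merge()`, so a key in `var.instance_iam_role_additional_policies` that happens to equal `AmazonEC2ContainerServiceforEC2Role` silently replaces the required service-role ARN instead of adding to it, whereas the old `concat`/`distinct` form always kept the baseline ARN attached. Either reverse the argument order so the baseline wins, e.g. `instance_role_policy_map = merge(var.instance_iam_role_additional_policies, { AmazonEC2ContainerServiceforEC2Role = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role" })`, or state the precedence in a comment on the local. The same ordering applies to `service_role_policy_map` and `spot_fleet_policy_map` in this hunk and to the `service` and `spot_fleet` attachments in the two following hunks. Note also that the old `compact()`/`distinct()` handling is gone: an empty-string value now reaches `policy_arn` unfiltered, and two keys carrying the same ARN produce two attachment resources for one policy, which may leave state inconsistent when either is removed (depends on provider behavior, not verifiable from this diff).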
@@ -163,9 +182,7 @@ resource "aws_iam_role" "service" {
}
resource "aws_iam_role_policy_attachment" "service" {
- for_each = var.create && var.create_service_iam_role ? toset(compact(distinct(concat([
- "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSBatchServiceRole"
- ], var.service_iam_role_additional_policies)))) : toset([])
+ for_each = var.create && var.create_service_iam_role ? local.service_role_policy_map : {}
policy_arn = each.value
role = aws_iam_role.service[0].name
@@ -209,9 +226,7 @@ resource "aws_iam_role" "spot_fleet" {
}
resource "aws_iam_role_policy_attachment" "spot_fleet" {
- for_each = var.create && var.create_spot_fleet_iam_role ? toset(compact(distinct(concat([
- "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole"
- ], var.spot_fleet_iam_role_additional_policies)))) : toset([])
+ for_each = var.create && var.create_spot_fleet_iam_role ? local.spot_fleet_policy_map : {}
policy_arn = each.value
role = aws_iam_role.spot_fleet[0].name
diff --git a/variables.tf b/variables.tf
index 04c30a2..867a359 100644
--- a/variables.tf
+++ b/variables.tf
@@ -62,8 +62,8 @@ variable "instance_iam_role_permissions_boundary" {
variable "instance_iam_role_additional_policies" {
description = "Additional policies to be added to the IAM role"
- type = list(string)
- default = []
+ type = map(string)
+ default = {}
}
variable "instance_iam_role_tags" {
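Review bot: The description of `instance_iam_role_additional_policies` is unchanged from the list version and does not say what the map's keys and values mean; since the key becomes the `for_each` key of the policy attachment in main.tf it must be known at plan time, and the value must be a policy ARN. Suggest `description = "Map of additional policy ARNs to attach to the IAM role; keys are static identifiers used as the for_each key, values are the policy ARNs"`. The same applies to `service_iam_role_additional_policies` and `spot_fleet_iam_role_additional_policies` in the next two hunks. Changing the type from `list(string)` to `map(string)` also breaks existing callers, which nothing in the diff calls out.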
@@ -114,8 +114,8 @@ variable "service_iam_role_permissions_boundary" {
variable "service_iam_role_additional_policies" {
description = "Additional policies to be added to the IAM role"
- type = list(string)
- default = []
+ type = map(string)
+ default = {}
}
variable "service_iam_role_tags" {
@@ -166,8 +166,8 @@ variable "spot_fleet_iam_role_permissions_boundary" {
variable "spot_fleet_iam_role_additional_policies" {
description = "Additional policies to be added to the IAM role"
- type = list(string)
- default = []
+ type = map(string)
+ default = {}
}
variable "spot_fleet_iam_role_tags" {