feat: adds support for amplify service role

README.md

@@ -78,12 +78,15 @@ module "amplify" {
 | [aws_amplify_domain_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/amplify_domain_association) | resource |
 | [aws_amplify_webhook.develop](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/amplify_webhook) | resource |
 | [aws_amplify_webhook.master](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/amplify_webhook) | resource |
+| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_additional_tag_map"></a> [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no |
+| <a name="input_amplify_service_role_enabled"></a> [amplify\_service\_role\_enabled](#input\_amplify\_service\_role\_enabled) | Whether to enable the IAM Service Role for Amplify or not. See https://docs.aws.amazon.com/amplify/latest/userguide/how-to-service-role-amplify-console.html for full details. | `bool` | `false` | no |
 | <a name="input_attributes"></a> [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no |
 | <a name="input_basic_auth_password"></a> [basic\_auth\_password](#input\_basic\_auth\_password) | The password to use for the basic auth configuration. | `string` | n/a | yes |
 | <a name="input_basic_auth_username"></a> [basic\_auth\_username](#input\_basic\_auth\_username) | The username to use for the basic auth configuration. | `string` | n/a | yes |

main.tf

@@ -20,6 +20,29 @@ module "develop_branch_label" {
   context = module.this.context
 }
 
+data "aws_iam_policy_document" "assume_role" {
+  count = module.this.enabled && var.amplify_service_role_enabled ? 1 : 0
+
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["amplify.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "default" {
+  count = module.this.enabled && var.amplify_service_role_enabled ? 1 : 0
+
+  name                = module.this.id
+  assume_role_policy  = join("", data.aws_iam_policy_document.assume_role.*.json)
+  managed_policy_arns = ["arn:aws:iam::aws:policy/AdministratorAccess"]
+  tags                = module.this.tags
+}
+
 resource "aws_amplify_app" "this" {
   name                     = module.this.id
   description              = var.description != null ? var.description : "Amplify App for the github.com/${var.organization}/${var.repo} project."
@@ -28,6 +51,7 @@ resource "aws_amplify_app" "this" {
   enable_branch_auto_build = true
   build_spec               = var.build_spec_content != "" ? var.build_spec_content : null
   environment_variables    = var.global_environment_variables
+  iam_service_role_arn     = var.amplify_service_role_enabled ? aws_iam_role.default[0].arn : null
   tags                     = module.this.tags
 
   enable_basic_auth      = var.enable_basic_auth_globally

variables.tf

@@ -8,6 +8,12 @@ variable "repo" {
   description = "The name of the repo that the Amplify App will be created around."
 }
 
+variable "amplify_service_role_enabled" {
+  default     = false
+  type        = bool
+  description = "Whether to enable the IAM Service Role for Amplify or not. See https://docs.aws.amazon.com/amplify/latest/userguide/how-to-service-role-amplify-console.html for full details."
+}
+
 variable "global_environment_variables" {
   default     = {}
   type        = map(string)