Merge pull request #167 from tablexi/role_attachments

Allow roles to be attached to SES policy
tablexi · Aug 26, 2020 · 46d2a1f · 46d2a1f
2 parents 15ec8a6 + 80fe6e3
commit 46d2a1f
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 28 deletions.
diff --git a/aws/iam/ses_send/main.tf b/aws/iam/ses_send/main.tf
@@ -1,31 +1,24 @@
-resource "aws_iam_group" "mod" {
-  name = "ses_senders"
+data "aws_iam_policy_document" "mod" {
+  version = "2012-10-17"
+  statement {
+    effect = "Allow"
+    actions = [
+      "ses:SendRawEmail",
+      "ses:SendEmail",
+    ]
+    resources = ["*"]
+  }
 }
 
-resource "aws_iam_group_policy" "mod" {
+resource "aws_iam_policy" "mod" {
   name  = "AmazonSesSendingAccess"
-  group = aws_iam_group.mod.id
 
-  policy = jsonencode(
-    {
-      Statement = [
-        {
-          Action = [
-            "ses:SendRawEmail",
-            "ses:SendEmail",
-          ]
-          Effect   = "Allow"
-          Resource = "*"
-        },
-      ]
-      Version = "2012-10-17"
-    }
-  )
+  policy = data.aws_iam_policy_document.mod.json
 }
 
-resource "aws_iam_group_membership" "mod" {
-  name  = "app-server-group-membership"
-  users = var.users
-  group = aws_iam_group.mod.name
+resource "aws_iam_policy_attachment" "mod" {
+  name       = "ses-sending-policy-attachment"
+  users      = var.users
+  roles      = var.roles
+  policy_arn = aws_iam_policy.mod.arn
 }
-
diff --git a/aws/iam/ses_send/outputs.tf b/aws/iam/ses_send/outputs.tf
diff --git a/aws/iam/ses_send/variables.tf b/aws/iam/ses_send/variables.tf
@@ -1,4 +1,9 @@
 variable "users" {
   type = list(string)
+  default = []
 }
 
+variable "roles" {
+  type = list(string)
+  default = []
+}