feat: Add a flag to enable/disable role creation

The module previously created a role automatically, and allowed managed
policies and inline policies to be attached to the role, this works well
for simple setups but makes it difficult to do multiple account/multiple
role OIDC configurations.

Author: unfunco

main.tf

@@ -12,7 +12,7 @@ locals {
 }
 
 resource "aws_iam_role" "github" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.create_iam_role ? 1 : 0
 
   assume_role_policy    = data.aws_iam_policy_document.assume_role[0].json
   description           = "Role assumed by the GitHub OIDC provider."
@@ -22,7 +22,6 @@ resource "aws_iam_role" "github" {
   path                  = var.iam_role_path
   permissions_boundary  = var.iam_role_permissions_boundary
   tags                  = var.tags
-
 }
 
 resource "aws_iam_role_policy" "inline_policies" {
@@ -33,21 +32,27 @@ resource "aws_iam_role_policy" "inline_policies" {
 }
 
 resource "aws_iam_role_policy_attachment" "admin" {
-  count = var.enabled && var.dangerously_attach_admin_policy ? 1 : 0
+  count = var.enabled && var.create_iam_role && var.dangerously_attach_admin_policy ? 1 : 0
 
-  policy_arn = "arn:${local.partition}:iam::aws:policy/AdministratorAccess"
-  role       = aws_iam_role.github[0].id
+  policy_arn = format(
+    "arn:%v:iam::aws:policy/AdministratorAccess",
+    local.partition,
+  )
+  role = aws_iam_role.github[0].id
 }
 
 resource "aws_iam_role_policy_attachment" "read_only" {
-  count = var.enabled && var.attach_read_only_policy ? 1 : 0
+  count = var.enabled && var.create_iam_role && var.attach_read_only_policy ? 1 : 0
 
-  policy_arn = "arn:${local.partition}:iam::aws:policy/ReadOnlyAccess"
-  role       = aws_iam_role.github[0].id
+  policy_arn = format(
+    "arn:${local.partition}:iam::aws:policy/ReadOnlyAccess",
+    local.partition,
+  )
+  role = aws_iam_role.github[0].id
 }
 
 resource "aws_iam_role_policy_attachment" "custom" {
-  count = var.enabled ? length(var.iam_role_policy_arns) : 0
+  count = var.enabled && var.create_iam_role ? length(var.iam_role_policy_arns) : 0
 
   policy_arn = var.iam_role_policy_arns[count.index]
   role       = aws_iam_role.github[0].id

outputs.tf

@@ -4,13 +4,13 @@
 output "iam_role_arn" {
   depends_on  = [aws_iam_role.github]
   description = "ARN of the IAM role."
-  value       = var.enabled ? aws_iam_role.github[0].arn : ""
+  value       = var.enabled && var.create_iam_role ? aws_iam_role.github[0].arn : ""
 }
 
 output "iam_role_name" {
   depends_on  = [aws_iam_role.github]
   description = "Name of the IAM role."
-  value       = var.enabled ? aws_iam_role.github[0].name : ""
+  value       = var.enabled && var.create_iam_role ? aws_iam_role.github[0].name : ""
 }
 
 output "oidc_provider_arn" {

variables.tf

@@ -30,6 +30,12 @@ variable "create_oidc_provider" {
   type        = bool
 }
 
+variable "create_iam_role" {
+  default     = true
+  description = ""
+  type        = bool
+}
+
 variable "dangerously_attach_admin_policy" {
   default     = false
   description = "Flag to enable/disable the attachment of the AdministratorAccess policy."