add custom policy var (#23)

* add custom policy var

VERSION

@@ -1 +1 @@
-v0.0.19
+v0.0.20

modules/github/actions-secrets/main.tf

@@ -88,3 +88,22 @@ resource "aws_iam_user_policy" "github" {
 
   policy = data.aws_iam_policy_document.github[0].json
 }
+
+resource "aws_iam_user_policy" "custom" {
+  count = var.create_aws_iam_user == true ? 1 : 0
+  name  = "custom-policies"
+  user  = aws_iam_user.github[0].name
+
+  policy = data.aws_iam_policy_document.custom[0].json
+}
+data "aws_iam_policy_document" "custom" {
+  count = var.create_aws_iam_user == true ? 1 : 0
+  dynamic "statement" {
+    for_each = { for statement in var.aws_iam_custom_policies : statement.sid => statement }
+    content {
+      sid       = statement.value.sid
+      actions   = statement.value.actions
+      resources = statement.value.resources
+    }
+  }
+}

modules/github/actions-secrets/outputs.tf

@@ -1,3 +1,7 @@
 output "github_public_key" {
   value = data.github_actions_public_key.public_key
 }
+
+output "aws_iam_user_arn" {
+  value = try(aws_iam_user.github[0].arn, "no iam user")
+}

modules/github/actions-secrets/variables.tf

@@ -32,6 +32,16 @@ variable "aws_iam_user_name" {
   default     = "github-terraform-backend"
 }
 
+variable "aws_iam_custom_policies" {
+  description = "Extra policy statements to add to IAM user."
+  type = list(object({
+    sid       = string
+    actions   = list(string)
+    resources = list(string)
+  }))
+  default = []
+}
+
 variable "terraform_bucket_name" {
   description = "Terraform backend bucket name for IAM policy."
   type        = string