feat: allow attachment of managed amplify admin policy

README.md

@@ -235,6 +235,7 @@ Available targets:
 |------|-------------|------|---------|:--------:|
 | <a name="input_access_token"></a> [access\_token](#input\_access\_token) | The personal access token for a third-party source control system for the Amplify app.<br>The personal access token is used to create a webhook and a read-only deploy key. The token is not stored.<br>Make sure that the account where the token is created has access to the repository. | `string` | `null` | no |
 | <a name="input_additional_tag_map"></a> [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.<br>This is for some rare cases where resources want additional configuration of tags<br>and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
+| <a name="input_attach_amplify_admin_managed_policy"></a> [attach\_amplify\_admin\_managed\_policy](#input\_attach\_amplify\_admin\_managed\_policy) | Flag to attach the AWS managed policy `AdministratorAccess-Amplify` to the IAM service role for the Amplify app | `bool` | `false` | no |
 | <a name="input_attributes"></a> [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br>in the order they appear in the list. New attributes are appended to the<br>end of the list. The elements of the list are joined by the `delimiter`<br>and treated as a single ID element. | `list(string)` | `[]` | no |
 | <a name="input_auto_branch_creation_config"></a> [auto\_branch\_creation\_config](#input\_auto\_branch\_creation\_config) | The automated branch creation configuration for the Amplify app | <pre>object({<br>    basic_auth_credentials        = optional(string)<br>    build_spec                    = optional(string)<br>    enable_auto_build             = optional(bool)<br>    enable_basic_auth             = optional(bool)<br>    enable_performance_mode       = optional(bool)<br>    enable_pull_request_preview   = optional(bool)<br>    environment_variables         = optional(map(string))<br>    framework                     = optional(string)<br>    pull_request_environment_name = optional(string)<br>    stage                         = optional(string)<br>  })</pre> | `null` | no |
 | <a name="input_auto_branch_creation_patterns"></a> [auto\_branch\_creation\_patterns](#input\_auto\_branch\_creation\_patterns) | The automated branch creation glob patterns for the Amplify app | `list(string)` | `[]` | no |

docs/terraform.md

@@ -36,6 +36,7 @@
 |------|-------------|------|---------|:--------:|
 | <a name="input_access_token"></a> [access\_token](#input\_access\_token) | The personal access token for a third-party source control system for the Amplify app.<br>The personal access token is used to create a webhook and a read-only deploy key. The token is not stored.<br>Make sure that the account where the token is created has access to the repository. | `string` | `null` | no |
 | <a name="input_additional_tag_map"></a> [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.<br>This is for some rare cases where resources want additional configuration of tags<br>and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
+| <a name="input_attach_amplify_admin_managed_policy"></a> [attach\_amplify\_admin\_managed\_policy](#input\_attach\_amplify\_admin\_managed\_policy) | Flag to attach the AWS managed policy `AdministratorAccess-Amplify` to the IAM service role for the Amplify app | `bool` | `false` | no |
 | <a name="input_attributes"></a> [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br>in the order they appear in the list. New attributes are appended to the<br>end of the list. The elements of the list are joined by the `delimiter`<br>and treated as a single ID element. | `list(string)` | `[]` | no |
 | <a name="input_auto_branch_creation_config"></a> [auto\_branch\_creation\_config](#input\_auto\_branch\_creation\_config) | The automated branch creation configuration for the Amplify app | <pre>object({<br>    basic_auth_credentials        = optional(string)<br>    build_spec                    = optional(string)<br>    enable_auto_build             = optional(bool)<br>    enable_basic_auth             = optional(bool)<br>    enable_performance_mode       = optional(bool)<br>    enable_pull_request_preview   = optional(bool)<br>    environment_variables         = optional(map(string))<br>    framework                     = optional(string)<br>    pull_request_environment_name = optional(string)<br>    stage                         = optional(string)<br>  })</pre> | `null` | no |
 | <a name="input_auto_branch_creation_patterns"></a> [auto\_branch\_creation\_patterns](#input\_auto\_branch\_creation\_patterns) | The automated branch creation glob patterns for the Amplify app | `list(string)` | `[]` | no |

examples/complete/fixtures.us-east-2.tfvars

@@ -28,6 +28,8 @@ iam_service_role_actions = [
   "logs:PutLogEvents"
 ]
 
+attach_amplify_admin_managed_policy = true
+
 enable_auto_branch_creation = false
 
 enable_branch_auto_build = true

examples/complete/main.tf

@@ -11,26 +11,27 @@ locals {
 module "amplify_app" {
   source = "../../"
 
-  access_token                  = data.aws_ssm_parameter.github_pat.value
-  description                   = var.description
-  repository                    = var.repository
-  platform                      = var.platform
-  oauth_token                   = var.oauth_token
-  auto_branch_creation_config   = var.auto_branch_creation_config
-  auto_branch_creation_patterns = var.auto_branch_creation_patterns
-  basic_auth_credentials        = var.basic_auth_credentials
-  build_spec                    = var.build_spec
-  enable_auto_branch_creation   = var.enable_auto_branch_creation
-  enable_basic_auth             = var.enable_basic_auth
-  enable_branch_auto_build      = var.enable_branch_auto_build
-  enable_branch_auto_deletion   = var.enable_branch_auto_deletion
-  environment_variables         = var.environment_variables
-  custom_rules                  = var.custom_rules
-  iam_service_role_enabled      = var.iam_service_role_enabled
-  iam_service_role_arn          = var.iam_service_role_arn
-  iam_service_role_actions      = var.iam_service_role_actions
-  environments                  = var.environments
-  domains                       = local.domains
+  access_token                        = data.aws_ssm_parameter.github_pat.value
+  description                         = var.description
+  repository                          = var.repository
+  platform                            = var.platform
+  oauth_token                         = var.oauth_token
+  auto_branch_creation_config         = var.auto_branch_creation_config
+  auto_branch_creation_patterns       = var.auto_branch_creation_patterns
+  basic_auth_credentials              = var.basic_auth_credentials
+  build_spec                          = var.build_spec
+  enable_auto_branch_creation         = var.enable_auto_branch_creation
+  enable_basic_auth                   = var.enable_basic_auth
+  enable_branch_auto_build            = var.enable_branch_auto_build
+  enable_branch_auto_deletion         = var.enable_branch_auto_deletion
+  environment_variables               = var.environment_variables
+  custom_rules                        = var.custom_rules
+  iam_service_role_enabled            = var.iam_service_role_enabled
+  iam_service_role_arn                = var.iam_service_role_arn
+  iam_service_role_actions            = var.iam_service_role_actions
+  environments                        = var.environments
+  domains                             = local.domains
+  attach_amplify_admin_managed_policy = var.attach_amplify_admin_managed_policy
 
   context = module.this.context
 }

examples/complete/variables.tf

@@ -187,3 +187,10 @@ variable "domains" {
   description = "Amplify custom domain configurations"
   default     = null
 }
+
+variable "attach_amplify_admin_managed_policy" {
+  type        = bool
+  description = "Flag to attach the AWS managed policy `AdministratorAccess-Amplify` to the IAM service role for the Amplify app"
+  default     = false
+  nullable    = false
+}

iam.tf

@@ -112,5 +112,7 @@ module "role" {
     one(data.aws_iam_policy_document.default[*].json)
   ]
 
+  managed_policy_arns = var.attach_amplify_admin_managed_policy ? ["arn:aws:iam::aws:policy/AdministratorAccess-Amplify"] : []
+
   context = module.this.context
 }

variables.tf

@@ -187,3 +187,10 @@ variable "domains" {
   description = "Amplify custom domain configurations"
   default     = {}
 }
+
+variable "attach_amplify_admin_managed_policy" {
+  type        = bool
+  description = "Flag to attach the AWS managed policy `AdministratorAccess-Amplify` to the IAM service role for the Amplify app"
+  default     = false
+  nullable    = false
+}