Merge pull request #181 from cloud-neutral-toolkit/codex/fix-unauthorized-operation-errors-in-vpc-setup-1gi8pl

Attach admin policy to terraform deploy role

iac-template/terraform-hcl-standard/aws-cloud/README.md

@@ -88,6 +88,11 @@ terraform init
 terraform apply \
   -var="account_name=dev" \
   -var="role_name=TerraformDeployRole-Dev"
+
+By default the deploy role attaches the AWS managed **AdministratorAccess** policy so
+subsequent Terraform runs can create infrastructure resources (e.g., VPCs, EIPs). You
+can override this by passing `-var='managed_policy_arns=["arn:aws:iam::aws:policy/PowerUserAccess"]'`
+or another list of managed policy ARNs when tighter permissions are required.
 ```
 
 ## 5. Use in Terraform Backend

iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/main.tf

@@ -52,6 +52,13 @@ resource "aws_iam_role_policy" "terraform_deploy_role_policy" {
   policy = data.aws_iam_policy_document.terraform_deploy_inline.json
 }
 
+resource "aws_iam_role_policy_attachment" "terraform_deploy_role_managed" {
+  count = var.create_role ? length(var.managed_policy_arns) : 0
+
+  role       = aws_iam_role.terraform_deploy_role[0].name
+  policy_arn = var.managed_policy_arns[count.index]
+}
+
 #
 # IAM User for Terraform (AK/SK)
 # ----------------------------------------

iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/variables.tf

@@ -79,3 +79,9 @@ variable "bootstrap_config_path" {
   type        = string
   default     = "../../config/accounts/bootstrap.yaml"
 }
+
+variable "managed_policy_arns" {
+  description = "List of managed policy ARNs to attach to the Terraform deploy role"
+  type        = list(string)
+  default     = ["arn:aws:iam::aws:policy/AdministratorAccess"]
+}