Ontotext-AD · simonzhekoff · Apr 1, 2025 · Apr 1, 2025
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/README.md b/README.md
@@ -98,6 +98,7 @@ Before you begin using this Terraform module, ensure you meet the following prer
 | assume\_role\_session\_name | (Optional) name of the session to be assumed to run session | `string` | `null` | no |
 | assume\_role\_external\_id | The external ID can be any identifier that is known only by you and the third party. For example, you can use an invoice ID between you and the third party | `string` | `null` | no |
 | assume\_role\_principal\_arn | (Optional) Principal for the IAM role assume policies | `string` | `null` | no |
+| graphdb\_additional\_policy\_arns | List of additional IAM policy ARNs to attach to the instance IAM role | `list(string)` | `[]` | no |
 | deploy\_backup | Deploy backup module | `bool` | `true` | no |
 | backup\_schedule | Cron expression for the backup job. | `string` | `"0 0 * * *"` | no |
 | backup\_retention\_count | Number of backups to keep. | `number` | `7` | no |

diff --git a/main.tf b/main.tf
@@ -245,6 +245,7 @@ module "graphdb" {
   aws_region                 = data.aws_region.current.name
   aws_subscription_id        = data.aws_caller_identity.current.account_id
   assume_role_principal_arn  = var.assume_role_principal_arn
+  additional_policy_arns     = var.graphdb_additional_policy_arns
 
   # Networking
 

diff --git a/modules/graphdb/iam.tf b/modules/graphdb/iam.tf
@@ -520,3 +520,9 @@ resource "aws_iam_role_policy" "param_store_key_admin_role_permissions" {
   role   = aws_iam_role.param_store_key_admin_role.name
   policy = data.aws_iam_policy_document.param_store_key_admin_role_permissions.json
 }
+
+resource "aws_iam_role_policy_attachment" "additional_policies" {
+  for_each   = toset(var.additional_policy_arns)
+  role       = aws_iam_role.graphdb_iam_role.id
+  policy_arn = each.value
+}
diff --git a/modules/graphdb/variables.tf b/modules/graphdb/variables.tf
@@ -442,3 +442,9 @@ variable "user_supplied_templates" {
   }))
   default = []
 }
+
+variable "additional_policy_arns" {
+  description = "List of additional IAM policy ARNs to attach to the instance IAM role"
+  type        = list(string)
+  default     = []
+}
diff --git a/variables.tf b/variables.tf
@@ -1,6 +1,5 @@
 # Common configurations
 
-
 variable "deployment_restriction_tag" {
   description = "Deployment tag used to restrict access via IAM policies"
   type        = string
@@ -57,7 +56,14 @@ variable "assume_role_principal_arn" {
   default     = null
 }
 
+variable "graphdb_additional_policy_arns" {
+  description = "List of additional IAM policy ARNs to attach to the instance IAM role"
+  type        = list(string)
+  default     = []
+}
+
 # Backup configurations
+
 variable "deploy_backup" {
   description = "Deploy backup module"
   type        = bool
@@ -765,6 +771,7 @@ variable "create_ebs_kms_key" {
   type        = bool
   default     = false
 }
+
 # SNS Encryption
 
 variable "create_sns_kms_key" {