diff --git a/main.tf b/main.tf
index 2f29130..7e7a7ce 100644
--- a/main.tf
+++ b/main.tf
@@ -567,7 +567,7 @@ data "aws_iam_policy_document" "assume_role_policy" {
 }
 
 resource "aws_iam_role" "this" {
-  count = var.create && var.create_iam_instance_profile ? 1 : 0
+  count = var.create && var.create_iam_instance_profile && !var.use_existing_iam_role ? 1 : 0
 
   name = var.iam_role_use_name_prefix ? null : local.iam_role_name
   name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null
@@ -582,7 +582,7 @@ resource "aws_iam_role" "this" {
 }
 
 resource "aws_iam_role_policy_attachment" "this" {
-  for_each = { for k, v in var.iam_role_policies : k => v if var.create && var.create_iam_instance_profile }
+  for_each = { for k, v in var.iam_role_policies : k => v if var.create && var.create_iam_instance_profile && !var.use_existing_iam_role }
 
   policy_arn = each.value
   role = aws_iam_role.this[0].name
@@ -591,7 +591,7 @@ resource "aws_iam_role_policy_attachment" "this" {
 resource "aws_iam_instance_profile" "this" {
   count = var.create && var.create_iam_instance_profile ? 1 : 0
 
-  role = aws_iam_role.this[0].name
+  role = var.use_existing_iam_role ? var.existing_iam_role_name : aws_iam_role.this[0].name
 
   name = var.iam_role_use_name_prefix ? null : local.iam_role_name
   name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null
diff --git a/variables.tf b/variables.tf
index d5b8bc0..14ac34e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -367,6 +367,18 @@ variable "create_iam_instance_profile" {
   default = false
 }
 
+variable "use_existing_iam_role" {
+  description = "Whether to use an existing IAM role instead of creating a new one."
+  type = bool
+  default = false
+}
+
+variable "existing_iam_role_name" {
+  description = "Name of the existing IAM role to use for the instance profile."
+  type = string
+  default = null
+}
+
 variable "iam_role_name" {
   description = "Name to use on IAM role created"
   type = string
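Review bot: Flipping `use_existing_iam_role` to true on an already-deployed module drives this `count` to 0, so the module-managed `aws_iam_role.this` (and its policy attachments) is destroyed in the same apply that repoints the instance profile; instances using that profile lose their credentials if the plan fails partway through. That is a destructive toggle, not a no-op switch, and it deserves a comment above `count`, e.g. `# Toggling use_existing_iam_role on an existing deployment destroys the module-managed role; the existing role must already trust the EC2 service principal, since the assume_role_policy above is only rendered into roles this module creates`. The trust-policy part is inferred from the `assume_role_policy` data source in the hunk header rather than visible lines, so confirm it before wording the comment. The `aws_iam_role` body continues outside the hunk.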
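Review bot: With `use_existing_iam_role = true` the added `&& !var.use_existing_iam_role` makes this `for_each` empty, so any entries in `var.iam_role_policies` are silently dropped rather than attached to the existing role or rejected. A caller who sets both inputs ends up with a role that has fewer permissions than they configured and nothing in the plan saying so, which is easy to misread as the module having granted them. If the intent is that the module never modifies a role it does not own, state it above `for_each`, `# Policies are only attached to the module-managed role; with use_existing_iam_role the caller owns the role's permissions and iam_role_policies is ignored`, or fail the plan with a precondition when both are set. The resource body continues past the end of the hunk.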
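Review bot: When `use_existing_iam_role` is true but `existing_iam_role_name` is left at its `null` default, the new `role = ...` expression resolves to null and the failure only surfaces at apply time from the AWS API, after the existing profile has already been planned for modification. A `lifecycle` precondition on this resource (Terraform 1.2 or later) turns that into a plan-time error with a clear message; a `data "aws_iam_role"` lookup on the name would additionally confirm the role exists before the profile is touched. Neither check can verify that the existing role's trust policy allows EC2 to assume it, so the guard below covers only the missing name. The resource block is still open at the end of the hunk, so the `lifecycle` block goes before its closing brace, which is outside the hunk.
```hcl
resource "aws_iam_instance_profile" "this" {
  # … unchanged: count / role / name / name_prefix …

  lifecycle {
    precondition {
      condition     = !var.use_existing_iam_role || var.existing_iam_role_name != null
      error_message = "existing_iam_role_name must be set when use_existing_iam_role is true."
    }
  }
```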
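Review bot: The description of `existing_iam_role_name` omits the two things the module now relies on but cannot check: the role must carry a trust policy that lets the EC2 service principal assume it, and `iam_role_policies` is not attached to it (the attachments in main.tf are gated off when the flag is set). Suggest `description = "Name of an existing IAM role to attach to the instance profile when use_existing_iam_role is true. The role must trust the EC2 service principal; the module does not modify it, and iam_role_policies is ignored in that case."`. The `use_existing_iam_role` description could likewise note that the instance profile itself is still created and is still named from `iam_role_name`, which is what the profile's `name`/`name_prefix` in main.tf use. A `validation` block on one variable cannot reference the other on older Terraform, so the null default is fine here as long as the pairing is enforced at the resource.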