terraform iam_module.tf

iam_module_main.tf

resource aws_iam_role_policy this {
  name   = var.name
  role   = aws_iam_role.this.name
  policy = var.policy
}

resource aws_iam_role this {
  name               = var.name
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "${var.principal}"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
  EOF
}

iam_module_variables.tf

variable name {}
variable policy {}
variable principal {}

main.tf

module cluster_autoscaler {
  source    = "iam_module"
  name      = "k8s-cluster-autoscaler"
  principal = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${module.eks.worker_iam_role_name}"
  policy    = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances",
                "autoscaling:DescribeTags",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:SetDesiredCapacity",
                "autoscaling:TerminateInstanceInAutoScalingGroup",
                "ec2:DescribeLaunchTemplateVersions"
            ],
            "Resource": "*"
        }
    ]
}
EOF
}