How do I attach a managed IAM policy and an inline/custom IAM policy to IAM roles?

0
votes

I want to attach a managed IAM Policy ARN (like AmazomS3FullAccess) and an inline/custom IAM policy (written in JSON in terraform file) to a single IAM Role.

by using aws_iam_role_policy_attachment I am able to attach only one policy, what's the way to attach both?

variables.tf
------------

variable "iam_policy_arn" {
  description = "IAM Policy to be attached to role"
  type        = list(string)
  default     = ["arn:aws:iam::aws:policy/AWSLambdaFullAccess", "arn:aws:iam::aws:policy/AmazonSSMFullAccess", "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"]
}




main.tf
-------


resource "aws_iam_role" "test_role" {
  name = "test_role"

  assume_role_policy = <<-EOF
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Principal":{
        "Service":"ec2.amazonaws.com"
      },
      "Action":"sts:AssumeRole"
    },
    {
      "Effect":"Allow",
      "Principal":{
        "Service":"sagemaker.amazonaws.com",
        "AWS":"*"
      },
      "Action":"sts:AssumeRole"
    }
  ]
}    
  EOF
}
resource "aws_iam_role_policy_attachment" "role_policy_attachment" {
  role       = "${aws_iam_role.test_role.name}"
  count      = "${length(var.iam_policy_arn)}"
  policy_arn = "${element(var.iam_policy_arn,count.index)}"

}

resource "aws_iam_instance_profile" "test_profile" {
  name = "test_profile"
  role = "${aws_iam_role.test_role.name}"
}

now I want to attach a custom policy like below to the role

resource "aws_iam_role_policy" "test_policy" {
  name = "test_policy"
  role = aws_iam_role.test_role.id

  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "ec2:Describe*"
        ],
        "Effect": "Allow",
        "Resource": "*"
      }
    ]
  }
  EOF
}

How do I attach a managed IAM policy and a custom IAM policy to IAM roles?

4
terraformterraform-provider-aws
Could you share the code you have so far and any errors you get why trying to add extra policies? - Marcin
Please check the updated code @Marcin - mellifluous
You can have multiple actions defined in your action block for your policy. Is that what you are after? - sogyals429
I want to attach test_policy to test_role by using aws_iam_role_policy_attachment - mellifluous
You could have a seperate template file for your policy and then add both the actions from there into the file. Have a look at this medium.com/@mitesh_shamra/… - sogyals429

4 Answers

1
votes

Just pass them as variable or declare them as a local value, and then iterate over such variable.

For example:

resource "aws_iam_role_policy_attachment" "attach" {
  count      = length(var.policies)
  role       = aws_iam_role.my_role.name
  policy_arn = ${var.policies[count.index]}
}

where var.policies is a list of policies ["arn:aws:iam::aws:policy/AmazonS3FullAccess", "arn:aws:iam::<your_account>:policy/your_policy"]

1
votes

I was able to attach a managed IAM policy and an inline/custom IAM policy to IAM role using the below code.

# variables.tf
variable "cloudwatch_lambda_iam_policy_arn" {
  type        = list(string)
  description = "IAM Policy to be attached to AWS CloudWatch Lambda role"
  default     = ["arn:aws:iam::aws:policy/AmazonEC2FullAccess", "arn:aws:iam::aws:policy/AWSLambdaExecute", "arn:aws:iam::aws:policy/AmazonCloudDirectoryFullAccess", "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]
}

#------------------------------------------------------------

# lambda.tf
resource "aws_iam_role" "awsmetrics_exec_role" {
  name = "awsmetrics-exec-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

# custom/inline policy
resource "aws_iam_role_policy" "sts_assumerole_lambda" {
  name = "sts-assumerole-lambda"
  role = aws_iam_role.awsmetrics_exec_role.id

  policy = <<-EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole",
        "sts:DecodeAuthorizationMessage",
        "sts:AssumeRoleWithSAML",
        "sts:AssumeRoleWithWebIdentity"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# AWS managed policies
resource "aws_iam_role_policy_attachment" "awsmetrics_role_policy_attachment" {
  role       = aws_iam_role.awsmetrics_exec_role.name
  count      = length(var.cloudwatch_lambda_iam_policy_arn)
  policy_arn = element(var.cloudwatch_lambda_iam_policy_arn, count.index)
}
0
votes

You might need to modify the policy to your needs but that's what it would look like. You can do the following:

data "template_file" "test_role_template" {
 template = "${file("pathToRoleJson")}"
}

data "template_file" "test_policy_template" {
    template = "${file("pathToPolicyJson")}"
    vars = {
      customParam    = "${var.ValueOfParam}"
    }
}

resource "aws_iam_role" "test_role" {
    name     = "roleName"
    assume_role_policy = "${data.template_file.test_role.rendered}"
}

#-----------------------------------------
resource "aws_iam_policy" "test_role_policy" {
  name   = "policyName"
  policy = "${data.template_file.test_policy_template.rendered}"
}

# Attach policy to role nat_ec2_role
#-----------------------------------------
resource "aws_iam_role_policy_attachment" "nat_ec2_role_policy-attachment" {
  role       = "${aws_iam_role.test_role.name}"
  policy_arn = "${aws_iam_policy.test_role_policy.arn}"
}



# Policy Template File
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Principal":{
        "Service":"ec2.amazonaws.com"
      },
      "Action":"sts:AssumeRole"
    },
    {
      "Effect":"Allow",
      "Principal":{
        "Service":"sagemaker.amazonaws.com",
        "AWS":"*"
      },
       {
        "Action": [
          "ec2:Describe*"
        ],
        "Effect": "Allow",
        "Resource": "*"
      }
      "Action":"sts:AssumeRole"
    }
  ]
}    


resource "aws_iam_instance_profile" "test_profile" {
  name = "test_profile"
  role = "${aws_iam_role.test_role.name}"
}

Hope it helps.

0
votes

You can add the inline policy with embedded JSON as follows:

resource "aws_iam_role_policy" "test_policy" {
  name = "test_policy"
  role = aws_iam_role.test_role.id

  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "ec2:Describe*"
        ],
        "Effect": "Allow",
        "Resource": "*"
      }
    ]
  }
  EOF
}

Or you can use a aws_iam_policy_document to get better error-checking in IDEs like IntelliJ IDEA:

resource "aws_iam_role_policy" "policy" {
  name        = "test-policy"
  description = "A test policy"

  policy = data.aws_iam_policy_document.allow_ec2_describe
}

data "aws_iam_policy_document" "allow_ec2_describe" {
  version = "2012-10-17"

  statement {
    actions = [
      "ec2:Describe*",
    ]
    effect = "Allow"
    resources = [
      "*",
    ]
  }
}

Side note: you can more cleanly attach the Amazon Managed Policies using an aws_iam_role_policy_attachment resource with for_each like this:

resource "aws_iam_role_policy_attachment" "managed_policy_attachments" {
  for_each   = {for arn in var.iam_policy_arns : arn => arn}
  role       = aws_iam_role.test_role.name
  policy_arn = data.aws_iam_policy.managed_policies[each.key]
}

Side note: you can also use aws_iam_role_policy_attachment for cleaner assume_role_policy setup:

resource "aws_iam_role" "test_role" {
  name = "test_role"

  assume_role_policy = data.aws_iam_policy_document.allow_ec2_and_sagemaker
}

data "aws_iam_policy_document" "allow_ec2_and_sagemaker" {
  version = "2012-10-17"

  statement {
    sid    = "AllowEC2AndSageMaker"
    effect = "Allow"

    actions = [
      "sts:AssumeRole",
    ]

    principals {
      type = "Service"
      identifiers = [
        "ec2.amazonaws.com",
        "sagemaker.amazonaws.com",
      ]
    }
  }
}