2 votes

Terraform version: 12

We have a legacy IAM role, not managed by Terraform, that I'd like to reference from an aws_iam_policy_attachment block. I attempted the following:

resource "aws_iam_policy_attachment" "example-attach" {
  name = "example-attach"

  roles = [
    aws_iam_role.managed-role.name,
    "arn:aws:iam::1234567890:role/unmanaged-role"
  ]

  policy_arn = aws_iam_policy.example-policy.arn
}

The dry run works fine, but when applying, TF says:

– ValidationError: The specified value for roleName is invalid. It must contain only alphanumeric characters and/or the following: +=,.@_-

Is there a way I can just reference the unmanaged role without defining it in TF? Or is there some non-destructive way of declaring it that doesn't change anything to do with the unmanaged role?


1 Answer

2 votes

In roles, you are providing the role ARN, not the role name.

Therefore, instead of the ARN, you should use its name:

resource "aws_iam_policy_attachment" "example-attach" {
  name = "example-attach"

  roles = [
    aws_iam_role.managed-role.name,
    "unmanaged-role"
  ]

  policy_arn = aws_iam_policy.example-policy.arn
}

You can also use a data source:

data "aws_iam_role" "example" {
  name = "unmanaged-role"
}

and then reference it in your resource:

resource "aws_iam_policy_attachment" "example-attach" {
  name = "example-attach"

  roles = [
    aws_iam_role.managed-role.name,
    data.aws_iam_role.example.name
  ]

  policy_arn = aws_iam_policy.example-policy.arn
}
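Since the question also asks for a non-destructive way of doing this, here is an added example (not part of the question or the answer above) that combines the aws_iam_role data source with aws_iam_role_policy_attachment. That resource attaches one policy to one role and does not detach the policy from anything it does not declare, whereas aws_iam_policy_attachment is exclusive and removes the policy from every role, user or group not listed in it. It assumes the aws_iam_role.managed-role and aws_iam_policy.example-policy resources from the thread exist in the same configuration.

```hcl
# Added example, not from the original question or answer. Assumes the
# managed role aws_iam_role.managed-role and the policy
# aws_iam_policy.example-policy from the thread are declared elsewhere
# in this configuration; "unmanaged-role" is the legacy role's name.

# Read the legacy role by name. A data source only reads; it never
# creates, changes or destroys the role.
data "aws_iam_role" "unmanaged" {
  name = "unmanaged-role"
}

# Role names that should receive the policy, keyed for for_each.
locals {
  attach_roles = {
    managed   = aws_iam_role.managed-role.name
    unmanaged = data.aws_iam_role.unmanaged.name
  }
}

# One attachment per role. Unlike aws_iam_policy_attachment, this
# resource is not exclusive: it does not detach the policy from roles,
# users or groups that are not declared here, so whatever is already
# attached to the legacy role is left untouched.
resource "aws_iam_role_policy_attachment" "example" {
  for_each   = local.attach_roles
  role       = each.value
  policy_arn = aws_iam_policy.example-policy.arn
}

# Expose the resolved ARN so the plan output shows which role the data
# source found before anything is applied.
output "unmanaged_role_arn" {
  value = data.aws_iam_role.unmanaged.arn
}
```

Check the output in terraform plan to confirm the data source resolved the intended role before applying.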