0
votes

As I'm new to Terraform, I'd like to ask for your help, since I've been stuck for almost a day.

When trying to apply IaC to deploy an Nginx service into ECS (EC2 launch type) on AWS, I'm facing the following problem:

Error: Error creating IAM Role nginx-iam_role: MalformedPolicyDocument: Has prohibited field Resource status code: 400, request id: 0f1696f4-d86b-4ad1-ba3b-9453f3beff2b

I have already checked the documentation and the syntax is fine. What else could be wrong?

Here is the code snippet creating the IAM infra:

provider "aws" {
    region = "us-east-2"
}


data "aws_iam_policy_document" "nginx-doc-policy" {
  statement {
    sid = "1"

    actions = [
      "ec2:*"
    ]
    resources = ["*"]
  }
}

resource "aws_iam_role" "nginx-iam_role" {
  name               = "nginx-iam_role"
  path               = "/"
  # This is the line that fails: the document above carries a Resource field
  # and no Principal, so it is not a valid trust policy for a role.
  assume_role_policy = "${data.aws_iam_policy_document.nginx-doc-policy.json}"
}

resource "aws_iam_group_policy" "nginx-group-policy" {
  name  = "my_developer_policy"
  group = "${aws_iam_group.nginx-iam-group.name}"
  policy = "${data.aws_iam_policy_document.nginx-doc-policy.json}"
}

resource "aws_iam_group" "nginx-iam-group" {
  name = "nginx-iam-group"
  path = "/"
}


resource "aws_iam_user" "nginx-user" {
  name = "nginx-user"
  path = "/"
}

resource "aws_iam_user_group_membership" "nginx-membership" {
  user = "${aws_iam_user.nginx-user.name}"

  groups = ["${aws_iam_group.nginx-iam-group.name}"]
}

If you need the remaining code: https://github.com/atilasantos/iac-terraform-nginx.git

Comment (ydaetskcoR): Does stackoverflow.com/a/44581645/2291321 answer your question?

1 Answer

1
votes

You are trying to use the aws_iam_policy_document.nginx-doc-policy policy as an assume_role_policy, which does not work, as an assume role policy needs to define a principal that you trust and want to grant access to assume the role you are creating.

An assume role policy could look like this if you want to grant access to the role to EC2 instances via instance profiles. At the end you can attach your initial policy via a new resource as an inline policy to the role:

# Trust policy: who may assume the role. No Resource here; the role itself is
# the implicit resource, and the Principal is what the original document lacked.
data "aws_iam_policy_document" "instance-assume-role-policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "nginx-iam_role" {
  name               = "nginx-iam_role"
  path               = "/"
  assume_role_policy = data.aws_iam_policy_document.instance-assume-role-policy.json
}

# Permissions policy: what the role may do. This is where the original
# nginx-doc-policy document (Action + Resource, no Principal) belongs.
resource "aws_iam_role_policy" "role_policy" {
  # Inline policy names may only contain [A-Za-z0-9+=,.@_-]; a space is rejected.
  name   = "role-policy"
  role   = aws_iam_role.nginx-iam_role.id
  policy = data.aws_iam_policy_document.nginx-doc-policy.json
}

Instead of attaching the policy as an inline policy, you can also create an IAM policy and attach it to the various IAM resources (e.g. aws_iam_policy and aws_iam_role_policy_attachment for roles).

We created a bunch of open-source IAM modules (and others) to make IAM handling easier: find them on GitHub. But there are more modules out there that you can try.
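The distinction the answer draws (a trust policy names a Principal and carries no Resource; an identity-based permissions policy names a Resource and carries no Principal) can be checked offline before `terraform apply` reports it as a 400. The following is an added example, not code from the question, the answer, or Terraform; the two JSON documents are constructed by hand to match what the page's two `aws_iam_policy_document` data sources render (the data source collapses single-element lists to plain strings, which is reproduced here), and the function names are this example's own:

```python
"""Lint IAM policy JSON for the trust-vs-permissions mix-up on the page.

Added example; the sample documents below are constructed, not captured.
"""
import json

# Actions that belong in a trust policy. Anything else in assume_role_policy
# means the wrong document was wired in.
ASSUME_ROLE_ACTIONS = {
    "sts:AssumeRole",
    "sts:AssumeRoleWithSAML",
    "sts:AssumeRoleWithWebIdentity",
    "sts:TagSession",
    "sts:SetSourceIdentity",
}

# Constructed: what data.aws_iam_policy_document.nginx-doc-policy renders to.
# Valid as a permissions policy, invalid as a trust policy.
NGINX_DOC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "1", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"}
    ],
})

# Constructed: what the answer's instance-assume-role-policy renders to.
INSTANCE_ASSUME_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"Service": "ec2.amazonaws.com"},
    }],
})


def _statements(doc):
    """Accept a JSON string or dict; always return a list of statement dicts."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    stmts = doc.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _as_list(value):
    """IAM allows a bare string where a list is expected; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_trust_policy(doc):
    """Problems that make `doc` unusable as aws_iam_role.assume_role_policy."""
    problems = []
    for i, s in enumerate(_statements(doc)):
        if "Resource" in s or "NotResource" in s:
            problems.append(f"statement {i}: Has prohibited field Resource")
        if "Principal" not in s and "NotPrincipal" not in s:
            problems.append(f"statement {i}: missing Principal")
        wrong = [a for a in _as_list(s.get("Action")) if a not in ASSUME_ROLE_ACTIONS]
        if wrong:
            problems.append(f"statement {i}: non-sts actions in trust policy: {wrong}")
    return problems


def check_permissions_policy(doc):
    """Problems that make `doc` unusable as an identity-based policy
    (aws_iam_role_policy, aws_iam_group_policy, aws_iam_policy)."""
    problems = []
    for i, s in enumerate(_statements(doc)):
        if "Principal" in s or "NotPrincipal" in s:
            problems.append(f"statement {i}: Has prohibited field Principal")
        if "Resource" not in s and "NotResource" not in s:
            problems.append(f"statement {i}: missing Resource")
    return problems


def broad_grants(doc):
    """Allow statements pairing a wildcard action with Resource "*".

    AWS accepts these; the check is the least-privilege caveat for the page's
    "ec2:*" on "*", which an nginx task role does not need.
    """
    findings = []
    for i, s in enumerate(_statements(doc)):
        if s.get("Effect") != "Allow":
            continue
        stars = [a for a in _as_list(s.get("Action")) if a.endswith("*")]
        if stars and "*" in _as_list(s.get("Resource")):
            findings.append(f"statement {i}: {stars} on Resource '*'")
    return findings


if __name__ == "__main__":
    print("question doc as trust policy:", check_trust_policy(NGINX_DOC_POLICY))
    print("answer doc as trust policy:", check_trust_policy(INSTANCE_ASSUME_ROLE_POLICY))
    print("question doc as permissions policy:", check_permissions_policy(NGINX_DOC_POLICY))
    print("least-privilege review:", broad_grants(NGINX_DOC_POLICY))
```

Run against the question's document, `check_trust_policy` reports the same "Has prohibited field Resource" that IAM returned, plus the missing Principal that caused it; run against the answer's trust document it reports nothing. `broad_grants` is the follow-up a reviewer would raise once the apply succeeds: `ec2:*` on every resource is far more than an nginx container needs.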