Tags: amazon-web-services, amazon-iam, terraform

Correct way to attach AWS managed policies to a role?


I want to attach one of the pre-existing AWS managed roles to a policy, here's my current code:

resource "aws_iam_role_policy_attachment" "sto-readonly-role-policy-attach" {
  role       = "${aws_iam_role.sto-test-role.name}"
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

Is there a better way to model the managed policy and then reference it instead of hardcoding the ARN? It just seems like whenever I hardcode ARNs / paths or other stuff like this, I usually find out later there was a better way.

Is there something already existing in Terraform that models managed policies? Or is hardcoding the ARN the "right" way to do it?


Solution

  • The IAM Policy data source is great for this. A data resource is used to describe data or resources that are not actively managed by Terraform, but are referenced by Terraform.

    For your example, you would create a data resource for the managed policy as follows:

    data "aws_iam_policy" "ReadOnlyAccess" {
      arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
    }
    

    The name of the data source, ReadOnlyAccess in this case, is entirely up to you. For managed policies I use the same name as the policy name for the sake of consistency, but you could just as easily name it readonly if that suits you.

    You would then attach the IAM policy to your role as follows:

    resource "aws_iam_role_policy_attachment" "sto-readonly-role-policy-attach" {
      role       = "${aws_iam_role.sto-test-role.name}"
      policy_arn = "${data.aws_iam_policy.ReadOnlyAccess.arn}"
    }
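Below is an added, complete configuration (example code written for this page, not taken from the question or the answer above) that puts the data-source approach into current Terraform syntax (no `"${...}"` wrapping) and generalizes it to several managed policies at once. Everything beyond the `ReadOnlyAccess` lookup is an assumption for illustration: the EC2 trust policy, the region, the second policy name `AmazonSSMManagedInstanceCore`, and the `aws_partition` lookup that keeps the ARN correct in the `aws`, `aws-us-gov` and `aws-cn` partitions.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumption: IAM is global, any region works
}

# Trust policy: who may assume the role. EC2 is assumed here for the example.
data "aws_iam_policy_document" "assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "sto_test_role" {
  name               = "sto-test-role"
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
}

# Partition lookup so the ARN is not hardcoded to the commercial partition.
data "aws_partition" "current" {}

# Managed policies to attach, by name (constructed list for this example).
locals {
  managed_policies = toset(["ReadOnlyAccess", "AmazonSSMManagedInstanceCore"])
}

# One data lookup per policy. Because the lookup runs during plan, a mistyped
# policy name fails at plan time rather than at apply time.
data "aws_iam_policy" "managed" {
  for_each = local.managed_policies
  arn      = "arn:${data.aws_partition.current.partition}:iam::aws:policy/${each.key}"
}

# One attachment per (role, policy) pair, keyed by policy name.
resource "aws_iam_role_policy_attachment" "managed" {
  for_each   = data.aws_iam_policy.managed
  role       = aws_iam_role.sto_test_role.name
  policy_arn = each.value.arn
}

# The data source also exposes the policy document, so what the role will be
# granted is visible in plan output and state instead of only behind an ARN.
output "attached_policies" {
  value = {
    for name, p in data.aws_iam_policy.managed : name => {
      arn      = p.arn
      document = p.policy
    }
  }
}
```

Adding a policy is then a one-line change to `local.managed_policies`, and removing one from the list destroys exactly that attachment, which is easier to review in a plan than a pile of hand-written `policy_arn` strings.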