I am working to implement the lambda defined in this article. It creates an IAM role in step 1, figure 2 with the following json document.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:CreateBucket",
        "s3:DeleteBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<YOUR-BUCKET-NAME>/*", #Insert desired value
        "arn:aws:s3:::<YOUR-BUCKET-NAME>" #Insert desired value
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:ListAllMyBuckets",
        "cloudwatch:PutMetricData",
        "elasticloadbalancing:RegisterTargets",
        "elasticloadbalancing:DeregisterTargets",
        "elasticloadbalancing:DescribeTargetHealth",
        "ec2:CreateNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
I have created a resource in my terraform for this role as follows.

```hcl
resource "aws_iam_role" "foo_lambda_role" {
  assume_role_policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents"
        ],
        "Resource": "arn:aws:logs:*:*:*",
        "Effect": "Allow"
      },
      {
        "Action": [
          "s3:PutObject",
          "s3:GetObject",
          "s3:DeleteObject",
          "s3:CreateBucket",
          "s3:DeleteBucket"
        ],
        "Resource": [
          "arn:aws:s3:::${local.s3_bucket_name}/*",
          "arn:aws:s3:::${local.s3_bucket_name}"
        ],
        "Effect": "Allow"
      },
      {
        "Action": [
          "s3:ListAllMyBuckets",
          "cloudwatch:PutMetricData",
          "elasticloadbalancing:RegisterTargets",
          "elasticloadbalancing:DeregisterTargets",
          "elasticloadbalancing:DescribeTargetHealth",
          "ec2:CreateNetworkInterface",
          "ec2:DescribeNetworkInterfaces",
          "ec2:DeleteNetworkInterface"
        ],
        "Resource": "*",
        "Effect": "Allow"
      }
    ]
  })
}
```
I am using terraform version 1.2.3, and my aws provider version is set as follows: `version = ">=3.0"`. When I attempt to run the terraform, I get the following error.

```text
│ Error: creating IAM Role (terraform-20230428175131958400000001): MalformedPolicyDocument: Has prohibited field Resource
│ status code: 400, request id: 3f20a1d8-0ee9-43c2-9b2b-b98939194ad2
│
│ with aws_iam_role.foo_lambda_role,
│ on iam.tf line 1, in resource "aws_iam_role" "foo_lambda_role":
│ 1: resource "aws_iam_role" "foo_lambda_role" {
```
Based on examples, I think I need to split this up somewhat, but I'm not sure how given that the article presents the role as a single json document.
What is the proper way to create this role in terraform?
You don't need to split up the policy. You are just assigning the policy to the wrong attribute on the role.
You're setting the entire role's permissions policy in the role's `assume_role_policy` attribute. The Assume Role Policy is just a policy that specifies who or what can assume the role. For your purposes the Assume Role Policy should be:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
The actual policy needs to be added to the role either as an inline policy block, or as a separate role policy resource.
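The split the answer describes, written out as a complete Terraform example (added here, not code from the answer, the question, or the article): the `aws_iam_role` carries only the trust policy, and the permissions document from the question is attached with a separate `aws_iam_role_policy` resource. The `local.s3_bucket_name` value is a constructed placeholder standing in for the question's own local; the resource and policy names are assumptions.

```hcl
locals {
  # Constructed placeholder; the question references local.s3_bucket_name.
  s3_bucket_name = "your-bucket-name"
}

# Trust policy: states WHO may assume the role. Only "Principal" and
# "Action": "sts:AssumeRole" belong here; a "Resource" element is what
# triggers "MalformedPolicyDocument: Has prohibited field Resource".
resource "aws_iam_role" "foo_lambda_role" {
  name = "foo_lambda_role" # assumed name

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = { Service = "lambda.amazonaws.com" }
        Action    = "sts:AssumeRole"
      }
    ]
  })
}

# Permissions policy: states WHAT the role may do. This is the document
# from the question, attached as an inline policy on the role.
resource "aws_iam_role_policy" "foo_lambda_permissions" {
  name = "foo_lambda_permissions" # assumed name
  role = aws_iam_role.foo_lambda_role.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
        Resource = "arn:aws:logs:*:*:*"
      },
      {
        Effect = "Allow"
        Action = [
          "s3:PutObject",
          "s3:GetObject",
          "s3:DeleteObject",
          "s3:CreateBucket",
          "s3:DeleteBucket",
        ]
        Resource = [
          "arn:aws:s3:::${local.s3_bucket_name}/*",
          "arn:aws:s3:::${local.s3_bucket_name}",
        ]
      },
      {
        Effect = "Allow"
        Action = [
          "s3:ListAllMyBuckets",
          "cloudwatch:PutMetricData",
          "elasticloadbalancing:RegisterTargets",
          "elasticloadbalancing:DeregisterTargets",
          "elasticloadbalancing:DescribeTargetHealth",
          "ec2:CreateNetworkInterface",
          "ec2:DescribeNetworkInterfaces",
          "ec2:DeleteNetworkInterface",
        ]
        Resource = "*"
      },
    ]
  })
}
```

`terraform validate` does not catch the original mistake, because the misplaced document is still valid JSON; the check happens only when IAM receives the `CreateRole` call, which is why the error surfaces at apply time. The third statement is copied from the question's document unchanged. Its `Resource` of `"*"` is as broad as it looks; the ELB and EC2 actions in it support resource-level ARNs for target groups, subnets and security groups, so once the deployment's actual resources are known they can usually be narrowed rather than left account-wide.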