I have a aws_iam_role which I want to add a policy to. Typically, I would create a policy with aws_iam_role and attach it to the role with aws_iam_role_policy_attachment.
However, I've seen some documentation which uses aws_iam_role_policy which, to my eyes, appears to do the same thing.
Am I correct or is there a subtle difference which I'm missing?
The difference is Managed policies and inline policies
When you create an aws_iam_policy, that is a managed policy and can be re-used.
When you create a aws_iam_role_policy that's an inline policy
For a given role, aws_iam_role_policy resource is incompatible with using the
aws_iam_roleresourceinline_policyargument. When using that argument and this resource, both will attempt to manage the role's inline policies and Terraform will show a permanent difference.
Code to reproduce the above state
resource "aws_iam_role_policy" "test_policy" {
name = "test_policy"
role = aws_iam_role.test_role.id
# Terraform's "jsonencode" function converts a
# Terraform expression result to valid JSON syntax.
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"ec2:Describe*",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
resource "aws_iam_role" "test_role" {
name = "test_role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
Sid = ""
Principal = {
Service = "ec2.amazonaws.com"
}
},
]
})
}
resource "aws_iam_role" "role" {
name = "test-role1"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_iam_policy" "policy" {
name = "test-policy"
description = "A test policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:Describe*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "test-attach" {
role = aws_iam_role.role.name
policy_arn = aws_iam_policy.policy.arn
}
