AWS MSK supports IAM-based authentication, but not through resource-based policies like S3. So we are trying to come up with dynamic policy creation and attach the policies to the existing IAM roles of the corresponding applications. Say there are two applications: Application1 with IAM_Role1 is the producer and Application2 with IAM_Role2 is the consumer. Now, the producer policy looks like
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "mskproducer_policy",
      "Effect": "Allow",
      "Action": [
        "kafka-cluster:Connect",
        "kafka-cluster:DescribeTopic",
        "kafka-cluster:WriteData"
      ],
      "Resource": "arn:aws:kafka:${var.region}:${data.aws_caller_identity.current.account_id}:topic/${var.cluster_name}/*/${topic-name}"
    }
  ]
}
Similarly, the consumer policy looks like
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "mskconsumer_policy",
      "Effect": "Allow",
      "Action": [
        "kafka-cluster:Connect",
        "kafka-cluster:DescribeTopic",
        "kafka-cluster:ReadData"
      ],
      "Resource": "arn:aws:kafka:${var.region}:${data.aws_caller_identity.current.account_id}:topic/${var.cluster_name}/*/${topic-name}"
    }
  ]
}
Now I'm planning a map as the input variable, which looks like
variable "topic_permissions" {
  type = list(any)
  default = [
    {
      "app_iamrole" = "iam-role-1"
      "producer"    = ["topic3"]
      "consumer"    = ["topic4"]
    },
    {
      "app_iamrole" = "iam-role-2"
      "producer"    = ["topic5"]
      "consumer"    = ["topic6"]
    }
  ]
}
Option 1: Using the Terraform data source "aws_iam_policy_document" with a dynamic "statement" block, I can construct these into the corresponding producer or consumer policy.json, create these policy resources and output their ARNs. So in this case I would get two policy ARNs.
Since these two policies now belong to different IAM roles, how do I attach them back to the corresponding IAM roles? Meaning, how do I map which IAM role gets which policy ARN dynamically?
The resource "aws_iam_role_policy_attachment" expects a policy_arn and the corresponding role arn.
Option 2: As suggested in the comments below, another option is to use an inline policy via the resource "aws_iam_role_policy". But again the same problem arises: I'm not sure how to attach the dynamically formed policies back to the corresponding IAM roles as inline policies.
Option 3: Write a bash or Python script to form the dynamic policies and return the output as JSON, which can then be looped through in the resource "aws_iam_role_policy". I'm using the Terraform data source "external".
After a TF apply, the output JSON results in the following error, though when running the Python module individually and verifying the contents through jsonlint, it says it's perfect JSON:
Error: command "python" produced invalid JSON: json: cannot unmarshal object into Go value of type string
Terraform version being used is 0.13
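As an added example (not the asker's script), a Python program for data "external" that builds one policy document per IAM role from the topic_permissions list and returns them in the shape the external provider requires: a flat JSON object whose values are all strings, because the provider decodes the result as a map of strings and a nested policy object is exactly what produces the "cannot unmarshal object into Go value of type string" error. The region, account_id, cluster_name and topic_permissions query keys, and the data source name msk_policies in the note, are assumptions.

```python
import json
import sys

# Constructed sample matching the topic_permissions default above.
SAMPLE_PERMISSIONS = [
    {"app_iamrole": "iam-role-1", "producer": ["topic3"], "consumer": ["topic4"]},
    {"app_iamrole": "iam-role-2", "producer": ["topic5"], "consumer": ["topic6"]},
]

# Actions per role kind, taken from the producer and consumer policies above.
ACTIONS = {
    "producer": ["kafka-cluster:Connect", "kafka-cluster:DescribeTopic", "kafka-cluster:WriteData"],
    "consumer": ["kafka-cluster:Connect", "kafka-cluster:DescribeTopic", "kafka-cluster:ReadData"],
}

def topic_arn(region, account_id, cluster_name, topic):
    # Cluster UUID segment wildcarded, as in the policies above.
    return f"arn:aws:kafka:{region}:{account_id}:topic/{cluster_name}/*/{topic}"

def build_policies(topic_permissions, region, account_id, cluster_name):
    """Return {iam_role_name: policy_document}, one statement per kind the role has."""
    policies = {}
    for entry in topic_permissions:
        statements = []
        for kind, actions in ACTIONS.items():
            topics = entry.get(kind, [])
            if topics:
                statements.append({
                    "Sid": f"msk{kind}",
                    "Effect": "Allow",
                    "Action": actions,
                    "Resource": [topic_arn(region, account_id, cluster_name, t) for t in topics],
                })
        policies[entry["app_iamrole"]] = {"Version": "2012-10-17", "Statement": statements}
    return policies

def to_external_result(policies):
    """The external provider decodes stdout as map[string]string, so each policy
    document is serialized to a string here; returning the nested object itself
    is what triggers 'cannot unmarshal object into Go value of type string'."""
    return {role: json.dumps(doc) for role, doc in policies.items()}

if __name__ == "__main__":
    # Terraform sends the data source's `query` block as a JSON object of strings on stdin.
    query = json.load(sys.stdin)
    permissions = json.loads(query["topic_permissions"])  # pass jsonencode(var.topic_permissions)
    result = build_policies(permissions, query["region"], query["account_id"], query["cluster_name"])
    json.dump(to_external_result(result), sys.stdout)
```

On the Terraform side, pass region, account_id, cluster_name and jsonencode(var.topic_permissions) in the query block, then use `for_each = data.external.msk_policies.result` in aws_iam_role_policy with `role = each.key` and `policy = each.value`. Keying the result by role name is also what gives the role-to-policy mapping asked about in Options 1 and 2.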