
Part of our Terraform deployment is supposed to create a policy and a role, and then attach the one to the other.

Our current tf is:

# The execution role; the trust policy (who may assume it) comes in as a variable.
resource "aws_iam_role" "module_role" {
  name               = var.lambda_role
  assume_role_policy = var.lambda_trust
  tags               = var.tags
}

# A customer-managed policy (it gets its own ARN); the permissions JSON comes in as a variable.
resource "aws_iam_policy" "sample_policy" {
  name        = var.lambda_role
  description = var.lambda_policy_description
  policy      = var.lambda_policy
}

# Attach the managed policy to the role by ARN.
resource "aws_iam_role_policy_attachment" "lambda_attach" {
  role       = aws_iam_role.module_role.name
  policy_arn = aws_iam_policy.sample_policy.arn
}

Obviously the vars are being passed in from another file, and the whole module is called from a parent.

When our pipeline runs, it creates the policy and the role, and completes without errors. However, when I inspect the policy via the AWS console, I discover that the role and policy are not attached. Can anyone see why?

I did note from the docs that this resource (aws_iam_role_policy_attachment) is meant for attaching "a Managed IAM Policy to an IAM role". Our policy is not a managed one. But I cannot find another resource in the Terraform registry for AWS resources that is meant for customer-managed policies.

Thanks much

208_man

  • Your policy is a managed one, so this is not a problem. However, your code depends on lots of variables and content which is simply not shown, so it's difficult to speculate on what's wrong with it. – Marcin Sep 11 '21 at 02:20
  • The code looks correct; are you absolutely sure you are looking at the correct role? – Mark B Sep 11 '21 at 14:38

1 Answer

From what I understand, iam_policies take a string or JSON value in the policy field. Maybe you could try something like this:

resource "aws_iam_policy" "sample_policy" {
  name = "${var.lambda_role}_policy"
  description = var.lambda_policy_description
  policy = var.lambda_policy.json
}
lealvcon
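As an added example (not code from the question or the answer above), here is a self-contained version of the same module that builds both the trust policy and the permissions policy with aws_iam_policy_document data sources instead of passing raw JSON strings in as variables. That is where the `.json` attribute the answer mentions actually comes from: a data source exposes it, a plain string variable does not. The variable defaults, the role name, and the CloudWatch Logs resource ARN pattern are assumptions for illustration; the policy is scoped to the function's own log group as a least-privilege example, not taken from the original post.

```hcl
# Added example, not the original module. Names and defaults are assumptions.

variable "lambda_role" {
  type    = string
  default = "sample-lambda-role" # assumed name for illustration
}

variable "tags" {
  type    = map(string)
  default = { owner = "platform" } # assumed tags for illustration
}

# Trust policy: only the Lambda service may assume this role.
data "aws_iam_policy_document" "lambda_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

# Permissions policy: least privilege, limited to the function's own log group.
data "aws_iam_policy_document" "lambda_permissions" {
  statement {
    sid       = "WriteOwnLogs"
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["arn:aws:logs:*:*:log-group:/aws/lambda/${var.lambda_role}:*"]
  }
}

resource "aws_iam_role" "module_role" {
  name               = var.lambda_role
  assume_role_policy = data.aws_iam_policy_document.lambda_trust.json
  tags               = var.tags
}

# A customer-managed policy is still a "managed" policy: it has its own ARN,
# which is exactly what aws_iam_role_policy_attachment expects.
resource "aws_iam_policy" "sample_policy" {
  # Suffix the name so the role and the policy are not both called
  # var.lambda_role, which makes them easy to mix up in the console.
  name        = "${var.lambda_role}-policy"
  description = "Permissions for ${var.lambda_role}"
  policy      = data.aws_iam_policy_document.lambda_permissions.json
}

resource "aws_iam_role_policy_attachment" "lambda_attach" {
  role       = aws_iam_role.module_role.name
  policy_arn = aws_iam_policy.sample_policy.arn
}

# Surface the ARN so the attachment can be checked outside Terraform.
output "attached_policy_arn" {
  value = aws_iam_policy.sample_policy.arn
}
```

To confirm the attachment actually exists rather than relying on the console view, check Terraform's own record with `terraform state show aws_iam_role_policy_attachment.lambda_attach` and then ask IAM directly with `aws iam list-attached-role-policies --role-name sample-lambda-role`; the ARN in the output should match the `attached_policy_arn` output. If the two disagree, the pipeline is applying against a different account or state than the one you are inspecting. Note also that the other resource type, aws_iam_role_policy, creates an inline policy embedded in the role and has no ARN, so it is the one to use only if you want an inline policy rather than a customer-managed one.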