
I am trying to adapt an existing TF file so that an IAM role can now have 2 roles/rights: AmazonSageMakerFullAccess + AmazonEC2FullAccess. I have 2 files terraform.tfvars and iam.tf. The former contains:

iam_policy_arn = [
    "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess", 
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess"
]

and the latter:

data "aws_iam_policy_document" "sm_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["sagemaker.amazonaws.com"]
    }
  } 
}

# so that sagemaker can push docker image(s) to ECR
# https://stackoverflow.com/questions/45486041/how-to-attach-multiple-iam-policies-to-iam-roles-using-terraform
# Define policy ARNs as list
variable "iam_policy_arn" {
  description = "IAM Policy to be attached to role"
  type = list(string)
}

# Then parse through the list using count
resource "aws_iam_role_policy_attachment" "role-policy-attachment" {
  role       = "${var.iam_role_name}"
  count      = "${length(var.iam_policy_arn)}"
  policy_arn = "${var.iam_policy_arn[count.index]}"
}

My GitHub Action now produces:

│   on iam.tf line 19:
│   19: variable "iam_policy_arn" {
│
│ The root module input variable "iam_policy_arn" is not set, and has no
│ default value. Use a -var or -var-file command line argument to provide a
│ value for this variable.
╵
Enter a value:
Error: Process completed with exit code 1.

Any idea? Thanks!

2 Answers


Did you specify the tfvars file? If yes, check for typos.

If your file name is correct, apply the following:

terraform apply -var-file="terraform.tfvars"

The issue was that .gitignore prevents .tfvars files from being pushed, so GitHub Actions would not get the file. I adapted the original code as well (bear with me, TF newbie!):

data "aws_iam_policy_document" "sm_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["sagemaker.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "notebook_iam_role" {
  name               = "blablabla"
  assume_role_policy = data.aws_iam_policy_document.sm_assume_role_policy.json
}

# so that sagemaker can push docker image(s) to ECR as well
# https://stackoverflow.com/questions/45486041/how-to-attach-multiple-iam-policies-to-iam-roles-using-terraform
# Define policy ARNs as list
variable "iam_policy_arn" {
  description = "IAM Policy to be attached to role"
  type        = list(string)
}

# Then parse through the list using count
resource "aws_iam_role_policy_attachment" "sm_full_access_attach" {
  # Reference the role resource instead of repeating the name as a string:
  # this gives Terraform the dependency it needs to create the role first.
  role       = aws_iam_role.notebook_iam_role.name
  count      = length(var.iam_policy_arn)
  policy_arn = var.iam_policy_arn[count.index]
}
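The same role and attachments written so that a CI run without terraform.tfvars no longer fails, as an added example that is not code from the question or the answers. The role name and the default ARN list are assumptions; the tfvars file (or a -var / TF_VAR_iam_policy_arn value) still overrides the default when present, and for_each replaces count so that editing one ARN does not re-index every attachment.

```hcl
# Trust policy: only the SageMaker service may assume this role (as in the question).
data "aws_iam_policy_document" "sm_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["sagemaker.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "notebook_iam_role" {
  name               = "example-sagemaker-notebook-role" # placeholder name (assumption)
  assume_role_policy = data.aws_iam_policy_document.sm_assume_role_policy.json
}

# A default keeps `terraform plan`/`apply` non-interactive in CI when the
# git-ignored terraform.tfvars is absent. A checked-in tfvars, -var-file, or the
# environment variable TF_VAR_iam_policy_arn='["arn:..."]' overrides it.
# The AWS-managed *FullAccess policies are broad; scope them down once the
# notebook's real needs are known.
variable "iam_policy_arn" {
  description = "Managed policy ARNs to attach to the notebook role"
  type        = list(string)
  default = [
    "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess",
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess",
  ]
}

# for_each keyed by ARN: adding or removing one ARN changes only that
# attachment, whereas count re-indexes the list and can detach/re-attach the
# policies that follow the edited entry.
resource "aws_iam_role_policy_attachment" "notebook" {
  for_each   = toset(var.iam_policy_arn)
  role       = aws_iam_role.notebook_iam_role.name # resource reference, so the role is created first
  policy_arn = each.value
}
```

Run `terraform validate` locally with and without terraform.tfvars present to confirm the plan no longer prompts for a value.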