Terraform: Attach Multiple IAM Policies to Roles

• Introduction
• Step-by-Step Guide
• Code Example
• Additional Notes
• Summary
• Conclusion
• References

In AWS, you can streamline the process of granting permissions to IAM roles by attaching multiple IAM policies. This guide demonstrates how to efficiently attach multiple IAM policies to a single IAM role using Terraform's aws_iam_role_policy_attachment resource in conjunction with a for_each loop. This approach simplifies policy management and ensures your IAM roles have the necessary permissions.

To attach multiple IAM policies to a single IAM role in Terraform, you can use the aws_iam_role_policy_attachment resource within a for_each loop.

First, define a variable or a local to hold the ARNs of the policies you want to attach:

variable "policy_arns" {
  type = list(string)
  default = [
    "arn:aws:iam::aws:policy/AmazonS3FullAccess",
    "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
  ]
}

Then, use a for_each loop to iterate over the policy_arns list and create an aws_iam_role_policy_attachment resource for each ARN:

resource "aws_iam_role_policy_attachment" "policy_attachments" {
  for_each = { for policy_arn in var.policy_arns : key = policy_arn }

  role       = aws_iam_role.example.name
  policy_arn = each.key
}

Make sure to replace "aws_iam_role.example.name" with the actual name of your IAM role resource.

This approach ensures that each policy in the policy_arns list is attached to the specified IAM role. Remember that each aws_iam_role_policy_attachment resource requires a unique name, which is achieved here by using the policy_arn as the key within the for_each loop.

The Terraform code defines an IAM role named "example_role" that can be assumed by EC2 instances. It then attaches two AWS managed policies, "AmazonS3FullAccess" and "AmazonEC2FullAccess", to this role, granting it full access to Amazon S3 and Amazon EC2 services respectively.

# Define the IAM role
resource "aws_iam_role" "example" {
  name = "example_role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Action = "sts:AssumeRole",
        Principal = {
          Service = "ec2.amazonaws.com"
        },
        Effect = "Allow",
        Sid    = ""
      }
    ]
  })
}

# Define the list of policy ARNs to attach
variable "policy_arns" {
  type = list(string)
  default = [
    "arn:aws:iam::aws:policy/AmazonS3FullAccess",
    "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
  ]
}

# Attach each policy to the IAM role
resource "aws_iam_role_policy_attachment" "policy_attachments" {
  for_each = { for policy_arn in var.policy_arns : key = policy_arn }

  role       = aws_iam_role.example.name
  policy_arn = each.key
}

Explanation:

1. Define the IAM Role:

   • The code first defines an IAM role named "example_role" using the aws_iam_role resource.
   • The assume_role_policy specifies that EC2 instances can assume this role.

2. Define Policy ARNs:

   • The policy_arns variable holds a list of Amazon Resource Names (ARNs) for the policies you want to attach. In this example, it includes ARNs for "AmazonS3FullAccess" and "AmazonEC2FullAccess".

3. Attach Policies using for_each:

   • The aws_iam_role_policy_attachment resource is used to attach policies to the role.
   • The for_each loop iterates over the policy_arns list.
   • For each policy_arn in the list:
     • It creates an aws_iam_role_policy_attachment resource.
     • The role argument specifies the target IAM role ("example_role").
     • The policy_arn argument is set to the current policy_arn from the loop.
     • The key within the for_each ensures each attachment resource has a unique name.

This code effectively attaches the specified policies ("AmazonS3FullAccess" and "AmazonEC2FullAccess") to the "example_role" IAM role.

Best Practices:

• Modularity: For larger projects, consider defining your IAM policies and role attachments in separate modules for better organization and reusability.
• Managed Policies: Prefer using AWS managed policies whenever possible. They are pre-defined, well-maintained, and reduce the complexity of managing custom policies.
• Principle of Least Privilege: Grant only the necessary permissions to your IAM roles. Avoid attaching overly permissive policies like AmazonS3FullAccess or AmazonEC2FullAccess unless absolutely required. Instead, use more granular policies or create custom policies tailored to your specific needs.
• Policy Simulation: Before deploying, use the IAM policy simulator to test and verify that your IAM roles have the intended permissions and access.

Alternative Approaches:

• Inline Policies: Instead of attaching existing policies, you can define inline policies directly within the aws_iam_role resource. This approach is suitable for simple, role-specific permissions.
• Data Source for Policy ARNs: If you need to fetch policy ARNs dynamically, you can use the aws_iam_policy data source to retrieve them based on policy names or other criteria.

Troubleshooting:

• Unique Names: Ensure that each aws_iam_role_policy_attachment resource has a unique name, especially when using for_each loops. Duplicate names will cause Terraform errors.
• Policy Conflicts: Be aware of potential policy conflicts when attaching multiple policies. If multiple policies grant different permissions for the same resource or action, the most restrictive policy will generally apply.

Security Considerations:

• Policy Reviews: Regularly review the attached policies to ensure they are still necessary and aligned with your security requirements.
• Rotation: Implement a process for rotating IAM credentials and access keys associated with your IAM roles to enhance security.

By following these notes and best practices, you can effectively manage IAM policies and ensure the security of your AWS resources.

This article explains how to attach multiple IAM policies to a single IAM role using Terraform.

Key Points:

• aws_iam_role_policy_attachment resource: This resource is used to attach policies to roles.
• for_each loop: This loop iterates through a list of policy ARNs and creates a separate aws_iam_role_policy_attachment resource for each one.
• Variable/Local for Policy ARNs: A variable or local is used to store the list of policy ARNs to be attached.
• Unique Resource Names: The policy_arn is used as the key within the for_each loop to ensure each aws_iam_role_policy_attachment resource has a unique name.

Example:

The article provides a code snippet demonstrating how to define a variable for policy ARNs and use a for_each loop to attach them to an IAM role.

Benefits:

This approach simplifies the process of attaching multiple policies to a role, making your Terraform code more concise and maintainable.

This guide detailed how to attach multiple IAM policies to an IAM role using Terraform, simplifying permissions management for your AWS resources. By leveraging the aws_iam_role_policy_attachment resource within a for_each loop, you can efficiently attach a list of predefined IAM policies to a role. Remember to adhere to best practices such as modularizing your code, using managed policies when possible, adhering to the principle of least privilege, and simulating policies before deployment. By following these recommendations, you can ensure a secure and streamlined approach to managing IAM policies in your Terraform projects.

• Attaching multiple IAM policies to a role. I know I'm doing it wrong. : r ... | Posted by u/devodato - 1 vote and 6 comments
• Terraform gets confused by multiple policy attachments for same ... | We're trying to modularize some code setting policies for a number of roles across multiple environments. In some environments the policies are the same for multiple roles. Terraform will quite hap...
• Is there any way to attach multiple policies to a role with Pulumi ... | Is there any way to attach multiple policies to a role with AWS IAM Role Policy Attachment It seems that adding multiple role policy attachments to a single role is overwriting the previous attachment
• How to attach multiple policies to a role - Terraform - HashiCorp ... | Hello, the seemingly simple situation that I can’t overcome. Given : a. number of policies managed by terra in this same module b. a few AWS-managed policies. Objective: add all these policies to a role. Outcome: Error: Invalid for_each argument │ │ on role.tf line 26, in resource "aws_iam_role_policy_attachment" "this": │ 26: for_each = toset( [ aws_iam_policy.ESource_S3_Trove_LADWP.arn, │ 27: aws_iam_policy.esource_s3_int_esource_client_apc.arn, │ 28: ...
• how to attach multiple IAM policies to an IAM role | Jun 8, 2017 ... to Terraform. It might not be the most elegant thing to do, but have you tried using the aws_iam_policy_attachment resource multiple times ...
• Using for_each with resources that haven't been created yet ... | Hi, We are using for_each to create multiple IAM policies/roles. We want to attach these policies to the roles. As the policies haven’t been created yet we don’t know the ARN. How can we attach multiple policies to the roles in the terraform that doesn’t involve us creating the policies first, updating the terraform then running it again? Is it possible to use the output of iam_policy in aws_iam_role_policy_attachment? I realise: policy_arn = each.aws_iam_policy.iam_policy.arn will not work...
• terraform-google-modules/iam/google | Terraform Registry | Permissions. In order to execute a submodule you must have a Service Account with an appropriate role to manage IAM for the applicable resource. The appropriate ...
• AWS JSON policy elements: Principal - AWS Identity and Access ... | Several services support resource-based policies, including IAM. The IAM resource-based policy type is a role trust policy. In IAM roles, use the Principal ...
• Managing IAM Users, Groups, Roles, and Policies with Terraform ... | Secure your cloud with Terraform IAM! Learn to manage Users, Groups, Roles, and Policies effortlessly. 💻🔒 #Terraform #IAM #CloudSecurity