Terraform: Attaching AWS Managed Policies to Roles

• Introduction
• Step-by-Step Guide
• Code Example
• Additional Notes
• Summary
• Conclusion
• References

This guide explains how to attach an AWS managed policy to an existing IAM role using Terraform. We'll cover finding the correct policy ARN, using the aws_iam_role_policy_attachment resource, and provide a complete example to get you started. We'll also highlight important considerations to keep in mind when managing IAM policies with Terraform.

To attach an AWS managed policy to an IAM role using Terraform, you'll use the aws_iam_role_policy_attachment resource.

1. Define the IAM role. If you don't already have one, you'll need to define the IAM role to which you want to attach the managed policy. You can do this using the aws_iam_role resource.

2. Find the ARN of the managed policy. The ARN for an AWS managed policy follows a specific structure: arn:aws:iam::aws:policy/ followed by the policy name. For example, the ARN for the AmazonS3FullAccess policy is arn:aws:iam::aws:policy/AmazonS3FullAccess.

3. Use the aws_iam_role_policy_attachment resource. Provide the ARN of the managed policy and the name of the IAM role to which you want to attach it.

Example:

resource "aws_iam_role" "example" {
  name = "example-role"
  assume_role_policy = json_encode({
    Version = "2012-10-17",
    Statement = [
      {
        Action = "sts:AssumeRole",
        Principal = {
          Service = "ec2.amazonaws.com"
        },
        Effect = "Allow",
        Sid    = ""
      },
    ],
  })
}

resource "aws_iam_role_policy_attachment" "example" {
  role       = aws_iam_role.example.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}

Important Notes:

• Conflicts: Avoid using aws_iam_role_policy_attachment and aws_iam_policy_attachment for the same role, as this will lead to conflicts.
• Dependencies: Terraform manages dependencies automatically. Ensure your IAM role is created before attaching policies.
• Permanent Differences: If you manually attach policies outside of Terraform, it will show a permanent difference. It's best practice to manage all infrastructure with Terraform for consistency.

This Terraform code defines an AWS IAM role and attaches an AWS managed policy to it. The role is configured to allow EC2 instances to assume it. The code then attaches the specified managed policy, granting the role the permissions defined in that policy. To use this code, replace the example values with your desired role name and policy ARN, then run Terraform to create the resources.

The provided code example is already a valid and functional Terraform configuration for attaching an AWS managed policy to an IAM role.

Here's a breakdown of the code:

1. Defining the IAM Role:

resource "aws_iam_role" "example" {
  name = "example-role"
  assume_role_policy = json_encode({
    Version = "2012-10-17",
    Statement = [
      {
        Action = "sts:AssumeRole",
        Principal = {
          Service = "ec2.amazonaws.com"
        },
        Effect = "Allow",
        Sid    = ""
      },
    ],
  })
}

• This code block defines an IAM role named "example-role".
• The assume_role_policy defines which entities (services, users) are allowed to assume this role. In this case, it allows EC2 instances to assume the role.

2. Attaching the Managed Policy:

resource "aws_iam_role_policy_attachment" "example" {
  role       = aws_iam_role.example.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}

• This code block uses the aws_iam_role_policy_attachment resource to attach the "AmazonS3FullAccess" managed policy to the "example-role".
• role specifies the name of the IAM role.
• policy_arn specifies the ARN of the managed policy to attach.

How to Use This Code:

1. Save the code: Save the code as a .tf file (e.g., iam-role-policy.tf).
2. Initialize Terraform: Run terraform init in the directory where you saved the file.
3. Apply the configuration: Run terraform apply. Terraform will create the IAM role and attach the specified managed policy.

Remember:

• Replace "example-role" and "arn:aws:iam::aws:policy/AmazonS3FullAccess" with your desired role name and managed policy ARN, respectively.
• Ensure you have the necessary AWS credentials configured for Terraform to interact with your AWS account.

Best Practices and Considerations:

• Principle of Least Privilege: When attaching managed policies, always adhere to the principle of least privilege. Only grant the permissions absolutely necessary for the role to function.
• Policy Boundaries: For more granular control, consider using AWS managed policies as a starting point and further refining permissions with inline policies defined within your Terraform code.
• Policy Updates: Be aware that AWS can update managed policies. While this is generally beneficial for security and feature updates, it's crucial to test your infrastructure after such changes to ensure your applications remain functional.
• Versioning and Rollbacks: Terraform's state management helps track changes to your infrastructure, including IAM policies. Leverage this for versioning and potential rollbacks if needed.
• Documentation: Clearly document the purpose of each IAM role and the policies attached to it. This makes your infrastructure easier to understand and maintain.

Alternatives and Advanced Usage:

• aws_iam_policy and aws_iam_policy_attachment: For custom policies, define them using aws_iam_policy and attach them to roles using aws_iam_policy_attachment.
• Modules: For reusable IAM configurations, consider creating Terraform modules to define roles and policy attachments.
• Data Sources: Use data sources like aws_iam_policy to fetch information about existing policies, including ARNs.

Troubleshooting:

• Policy Conflicts: If you encounter conflicts, review the permissions granted by each policy attached to the role. Ensure there are no contradictory statements.
• Terraform Errors: Carefully examine Terraform error messages for clues about misconfigurations or missing dependencies.
• AWS Documentation: Refer to the official AWS documentation for detailed information about IAM roles, policies, and the Terraform resources used to manage them.

This article explains how to attach an AWS managed policy to an existing IAM role using Terraform.

Key Points:

• Resource: Use the aws_iam_role_policy_attachment resource.
• Prerequisites:
  • An existing IAM role (defined with aws_iam_role).
  • The ARN of the desired managed policy (format: arn:aws:iam::aws:policy/PolicyName).
• Configuration: Provide the role (name of your IAM role) and policy_arn to the aws_iam_role_policy_attachment resource.
• Best Practices:
  • Avoid mixing aws_iam_role_policy_attachment and aws_iam_policy_attachment for the same role.
  • Manage all infrastructure with Terraform to prevent inconsistencies and "permanent differences."

Example: The provided code snippet demonstrates creating an IAM role and attaching the "AmazonS3FullAccess" managed policy to it.

By following these steps and considering the best practices outlined, you can effectively manage the attachment of AWS managed policies to IAM roles using Terraform. This approach ensures that your infrastructure is clearly defined, version-controlled, and adheres to security best practices, ultimately contributing to a more robust and maintainable AWS environment. Remember to consult the AWS documentation and Terraform resources for the most up-to-date information and options available.

• Attach Amazon managed policy to our existing policy : r/Terraform | Posted by u/Oxffff0000 - 7 votes and 17 comments
• Attaching AWS Managed Policy to a Custom Role via Terraform ... | Jan 25, 2021 ... The ARN for an AWS managed policy is going to be arn:aws:iam::aws:policy/ followed by the policy name. There's really no need to look it up ...
• aws_iam_policy_attachment | Resources | hashicorp/aws | Terraform | ... role's managed policy attachments and Terraform will show a permanent difference. NOTE: To ensure Terraform correctly manages dependencies during updates ...
• Terraform gets confused by multiple policy attachments for same ... | We're trying to modularize some code setting policies for a number of roles across multiple environments. In some environments the policies are the same for multiple roles. Terraform will quite hap...
• aws_iam_role_policy_attachment | hashicorp/aws | Terraform | Attaches a Managed IAM Policy to an IAM role. NOTE: The usage of this resource conflicts with the aws_iam_policy_attachment resource and will permanently show ...
• aws_iam_policy_attachment error when attaching amazon ... | For the following config: resource "aws_iam_role" "emr" { name = "matching-spark-emr-${var.env}" assume_role_policy = "${file("${path.module}/iam-policy-emr-trust-relationship.tpl")}" } # the gener...
• Terraform attaching existing managed policy to a new role · GitHub | Terraform attaching existing managed policy to a new role - terraform_attach_manged_role.tf
• How to Create AWS IAM Role with Terraform [Step-by-Step] | In this step-by-step tutorial, you'll learn how to create an AWS IAM Role using Terraform with AWS Terraform provider. See an example.
• Defining Lambda function permissions with an execution role - AWS ... | In order for Lambda to properly assume your execution role, the role's trust policy ... Select the AWS managed policies that you want to attach to your role. For ...