DEVHIDE
Login Or Sign up

Difference between aws_iam_policy and aws_iam_role_policy

11.5k Views Asked by At

I have a aws_iam_role which I want to add a policy to. Typically, I would create a policy with aws_iam_role and attach it to the role with aws_iam_role_policy_attachment.

However, I've seen some documentation which uses aws_iam_role_policy which, to my eyes, appears to do the same thing.

Am I correct or is there a subtle difference which I'm missing?

amazon-web-services amazon-iam terraform-provider-aws terraform0.14.7
Original Q&A
1

There are 1 best solutions below

0
On BEST ANSWER

The difference is Managed policies and inline policies

When you create an aws_iam_policy, that is a managed policy and can be re-used.

enter image description here

When you create a aws_iam_role_policy that's an inline policy

enter image description here

For a given role, aws_iam_role_policy resource is incompatible with using the aws_iam_role resource inline_policy argument. When using that argument and this resource, both will attempt to manage the role's inline policies and Terraform will show a permanent difference.

Code to reproduce the above state

resource "aws_iam_role_policy" "test_policy" {
  name = "test_policy"
  role = aws_iam_role.test_role.id

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:Describe*",
        ]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}

resource "aws_iam_role" "test_role" {
  name = "test_role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })
}
resource "aws_iam_role" "role" {
  name = "test-role1"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_policy" "policy" {
  name        = "test-policy"
  description = "A test policy"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}
resource "aws_iam_role_policy_attachment" "test-attach" {
  role       = aws_iam_role.role.name
  policy_arn = aws_iam_policy.policy.arn
}

Related Questions in AMAZON-WEB-SERVICES

Related Questions in AMAZON-IAM

Related Questions in TERRAFORM-PROVIDER-AWS

Related Questions in TERRAFORM0.14.7

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.