Separate the AWS IAM policy and reference and attach it in a different folder via Terraform


I have the sample code below, which creates an IAM role, a policy document, a policy from that document, and then the attachment of that policy to the role.

resource "aws_iam_role" "aws_snsANDsqsTeam" {
  name               = "aws_snsANDsqsTeam"
  assume_role_policy = data.aws_iam_policy_document.production-okta-trust-relationship.json
}

data "aws_iam_policy_document" "sns-and-sqs-policy" {
  statement {
    sid    = "AllowToPublishToSns"
    effect = "Allow"
    actions = [
      "sns:Publish",
    ]
    resources = [
      data.resource.arn,
    ]
  }
  statement {
    sid    = "AllowToSubscribeFromSqs"
    effect = "Allow"
    actions = [
      "sqs:changeMessageVisibility*",
      "sqs:SendMessage",
      "sqs:ReceiveMessage",
      "sqs:GetQueue*",
      "sqs:DeleteMessage",
    ]
    resources = [
      data.resource.arn,
    ]
  }
}

resource "aws_iam_policy" "sns-and-sqs" {
  name   = "sns-and-sqs-policy"
  policy = data.aws_iam_policy_document.sns-and-sqs-policy.json
}

resource "aws_iam_role_policy_attachment" "sns-and-sqs-role" {
  # Reference the role resource instead of repeating its name as a string, so
  # Terraform knows the role must exist before the attachment is created.
  role       = aws_iam_role.aws_snsANDsqsTeam.name
  policy_arn = aws_iam_policy.sns-and-sqs.arn
}

Now, below is the directory tree that I am trying to get: [image: directory tree]

Now I want the policy document and policy code moved to the developer.tf file under the shared/iam folder, so it will look like this:

data "aws_iam_policy_document" "sns-and-sqs-policy" {
  statement {
    sid    = "AllowToPublishToSns"
    effect = "Allow"
    actions = [
      "sns:Publish",
    ]
    resources = [
      data.resource.arn,
    ]
  }
  statement {
    sid    = "AllowToSubscribeFromSqs"
    effect = "Allow"
    actions = [
      "sqs:changeMessageVisibility*",
      "sqs:SendMessage",
      "sqs:ReceiveMessage",
      "sqs:GetQueue*",
      "sqs:DeleteMessage",
    ]
    resources = [
      data.resource.arn,
    ]
  }
}

resource "aws_iam_policy" "sns-and-sqs" {
  name   = "sns-and-sqs-policy"
  policy = data.aws_iam_policy_document.sns-and-sqs-policy.json
}

and have the role creation and policy attachment code in the main.tf file under the iam-platform-security folder, so the code will look like this:

resource "aws_iam_role" "aws_snsANDsqsTeam" {
  name               = "aws_snsANDsqsTeam"
  assume_role_policy = data.aws_iam_policy_document.production-okta-trust-relationship.json
}

resource "aws_iam_role_policy_attachment" "sns-and-sqs-role" {
  # Reference the role resource instead of repeating its name as a string, so
  # Terraform knows the role must exist before the attachment is created.
  role       = aws_iam_role.aws_snsANDsqsTeam.name
  policy_arn = aws_iam_policy.sns-and-sqs.arn
}

My question is: how can I reference a policy that is under the shared/iam folder and attach it to a role I created in the main.tf file under the iam-platform-security folder? The goal is to create policies separately in the shared/iam folder and roles under team/sub-team folders (like iam-platform-security, iam-platform-architecture, iam-platform-debug, etc.) and then create the attachments, so the policies remain separate and standalone. Can somebody help me with this?

How can I reference the policy document from a main.tf file in a different directory?

1 answer

Answer by Marcin (score 5):

You have to use modules so that you can separate your parent TF code from other code, such as your IAM related code in a different folder.
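The following is an added example of the module layout the answer describes; it is not Marcin's code or the asker's, and it assumes names that are not in the post: the module inputs `name_prefix`, `sns_topic_arn` and `sqs_queue_arn`, the output `sns_and_sqs_policy_arn`, and the two sample ARNs in the team folder. It also splits the single `data.resource.arn` placeholder of the question into one topic ARN and one queue ARN, and spells out the SQS actions instead of the `sqs:changeMessageVisibility*` and `sqs:GetQueue*` wildcards. The trust-policy document `production-okta-trust-relationship` is the one referenced in the question and is assumed to be defined elsewhere in the team folder.

```hcl
# --- shared/iam/developer.tf -------------------------------------------------
# The shared folder becomes a child module: it declares the inputs it needs,
# builds the policy, and exports the policy ARN as an output. Nothing here
# refers to a role, so the policy stays standalone.

variable "name_prefix" {
  description = "Prefix that makes the policy name unique per team (assumed input)"
  type        = string
}

variable "sns_topic_arn" {
  description = "ARN of the SNS topic the role may publish to (assumed input)"
  type        = string
}

variable "sqs_queue_arn" {
  description = "ARN of the SQS queue the role may consume from (assumed input)"
  type        = string
}

data "aws_iam_policy_document" "sns-and-sqs-policy" {
  statement {
    sid       = "AllowToPublishToSns"
    effect    = "Allow"
    actions   = ["sns:Publish"]
    resources = [var.sns_topic_arn]
  }
  statement {
    sid    = "AllowToSubscribeFromSqs"
    effect = "Allow"
    # Explicit actions instead of sqs:changeMessageVisibility* / sqs:GetQueue*
    # so the grant is readable and does not silently widen with new API calls.
    actions = [
      "sqs:ChangeMessageVisibility",
      "sqs:ChangeMessageVisibilityBatch",
      "sqs:SendMessage",
      "sqs:ReceiveMessage",
      "sqs:GetQueueAttributes",
      "sqs:GetQueueUrl",
      "sqs:DeleteMessage",
    ]
    resources = [var.sqs_queue_arn]
  }
}

resource "aws_iam_policy" "sns-and-sqs" {
  # IAM policy names are unique per account, so prefix them when more than one
  # team folder instantiates this module.
  name   = "${var.name_prefix}-sns-and-sqs-policy"
  policy = data.aws_iam_policy_document.sns-and-sqs-policy.json
}

output "sns_and_sqs_policy_arn" {
  description = "ARN of the managed policy, consumed by the team folders"
  value       = aws_iam_policy.sns-and-sqs.arn
}

# --- iam-platform-security/main.tf ------------------------------------------
# The team folder is a root module. It instantiates shared/iam by relative
# path and wires the exported ARN into the attachment; Terraform orders the
# policy, the role and the attachment from the dependency graph.

module "shared_iam" {
  source        = "../shared/iam"
  name_prefix   = "platform-security"
  sns_topic_arn = "arn:aws:sns:us-east-1:123456789012:platform-events" # assumed
  sqs_queue_arn = "arn:aws:sqs:us-east-1:123456789012:platform-work"   # assumed
}

resource "aws_iam_role" "aws_snsANDsqsTeam" {
  name = "aws_snsANDsqsTeam"
  # Trust policy data source from the original question, defined in this folder.
  assume_role_policy = data.aws_iam_policy_document.production-okta-trust-relationship.json
}

resource "aws_iam_role_policy_attachment" "sns-and-sqs-role" {
  role       = aws_iam_role.aws_snsANDsqsTeam.name
  policy_arn = module.shared_iam.sns_and_sqs_policy_arn
}

# Alternative when shared/iam is applied as its own root module with its own
# state: do not instantiate it, and look the already-created policy up by name.
# The shared folder must then be applied before any team folder.
#
# data "aws_iam_policy" "sns_and_sqs" {
#   name = "sns-and-sqs-policy"
# }
#
# resource "aws_iam_role_policy_attachment" "sns-and-sqs-role" {
#   role       = aws_iam_role.aws_snsANDsqsTeam.name
#   policy_arn = data.aws_iam_policy.sns_and_sqs.arn
# }
```

Terraform only loads the `.tf` files in the directory it is run from, so a file under `shared/iam` is invisible to a plan run in `iam-platform-security` until it is pulled in with a `module` block as above. The trade-off to be aware of is state ownership: with the module approach every team folder that calls the module creates and owns its own copy of the policy (hence the `name_prefix`), whereas with the commented `aws_iam_policy` data source there is exactly one policy, owned by the `shared/iam` state, and the team folders only attach it. The second form matches the goal of keeping policies standalone, at the cost of an apply-order dependency between the two root modules.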