resource/aws_iam_role: Add exclusive list support for a role's inline and managed policies #5904

YakDriver · 2018-09-17T18:37:39Z

Community Note

Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Relates #4426, #17511, #17512
Closes #17510

Release note for CHANGELOG:

`resource/aws_iam_role`: Add `inline_policy` and `managed_policy_arns` arguments to `aws_iam_role` to configure role policies and fix out-of-band changes.

Inline policy example:

resource "aws_iam_role" "example" {
  name               = "yak_role"
  assume_role_policy = data.aws_iam_policy_document.instance_assume_role_policy.json # (not shown)

  inline_policy {
    name = "tf-acc-test"
    policy = data.aws_iam_policy_document.inline_policy.json
  }
}

data "aws_iam_policy_document" "inline_policy" {
  statement {
    actions   = ["ec2:DescribeAccountAttributes"]
    resources = ["*"]
  }
}

Managed policy example:

resource "aws_iam_role" "example" {
  name               = "yak_role"
  assume_role_policy = data.aws_iam_policy_document.instance_assume_role_policy.json # not shown

  managed_policy_arns = [aws_iam_policy.policy_one.arn, aws_iam_policy.policy_two.arn]
}

resource "aws_iam_policy" "policy_one" {
  name        = "managed_policy"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

resource "aws_iam_policy" "policy_two" {
  name        = "managed_policy2"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:HeadBucket"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

Output from acceptance testing (Sep. 17, original acceptance tests - when PR was for a new resource called aws_iam_role_policy_list):

$ make testacc TESTARGS='-run=TestAccAWSRolePolicyList_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./... -v -run=TestAccAWSRolePolicyList_ -timeout 120m
?   	github.com/terraform-providers/terraform-provider-aws	[no test files]
=== RUN   TestAccAWSRolePolicyList_basicInline
--- PASS: TestAccAWSRolePolicyList_basicInline (18.93s)
=== RUN   TestAccAWSRolePolicyList_basicManaged
--- PASS: TestAccAWSRolePolicyList_basicManaged (18.97s)
=== RUN   TestAccAWSRolePolicyList_managedReattached
--- PASS: TestAccAWSRolePolicyList_managedReattached (12.57s)
=== RUN   TestAccAWSRolePolicyList_extraManagedAdded
--- PASS: TestAccAWSRolePolicyList_extraManagedAdded (12.57s)
=== RUN   TestAccAWSRolePolicyList_extraInlineAdded
--- PASS: TestAccAWSRolePolicyList_extraInlineAdded (13.43s)
=== RUN   TestAccAWSRolePolicyList_noInlineListExtraInlineAdded
--- PASS: TestAccAWSRolePolicyList_noInlineListExtraInlineAdded (10.22s)
=== RUN   TestAccAWSRolePolicyList_noManagedListExtraManagedAdded
--- PASS: TestAccAWSRolePolicyList_noManagedListExtraManagedAdded (10.55s)
=== RUN   TestAccAWSRolePolicyList_emptyInlineListExtraInlineAdded
--- PASS: TestAccAWSRolePolicyList_emptyInlineListExtraInlineAdded (12.97s)
=== RUN   TestAccAWSRolePolicyList_emptyManagedListExtraManagedAdded
--- PASS: TestAccAWSRolePolicyList_emptyManagedListExtraManagedAdded (11.04s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	121.290s

Output from acceptance testing of resource/aws_iam_policy:

$ make testacc TESTARGS='-run=TestAccAWSIAMPolicy_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./... -v -run=TestAccAWSIAMPolicy_ -timeout 120m
?   	github.com/terraform-providers/terraform-provider-aws	[no test files]
=== RUN   TestAccAWSIAMPolicy_basic
--- PASS: TestAccAWSIAMPolicy_basic (10.63s)
=== RUN   TestAccAWSIAMPolicy_description
--- PASS: TestAccAWSIAMPolicy_description (6.24s)
=== RUN   TestAccAWSIAMPolicy_namePrefix
--- PASS: TestAccAWSIAMPolicy_namePrefix (6.32s)
=== RUN   TestAccAWSIAMPolicy_path
--- PASS: TestAccAWSIAMPolicy_path (7.97s)
=== RUN   TestAccAWSIAMPolicy_policy
--- PASS: TestAccAWSIAMPolicy_policy (10.75s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	41.971s

YakDriver · 2018-09-19T22:01:34Z

@bflad This PR is complete and ready for review and adjust.

Fixed issues

YakDriver · 2021-02-22T17:21:05Z

After latest changes.

GovCloud:

--- PASS: TestAccAWSIAMRole_badJSON (6.07s)
--- PASS: TestAccAWSIAMRole_disappears (23.19s)
--- PASS: TestAccAWSIAMRole_basic (28.25s)
--- PASS: TestAccAWSIAMRole_policyBasicInlineEmpty (22.97s)
--- PASS: TestAccAWSIAMRole_namePrefix (32.62s)
--- PASS: TestAccAWSIAMRole_force_detach_policies (33.18s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionIgnored_managedNonExistent (45.95s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_managedEmpty (47.99s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandRemovalAddedBack_inlineNonEmpty (49.83s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_inlineEmpty (50.01s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_inlineNonEmpty (51.37s)
--- PASS: TestAccAWSIAMRole_tags (53.34s)
--- PASS: TestAccAWSIAMRole_MaxSessionDuration (54.11s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_managedNonEmpty (55.00s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandRemovalAddedBack_managedNonEmpty (55.53s)
--- PASS: TestAccAWSIAMRole_testNameChange (58.05s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionIgnored_inlineNonExistent (66.74s)
--- PASS: TestAccAWSIAMRole_basicWithDescription (69.48s)
--- PASS: TestAccAWSIAMRole_policyBasicInline (74.86s)
--- PASS: TestAccAWSIAMRole_policyBasicManaged (79.61s)
--- PASS: TestAccAWSIAMRole_PermissionsBoundary (98.49s)

us-west-2:

--- PASS: TestAccAWSIAMRole_badJSON (8.03s)
--- PASS: TestAccAWSIAMRole_disappears (28.85s)
--- PASS: TestAccAWSIAMRole_policyBasicInlineEmpty (30.89s)
--- PASS: TestAccAWSIAMRole_basic (34.11s)
--- PASS: TestAccAWSIAMRole_force_detach_policies (34.76s)
--- PASS: TestAccAWSIAMRole_namePrefix (35.49s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionIgnored_managedNonExistent (46.03s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_inlineEmpty (46.24s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_managedEmpty (46.38s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_inlineNonEmpty (46.65s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandRemovalAddedBack_inlineNonEmpty (46.68s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_managedNonEmpty (47.32s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandRemovalAddedBack_managedNonEmpty (47.36s)
--- PASS: TestAccAWSIAMRole_tags (47.85s)
--- PASS: TestAccAWSIAMRole_testNameChange (50.89s)
--- PASS: TestAccAWSIAMRole_MaxSessionDuration (51.08s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionIgnored_inlineNonExistent (55.51s)
--- PASS: TestAccAWSIAMRole_basicWithDescription (49.64s)
--- PASS: TestAccAWSIAMRole_policyBasicInline (57.87s)
--- PASS: TestAccAWSIAMRole_policyBasicManaged (58.69s)
--- PASS: TestAccAWSIAMRole_PermissionsBoundary (70.73s)

bflad · 2021-02-22T17:26:02Z

Awesome! I will hopefully get 👀 on this later today between other meetings.

bflad

A few minor documentation nits, otherwise, I think this is good to go. 🚀

Output from acceptance testing in AWS Commercial:

--- PASS: TestAccAWSIAMRole_badJSON (9.67s)
--- PASS: TestAccAWSIAMRole_basic (54.29s)
--- PASS: TestAccAWSIAMRole_basicWithDescription (87.86s)
--- PASS: TestAccAWSIAMRole_disappears (43.86s)
--- PASS: TestAccAWSIAMRole_force_detach_policies (57.56s)
--- PASS: TestAccAWSIAMRole_MaxSessionDuration (90.66s)
--- PASS: TestAccAWSIAMRole_namePrefix (56.02s)
--- PASS: TestAccAWSIAMRole_PermissionsBoundary (111.15s)
--- PASS: TestAccAWSIAMRole_policyBasicInline (99.49s)
--- PASS: TestAccAWSIAMRole_policyBasicInlineEmpty (45.87s)
--- PASS: TestAccAWSIAMRole_policyBasicManaged (100.01s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionIgnored_inlineNonExistent (94.01s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionIgnored_managedNonExistent (77.75s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_inlineEmpty (76.56s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_inlineNonEmpty (82.36s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_managedEmpty (79.22s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_managedNonEmpty (84.76s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandRemovalAddedBack_inlineNonEmpty (77.85s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandRemovalAddedBack_managedNonEmpty (84.45s)
--- PASS: TestAccAWSIAMRole_tags (80.21s)
--- PASS: TestAccAWSIAMRole_testNameChange (90.14s)

Output from acceptance testing in AWS GovCloud (US):

--- PASS: TestAccAWSIAMRole_badJSON (5.57s)
--- PASS: TestAccAWSIAMRole_basic (57.30s)
--- PASS: TestAccAWSIAMRole_basicWithDescription (102.41s)
--- PASS: TestAccAWSIAMRole_disappears (50.09s)
--- PASS: TestAccAWSIAMRole_force_detach_policies (67.29s)
--- PASS: TestAccAWSIAMRole_MaxSessionDuration (93.17s)
--- PASS: TestAccAWSIAMRole_namePrefix (60.44s)
--- PASS: TestAccAWSIAMRole_PermissionsBoundary (130.63s)
--- PASS: TestAccAWSIAMRole_policyBasicInline (108.80s)
--- PASS: TestAccAWSIAMRole_policyBasicInlineEmpty (52.58s)
--- PASS: TestAccAWSIAMRole_policyBasicManaged (108.62s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionIgnored_inlineNonExistent (99.44s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionIgnored_managedNonExistent (83.08s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_inlineEmpty (32.71s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_inlineNonEmpty (87.56s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_managedEmpty (82.95s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_managedNonEmpty (89.16s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandRemovalAddedBack_inlineNonEmpty (87.59s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandRemovalAddedBack_managedNonEmpty (89.06s)
--- PASS: TestAccAWSIAMRole_tags (86.97s)
--- PASS: TestAccAWSIAMRole_testNameChange (91.27s)

website/docs/r/iam_policy_attachment.html.markdown

website/docs/r/iam_role_policy.html.markdown

website/docs/r/iam_role_policy_attachment.markdown

bflad · 2021-02-22T21:50:38Z

website/docs/r/iam_role.html.markdown

+  inline_policy {
+    name = "my_inline_policy"
+
+    policy = <<EOF


Nit: Let's use jsonencode() or aws_iam_policy_document data source here. 👍 Reference: #17714

bflad · 2021-02-22T21:51:11Z

website/docs/r/iam_role.html.markdown

+resource "aws_iam_policy" "policy_one" {
+  name = "policy-618033"
+
+  policy = <<EOF


Nit: Similarly here and below with jsonencode()/aws_iam_policy_document

Co-authored-by: Brian Flad <[email protected]>

gowthamakanthan · 2021-02-24T15:13:05Z

Am getting An argument named "managed_policy_arns" is not expected here. error. Any idea?

  on iam.tf line 131, in resource "aws_iam_role" "qualys_iam_role":
 131:   managed_policy_arns  = []

An argument named "managed_policy_arns" is not expected here.

Releasing state lock. This may take a few moments...
➜  aws_global git:(mgm/vpc) ✗ terraform --version
Terraform v0.12.29
+ provider.aws v3.1.0
+ provider.local v2.1.0
+ provider.template v2.1.2

lorengordon · 2021-02-24T15:25:05Z

@gowthamakanthan this was released in v3.29.1 of the aws provider. your output shows v3.1.0. you'll need to upgrade your provider version to use this feature...

ghost · 2021-03-25T17:10:43Z

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

ghost added size/L Managed by automation to categorize the size of a PR. documentation Introduces or discusses updates to documentation. service/iam Issues and PRs that pertain to the iam service. labels Sep 17, 2018

YakDriver force-pushed the support-exclusive-policies branch from 6e5d3c2 to 069e2f4 Compare September 17, 2018 21:04

ghost added size/L Managed by automation to categorize the size of a PR. documentation Introduces or discusses updates to documentation. service/iam Issues and PRs that pertain to the iam service. labels Sep 17, 2018

YakDriver force-pushed the support-exclusive-policies branch from 069e2f4 to b22f79e Compare September 17, 2018 21:06

ghost added size/L Managed by automation to categorize the size of a PR. documentation Introduces or discusses updates to documentation. service/iam Issues and PRs that pertain to the iam service. labels Sep 17, 2018

YakDriver force-pushed the support-exclusive-policies branch from b22f79e to d073ca7 Compare September 18, 2018 15:42

ghost added size/L Managed by automation to categorize the size of a PR. documentation Introduces or discusses updates to documentation. service/iam Issues and PRs that pertain to the iam service. labels Sep 18, 2018

YakDriver force-pushed the support-exclusive-policies branch from d073ca7 to 7c89c82 Compare September 19, 2018 21:31

YakDriver force-pushed the support-exclusive-policies branch from 7c89c82 to 89163a3 Compare September 19, 2018 21:52

YakDriver force-pushed the support-exclusive-policies branch from 89163a3 to a9ceccc Compare September 20, 2018 13:08

ghost added size/XXL Managed by automation to categorize the size of a PR. documentation Introduces or discusses updates to documentation. labels Sep 20, 2018

YakDriver added 7 commits February 22, 2021 11:53

resource/iam_role: Update documentation

2c13eb2

docs/iam_role: Clean up arguments

303a865

resource/iam_role: Add changelog file

49179fe

resource/iam_role: Rework exclusive policy lists

34db37e

docs/resource/iam_role: Update for new syntax

33349f1

docs/resource/iam_role: Minor correction

392c292

resource/iam_role: Adjust after review

387b80b

YakDriver force-pushed the support-exclusive-policies branch from 1208149 to 387b80b Compare February 22, 2021 16:53

YakDriver requested a review from bflad February 22, 2021 17:03

tests/resource/iam_role: Remove unused function

0f22b86

bflad approved these changes Feb 22, 2021

View reviewed changes

YakDriver and others added 4 commits February 22, 2021 19:00

Update website/docs/r/iam_policy_attachment.html.markdown

42bf4aa

Co-authored-by: Brian Flad <[email protected]>

Update website/docs/r/iam_role_policy.html.markdown

50fc806

Co-authored-by: Brian Flad <[email protected]>

Update website/docs/r/iam_role_policy_attachment.markdown

feb5457

Co-authored-by: Brian Flad <[email protected]>

docs/resource/iam_role: Switch to jsonencode

01ec6d5

YakDriver modified the milestones: Roadmap, v3.29.1 Feb 23, 2021

YakDriver merged commit 51061bc into hashicorp:main Feb 23, 2021

YakDriver deleted the support-exclusive-policies branch February 23, 2021 01:18

github-actions bot modified the milestones: v3.29.1, v3.30.0 Feb 23, 2021

YakDriver modified the milestones: v3.30.0, v3.29.1 Feb 24, 2021

ghost locked as resolved and limited conversation to collaborators Mar 25, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

resource/aws_iam_role: Add exclusive list support for a role's inline and managed policies #5904

resource/aws_iam_role: Add exclusive list support for a role's inline and managed policies #5904

YakDriver commented Sep 17, 2018 •

edited

Loading

YakDriver commented Sep 19, 2018

YakDriver commented Feb 22, 2021

bflad commented Feb 22, 2021

bflad left a comment

bflad Feb 22, 2021

YakDriver Feb 23, 2021

bflad Feb 22, 2021

YakDriver Feb 23, 2021

gowthamakanthan commented Feb 24, 2021

lorengordon commented Feb 24, 2021

ghost commented Mar 25, 2021

resource/aws_iam_role: Add exclusive list support for a role's inline and managed policies #5904

resource/aws_iam_role: Add exclusive list support for a role's inline and managed policies #5904

Conversation

YakDriver commented Sep 17, 2018 • edited Loading

Community Note

YakDriver commented Sep 19, 2018

YakDriver commented Feb 22, 2021

bflad commented Feb 22, 2021

bflad left a comment

Choose a reason for hiding this comment

bflad Feb 22, 2021

Choose a reason for hiding this comment

YakDriver Feb 23, 2021

Choose a reason for hiding this comment

bflad Feb 22, 2021

Choose a reason for hiding this comment

YakDriver Feb 23, 2021

Choose a reason for hiding this comment

gowthamakanthan commented Feb 24, 2021

lorengordon commented Feb 24, 2021

ghost commented Mar 25, 2021

YakDriver commented Sep 17, 2018 •

edited

Loading