TheWalkingMalteser

Reputation: 691

How do you add a managed policy to a group in terraform?

I've got this so far:

data "aws_iam_policy" "config_role" { 
  arn = "arn:aws:iam::aws:policy/service_role/AWSConfigRole"
}

But I'm not sure how to attach this to a group.

Upvotes: 3

Views: 3294

Answers (2)

ydaetskcoR

Reputation: 56997

You can use either the aws_iam_group_policy_attachment resource or the aws_iam_policy_attachment resource to attach a policy to a group.

As mentioned in the aws_iam_policy_attachment resource docs, this resource creates an exclusive attachment of that policy to the specified users, groups and roles and isn't normally what you want, so I'd recommend the aws_iam_group_policy_attachment resource.

This might look something like this:

resource "aws_iam_group" "aws_config_group" {
  name = "AWSConfigGroup"
  path = "/"
}

# Non-exclusive attachment: only this group's relationship to the policy is
# managed here, so other principals that have the same policy are untouched.
resource "aws_iam_group_policy_attachment" "aws_config_attach" {
  group      = aws_iam_group.aws_config_group.name
  policy_arn = "arn:aws:iam::aws:policy/service_role/AWSConfigRole"
}

Note that you don't actually need the aws_iam_policy data source here as you are already building the ARN to pass into the data source and that's all that's needed by the aws_iam_group_policy_attachment resource.

Upvotes: 6
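A complete configuration that puts the answer above together with the data source from the question, added here as an example rather than code from either poster. It shows the recommended per-group attachment, how to attach several managed policies to the same group with `for_each`, and, commented out, the exclusive `aws_iam_policy_attachment` variant and why it is risky. The provider region and the extra `ReadOnlyAccess` ARN in the `for_each` set are assumptions chosen for the example.

```hcl
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

# Region is an assumption for this example.
provider "aws" {
  region = "us-east-1"
}

# Lookup of the existing AWS managed policy from the question. The attachment
# only needs the ARN string, but reading it through the data source makes
# `terraform plan` fail early if the ARN is mistyped or the policy is gone.
data "aws_iam_policy" "config_role" {
  arn = "arn:aws:iam::aws:policy/service_role/AWSConfigRole"
}

resource "aws_iam_group" "aws_config_group" {
  name = "AWSConfigGroup"
  path = "/"
}

# Recommended: a per-group attachment. Creating or destroying this resource
# changes only AWSConfigGroup, so the same policy can stay attached to any
# roles or users that were given it elsewhere (another stack, the console).
resource "aws_iam_group_policy_attachment" "aws_config_attach" {
  group      = aws_iam_group.aws_config_group.name
  policy_arn = data.aws_iam_policy.config_role.arn
}

# Several managed policies on one group: one attachment per ARN, keyed by the
# ARN so adding or removing an entry only creates or destroys that attachment.
# The ReadOnlyAccess entry is an assumption for the example.
locals {
  extra_group_policy_arns = toset([
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
  ])
}

resource "aws_iam_group_policy_attachment" "extra" {
  for_each   = local.extra_group_policy_arns
  group      = aws_iam_group.aws_config_group.name
  policy_arn = each.value
}

# Not recommended here: aws_iam_policy_attachment is exclusive. Terraform treats
# the listed users/groups/roles as the complete set of principals the policy is
# attached to, and on apply detaches it from every principal not in the list,
# including ones managed outside this configuration.
#
# resource "aws_iam_policy_attachment" "exclusive" {
#   name       = "aws-config-role-attachment"
#   policy_arn = data.aws_iam_policy.config_role.arn
#   groups     = [aws_iam_group.aws_config_group.name]
# }

output "config_group_attached_policy" {
  value = aws_iam_group_policy_attachment.aws_config_attach.policy_arn
}
```

After `terraform apply`, `aws iam list-attached-group-policies --group-name AWSConfigGroup` should list both ARNs. Two things worth checking before applying: the `service_role/` path in this policy's ARN marks it as a policy designed for a role that the AWS Config service assumes, so attaching it to a group of human users hands those users the service's permissions, which may or may not be what you want; and if the account already has an `aws_iam_policy_attachment` for the same policy elsewhere, the two resources will fight over the attachment set on every apply.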

patchus

Reputation: 97

You add it later down in the file.

So something like:

resource "aws_iam_group" "aws_config_group" {
  name = "AWSConfigGroup"
  path = "/"
}

# aws_iam_policy creates a new customer managed policy from a JSON document; it
# has no "arn" input and no "group" argument, and a bracketed list is not valid
# HCL. Attaching the existing managed policy to the group is done with
# aws_iam_group_policy_attachment, which takes the group name and the ARN.
resource "aws_iam_group_policy_attachment" "config_role" {
  group      = aws_iam_group.aws_config_group.name
  policy_arn = "arn:aws:iam::aws:policy/service_role/AWSConfigRole"
}

Upvotes: 0
