user13879829

Task execution IAM role in terraform

I am creating an IAM role for task execution. I have already done it in CloudFormation and now I am doing it in Terraform, but the problem I am stuck on is that in CloudFormation there is an attribute to give ManagedPolicyArns, so how would you give it in Terraform? I am attaching both scripts. The Terraform script is incomplete and is the one I need help with, while the CloudFormation script is complete and I want to replicate it in Terraform.

Terraform:

resource "aws_iam_role" "task_execution" {
  name               = "task-execution-${terraform.workspace}"
  # Path is a role argument, not a key inside the trust policy statement
  path               = "/"
  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Principal": {
                "Service": "ecs-tasks.amazonaws.com"
            },
            "Effect": "Allow",
            "Sid": ""
        }
    ]
}
EOF

  tags = {
    tag-key = "tag-value"
  }
}

CloudFormation:

---
AWSTemplateFormatVersion: 2010-09-09 
Parameters:
  Env:
    Type: String
Resources:
  ExRole:
      Type: 'AWS::IAM::Role'
      Properties:
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - ecs-tasks.amazonaws.com
              Action:
                - 'sts:AssumeRole'
        Path: /
        RoleName: !Sub "excutionrole-${Env}"
        ManagedPolicyArns:
          - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
        Policies: 
          - PolicyName: AccessECR
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Action: 
                    - ecr:BatchGetImage
                    - ecr:GetAuthorizationToken
                    - ecr:GetDownloadUrlForLayer 
                  Resource: '*'

Upvotes: 1

Views: 2698

Answers (2)

Marcin

Reputation: 238189

assume_role_policy is used only for the trust relationship (i.e. who/what can assume the role). Thus, your aws_iam_role should be:

resource "aws_iam_role" "test_role" {
  name = "s3_access"

  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
              "Service": "ecs-tasks.amazonaws.com"
              },
            "Action": "sts:AssumeRole"            
        }
    ]
}
EOF

  tags = {
    tag-key = "tag-value"
  }
}

Then, the required permissions could be attached to the role as follows:

# Managed policy: Terraform's counterpart to CloudFormation's ManagedPolicyArns
resource "aws_iam_role_policy_attachment" "ecs-task-permissions" {
    role       = aws_iam_role.test_role.name
    policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# Inline policy: Terraform's counterpart to CloudFormation's Policies
resource "aws_iam_role_policy" "ecr-access" {
  name = "ecs-access"
  role = aws_iam_role.test_role.name

  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "2",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchGetImage",
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer"
            ],
            "Resource": "*"
        }
    ]
}
EOF
}

Upvotes: 4
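The same role-plus-attachments pattern from this answer, rebuilt as an added example (not the answerer's code) with aws_iam_policy_document data sources, which reject malformed policy JSON like the stray key and trailing comma in the question at plan time; it also restricts the trust policy to the caller's own account with aws:SourceAccount and scopes the ECR pull actions to a single repository. The repository name my-app is an assumption.

```hcl
# Added example, not the answer's code: same role via aws_iam_policy_document,
# so malformed JSON fails at plan time. Repository "my-app" is hypothetical.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Trust policy: ECS tasks may assume the role, but only tasks in this account
data "aws_iam_policy_document" "ecs_tasks_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_iam_role" "task_execution" {
  name               = "task-execution-${terraform.workspace}"
  path               = "/"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_trust.json
}

# Managed policy (Terraform equivalent of CloudFormation's ManagedPolicyArns)
resource "aws_iam_role_policy_attachment" "task_execution_managed" {
  role       = aws_iam_role.task_execution.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# Inline policy, scoped: GetAuthorizationToken only accepts "*", but the
# pull actions can be limited to the one repository the task image lives in
data "aws_iam_policy_document" "ecr_pull" {
  statement {
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }
  statement {
    actions   = ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]
    resources = ["arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/my-app"]
  }
}

resource "aws_iam_role_policy" "ecr_pull" {
  name   = "ecr-pull"
  role   = aws_iam_role.task_execution.id
  policy = data.aws_iam_policy_document.ecr_pull.json
}
```

Note that AmazonECSTaskExecutionRolePolicy already grants these ECR actions on every repository, so the scoped inline policy only narrows anything if the managed attachment is dropped.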

Dennis Traub

Reputation: 51634

In Terraform, you can attach policies to a role using the iam_role_policy_attachment resource:

resource "aws_iam_role_policy_attachment" "test-attach" {
    role       = aws_iam_role.test_role.name
    policy_arn = // ARN of the managed policy
}

Upvotes: 4
