Eduloc

Reputation: 53

Terraform Override AWS managed policy

My request seems simple, and yet I can't realize it with Terraform. I want to create a new AWS policy based on the SecurityAudit managed policy, to which I want to add a condition:

"Condition": {
   "StringNotEquals": {
      "aws:TagKeys/MyTag": "disabled"
   }
}

I tried to use the aws_iam_policy_document feature and then attach my policy to my role:

data "aws_iam_policy_document" "security-audit-policy-override" {
  statement {
    # principals is only valid in resource-based policies (trust policies,
    # bucket policies); an identity-based policy attached to a role must not
    # carry one
    principals {
      type        = "Federated"
      identifiers = ["arn:aws:iam::aws:policy/SecurityAudit"]
    }

    # variable is the condition key, values are the operands it is compared to
    condition {
      test     = "StringNotEquals"
      variable = "aws:TagKeys/MyTag"
      values   = ["disabled"]
    }
  }
}

resource "aws_iam_role_policy" "security-audit-override" {
  policy = data.aws_iam_policy_document.security-audit-policy-override.json
  role   = aws_iam_role.my_role.name
}

But I get the following error when I run terraform apply:

Error: Error putting IAM role policy terraform-XXXXXXXXX: MalformedPolicyDocument: Policy document should not specify a principal.

So, do you know how to override an existing AWS managed IAM policy?

Upvotes: 0

Views: 432

Answers (1)

Marcin

Reputation: 238081

Theoretically you can do this, but not with SecurityAudit. This is because that policy has over 12,000 characters, while user managed policies are limited to 6,144.

So you have to split SecurityAudit into two or three user managed policies yourself. The best way is to construct these policies manually, or to trim SecurityAudit down significantly.

Upvotes: 4
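The splitting Marcin describes, as an added example that is not code from the question or the answer: a Python script that measures a policy document the way IAM does (whitespace is not counted), rejects a statement that names a Principal (the cause of the question's MalformedPolicyDocument error, since only resource-based policies such as trust or bucket policies have one), and cuts an oversized Allow statement into single-statement policies that each fit the 6,144-character quota, with the wanted condition merged into every piece. The policy document below is a constructed stand-in for SecurityAudit, which cannot be fetched offline, and the condition key aws:ResourceTag/MyTag is an assumption: aws:TagKeys is a list of tag keys and takes no /MyTag suffix, so a check on a tag's value needs aws:ResourceTag/<key> (or aws:PrincipalTag/<key> for the caller's tags).

```python
import json
from typing import Any

# IAM quota for a customer managed policy (the limit Marcin refers to). IAM
# does not count whitespace toward it, so only non-whitespace JSON is measured.
MANAGED_POLICY_MAX_CHARS = 6144

# Condition to merge into every piece. Assumption: aws:ResourceTag/MyTag is the
# key for a tag *value* check; aws:TagKeys is a list of keys and takes no suffix.
EXTRA_CONDITION = {"StringNotEquals": {"aws:ResourceTag/MyTag": "disabled"}}

# Constructed stand-in for SecurityAudit: one Allow statement with 432
# read-only actions, well past the quota just like the real policy.
_SERVICES = ["ec2", "iam", "s3", "rds", "lambda", "cloudtrail",
             "kms", "sns", "sqs", "dynamodb", "config", "guardduty"]
_VERBS = ["Describe", "List", "Get"]
_OBJECTS = ["Instances", "Policies", "Buckets", "Roles", "Functions", "Trails",
            "Keys", "Topics", "Queues", "Tables", "Rules", "Findings"]
SAMPLE_AUDIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "SecurityAudit",
        "Effect": "Allow",
        "Action": [f"{s}:{v}{o}" for s in _SERVICES for v in _VERBS for o in _OBJECTS],
        "Resource": "*",
    },
}


def policy_size(doc: dict[str, Any]) -> int:
    """Policy size as IAM counts it: every JSON character except whitespace."""
    return sum(1 for ch in json.dumps(doc) if not ch.isspace())


def _as_list(value: Any) -> list[Any]:
    return list(value) if isinstance(value, list) else [value]


def validate_identity_policy(doc: dict[str, Any]) -> list[str]:
    """Structural problems that make `doc` unusable as a role/user/group policy."""
    problems = []
    for i, stmt in enumerate(_as_list(doc["Statement"])):
        if "Principal" in stmt or "NotPrincipal" in stmt:
            # Exactly the error in the question: an identity-based policy
            # attached to a role must not specify a Principal.
            problems.append(f"statement {i}: identity-based policy must not specify a Principal")
        if "NotAction" in stmt:
            problems.append(f"statement {i}: NotAction cannot be split by action")
    return problems


def _policy(statement: dict[str, Any]) -> dict[str, Any]:
    return {"Version": "2012-10-17", "Statement": [statement]}


def split_policy(doc: dict[str, Any], condition: dict[str, Any],
                 max_chars: int = MANAGED_POLICY_MAX_CHARS) -> list[dict[str, Any]]:
    """Split `doc` into single-statement policies that each fit in `max_chars`
    and together grant exactly its actions, with `condition` merged into every
    statement. Raises ValueError for documents that cannot be expressed this way."""
    problems = validate_identity_policy(doc)
    if problems:
        raise ValueError("; ".join(problems))
    pieces: list[dict[str, Any]] = []
    for i, stmt in enumerate(_as_list(doc["Statement"])):
        # Effect, Resource, etc. are copied onto every piece; Action is chunked.
        base = {k: v for k, v in stmt.items() if k not in ("Action", "Sid", "Condition")}
        cond = {op: dict(kv) for op, kv in stmt.get("Condition", {}).items()}
        for op, kv in condition.items():
            cond.setdefault(op, {}).update(kv)
        base["Condition"] = cond
        sid = stmt.get("Sid", f"Stmt{i}")
        actions = _as_list(stmt["Action"])
        chunk: list[str] = []
        while actions:
            # Greedy: keep adding actions while the whole policy still fits.
            candidate = dict(base, Sid=f"{sid}Part{len(pieces)}", Action=chunk + actions[:1])
            if policy_size(_policy(candidate)) <= max_chars:
                chunk.append(actions.pop(0))
                continue
            if not chunk:
                raise ValueError(f"{actions[0]} alone does not fit in {max_chars} chars")
            pieces.append(_policy(dict(base, Sid=f"{sid}Part{len(pieces)}", Action=chunk)))
            chunk = []
        if chunk:
            pieces.append(_policy(dict(base, Sid=f"{sid}Part{len(pieces)}", Action=chunk)))
    return pieces


if __name__ == "__main__":
    print("original:", policy_size(SAMPLE_AUDIT_POLICY), "chars")
    for piece in split_policy(SAMPLE_AUDIT_POLICY, EXTRA_CONDITION):
        s = piece["Statement"][0]
        print(s["Sid"], len(s["Action"]), "actions,", policy_size(piece), "chars")
```

Each returned document can become its own aws_iam_policy resource (written to a file and read with file(), or embedded with jsonencode) and be attached to the role next to the others, so the role ends up with exactly the original actions under the extra condition and no single policy ever exceeds the quota. One caveat that follows from Marcin's answer: the copies have no link back to SecurityAudit, so when AWS adds actions to the managed policy, the split copies do not follow and have to be regenerated.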
