ErnieAndBert

Reputation: 1702

Using the Terraform aws_iam_role datasource, get the statement from one AWS role and use it in creating another role in Terraform and append to it

I want to get the AWS principals from one AWS role and use it in the data I will use in creating another role while also appending some more roles to it.

Not sure if I can do it something like the way I am proposing below or if there is a way to just pull out the AWS principals from the one role and use them in the new role I am creating.

Using the Terraform aws_iam_role datasource I can get everything from the AWS IAM role's statement in the role I want to copy from:

Using this -

data "aws_iam_role" "admins" {
name = "biw-lz-admin"
}

output "foo" { value = data.aws_iam_role.admins.assume_role_policy }

I get this -

Changes to Outputs:
  + foo = jsonencode(
        {
          + Statement = [
              + {
                  + Action    = "sts:AssumeRole"
                  + Effect    = "Allow"
                  + Principal = {
                      + AWS = [
                          + "arn:aws:iam::xxxxxxxxxxxx:user/john.smith",
                          + "arn:aws:iam::xxxxxxxxxxxx:user/mary.gray",
                          + "arn:aws:iam::xxxxxxxxxxxx:user/ernie.bert",
                          + "arn:aws:iam::xxxxxxxxxxxx:user/andrew.kohut",
                          + "arn:aws:iam::xxxxxxxxxxxx:user/mark.mering",
                          + "arn:aws:iam::xxxxxxxxxxxx:user/carol.flay",
                          + "arn:aws:iam::xxxxxxxxxxxx:user/jack.dewer",
                          + "arn:aws:iam::xxxxxxxxxxxx:user/michael.hack",
                          + "arn:aws:iam::xxxxxxxxxxxx:user/dan.smith",
                        ]
                    }
                  + Sid       = ""
                },
            ]
          + Version   = "2012-10-17"
        }
    )

What I want to do is use the output of the above Terraform data source in another Terraform data block that I will use to create another AWS role, but also add more AWS principals to it.

I think I want to do something like in my Terraform data file:

data "aws_iam_policy_document" "xena_role_assume_role" {
  statement {
    actions = [
      "sts:AssumeRole",
    ]
    principals {
      type = "AWS"
      identifiers = flatten([

        # I WANT TO USE THE OUTPUT OF THE "data.aws_iam_role.admins" in here:
        data.aws_iam_role.admins # I KNOW THIS IS BAD BUT JUST TO SHOW WHAT I WANT I AM TRYING TO GET AT

        # NEXT I WANT TO ALSO APPEND THESE TWO OTHER ROLES :
        # GitLab role
        "arn:aws:iam::xxxxxxxxxxxx:role/gitlab-instance-role",

        # Another role to add
        "arn:aws:iam::xxxxxxxxxxxx:role/harry-smith-role",

      ])
    }
  }
}

The end result I want to achieve would create a Terraform data file to create an AWS IAM role statement that looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::xxxxxxxxxxxx:user/john.smith",
                    "arn:aws:iam::xxxxxxxxxxxx:user/mary.gray",
                    "arn:aws:iam::xxxxxxxxxxxx:user/ernie.bert",
                    "arn:aws:iam::xxxxxxxxxxxx:user/andrew.kohut",
                    "arn:aws:iam::xxxxxxxxxxxx:user/mark.mering",
                    "arn:aws:iam::xxxxxxxxxxxx:user/carol.flay",
                    "arn:aws:iam::xxxxxxxxxxxx:user/jack.dewer",
                    "arn:aws:iam::xxxxxxxxxxxx:user/michael.hack",
                    "arn:aws:iam::xxxxxxxxxxxx:user/dan.smith",
                    "arn:aws:iam::xxxxxxxxxxxx:role/gitlab-instance-role",
                    "arn:aws:iam::xxxxxxxxxxxx:role/harry-smith-role"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Thanks for any help or advice!!

Upvotes: 1

Views: 3800

Answers (1)

Ervin Szilagyi

Reputation: 16805

You can do something like this:

data "aws_iam_policy_document" "xena_role_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    effect = "Allow"
    principals {
      type = "AWS"
      identifiers = concat(flatten(jsondecode(data.aws_iam_role.admins.assume_role_policy).Statement[*].Principal.AWS),
      ["arn:aws:iam::xxxxxxxxxxxx:role/gitlab-instance-role", "arn:aws:iam::xxxxxxxxxxxx:role/harry-smith-role"])
    }
  }
}

For the identifiers we just have to grab the principals from the policy attached to the aws_iam_role role. This policy is a JSON string, which can be converted to an object using jsondecode. The rest is just a concatenation of 2 arrays.

Upvotes: 1
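A fuller version of the same approach, as an added example that is not code from the question or the answer above. It assumes the source role name `biw-lz-admin` from the question, uses the masked account id `xxxxxxxxxxxx` from the question as a placeholder, and invents the new role name `xena-role`. Beyond the answer's one-liner it handles the cases where a trust policy statement's `Principal.AWS` is a single string rather than a list, or where a statement carries a `Service` or `Federated` principal and no `AWS` key at all (the plain `Statement[*].Principal.AWS` splat fails the plan in that case), copies only `Allow` statements, and de-duplicates the merged list before it becomes the new role's trust policy:

```hcl
# Added example, not the question's or the answer's code.
# Assumptions: source role "biw-lz-admin" exists (from the question);
# "xena-role" and the account id xxxxxxxxxxxx are placeholders.

data "aws_iam_role" "admins" {
  name = "biw-lz-admin"
}

locals {
  source_trust = jsondecode(data.aws_iam_role.admins.assume_role_policy)

  # Principal.AWS may be a list, a single string, or absent (Service or
  # Federated principal). Normalise each Allow statement to a list of
  # strings; try() falls through to the next form instead of erroring.
  inherited_aws_principals = flatten([
    for s in local.source_trust.Statement : try(
      tolist(s.Principal.AWS), # list form
      [s.Principal.AWS],       # single-string form
      []                       # no AWS principal in this statement
    ) if s.Effect == "Allow"
  ])

  extra_principals = [
    "arn:aws:iam::xxxxxxxxxxxx:role/gitlab-instance-role",
    "arn:aws:iam::xxxxxxxxxxxx:role/harry-smith-role",
  ]

  # distinct() drops duplicates if an extra ARN is already trusted by the source role.
  trusted_principals = distinct(concat(local.inherited_aws_principals, local.extra_principals))
}

data "aws_iam_policy_document" "xena_role_assume_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = local.trusted_principals
    }
  }
}

resource "aws_iam_role" "xena" {
  name               = "xena-role" # placeholder name
  assume_role_policy = data.aws_iam_policy_document.xena_role_assume_role.json
}

# Surfaces the final trust list in the plan so it can be reviewed before apply.
output "xena_trusted_principals" {
  value = local.trusted_principals
}
```

The `output` is there deliberately: the new role inherits every principal the source role trusts, so the merged list shows up in `terraform plan` where it can be checked before the trust policy is applied.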
