cloudposse / terraform-aws-iam-policy

Create an IAM policy from Terraform input
https://cloudposse.com/accelerate
Apache License 2.0

option to create an inline policy #21

Open nitrocode opened 1 year ago

nitrocode commented 1 year ago

Have a question? Please check out our Slack Community or visit our Slack Archive.

Describe the Feature

Option to create an inline policy and attach it to a role. If that is implemented, we currently create a managed policy here and it would be good to also optionally attach it to a role. This will allow people to use one or the other for all of our modules.

Related pr https://github.com/cloudposse/terraform-aws-ec2-bastion-server/pull/102/files

Workaround for now is to set iam_policy_enabled = false and use the json output like in the example in the README.

Nuru commented 1 year ago

Closing as wontfix because this module creates a policy, not a role. Having it create a role is feature creep and violates separation of concerns.

nitrocode commented 1 year ago

My hope was that instead of setting iam_policy_enabled = false and using the json output, we could instead do the following

module "iam_policy" {
  # ...
  inline_enabled = true

  role_arn = "arn:..."
}

which would disable the aws_iam_policy resource creation and instead add the aws_iam_role_policy_attachment resource to connect the inline policy to the role.

Please reconsider.

nitrocode commented 1 year ago

Oh nvm, maybe the readme already states that this is enough.

Thanks for considering.

resource "aws_iam_role" "example" {
  name               = "hello_role"
  assume_role_policy = data.aws_iam_policy_document.assume_role.json

  inline_policy {
    name = "test_policy"

    policy = module.iam_policy.json
  }
}

nitrocode commented 2 months ago

Just happened to come across this again because I was looking at https://github.com/cloudposse/terraform-aws-eks-iam-role and wanted to use an inline policy there. I looked inside and it wasn't using this module, so I went back here to look for the inline method and came across this issue again.

Rereading this thread, I noticed that we may have a misunderstanding.

Closing as wontfix because this module creates a policy, not a role. Having it create a role is feature creep and violates separation of concerns.

I wasn't suggesting creating a role, but instead, attaching the inline policy (instead of a managed policy) to an existing role which would then need to be provided.

See this aws_iam_role_policy for attaching inline policies to existing roles.

e.g.

module "iam_policy" {
  # ...
  inline_attach_role_name = module.role.name
}

Would you reconsider? If so, this would help other downstream modules to reuse this logic and easily toggle between inline and managed policies without needing to recreate the logic per module.
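As an added illustration of the toggle this thread asks for, here is a stand-alone Terraform sketch (not code from the cloudposse module or from any commenter) that switches between creating a managed aws_iam_policy and embedding the same document as an inline aws_iam_role_policy on an existing role. The variable name inline_attach_role_name is taken from the proposal above, and the S3 policy document and role/policy names are constructed for the example. One point worth keeping in mind when reading the earlier comments: aws_iam_role_policy_attachment can only attach managed policies, so the inline path has to use aws_iam_role_policy, as the last comment says.

```hcl
# Added example, not the module's own code. Assumed: var.inline_attach_role_name
# (from the proposal in this issue); the policy document below is constructed.

variable "inline_attach_role_name" {
  description = "Name of an existing role to receive an inline policy; leave empty to create a managed policy instead"
  type        = string
  default     = ""
}

locals {
  # The toggle the issue proposes: a non-empty role name selects the inline path.
  inline_enabled = var.inline_attach_role_name != ""
}

# Illustrative least-privilege document (constructed for the example): read one bucket only.
data "aws_iam_policy_document" "this" {
  statement {
    sid       = "ReadOneBucket"
    actions   = ["s3:GetObject", "s3:ListBucket"]
    resources = [
      "arn:aws:s3:::example-bucket",
      "arn:aws:s3:::example-bucket/*",
    ]
  }
}

# Managed path: what the module creates today. The policy gets its own ARN,
# appears in IAM policy listings, and can be attached to several principals.
resource "aws_iam_policy" "managed" {
  count  = local.inline_enabled ? 0 : 1
  name   = "example-policy"
  policy = data.aws_iam_policy_document.this.json
}

# Inline path: the document is embedded in the existing role itself.
# aws_iam_role_policy_attachment cannot be used here; it only attaches managed policies.
resource "aws_iam_role_policy" "inline" {
  count  = local.inline_enabled ? 1 : 0
  name   = "example-policy"
  role   = var.inline_attach_role_name
  policy = data.aws_iam_policy_document.this.json
}

# The managed ARN only exists on the managed path, so downstream code must handle null.
output "policy_arn" {
  value = local.inline_enabled ? null : aws_iam_policy.managed[0].arn
}
```

Usage: `terraform plan -var inline_attach_role_name=my-existing-role` selects the inline resource, and running it with the default empty value creates the managed policy instead. For review and detection purposes the two paths are not equivalent: a managed policy is a separately listable and versioned IAM object, while an inline policy lives and dies with its role and only shows up when the role itself is inspected, which is worth weighing before choosing the inline option for a given module.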