Open nitrocode opened 2 weeks ago
Hey @nitrocode 👋 Thank you for taking the time to raise this! I may be overlooking something specific here, but my initial reaction is that you could use jsondecode() on the policy attribute to get that information with how the data source works today. Would that work for your use case?
Hi Justin 🤝
Here is an example of the terraform
data "aws_iam_policy" "poweruser" {
  arn = "arn:aws:iam::aws:policy/PowerUserAccess"
}

output "policy" {
  value = data.aws_iam_policy.poweruser
}
And the terraform output
$ terraform plan
data.aws_iam_policy.poweruser: Reading...
data.aws_iam_policy.poweruser: Read complete after 1s [id=arn:aws:iam::aws:policy/PowerUserAccess]
Changes to Outputs:
+ policy = {
+ arn = "arn:aws:iam::aws:policy/PowerUserAccess"
+ attachment_count = 3
+ description = "Provides full access to AWS services and resources, but does not allow management of Users and groups."
+ id = "arn:aws:iam::aws:policy/PowerUserAccess"
+ name = "PowerUserAccess"
+ path = "/"
+ path_prefix = null
+ policy = jsonencode(
{
+ Statement = [
+ {
+ Effect = "Allow"
+ NotAction = [
+ "iam:*",
+ "organizations:*",
+ "account:*",
]
+ Resource = "*"
},
+ {
+ Action = [
+ "account:GetAccountInformation",
+ "account:GetPrimaryEmail",
+ "account:ListRegions",
+ "iam:CreateServiceLinkedRole",
+ "iam:DeleteServiceLinkedRole",
+ "iam:ListRoles",
+ "organizations:DescribeOrganization",
]
+ Effect = "Allow"
+ Resource = "*"
},
]
+ Version = "2012-10-17"
}
)
+ policy_id = "snip"
+ tags = {}
}
If I run the awscli, I can see additional information for the policy that is unavailable in the data source
$ aws iam list-policies
...
{
"PolicyName": "PowerUserAccess",
"PolicyId": "snip",
"Arn": "arn:aws:iam::aws:policy/PowerUserAccess",
"Path": "/",
"DefaultVersionId": "v6",
"AttachmentCount": 3,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2015-02-06T18:39:47+00:00",
"UpdateDate": "2024-08-19T16:12:55+00:00"
},
Makes sense, thanks for the clarification @nitrocode!
Description
I'd like to create custom iam policies and base them off of managed policies. I want to tag those custom policies with the exact version of the policies they are based on. This would be nice to pin my policies instead of using the aws managed policies. Then I can bump the policies as I see fit periodically.
Affected Resource(s) and/or Data Source(s)
UpdateDate and DefaultVersionId
Potential Terraform Configuration
References
Would you like to implement a fix?
No
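The workflow the description asks for (a custom policy derived from a managed one, tagged with the managed policy version it was copied from, and bumped deliberately) can be approximated today with the jsondecode() suggestion from the thread, as long as the pin itself lives outside the data source. The following is an added example, not code from the issue, the reporter, or the provider. It assumes a checked-in copy of the managed policy document at policies/PowerUserAccess-v6.json (fetched once with `aws iam get-policy-version --policy-arn arn:aws:iam::aws:policy/PowerUserAccess --version-id v6 --query PolicyVersion.Document`, where `v6` is the DefaultVersionId reported by `aws iam get-policy`), and Terraform 1.5 or newer for the `check` block. The file path, the `local.pinned_version` value and the extra Deny statement are illustrative choices.

```hcl
# Added example: pin a custom policy to a specific version of an AWS managed
# policy, using jsondecode() on the data source's policy attribute only to
# detect upstream drift. Not part of the issue or the provider.

data "aws_iam_policy" "poweruser" {
  arn = "arn:aws:iam::aws:policy/PowerUserAccess"
}

locals {
  # The pin: bumped by hand after reviewing what changed upstream.
  # (Assumed value; take it from `aws iam get-policy ... --query Policy.DefaultVersionId`.)
  pinned_version = "v6"
  pinned_file    = "${path.module}/policies/PowerUserAccess-${local.pinned_version}.json"

  # jsondecode() turns both documents into HCL objects, so they can be
  # compared structurally and the pinned copy can be extended.
  pinned_doc   = jsondecode(file(local.pinned_file))
  upstream_doc = jsondecode(data.aws_iam_policy.poweruser.policy)

  # The custom policy is built from the pinned copy, never from the live
  # data source, so AWS publishing a new version does not silently widen it.
  derived_doc = merge(local.pinned_doc, {
    Statement = concat(local.pinned_doc.Statement, [{
      # Illustrative tightening on top of the managed document.
      Sid      = "DenyLeavingOrganization"
      Effect   = "Deny"
      Action   = ["organizations:LeaveOrganization"]
      Resource = "*"
    }])
  })
}

resource "aws_iam_policy" "poweruser_pinned" {
  name   = "PowerUserAccess-pinned"
  policy = jsonencode(local.derived_doc)

  tags = {
    BasedOnPolicyArn     = data.aws_iam_policy.poweruser.arn
    BasedOnPolicyVersion = local.pinned_version
  }
}

# Warn (a check block does not fail the run) when the managed policy has moved
# on from the pinned copy, so the pin gets reviewed and bumped on purpose.
check "managed_policy_unchanged" {
  assert {
    condition     = local.upstream_doc == local.pinned_doc
    error_message = "${data.aws_iam_policy.poweruser.arn} no longer matches the pinned ${local.pinned_version} copy; review the diff and bump local.pinned_version."
  }
}
```

Because the data source still does not expose DefaultVersionId or UpdateDate, the version string in the tag has to be carried in as a hand-maintained local; the structural comparison in the check block is what tells you the upstream document changed, not which version it changed to.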