hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Enhancement]: aws_iam_policy data source could expose policy version and update date #39763

Open nitrocode opened 2 weeks ago

nitrocode commented 2 weeks ago

Description

I'd like to create custom iam policies and base them off of managed policies. I want to tag those custom policies with the exact version of the policies they are based on. This would be nice to pin my policies instead of using the aws managed policies. Then I can bump the policies as I see fit periodically.

Affected Resource(s) and/or Data Source(s)

Potential Terraform Configuration

data "aws_iam_policy" "example" {
  arn = "arn:aws:iam::123456789012:policy/UsersManageOwnCredentials"
}

output "policy_version" {
  value = data.aws_iam_policy.example.version
}

output "policy_update_date" {
  value = data.aws_iam_policy.example.update_date
}

References

Would you like to implement a fix?

No


justinretzolk commented 1 week ago

Hey @nitrocode 👋 Thank you for taking the time to raise this! I may be overlooking something specific here, but my initial reaction is that you could use jsondecode() on the policy attribute to get that information with how the data source works today. Would that work for your use case?

nitrocode commented 6 days ago

Hi Justin 🤝

Here is an example of the terraform

data "aws_iam_policy" "poweruser" {
  arn = "arn:aws:iam::aws:policy/PowerUserAccess"
}

output "policy" {
  value = data.aws_iam_policy.poweruser
}

And the terraform output

$ terraform plan 
data.aws_iam_policy.poweruser: Reading...
data.aws_iam_policy.poweruser: Read complete after 1s [id=arn:aws:iam::aws:policy/PowerUserAccess]

Changes to Outputs:
  + policy = {
      + arn              = "arn:aws:iam::aws:policy/PowerUserAccess"
      + attachment_count = 3
      + description      = "Provides full access to AWS services and resources, but does not allow management of Users and groups."
      + id               = "arn:aws:iam::aws:policy/PowerUserAccess"
      + name             = "PowerUserAccess"
      + path             = "/"
      + path_prefix      = null
      + policy           = jsonencode(
            {
              + Statement = [
                  + {
                      + Effect    = "Allow"
                      + NotAction = [
                          + "iam:*",
                          + "organizations:*",
                          + "account:*",
                        ]
                      + Resource  = "*"
                    },
                  + {
                      + Action   = [
                          + "account:GetAccountInformation",
                          + "account:GetPrimaryEmail",
                          + "account:ListRegions",
                          + "iam:CreateServiceLinkedRole",
                          + "iam:DeleteServiceLinkedRole",
                          + "iam:ListRoles",
                          + "organizations:DescribeOrganization",
                        ]
                      + Effect   = "Allow"
                      + Resource = "*"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id        = "snip"
      + tags             = {}
    }

If I run the awscli, I can see additional information for the policy that is unavailable in the data source

$ aws iam list-policies
...
        {
            "PolicyName": "PowerUserAccess",
            "PolicyId": "snip",
            "Arn": "arn:aws:iam::aws:policy/PowerUserAccess",
            "Path": "/",
            "DefaultVersionId": "v6",
            "AttachmentCount": 3,
            "PermissionsBoundaryUsageCount": 0,
            "IsAttachable": true,
            "CreateDate": "2015-02-06T18:39:47+00:00",
            "UpdateDate": "2024-08-19T16:12:55+00:00"
        },
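
As an added illustration of the gap discussed above (not code from the issue or the provider): `jsondecode()` on the data source's `policy` attribute only reaches the policy document, whose `Version` is the IAM policy-language date, while the revision (`DefaultVersionId`) and `UpdateDate` live in the policy metadata that `aws iam get-policy` returns. The sample metadata below is constructed in that shape, and the tag names are assumptions.

```python
"""Pin a custom IAM policy to the managed-policy revision it was derived from,
and detect when AWS publishes a newer revision. Example code; the metadata is a
constructed sample in the shape of `aws iam get-policy` output."""
import json

# Constructed: what data.aws_iam_policy.poweruser.policy would decode to.
POLICY_DOCUMENT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "NotAction": ["iam:*"], "Resource": "*"}],
})

# Constructed: shape of `aws iam get-policy --policy-arn <arn>` (fields from
# the list-policies output shown in the issue; policy_id elided as "snip").
GET_POLICY_OUTPUT = {
    "Policy": {
        "PolicyName": "PowerUserAccess",
        "Arn": "arn:aws:iam::aws:policy/PowerUserAccess",
        "DefaultVersionId": "v6",
        "UpdateDate": "2024-08-19T16:12:55+00:00",
    }
}


def document_version(policy_json: str) -> str:
    """The 'Version' inside the document: the policy-language date, not a revision."""
    return json.loads(policy_json)["Version"]


def pin_tags(get_policy_output: dict) -> dict:
    """Tags (assumed names) recording which managed-policy revision a copy is based on."""
    p = get_policy_output["Policy"]
    return {
        "BasePolicyArn": p["Arn"],
        "BasePolicyVersion": p["DefaultVersionId"],
        "BasePolicyUpdateDate": p["UpdateDate"],
    }


def drifted(pinned_tags: dict, get_policy_output: dict) -> bool:
    """True when the live DefaultVersionId differs from the revision pinned in tags.

    Running this periodically against the tags on the custom copy is how the
    copy learns that the upstream managed policy changed and needs review.
    """
    live = pin_tags(get_policy_output)
    return live["BasePolicyVersion"] != pinned_tags.get("BasePolicyVersion")
```
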
justinretzolk commented 1 day ago

Makes sense, thanks for the clarification @nitrocode!