Currently, the Terraform Neptune resource exports the administrative ARN as arn, which works fine for actions requiring administrative access to the cluster. However, for IAM policies, the resource ARN in the format:
arn:aws:neptune-db:region:account-id:cluster-resource-id/*
is often required in the Resource field. From what I’ve observed, Terraform doesn’t directly export this ARN, despite providing the cluster_resource_id attribute. Users are forced to build this ARN manually, typically like so:
```hcl
# The account ID comes from the caller identity; the region is taken from a variable here
# (the provider's aws_region data source would work as well).
data "aws_caller_identity" "current" {}

locals {
  # Data-plane ARN expected by neptune-db:* IAM actions: arn:aws:neptune-db:<region>:<account-id>:<cluster-resource-id>/*
  neptune_cluster_arn = "arn:aws:neptune-db:${var.aws_region}:${data.aws_caller_identity.current.account_id}:${aws_neptune_cluster.db.cluster_resource_id}/*"
}
```
This method requires additional steps and string interpolation, which is both tedious and prone to errors, especially in environments where the resource ARN is frequently needed in IAM policies. By having Terraform natively export this ARN from the cluster resource, users would save time and reduce the risk of mistakes during deployment.
Affected Resource(s) and/or Data Source(s)
aws_neptune_cluster
Potential Terraform Configuration
```hcl
resource "aws_iam_policy" "neptune_data_access_policy" {
  name        = "neptune-data-access-policy"
  path        = "/"
  description = "allows all data api actions on neptune cluster"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Neptune data-plane actions use the neptune-db service prefix (e.g. neptune-db:connect),
        # which is what the arn:aws:neptune-db:... resource ARN below is scoped to.
        Action = [
          "neptune-db:*",
        ]
        Effect = "Allow"
        # Proposed attribute requested by this issue; not exported by the provider today.
        Resource = aws_neptune_cluster.db.resource_arn
      },
    ]
  })
}
```
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
Volunteering to Work on This Issue
If you are interested in working on this issue, please leave a comment.
If this would be your first contribution, please review the contribution guide.
References
aws doc link
Would you like to implement a fix?
No