Open ranopriyo-neogy opened 3 years ago
Hi @ranopriyo-neogy,
Thanks for reporting!
I am having trouble recreating the issue; is it possible to share an anonymized version of the plan?
Here is the state file:
{
"format_version":"0.1",
"terraform_version":"0.13.6",
"variables":{
"account_id":{
"value":"111111"
},
"aws_region":{
"value":"us-east-1"
},
"create_instance_profile":{
"value":false
},
"customer_id":{
"value":"sys"
},
"description_iam_policy":{
"value":"This is a POLICY description."
},
"description_iam_role":{
"value":"This is a ROLE description."
},
"environment":{
"value":"EXample"
},
"iam_policy_description":{
"value":null
},
"iam_policy_permission":{
"value":null
},
"policy_path":{
"value":"/ec2/"
},
"role":{
"value":null
},
"tags":{
"value":{
"Environment":"TAG VALUE",
"Name":"tag_key"
}
}
},
"planned_values":{
"outputs":{
"iam_instance_profile_id":{
"sensitive":false,
"value":""
},
"iam_role_arn":{
"sensitive":false
},
"iam_role_name":{
"sensitive":false
},
"tags":{
"sensitive":false,
"value":[
{
"account_id":"00000",
"environment":"exampl"
}
]
}
},
"root_module":{
"resources":[
{
"address":"data.aws_iam_policy_document.clusterautoscaler",
"mode":"data",
"type":"aws_iam_policy_document",
"name":"clusterautoscaler",
"provider_name":"registry.terraform.io/hashicorp/aws",
"schema_version":0,
"values":{
"id":"1111111111111",
"json":"{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"kubernetesClusterautoscaler\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"autoscaling:TerminateInstanceInAutoScalingGroup\",\n \"autoscaling:SetDesiredCapacity\",\n \"autoscaling:DescribeTags\",\n \"autoscaling:DescribeLaunchConfigurations\",\n \"autoscaling:DescribeAutoScalingInstances\",\n \"autoscaling:DescribeAutoScalingGroups\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}",
"override_json":null,
"override_policy_documents":null,
"policy_id":null,
"source_json":null,
"source_policy_documents":null,
"statement":[
{
"actions":[
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags",
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup"
],
"condition":[
],
"effect":"Allow",
"not_actions":[
],
"not_principals":[
],
"not_resources":[
],
"principals":[
],
"resources":[
"*"
],
"sid":"kubernetesClusterautoscaler"
}
],
"version":"2012-10-17"
}
},
{
"address":"data.aws_iam_policy_document.iam_assume_role_policy_doc_ec2",
"mode":"data",
"type":"aws_iam_policy_document",
"name":"iam_assume_role_policy_doc_ec2",
"provider_name":"registry.terraform.io/hashicorp/aws",
"schema_version":0,
"values":{
"id":"0000000000",
"json":"{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"ec2\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"ec2.amazonaws.com\"\n }\n }\n ]\n}",
"override_json":null,
"override_policy_documents":null,
"policy_id":null,
"source_json":null,
"source_policy_documents":null,
"statement":[
{
"actions":[
"sts:AssumeRole"
],
"condition":[
],
"effect":"Allow",
"not_actions":[
],
"not_principals":[
],
"not_resources":[
],
"principals":[
{
"identifiers":[
"ec2.amazonaws.com"
],
"type":"Service"
}
],
"resources":[
],
"sid":"ec2"
}
],
"version":"2012-10-17"
}
}
],
"child_modules":[
{
"resources":[
{
"address":"module.iam_ec2_cwa.aws_iam_role_policy_attachment.this",
"mode":"managed",
"type":"aws_iam_role_policy_attachment",
"name":"this",
"provider_name":"registry.terraform.io/hashicorp/aws",
"schema_version":0,
"values":{
"policy_arn":"arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
}
}
],
"address":"module.iam_ec2_cwa"
},
{
"resources":[
{
"address":"module.iam_role.aws_iam_role.this",
"mode":"managed",
"type":"aws_iam_role",
"name":"this",
"provider_name":"registry.terraform.io/hashicorp/aws",
"schema_version":0,
"values":{
"assume_role_policy":"{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"ec2\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"ec2.amazonaws.com\"\n }\n }\n ]\n}",
"description":"This is a ROLE description.",
"force_detach_policies":false,
"max_session_duration":3600,
"name_prefix":"sys-exampl-web-",
"path":"/ec2/",
"permissions_boundary":null,
"tags":{
"account_id":"00000",
"environment":"exampl"
},
"tags_all":{
"account_id":"00000",
"environment":"exampl"
}
}
},
{
"address":"module.iam_role.aws_iam_role_policy_attachment.this[0]",
"mode":"managed",
"type":"aws_iam_role_policy_attachment",
"name":"this",
"index":0,
"provider_name":"registry.terraform.io/hashicorp/aws",
"schema_version":0,
"values":{
"policy_arn":"arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"
}
}
],
"address":"module.iam_role"
}
]
}
},
"resource_changes":[
{
"address":"data.aws_iam_policy_document.clusterautoscaler",
"mode":"data",
"type":"aws_iam_policy_document",
"name":"clusterautoscaler",
"provider_name":"registry.terraform.io/hashicorp/aws",
"change":{
"actions":[
"no-op"
],
"before":{
"id":"111111111",
"json":"{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"kubernetesClusterautoscaler\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"autoscaling:TerminateInstanceInAutoScalingGroup\",\n \"autoscaling:SetDesiredCapacity\",\n \"autoscaling:DescribeTags\",\n \"autoscaling:DescribeLaunchConfigurations\",\n \"autoscaling:DescribeAutoScalingInstances\",\n \"autoscaling:DescribeAutoScalingGroups\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}",
"override_json":null,
"override_policy_documents":null,
"policy_id":null,
"source_json":null,
"source_policy_documents":null,
"statement":[
{
"actions":[
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags",
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup"
],
"condition":[
],
"effect":"Allow",
"not_actions":[
],
"not_principals":[
],
"not_resources":[
],
"principals":[
],
"resources":[
"*"
],
"sid":"kubernetesClusterautoscaler"
}
],
"version":"2012-10-17"
},
"after":{
"id":"1111111111111",
"json":"{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"kubernetesClusterautoscaler\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"autoscaling:TerminateInstanceInAutoScalingGroup\",\n \"autoscaling:SetDesiredCapacity\",\n \"autoscaling:DescribeTags\",\n \"autoscaling:DescribeLaunchConfigurations\",\n \"autoscaling:DescribeAutoScalingInstances\",\n \"autoscaling:DescribeAutoScalingGroups\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}",
"override_json":null,
"override_policy_documents":null,
"policy_id":null,
"source_json":null,
"source_policy_documents":null,
"statement":[
{
"actions":[
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags",
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup"
],
"condition":[
],
"effect":"Allow",
"not_actions":[
],
"not_principals":[
],
"not_resources":[
],
"principals":[
],
"resources":[
"*"
],
"sid":"kubernetesClusterautoscaler"
}
],
"version":"2012-10-17"
},
"after_unknown":{
}
}
},
{
"address":"data.aws_iam_policy_document.iam_assume_role_policy_doc_ec2",
"mode":"data",
"type":"aws_iam_policy_document",
"name":"iam_assume_role_policy_doc_ec2",
"provider_name":"registry.terraform.io/hashicorp/aws",
"change":{
"actions":[
"no-op"
],
"before":{
"id":"0000000000",
"json":"{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"ec2\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"ec2.amazonaws.com\"\n }\n }\n ]\n}",
"override_json":null,
"override_policy_documents":null,
"policy_id":null,
"source_json":null,
"source_policy_documents":null,
"statement":[
{
"actions":[
"sts:AssumeRole"
],
"condition":[
],
"effect":"Allow",
"not_actions":[
],
"not_principals":[
],
"not_resources":[
],
"principals":[
{
"identifiers":[
"ec2.amazonaws.com"
],
"type":"Service"
}
],
"resources":[
],
"sid":"ec2"
}
],
"version":"2012-10-17"
},
"after":{
"id":"00000000000",
"json":"{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"ec2\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"ec2.amazonaws.com\"\n }\n }\n ]\n}",
"override_json":null,
"override_policy_documents":null,
"policy_id":null,
"source_json":null,
"source_policy_documents":null,
"statement":[
{
"actions":[
"sts:AssumeRole"
],
"condition":[
],
"effect":"Allow",
"not_actions":[
],
"not_principals":[
],
"not_resources":[
],
"principals":[
{
"identifiers":[
"ec2.amazonaws.com"
],
"type":"Service"
}
],
"resources":[
],
"sid":"ec2"
}
],
"version":"2012-10-17"
},
"after_unknown":{
}
}
},
{
"address":"module.iam_ec2_cwa.aws_iam_role_policy_attachment.this",
"module_address":"module.iam_ec2_cwa",
"mode":"managed",
"type":"aws_iam_role_policy_attachment",
"name":"this",
"provider_name":"registry.terraform.io/hashicorp/aws",
"change":{
"actions":[
"create"
],
"before":null,
"after":{
"policy_arn":"arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
},
"after_unknown":{
"id":true,
"role":true
}
}
},
{
"address":"module.iam_role.aws_iam_role.this",
"module_address":"module.iam_role",
"mode":"managed",
"type":"aws_iam_role",
"name":"this",
"provider_name":"registry.terraform.io/hashicorp/aws",
"change":{
"actions":[
"create"
],
"before":null,
"after":{
"assume_role_policy":"{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"ec2\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"ec2.amazonaws.com\"\n }\n }\n ]\n}",
"description":"This is a ROLE description.",
"force_detach_policies":false,
"max_session_duration":3600,
"name_prefix":"sys-exampl-web-",
"path":"/ec2/",
"permissions_boundary":null,
"tags":{
"account_id":"00000",
"environment":"exampl"
},
"tags_all":{
"account_id":"00000",
"environment":"exampl"
}
},
"after_unknown":{
"arn":true,
"create_date":true,
"id":true,
"inline_policy":true,
"managed_policy_arns":true,
"name":true,
"tags":{
},
"tags_all":{
},
"unique_id":true
}
}
},
{
"address":"module.iam_role.aws_iam_role_policy_attachment.this[0]",
"module_address":"module.iam_role",
"mode":"managed",
"type":"aws_iam_role_policy_attachment",
"name":"this",
"index":0,
"provider_name":"registry.terraform.io/hashicorp/aws",
"change":{
"actions":[
"create"
],
"before":null,
"after":{
"policy_arn":"arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"
},
"after_unknown":{
"id":true,
"role":true
}
}
}
],
"output_changes":{
"iam_instance_profile_id":{
"actions":[
"create"
],
"before":null,
"after":"",
"after_unknown":false
},
"iam_role_arn":{
"actions":[
"create"
],
"before":null,
"after_unknown":true
},
"iam_role_name":{
"actions":[
"create"
],
"before":null,
"after_unknown":true
},
"tags":{
"actions":[
"create"
],
"before":null,
"after":[
{
"account_id":"00000",
"environment":"exampl"
}
],
"after_unknown":false
}
},
"prior_state":{
"format_version":"0.1",
"terraform_version":"0.13.6",
"values":{
"root_module":{
"resources":[
{
"address":"data.aws_iam_policy_document.clusterautoscaler",
"mode":"data",
"type":"aws_iam_policy_document",
"name":"clusterautoscaler",
"provider_name":"registry.terraform.io/hashicorp/aws",
"schema_version":0,
"values":{
"id":"1111111111111",
"json":"{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"kubernetesClusterautoscaler\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"autoscaling:TerminateInstanceInAutoScalingGroup\",\n \"autoscaling:SetDesiredCapacity\",\n \"autoscaling:DescribeTags\",\n \"autoscaling:DescribeLaunchConfigurations\",\n \"autoscaling:DescribeAutoScalingInstances\",\n \"autoscaling:DescribeAutoScalingGroups\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}",
"override_json":null,
"override_policy_documents":null,
"policy_id":null,
"source_json":null,
"source_policy_documents":null,
"statement":[
{
"actions":[
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags",
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup"
],
"condition":[
],
"effect":"Allow",
"not_actions":[
],
"not_principals":[
],
"not_resources":[
],
"principals":[
],
"resources":[
"*"
],
"sid":"kubernetesClusterautoscaler"
}
],
"version":"2012-10-17"
}
},
{
"address":"data.aws_iam_policy_document.iam_assume_role_policy_doc_ec2",
"mode":"data",
"type":"aws_iam_policy_document",
"name":"iam_assume_role_policy_doc_ec2",
"provider_name":"registry.terraform.io/hashicorp/aws",
"schema_version":0,
"values":{
"id":"0000000000",
"json":"{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"ec2\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"ec2.amazonaws.com\"\n }\n }\n ]\n}",
"override_json":null,
"override_policy_documents":null,
"policy_id":null,
"source_json":null,
"source_policy_documents":null,
"statement":[
{
"actions":[
"sts:AssumeRole"
],
"condition":[
],
"effect":"Allow",
"not_actions":[
],
"not_principals":[
],
"not_resources":[
],
"principals":[
{
"identifiers":[
"ec2.amazonaws.com"
],
"type":"Service"
}
],
"resources":[
],
"sid":"ec2"
}
],
"version":"2012-10-17"
}
},
{
"address":"data.template_file.idpa",
"mode":"data",
"type":"template_file",
"name":"idpa",
"provider_name":"registry.terraform.io/hashicorp/template",
"schema_version":0,
"values":{
"filename":null,
"id":"0000000000",
"rendered":"{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Federated\": \"cognito-identity.amazonaws.com\"\n },\n \"Action\": \"sts:AssumeRoleWithWebIdentity\",\n \"Condition\": {\n \"StringEquals\": {\n \"cognito-identity.amazonaws.com:aud\": \"example\"\n },\n \"ForAnyValue:StringLike\": {\n \"cognito-identity.amazonaws.com:amr\": \"authenticated\"\n }\n }\n }\n ]\n}",
"template":"{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Federated\": \"cognito-identity.amazonaws.com\"\n },\n \"Action\": \"sts:AssumeRoleWithWebIdentity\",\n \"Condition\": {\n \"StringEquals\": {\n \"cognito-identity.amazonaws.com:aud\": \"${idpa}\"\n },\n \"ForAnyValue:StringLike\": {\n \"cognito-identity.amazonaws.com:amr\": \"authenticated\"\n }\n }\n }\n ]\n}",
"vars":{
"idpa":"example"
}
}
}
]
}
}
},
"configuration":{
"provider_config":{
"aws":{
"name":"aws",
"expressions":{
"region":{
"references":[
"var.aws_region"
]
}
}
}
},
"root_module":{
"outputs":{
"iam_instance_profile_id":{
"expression":{
"references":[
"module.iam_role.iam_instance_profile_id"
]
}
},
"iam_role_arn":{
"expression":{
"references":[
"module.iam_role.iam_role_arn"
]
}
},
"iam_role_name":{
"expression":{
"references":[
"module.iam_role.iam_role_arn"
]
}
},
"tags":{
"expression":{
"references":[
"module.iam_role.tags"
]
},
"description":"The tags attached to the role"
}
},
"resources":[
{
"address":"data.aws_iam_policy_document.clusterautoscaler",
"mode":"data",
"type":"aws_iam_policy_document",
"name":"clusterautoscaler",
"provider_config_key":"aws",
"expressions":{
"statement":[
{
"actions":{
"constant_value":[
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags",
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup"
]
},
"effect":{
"constant_value":"Allow"
},
"resources":{
"constant_value":[
"*"
]
},
"sid":{
"constant_value":"kubernetesClusterautoscaler"
}
}
]
},
"schema_version":0
},
{
"address":"data.aws_iam_policy_document.iam_assume_role_policy_doc_ec2",
"mode":"data",
"type":"aws_iam_policy_document",
"name":"iam_assume_role_policy_doc_ec2",
"provider_config_key":"aws",
"expressions":{
"statement":[
{
"actions":{
"constant_value":[
"sts:AssumeRole"
]
},
"principals":[
{
"identifiers":{
"constant_value":[
"ec2.amazonaws.com"
]
},
"type":{
"constant_value":"Service"
}
}
],
"sid":{
"constant_value":"ec2"
}
}
]
},
"schema_version":0
},
{
"address":"data.template_file.idpa",
"mode":"data",
"type":"template_file",
"name":"idpa",
"provider_config_key":"template",
"expressions":{
"template":{
"references":[
"path.module"
]
},
"vars":{
"constant_value":{
"idpa":"example"
}
}
},
"schema_version":0
}
],
"module_calls":{
"iam_ec2_cwa":{
"source":"../policy-attachment/",
"expressions":{
"attached_role":{
"references":[
"module.iam_role.iam_role_name"
]
},
"policy_arn":{
"constant_value":"arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
}
},
"module":{
"resources":[
{
"address":"aws_iam_role_policy_attachment.this",
"mode":"managed",
"type":"aws_iam_role_policy_attachment",
"name":"this",
"provider_config_key":"iam_ec2_cwa:aws",
"expressions":{
"policy_arn":{
"references":[
"var.policy_arn"
]
},
"role":{
"references":[
"var.attached_role"
]
}
},
"schema_version":0
}
],
"variables":{
"attached_role":{
"description":"Custom variable: specify the role name where this policy will be attached."
},
"policy_arn":{
"default":null,
"description":"The ARN of the policy you want to apply."
}
}
}
},
"iam_role":{
"source":"../",
"expressions":{
"account_id":{
"references":[
"local.account_id"
]
},
"assume_role_policy":{
"references":[
"data.aws_iam_policy_document.iam_assume_role_policy_doc_ec2"
]
},
"create_instance_profile":{
"references":[
"var.create_instance_profile"
]
},
"customer_id":{
"references":[
"local.customer_id"
]
},
"description_iam_policy":{
"references":[
"var.description_iam_policy"
]
},
"description_iam_role":{
"references":[
"var.description_iam_role"
]
},
"environment":{
"references":[
"local.environment"
]
},
"policy_arn":{
"constant_value":"arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"
},
"policy_path":{
"references":[
"var.policy_path"
]
},
"role":{
"constant_value":"web"
},
"tags":{
"references":[
"local.common_tags"
]
}
},
"module":{
"outputs":{
"iam_instance_profile_id":{
"expression":{
"references":[
"aws_iam_instance_profile.this"
]
},
"description":"The ID of the IAM instance"
},
"iam_permission_policy_arn":{
"expression":{
"references":[
"aws_iam_policy.this"
]
},
"description":"The ARN specifying the policy"
},
"iam_role_arn":{
"expression":{
"references":[
"aws_iam_role.this"
]
},
"description":"The ARN specifying the role"
},
"iam_role_name":{
"expression":{
"references":[
"aws_iam_role.this"
]
},
"description":"The name of the role"
},
"tags":{
"expression":{
"references":[
"aws_iam_role.this"
]
},
"description":"The tags attached to the role"
}
},
"resources":[
{
"address":"aws_iam_instance_profile.this",
"mode":"managed",
"type":"aws_iam_instance_profile",
"name":"this",
"provider_config_key":"iam_role:aws",
"expressions":{
"name":{
"references":[
"var.name",
"var.name"
]
},
"name_prefix":{
"references":[
"var.name",
"var.customer_id",
"var.environment"
]
},
"role":{
"references":[
"aws_iam_role.this"
]
}
},
"schema_version":0,
"count_expression":{
"references":[
"var.create_instance_profile"
]
}
},
{
"address":"aws_iam_policy.this",
"mode":"managed",
"type":"aws_iam_policy",
"name":"this",
"provider_config_key":"iam_role:aws",
"expressions":{
"description":{
"references":[
"var.description_iam_policy"
]
},
"name":{
"references":[
"var.name",
"var.name"
]
},
"name_prefix":{
"references":[
"var.name",
"var.customer_id",
"var.environment"
]
},
"path":{
"references":[
"var.policy_path"
]
},
"policy":{
"references":[
"var.iam_policy_permission"
]
}
},
"schema_version":0,
"count_expression":{
"references":[
"var.iam_policy_permission"
]
}
},
{
"address":"aws_iam_role.this",
"mode":"managed",
"type":"aws_iam_role",
"name":"this",
"provider_config_key":"iam_role:aws",
"expressions":{
"assume_role_policy":{
"references":[
"var.assume_role_policy"
]
},
"description":{
"references":[
"var.description_iam_role"
]
},
"name":{
"references":[
"var.name",
"var.name"
]
},
"name_prefix":{
"references":[
"var.name",
"var.customer_id",
"var.environment",
"var.role"
]
},
"path":{
"references":[
"var.policy_path"
]
},
"tags":{
"references":[
"var.tags"
]
}
},
"schema_version":0
},
{
"address":"aws_iam_role_policy_attachment.this",
"mode":"managed",
"type":"aws_iam_role_policy_attachment",
"name":"this",
"provider_config_key":"iam_role:aws",
"expressions":{
"policy_arn":{
"references":[
"var.iam_policy_permission",
"aws_iam_policy.this[0]",
"var.policy_arn"
]
},
"role":{
"references":[
"aws_iam_role.this"
]
}
},
"schema_version":0,
"count_expression":{
"references":[
"var.iam_policy_permission",
"var.policy_arn"
]
}
}
],
"variables":{
"account_id":{
"description":"Custom variable: specify a `account_id`, or `111111` (six one) for internal use."
},
"assume_role_policy":{
"description":"The policy that grants an entity permission to assume the role."
},
"create_instance_profile":{
"default":false,
"description":"Custom variable: boolean - specify `true` to create and IAM instance profile. Default is `false`."
},
"customer_id":{
"description":"Custom variable: specify the 3-character customer ID."
},
"description_iam_policy":{
"default":null,
"description":"The description of the role policy."
},
"description_iam_role":{
"default":null,
"description":"The description of the role."
},
"environment":{
"description":"Specify the environment. Can be one of `dev`, `stg`, `uat`, `oat`, `prd`."
},
"force_detach_policies":{
"default":null,
"description":"Specifies to force detaching any policies the role has before destroying it. Defaults to false."
},
"iam_policy_permission":{
"default":null,
"description":"Custom variable: The permission policy document."
},
"max_session_duration":{
"default":12,
"description":"(Optional) The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours."
},
"name":{
"default":null,
"description":"The name of the resource. This is an override."
},
"path":{
"default":null,
"description":"The path to the role."
},
"policy_arn":{
"default":null,
"description":"The ARN of the policy you want to apply."
},
"policy_path":{
"default":null,
"description":"The path of the policy in IAM."
},
"role":{
"default":null,
"description":"Custom variable: specify a descriptive role / purpose for the resource."
},
"tags":{
"default":{
},
"description":"Specify a map of tags."
}
}
}
}
},
"variables":{
"account_id":{
"description":"Specify the 5-digit customer account ID below."
},
"aws_region":{
"description":"Instantiate the `aws_region` variable. This will be passed either from the CLI or Terraform Enterprise Workspace Terraform variables."
},
"create_instance_profile":{
"default":false,
"description":"Custom variable: boolean - specify `true` to create and IAM instance profile. Default is `false`."
},
"customer_id":{
"description":"Specify a customer name."
},
"description_iam_policy":{
"default":null,
"description":"The description of the role policy."
},
"description_iam_role":{
"default":null,
"description":"The description of the role."
},
"environment":{
"description":"Specify the environment. Can be one of `dev`, `stg`, `uat`, `oat`, `prd`."
},
"iam_policy_description":{
"default":null,
"description":"Description of the IAM policy (forces new resource)."
},
"iam_policy_permission":{
"default":null,
"description":"Custom variable: IAM permission policy (typically passed in from infrastructure module)."
},
"policy_path":{
"default":null,
"description":"Path in which to create the policy."
},
"role":{
"default":null,
"description":"Custom variable: specify a descriptive role / purpose for the resource."
},
"tags":{
"default":{
},
"description":"Specify a map of tags."
}
}
}
}
}
Hello, I went through the state file thoroughly and couldn't find any aws_iam_policy resource being created. Yes, there is a reference within a module to module.iam_role.iam_permission_policy_arn, but there is no resource record related to an aws_iam_policy resource here. Either I am seeing something wrong, or it is referenced but not created.
Can you please confirm whether you see module.iam_role.aws_iam_policy.this being created/modified/deleted within your plan?
Hello, I went through the state file thoroughly and couldn't find any aws_iam_policy resource being created. Yes, there is a reference within a module to module.iam_role.iam_permission_policy_arn, but there is no resource record related to an aws_iam_policy resource here. Either I am seeing something wrong, or it is referenced but not created.
Can you please confirm whether you see module.iam_role.aws_iam_policy.this being created/modified/deleted within your plan?
I don't see that in the plan either; is there a way I can refer to the aws_iam_policy below:
{
"address":"aws_iam_policy.this",
"mode":"managed",
"type":"aws_iam_policy",
"name":"this",
"provider_config_key":"iam_role:aws",
"expressions":{
"description":{
"references":[
"var.description_iam_policy"
]
},
"name":{
"references":[
"var.name",
"var.name"
]
},
"name_prefix":{
"references":[
"var.name",
"var.customer_id",
"var.environment"
]
},
"path":{
"references":[
"var.policy_path"
]
},
"policy":{
"references":[
"var.iam_policy_permission"
]
}
},
"schema_version":0,
"count_expression":{
"references":[
"var.iam_policy_permission"
]
}
},
I see something similar to this with an assume_role_policy setting when it points to another resource. It then ends up under expressions in the configuration section of the JSON plan file and not among the role resource's own attribute values, so the check is skipped.
Attached is the zipped-up JSON plan.
And here is the actual Terraform configuration and the output from terraform-compliance showing the assume_role_policy being completely missed.
Terraform:
# Placeholder OIDC identity provider that exists only so the role's trust
# policy has something to reference; both lists are left empty for the repro.
# NOTE(review): for a provider created in the same plan, the ARN consumed by
# the data source below is presumably only known at apply time -- confirm
# against the plan's after_unknown entry for aws_iam_role.dummy.
resource "aws_iam_openid_connect_provider" "dummy" {
url = "https://dummy"
client_id_list = []
thumbprint_list = []
}
# Role under test. Its trust policy comes from the data source below instead
# of an inline string, so the plan's configuration section records
# assume_role_policy as references (see the JSON fragment later in this
# thread); this is the attribute terraform-compliance reports as missing and
# then skips, meaning the trust policy is never actually evaluated.
resource "aws_iam_role" "dummy" {
name = "dummy"
assume_role_policy = data.aws_iam_policy_document.dummy_assume_role_policy.json
}
# Trust policy rendered for aws_iam_role.dummy: a single Allow statement that
# lets the OIDC provider above, as a Federated principal, assume the role.
# There is no condition block, so nothing narrows which identities issued by
# that provider are trusted -- acceptable for a repro, but it is precisely the
# kind of statement a compliance step should evaluate rather than skip.
# NOTE(review): a Federated OIDC principal is usually paired with
# sts:AssumeRoleWithWebIdentity (compare the Cognito template earlier in the
# plan); confirm that sts:AssumeRole is the intended action here.
data "aws_iam_policy_document" "dummy_assume_role_policy" {
statement {
actions = ["sts:AssumeRole"]
principals {
identifiers = [aws_iam_openid_connect_provider.dummy.arn]
type = "Federated"
}
}
}
Terraform compliance output:
This feature checks stuff about the role Scenario: Reject if something about the role Given I have aws_iam_role defined
Press enter to continue 💡 SKIPPING: Can not find any assume_role_policy property for aws_iam_role resource in terraform plan. 💡 SKIPPING: Skipping the step since resource type does not have assume_role_policy property. When it has assume_role_policy
Feature:
Scenario: Reject if something about the role
Given I have aws_iam_role defined
When it has assume_role_policy
Then it must contain assume_role_policy
So I believe it is because the link to the assume_role_policy document is not in the main resources section but in the configuration section, which has this:
{
"address": "aws_iam_role.dummy",
"mode": "managed",
"type": "aws_iam_role",
"name": "dummy",
"provider_config_key": "secondary:aws",
"expressions": {
"assume_role_policy": {
"references": [
"data.aws_iam_policy_document.dummy_assume_role_policy.json",
"data.aws_iam_policy_document.dummy_assume_role_policy"
]
},
"name": { "constant_value": "dummy" }
},
"schema_version": 0
},
When running the terraform-compliance command with the required paths, it shows steps being skipped even though the required attribute is defined in my module and present in plan.out.json. Am I doing something incorrectly? Note: I am running terraform-compliance from my example folder, which calls the main module with the inputs.
My Main Module:
Present in plan.out.json
My Example directory - calling the main module with inputs:
SKIPPING: Can not find aws_iam_policy defined in target terraform plan.