
iam: unable to define roles inline policy #170

Closed
mcanevet opened this issue Nov 22, 2022 · 8 comments · Fixed by #745
Labels: bug (Something isn't working), is:triaged (Indicates that an issue has been reviewed.)

Comments

mcanevet commented Nov 22, 2022

What happened?

Here is a transcript of the discussion we had on Slack with @ulucinar:

In Terraform we have these resources involved:
- aws_iam_role with an optional inline_policy argument which allows defining an inline policy attached to the role; this resource is equivalent to the [roles.iam.aws.upbound.io](http://roles.iam.aws.upbound.io/) resource (although the resource does not have the inline_policy argument),
- aws_iam_policy which allows defining a "[managed policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#choosing-managed-or-inline)" (not inline); this resource is equivalent to the [policies.iam.aws.upbound.io](http://policies.iam.aws.upbound.io/) resource,
- this policy can (but not only) be attached to an aws_iam_role using the aws_iam_role_policy_attachment, which is equivalent to the [rolepolicyattachments.iam.aws.upbound.io](http://rolepolicyattachments.iam.aws.upbound.io/) resource,
- aws_iam_role_policy that also allows defining an inline policy attached to a role, which is why it conflicts with the optional inline_policy argument of the aws_iam_role resource. This resource has no equivalent in Crossplane.
I think the misunderstanding comes from the fact that [rolepolicyattachments.iam.aws.upbound.io](http://rolepolicyattachments.iam.aws.upbound.io/) is actually not a reflection of the aws_iam_role_policy resource (in which case it would actually be mutually exclusive with the inline_policy argument), but it reflects the aws_iam_role_policy_attachment, which does not conflict with the inline_policy argument.
I'm pretty sure there is currently no way to define an inline policy (which is not the same thing as a managed policy). We need either the inline_policy argument to not be moved to the status, or a standalone [rolepolicy.iam.aws.upbound.io](http://rolepolicy.iam.aws.upbound.io/) with some selector to match which role it should be attached to.

How can we reproduce it?

What environment did it happen in?

  • Universal Crossplane Version: v1.10.1
  • Provider Version: v0.20.0
@mcanevet mcanevet added the bug Something isn't working label Nov 22, 2022
turkenf (Collaborator) commented Apr 6, 2023

Hi @mcanevet, thanks for raising this issue. Could you please give more details (examples, expected behavior, etc.) to clarify the problem?

mcanevet (Author) commented Apr 6, 2023

@turkenf sure, here is an example (from the Terraform documentation) of what is possible with Terraform, but not with the Crossplane AWS provider:

resource "aws_iam_role_policy" "test_policy" {
  name = "test_policy"
  role = aws_iam_role.test_role.id

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:Describe*",
        ]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}

resource "aws_iam_role" "test_role" {
  name = "test_role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })
}

Declaring a Role inline policy is not possible, only attaching a customer managed policy.
Having this feature would allow having only 1 Managed Resource (role.iam) instead of 3 (role.iam + policy.iam + rolepolicyattachment.iam) and save a lot of resources.
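Whether a policy ends up inline on the role (aws_iam_role_policy / inline_policy) or as a managed policy attached with aws_iam_role_policy_attachment, the policy document itself is the same IAM JSON, so the same review applies to both. The following is an added example, not code from this issue or from the provider: it parses the two documents from the Terraform snippet above (re-encoded as the JSON that jsonencode would emit, constructed here) plus two deliberately over-broad constructed samples, and flags the things a reviewer usually looks for first: wildcard actions, Resource "*", Allow-with-NotAction, and trust policies that let any principal assume the role without a Condition. Function names and the sample documents are this example's own.

```python
import json
from typing import Any

# Constructed sample: the permissions policy that the issue's Terraform
# aws_iam_role_policy.test_policy block produces after jsonencode.
INLINE_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["ec2:Describe*"], "Effect": "Allow", "Resource": "*"}
  ]
}
"""

# Constructed sample: the trust (assume-role) policy from the issue's
# aws_iam_role.test_role block.
TRUST_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": "sts:AssumeRole", "Effect": "Allow", "Sid": "",
     "Principal": {"Service": "ec2.amazonaws.com"}}
  ]
}
"""

# Constructed samples: an over-broad permissions policy and an over-broad
# trust policy, included only to show what the checks flag.
BROAD_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
"""
OPEN_TRUST_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}
  ]
}
"""


def _as_list(value: Any) -> list:
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(doc: dict) -> list[tuple[int, dict]]:
    """Return (index, statement) for every Allow statement; Deny never widens access."""
    return [(i, s) for i, s in enumerate(_as_list(doc.get("Statement"))) if s.get("Effect") == "Allow"]


def check_permissions_policy(doc: dict) -> list[str]:
    """Flag Allow statements that grant wildcard actions or apply to every resource."""
    findings = []
    for idx, stmt in _allow_statements(doc):
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append(f"statement {idx}: Allow with NotAction permits every action not listed")
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {idx}: wildcard action {actions}")
        if "*" in resources:
            findings.append(f"statement {idx}: Resource '*' for {actions}")
    return findings


def check_trust_policy(doc: dict) -> list[str]:
    """Flag trust statements that let any principal assume the role without a Condition."""
    findings = []
    for idx, stmt in _allow_statements(doc):
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if "*" in aws_principals and "Condition" not in stmt:
            findings.append(f"statement {idx}: any principal may assume the role (Principal '*' with no Condition)")
        if "NotPrincipal" in stmt:
            findings.append(f"statement {idx}: Allow with NotPrincipal is almost always wider than intended")
    return findings


def check_policy_json(text: str, kind: str) -> list[str]:
    """Parse a policy document and run the checks for its kind ('permissions' or 'trust')."""
    doc = json.loads(text)
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append(f"Version is {doc.get('Version')!r}; expected '2012-10-17'")
    if kind == "permissions":
        findings.extend(check_permissions_policy(doc))
    elif kind == "trust":
        findings.extend(check_trust_policy(doc))
    else:
        raise ValueError(f"unknown policy kind {kind!r}")
    return findings


if __name__ == "__main__":
    for name, text, kind in [
        ("test_policy (inline)", INLINE_POLICY_JSON, "permissions"),
        ("test_role trust policy", TRUST_POLICY_JSON, "trust"),
        ("broad permissions policy", BROAD_POLICY_JSON, "permissions"),
        ("open trust policy", OPEN_TRUST_POLICY_JSON, "trust"),
    ]:
        print(f"{name}: {check_policy_json(text, kind) or 'no findings'}")
```

On the issue's own example the trust policy passes, while the ec2:Describe* statement is reported only for its Resource "*" (Describe calls are not resource-scoped, so that finding is one a reviewer would accept and note). Running the same checks in CI before the policy reaches Terraform or a Crossplane manifest means the result does not depend on whether the policy is eventually inline or managed.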

turkenf (Collaborator) commented Apr 10, 2023

This resource is in our skip list: https://github.com/upbound/provider-aws/blob/024487cd13e9a84573cb1e842fd1705acfba4448/config/provider.go#L120
We might add this resource to be able to define role inline policies.

@turkenf turkenf added is:triaged Indicates that an issue has been reviewed. and removed needs:information needs:triage labels Apr 10, 2023
mcanevet (Author) commented

@turkenf in Terraform you can define an inline policy either by using the aws_iam_group_policy, aws_iam_role_policy or aws_iam_user_policy resources, or by using the inline_policy argument of the aws_iam_group, aws_iam_role or aws_iam_user resources.

Modifying the line you point to should allow the usage of the first method, but to enable the second method we should probably modify this line:

https://github.com/upbound/provider-aws/blob/516150c83a612fec64f9ecfa9c3f923be9a723aa/config/iam/config.go#L38

I don't know what the provider policy is when you have 2 possibilities to do the same thing in Terraform. Should we allow both or prefer one over the other?

mcanevet (Author) commented

Community provider has the same issue: crossplane-contrib/provider-aws#177

ivanzolotuhin commented May 3, 2023

@turkenf

https://github.com/upbound/provider-aws/blob/024487cd13e9a84573cb1e842fd1705acfba4448/config/provider.go#L120

The comment mentions that this resource is "identical with aws_iam_*_policy_attachment resources.", but that is actually not true:

  • An inline policy exists only as part of the role and is not available separately (i.e. it is impossible to attach this policy to other roles, and there is no ARN for an inline policy).
  • A usual (not inline) policy has both attributes: it can be attached to multiple roles by ARN.

@mcanevet

I don't know what the provider policy when you have 2 possibilities to do the same thing in Terraform.

It is the usual TF approach. For example:

  • A role can be managed from a single place and by one team; then it is OK for the team to define everything in one place. Works fine for small teams.

  • Or it is possible to provision a "placeholder role" by one team from one repo (for example by writing a common Terraform module which provisions a microservice, IAM role, security group, attaches the role and SG to the microservice, etc.). Then all available customisation is done outside the module, like attaching policies to the IAM role and security group rules.

Should we allow both or prefer one over the other?

Of course both methods should be available. In some cases (for example corporate security policies/bureaucracy) empty roles can be pre-provisioned separately and Crossplane will only manage inlinePolicy.

@turkenf turkenf self-assigned this Jun 20, 2023
portswigger-tim (Contributor) commented

I was going to raise this today... It seems that inlinePolicy is a part of the CR status, but not part of the forProvider spec 🤔

turkenf (Collaborator) commented Jun 20, 2023

Hi folks,

I opened a PR to be able to define roles with an inline policy; this issue will be closed with that PR. If you still need the aws_iam_role_policy resource, feel free to request it here.
