
resource/aws_iam_role: Add exclusive list support for a role's inline and managed policies #5904

Merged: 20 commits merged into hashicorp:main on Feb 23, 2021

Conversation

@YakDriver (Member) commented Sep 17, 2018


Relates #4426, #17511, #17512
Closes #17510

Release note for CHANGELOG:

`resource/aws_iam_role`: Add `inline_policy` and `managed_policy_arns` arguments to `aws_iam_role` to configure role policies and fix out-of-band changes.

Inline policy example:

```hcl
resource "aws_iam_role" "example" {
  name               = "yak_role"
  assume_role_policy = data.aws_iam_policy_document.instance_assume_role_policy.json # (not shown)

  inline_policy {
    name   = "tf-acc-test"
    policy = data.aws_iam_policy_document.inline_policy.json
  }
}

data "aws_iam_policy_document" "inline_policy" {
  statement {
    actions   = ["ec2:DescribeAccountAttributes"]
    resources = ["*"]
  }
}
```

Managed policy example:

```hcl
resource "aws_iam_role" "example" {
  name               = "yak_role"
  assume_role_policy = data.aws_iam_policy_document.instance_assume_role_policy.json # (not shown)

  managed_policy_arns = [aws_iam_policy.policy_one.arn, aws_iam_policy.policy_two.arn]
}

resource "aws_iam_policy" "policy_one" {
  name = "managed_policy"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

resource "aws_iam_policy" "policy_two" {
  name = "managed_policy2"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:HeadBucket"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}
```

Output from acceptance testing (Sep. 17, original acceptance tests, when the PR was for a new resource called aws_iam_role_policy_list):

```
$ make testacc TESTARGS='-run=TestAccAWSRolePolicyList_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./... -v -run=TestAccAWSRolePolicyList_ -timeout 120m
?   	github.com/terraform-providers/terraform-provider-aws	[no test files]
=== RUN   TestAccAWSRolePolicyList_basicInline
--- PASS: TestAccAWSRolePolicyList_basicInline (18.93s)
=== RUN   TestAccAWSRolePolicyList_basicManaged
--- PASS: TestAccAWSRolePolicyList_basicManaged (18.97s)
=== RUN   TestAccAWSRolePolicyList_managedReattached
--- PASS: TestAccAWSRolePolicyList_managedReattached (12.57s)
=== RUN   TestAccAWSRolePolicyList_extraManagedAdded
--- PASS: TestAccAWSRolePolicyList_extraManagedAdded (12.57s)
=== RUN   TestAccAWSRolePolicyList_extraInlineAdded
--- PASS: TestAccAWSRolePolicyList_extraInlineAdded (13.43s)
=== RUN   TestAccAWSRolePolicyList_noInlineListExtraInlineAdded
--- PASS: TestAccAWSRolePolicyList_noInlineListExtraInlineAdded (10.22s)
=== RUN   TestAccAWSRolePolicyList_noManagedListExtraManagedAdded
--- PASS: TestAccAWSRolePolicyList_noManagedListExtraManagedAdded (10.55s)
=== RUN   TestAccAWSRolePolicyList_emptyInlineListExtraInlineAdded
--- PASS: TestAccAWSRolePolicyList_emptyInlineListExtraInlineAdded (12.97s)
=== RUN   TestAccAWSRolePolicyList_emptyManagedListExtraManagedAdded
--- PASS: TestAccAWSRolePolicyList_emptyManagedListExtraManagedAdded (11.04s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	121.290s
```

Output from acceptance testing of resource/aws_iam_policy:

```
$ make testacc TESTARGS='-run=TestAccAWSIAMPolicy_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./... -v -run=TestAccAWSIAMPolicy_ -timeout 120m
?   	github.com/terraform-providers/terraform-provider-aws	[no test files]
=== RUN   TestAccAWSIAMPolicy_basic
--- PASS: TestAccAWSIAMPolicy_basic (10.63s)
=== RUN   TestAccAWSIAMPolicy_description
--- PASS: TestAccAWSIAMPolicy_description (6.24s)
=== RUN   TestAccAWSIAMPolicy_namePrefix
--- PASS: TestAccAWSIAMPolicy_namePrefix (6.32s)
=== RUN   TestAccAWSIAMPolicy_path
--- PASS: TestAccAWSIAMPolicy_path (7.97s)
=== RUN   TestAccAWSIAMPolicy_policy
--- PASS: TestAccAWSIAMPolicy_policy (10.75s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	41.971s
```

@ghost ghost added size/L Managed by automation to categorize the size of a PR. documentation Introduces or discusses updates to documentation. service/iam Issues and PRs that pertain to the iam service. labels Sep 17, 2018
@YakDriver YakDriver force-pushed the support-exclusive-policies branch from 6e5d3c2 to 069e2f4 Compare September 17, 2018 21:04
@YakDriver YakDriver force-pushed the support-exclusive-policies branch from 069e2f4 to b22f79e Compare September 17, 2018 21:06
@YakDriver YakDriver force-pushed the support-exclusive-policies branch from b22f79e to d073ca7 Compare September 18, 2018 15:42
@YakDriver YakDriver force-pushed the support-exclusive-policies branch from d073ca7 to 7c89c82 Compare September 19, 2018 21:31
@ghost ghost added size/XXL Managed by automation to categorize the size of a PR. documentation Introduces or discusses updates to documentation. service/iam Issues and PRs that pertain to the iam service. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. and removed size/L Managed by automation to categorize the size of a PR. labels Sep 19, 2018
@YakDriver YakDriver force-pushed the support-exclusive-policies branch from 7c89c82 to 89163a3 Compare September 19, 2018 21:52
@YakDriver (Member, Author) commented:

@bflad This PR is complete and ready for review and adjustment.

@YakDriver YakDriver force-pushed the support-exclusive-policies branch from 89163a3 to a9ceccc Compare September 20, 2018 13:08
@YakDriver YakDriver force-pushed the support-exclusive-policies branch from 1208149 to 387b80b Compare February 22, 2021 16:53
@YakDriver YakDriver requested a review from bflad February 22, 2021 17:03
@YakDriver (Member, Author) commented:

After latest changes.

GovCloud:

```
--- PASS: TestAccAWSIAMRole_badJSON (6.07s)
--- PASS: TestAccAWSIAMRole_disappears (23.19s)
--- PASS: TestAccAWSIAMRole_basic (28.25s)
--- PASS: TestAccAWSIAMRole_policyBasicInlineEmpty (22.97s)
--- PASS: TestAccAWSIAMRole_namePrefix (32.62s)
--- PASS: TestAccAWSIAMRole_force_detach_policies (33.18s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionIgnored_managedNonExistent (45.95s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_managedEmpty (47.99s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandRemovalAddedBack_inlineNonEmpty (49.83s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_inlineEmpty (50.01s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_inlineNonEmpty (51.37s)
--- PASS: TestAccAWSIAMRole_tags (53.34s)
--- PASS: TestAccAWSIAMRole_MaxSessionDuration (54.11s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_managedNonEmpty (55.00s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandRemovalAddedBack_managedNonEmpty (55.53s)
--- PASS: TestAccAWSIAMRole_testNameChange (58.05s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionIgnored_inlineNonExistent (66.74s)
--- PASS: TestAccAWSIAMRole_basicWithDescription (69.48s)
--- PASS: TestAccAWSIAMRole_policyBasicInline (74.86s)
--- PASS: TestAccAWSIAMRole_policyBasicManaged (79.61s)
--- PASS: TestAccAWSIAMRole_PermissionsBoundary (98.49s)
```
us-west-2:

```
--- PASS: TestAccAWSIAMRole_badJSON (8.03s)
--- PASS: TestAccAWSIAMRole_disappears (28.85s)
--- PASS: TestAccAWSIAMRole_policyBasicInlineEmpty (30.89s)
--- PASS: TestAccAWSIAMRole_basic (34.11s)
--- PASS: TestAccAWSIAMRole_force_detach_policies (34.76s)
--- PASS: TestAccAWSIAMRole_namePrefix (35.49s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionIgnored_managedNonExistent (46.03s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_inlineEmpty (46.24s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_managedEmpty (46.38s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_inlineNonEmpty (46.65s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandRemovalAddedBack_inlineNonEmpty (46.68s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_managedNonEmpty (47.32s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandRemovalAddedBack_managedNonEmpty (47.36s)
--- PASS: TestAccAWSIAMRole_tags (47.85s)
--- PASS: TestAccAWSIAMRole_testNameChange (50.89s)
--- PASS: TestAccAWSIAMRole_MaxSessionDuration (51.08s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionIgnored_inlineNonExistent (55.51s)
--- PASS: TestAccAWSIAMRole_basicWithDescription (49.64s)
--- PASS: TestAccAWSIAMRole_policyBasicInline (57.87s)
--- PASS: TestAccAWSIAMRole_policyBasicManaged (58.69s)
--- PASS: TestAccAWSIAMRole_PermissionsBoundary (70.73s)
```
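The test names in the two runs above (`policyOutOfBandAdditionIgnored_*NonExistent`, `policyOutOfBandAdditionRemoved_*Empty` / `*NonEmpty`, `policyOutOfBandRemovalAddedBack_*NonEmpty`) are the clearest statement of what the new arguments actually do, while the PR description only shows the happy path. The Go program below is an added example, not code from this PR or from the provider: it models those semantics as a standalone reconciliation step over constructed role state, so you can see which IAM calls an apply would issue in each case (argument omitted: out-of-band policies of that kind are ignored; set to an empty list or block: every policy of that kind is removed; set to a non-empty list: extras are removed and missing entries put back). `RolePolicies`, `Plan`, `Reconcile`, `sampleActual` and the ARNs (account `123456789012` is a placeholder) are this example's own names and data; the real provider does the equivalent against the IAM API and normalises policy JSON in its own way.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// RolePolicies holds a role's inline policies (name -> policy JSON) and attached
// managed policy ARNs. As the desired state, a nil map or slice means the matching
// aws_iam_role argument was omitted (out-of-band policies of that kind are ignored);
// a non-nil empty value means it was set to an empty block/list (all are removed).
type RolePolicies struct {
	Inline  map[string]string // inline_policy blocks / ListRolePolicies + GetRolePolicy
	Managed []string          // managed_policy_arns / ListAttachedRolePolicies
}

// Plan lists the IAM calls an apply would make to restore the declared state.
type Plan struct {
	PutInline    []string // PutRolePolicy (create or overwrite), by name
	DeleteInline []string // DeleteRolePolicy, by name
	Attach       []string // AttachRolePolicy, by ARN
	Detach       []string // DetachRolePolicy, by ARN
}

// canonicalJSON re-serialises a policy document with sorted keys and no whitespace
// so cosmetic differences are not reported as drift; unparseable input is compared verbatim.
func canonicalJSON(doc string) string {
	var v interface{}
	if json.Unmarshal([]byte(doc), &v) != nil {
		return doc
	}
	b, _ := json.Marshal(v) // cannot fail for a value produced by Unmarshal
	return string(b)
}

// Reconcile applies the exclusive semantics: whenever an argument is set, the
// configured set is the complete set, so extras are removed and missing entries
// are put back; an omitted argument leaves that policy kind alone.
func Reconcile(desired, actual RolePolicies) Plan {
	var p Plan
	if desired.Inline != nil {
		for name, want := range desired.Inline {
			if have, ok := actual.Inline[name]; !ok || canonicalJSON(have) != canonicalJSON(want) {
				p.PutInline = append(p.PutInline, name)
			}
		}
		for name := range actual.Inline {
			if _, ok := desired.Inline[name]; !ok {
				p.DeleteInline = append(p.DeleteInline, name)
			}
		}
	}
	if desired.Managed != nil {
		want, have := map[string]bool{}, map[string]bool{}
		for _, arn := range desired.Managed {
			want[arn] = true
		}
		for _, arn := range actual.Managed {
			have[arn] = true
			if !want[arn] {
				p.Detach = append(p.Detach, arn)
			}
		}
		for _, arn := range desired.Managed {
			if !have[arn] {
				p.Attach = append(p.Attach, arn)
			}
		}
	}
	for _, s := range [][]string{p.PutInline, p.DeleteInline, p.Attach, p.Detach} {
		sort.Strings(s) // deterministic output regardless of map iteration order
	}
	return p
}

// Constructed sample, not from a real account: the role carries the inline policy and
// the two customer managed policies from the PR description, plus AdministratorAccess
// attached out of band. The account ID 123456789012 is a placeholder.
const (
	policyOne = "arn:aws:iam::123456789012:policy/managed_policy"
	policyTwo = "arn:aws:iam::123456789012:policy/managed_policy2"
	adminARN  = "arn:aws:iam::aws:policy/AdministratorAccess"
)

func sampleActual() RolePolicies {
	return RolePolicies{
		Inline:  map[string]string{"tf-acc-test": `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"ec2:DescribeAccountAttributes","Resource":"*"}]}`},
		Managed: []string{policyOne, policyTwo, adminARN},
	}
}

func main() {
	actual := sampleActual()
	fmt.Printf("declared list: %+v\n", Reconcile(RolePolicies{Managed: []string{policyOne, policyTwo}}, actual)) // detaches adminARN only
	fmt.Printf("empty list:    %+v\n", Reconcile(RolePolicies{Managed: []string{}}, actual))                     // detaches all three
	fmt.Printf("omitted:       %+v\n", Reconcile(RolePolicies{}, actual))                                        // no calls at all
}
```

The third case is the one to notice: with both arguments omitted, the out-of-band AdministratorAccess attachment is not reported at all, which is the pre-PR behaviour of the resource. That is why, for a role that should carry no policies, an explicitly empty `managed_policy_arns = []` (and likewise an empty `inline_policy` configuration, the `_inlineEmpty` tests) is the lock-down setting rather than leaving the argument out.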

@bflad (Contributor) commented Feb 22, 2021

Awesome! I will hopefully get 👀 on this later today between other meetings.

@bflad (Contributor) left a review:

A few minor documentation nits, otherwise, I think this is good to go. 🚀

Output from acceptance testing in AWS Commercial:

```
--- PASS: TestAccAWSIAMRole_badJSON (9.67s)
--- PASS: TestAccAWSIAMRole_basic (54.29s)
--- PASS: TestAccAWSIAMRole_basicWithDescription (87.86s)
--- PASS: TestAccAWSIAMRole_disappears (43.86s)
--- PASS: TestAccAWSIAMRole_force_detach_policies (57.56s)
--- PASS: TestAccAWSIAMRole_MaxSessionDuration (90.66s)
--- PASS: TestAccAWSIAMRole_namePrefix (56.02s)
--- PASS: TestAccAWSIAMRole_PermissionsBoundary (111.15s)
--- PASS: TestAccAWSIAMRole_policyBasicInline (99.49s)
--- PASS: TestAccAWSIAMRole_policyBasicInlineEmpty (45.87s)
--- PASS: TestAccAWSIAMRole_policyBasicManaged (100.01s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionIgnored_inlineNonExistent (94.01s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionIgnored_managedNonExistent (77.75s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_inlineEmpty (76.56s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_inlineNonEmpty (82.36s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_managedEmpty (79.22s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_managedNonEmpty (84.76s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandRemovalAddedBack_inlineNonEmpty (77.85s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandRemovalAddedBack_managedNonEmpty (84.45s)
--- PASS: TestAccAWSIAMRole_tags (80.21s)
--- PASS: TestAccAWSIAMRole_testNameChange (90.14s)
```

Output from acceptance testing in AWS GovCloud (US):

```
--- PASS: TestAccAWSIAMRole_badJSON (5.57s)
--- PASS: TestAccAWSIAMRole_basic (57.30s)
--- PASS: TestAccAWSIAMRole_basicWithDescription (102.41s)
--- PASS: TestAccAWSIAMRole_disappears (50.09s)
--- PASS: TestAccAWSIAMRole_force_detach_policies (67.29s)
--- PASS: TestAccAWSIAMRole_MaxSessionDuration (93.17s)
--- PASS: TestAccAWSIAMRole_namePrefix (60.44s)
--- PASS: TestAccAWSIAMRole_PermissionsBoundary (130.63s)
--- PASS: TestAccAWSIAMRole_policyBasicInline (108.80s)
--- PASS: TestAccAWSIAMRole_policyBasicInlineEmpty (52.58s)
--- PASS: TestAccAWSIAMRole_policyBasicManaged (108.62s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionIgnored_inlineNonExistent (99.44s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionIgnored_managedNonExistent (83.08s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_inlineEmpty (32.71s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_inlineNonEmpty (87.56s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_managedEmpty (82.95s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandAdditionRemoved_managedNonEmpty (89.16s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandRemovalAddedBack_inlineNonEmpty (87.59s)
--- PASS: TestAccAWSIAMRole_policyOutOfBandRemovalAddedBack_managedNonEmpty (89.06s)
--- PASS: TestAccAWSIAMRole_tags (86.97s)
--- PASS: TestAccAWSIAMRole_testNameChange (91.27s)
```

Review comments (outdated, resolved) on website/docs/r/iam_policy_attachment.html.markdown, website/docs/r/iam_role_policy.html.markdown and website/docs/r/iam_role_policy_attachment.markdown.
Review comment on this documentation snippet:

```hcl
inline_policy {
  name = "my_inline_policy"

  policy = <<EOF
```

@bflad (Contributor): Nit: Let's use jsonencode() or aws_iam_policy_document data source here. 👍 Reference: #17714

@YakDriver (Member, Author): done

Review comment on this documentation snippet:

```hcl
resource "aws_iam_policy" "policy_one" {
  name = "policy-618033"

  policy = <<EOF
```

@bflad (Contributor): Nit: Similarly here and below with jsonencode()/aws_iam_policy_document

@YakDriver (Member, Author): done

@YakDriver YakDriver modified the milestones: Roadmap, v3.29.1 Feb 23, 2021
@YakDriver YakDriver merged commit 51061bc into hashicorp:main Feb 23, 2021
@YakDriver YakDriver deleted the support-exclusive-policies branch February 23, 2021 01:18
@github-actions github-actions bot modified the milestones: v3.29.1, v3.30.0 Feb 23, 2021
@YakDriver YakDriver modified the milestones: v3.30.0, v3.29.1 Feb 24, 2021
@gowthamakanthan commented:

I am getting an `An argument named "managed_policy_arns" is not expected here.` error. Any idea?

```
  on iam.tf line 131, in resource "aws_iam_role" "qualys_iam_role":
 131:   managed_policy_arns  = []

An argument named "managed_policy_arns" is not expected here.

Releasing state lock. This may take a few moments...
➜  aws_global git:(mgm/vpc) ✗ terraform --version
Terraform v0.12.29
+ provider.aws v3.1.0
+ provider.local v2.1.0
+ provider.template v2.1.2
```

@lorengordon (Contributor) commented:

@gowthamakanthan this was released in v3.29.1 of the aws provider. Your output shows v3.1.0. You'll need to upgrade your provider version to use this feature.

@ghost ghost locked as resolved and limited conversation to collaborators Mar 25, 2021
Labels
documentation Introduces or discusses updates to documentation. enhancement Requests to existing resources that expand the functionality or scope. partition/aws-us-gov Pertains to the aws-us-gov partition. service/iam Issues and PRs that pertain to the iam service. size/XXL Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Development

Linked issue closed by this pull request: Exclusive management of inline & managed policies for IAM roles

6 participants